Legal & Privacy — GDPR (EU) 2016/679

Privacy Policy.

This policy explains how Koukku Kapital Oy processes your personal data. It has been prepared in accordance with the EU General Data Protection Regulation (GDPR).

Last updated: 3 May 2026·Version 1.1
01

Data controller

CompanyKoukku Kapital Oy
Business ID3331246-5
AddressKärsämäentie 35, 20360 Turku, Finland
Emailjohn@koukku.ai
Privacyjohn@koukku.ai (privacy matters)

Koukku Kapital Oy (hereinafter "Koukku.ai" or "we") acts as the data controller for the services described in this policy.

02

Data we collect

We collect the following categories of personal data:

  • Contact details: Name, email address, and company name — when you fill in a contact form or register for our service.
  • Message content: Messages submitted via the contact form and other written communications.
  • Technical data: IP address, browser type, operating system, and session data (essential cookies).
  • Usage data: Page visits and actions taken within the service (anonymised analytics).
We do not collect sensitive personal data (health information, political opinions, religious beliefs, etc.).
03

How we use your data

  • Responding to enquiries: We process data submitted via the contact form to reply to you.
  • Providing the service: Managing access to the customer portal, processing orders, and customer support.
  • Legal notices: Important service and security announcements.
  • Marketing (with consent): Newsletters and offers — you may withdraw consent at any time.
  • Service improvement: Anonymised usage statistics analysis.
  • Legal obligations: Accounting and tax law requirements.
04

Legal basis for processing (GDPR art. 6)

  • Performance of a contract (art. 6.1.b): Registration, orders, and service delivery.
  • Legitimate interest (art. 6.1.f): Service security, preventing misuse, and responding to enquiries.
  • Consent (art. 6.1.a): Marketing communications — you may withdraw at any time.
  • Legal obligation (art. 6.1.c): Accounting and taxation.
05

Data retention periods

  • Contact form data: Retained for 2 years after the enquiry, then automatically deleted.
  • Customer account: Data retained while the account is active. Deleted within 30 days of account closure.
  • Billing data: 7 years in accordance with the Accounting Act (1336/1997).
  • Marketing consent: Until you withdraw your consent.
  • Log data: Maximum 90 days.
06

Third parties

We do not sell your personal data. We share data only with trusted partners to deliver the service:

  • Resend Inc. — Email service for sending contact replies. Location: USA. Safeguard: EU SCCs.
  • Google LLC — OAuth login and cloud services. Location: USA. Safeguard: EU–US Data Privacy Framework.
  • Vercel Inc. — Website hosting. Location: USA/EU. Safeguard: EU SCCs.
  • Upstash Inc. — Redis database (sessions). EU region (Frankfurt).
  • Authorities: Only when required by law.

All our sub-processors have signed a GDPR-compliant Data Processing Agreement (DPA).

07

Your rights (GDPR art. 15–22)

You have the following rights regarding your personal data:

  • Right of access (art. 15): You may request a copy of all data we hold about you.
  • Right to rectification (art. 16): You may request correction of inaccurate data.
  • Right to erasure (art. 17): "Right to be forgotten" — request deletion of your data.
  • Restriction of processing (art. 18): You may restrict processing of your data in certain circumstances.
  • Data portability (art. 20): Receive your data in a machine-readable format (JSON/CSV).
  • Right to object (art. 21): You may object to processing based on direct marketing or legitimate interest.
Submit your requestjohn@koukku.ai →We respond within 30 calendar days as required by GDPR.
08

Cookies

We use cookies for the following purposes:

  • Essential cookies: Login session and security functions. No consent required — necessary for the service to function.
  • Analytics cookies: Anonymised usage statistics to improve the service. Requires your consent.

You can manage cookie settings in your browser settings or by clicking the Cookie Settings link in the page footer. Blocking essential cookies may affect service functionality.

09

Security

We protect your personal data according to industry standards:

  • HTTPS encryption for all data transmission (TLS 1.3)
  • Bcrypt password hashing (cost factor 12)
  • Encrypted database connections (Cloud SQL + TLS)
  • Access to production systems restricted to authorised personnel only
  • Regular security audits and vulnerability scans
  • Rate limiting and IP-based abuse prevention

In the event of a data breach, we will notify relevant parties without undue delay in accordance with GDPR art. 33–34 (within 72 hours of discovery).

10

International data transfers

Some of our service providers are located outside the EU/EEA (particularly the USA). We ensure the legality of transfers by using:

  • EU Standard Contractual Clauses (SCCs): Model clauses approved by the European Commission for transfers to third countries.
  • EU–US Data Privacy Framework: Certification for US companies, replacing Privacy Shield.
  • EU-based servers: Our first choice whenever possible.
11

Right to complain

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman (Finland)
PO Box 800, 00531 Helsinki  ·  tel. +358 29 566 6700
tietosuoja.fi →

We recommend contacting us first — we aim to resolve all privacy concerns quickly and professionally.

12

Changes to this policy

We reserve the right to update this Privacy Policy as our services evolve or legislation changes. We will notify you of significant changes by email or on the service homepage at least 14 days before the changes take effect.

The current version of this policy is always available at koukku.ai/en/privacy.

Privacy question? Get in touch →
Terms of ServiceCookie SettingsDPA← Home