Notice: this is the staging test environment, not production.

Suomen pyörärekisteri
Log in

Privacy Policy (GDPR)

Updated: 30 Apr 2026

1. Data controller

The Suomen pyörärekisteri service acts as the data controller for user data in this service.

2. What data we collect

We only collect data necessary for operating the service:

  • account email address and login-related data
  • bike data added by the user (for example frame number, make, model)
  • technical usage logs for service security
  • IP address captured at signup for abuse prevention

3. Purpose and legal basis of processing

We process personal data to provide the service, manage accounts, prevent misuse, and verify bike ownership and status. The legal basis is performance of a contract and legitimate interest in maintaining service security.

4. Cookies and similar technologies

We currently use only cookies that are strictly necessary for service operation. We do not use analytics or advertising cookies without separate rollout and consent handling.

CookiePurposeCategoryRetention
site_localeStores the user's language preference (fi/sv/en) so the UI opens in the selected language.Strictly necessary12 months
sb-*-auth-token*Supabase Auth session cookies that enable secure sign-in and access to protected pages.Strictly necessarySession-based / token lifetime
  • First-party cookies are set only to support core service functionality.
  • Analytics and marketing cookies are not currently in use.
  • If we introduce non-essential cookies (for example analytics/ads), we will request consent before setting them.

5. Data retention

We retain data only as long as required for service purposes or legal obligations. In profile settings, users can request a data report and data erasure with email confirmation.

  • GDPR report download links expire in 48 hours
  • Expired report files are removed automatically
  • Erasure requests are processed automatically after confirmation
  • Old request logs are cleaned automatically based on retention period

6. How GDPR requests are handled

Data subjects can submit requests directly from profile settings (after sign-in) by choosing either a data export request or a data erasure request.

  • Each request requires email confirmation before processing.
  • Data erasure requests use a 24-hour safety period after confirmation before final deletion.
  • Data reports are generated automatically and delivered via a single-use download link.
  • The download link and report file expire automatically after the set period.
  • Erasure requests are processed automatically in the background after confirmation.
  • Request statuses are logged in the system (for example pending confirmation, queued, processing, completed, expired).
  • All deletion events are recorded as separate audit log entries.

Our goal is to process requests without undue delay. If a request requires clarification, administration may contact the data subject.

7. Data disclosure and transfers

We do not sell personal data. Data may be processed by technical subcontractors (for example hosting or database providers) only for agreed purposes and with appropriate safeguards.

8. Data subject rights

You have the right to:

  • access your personal data
  • request correction of inaccurate data
  • request data erasure
  • restrict or object to processing where permitted by law
  • lodge a complaint with a supervisory authority

9. Contact

For privacy-related requests, you can contact service administration by email: info@suomenpyorarekisteri.fi.