Privacy Policy
This privacy policy describes how Kadonneet Esineet Saas Platform Oy (Business ID: 3553502-1, hereinafter 'Controller', 'we') processes personal data in the Kadonneet Esineet web service ('Service'). We are committed to protecting our users' privacy in accordance with the EU General Data Protection Regulation (GDPR) and other applicable legislation.
Data Controller
Kadonneet Esineet Saas Platform Oy
PL 999
42011 Yrityslokero
Email: support(a)kadonneet.fi
Business ID: 3553502-1
Purpose of Personal Data Processing and Legal Basis
We process personal data on the following legal bases:
Contract performance (GDPR Art. 6(1)(b)):
- Providing the service and managing user accounts
- Processing orders and delivery of physical products
- Providing customer service
Legal obligation (GDPR Art. 6(1)(c)):
- Compliance with accounting obligations
Legitimate interest (GDPR Art. 6(1)(f)):
- Technical service development and data security assurance
- Preventing misuse and IP address logging for security purposes
- Customer communication regarding service matters (e.g., outages, feature updates)
- Relaying finder contact requests (non-customers) to item owners - core service functionality for returning lost items
Consent (GDPR Art. 6(1)(a)):
- Setting non-essential analytics and other cookies and using the data collected with them to improve the service (PostHog Cloud EU)
- You can remove cookies directly from your browser settings; removing essential cookies may impair the functionality of the Service.
Personal Data Processed and Data Sources
We collect data directly from you. Below are all personal data categories processed and details of their processing:
Basic data:
- Name and email address (from Google account when registering) - Required for account creation
- Without name and email, we cannot provide the service
Delivery data:
- Delivery address - Required for physical product delivery
- Without delivery address, we cannot deliver physical products you order
- We use your provided delivery address for order fulfillment and share it with our trusted EU delivery partners solely for this purpose
- We retain order and delivery data for the period required by accounting law (currently 6 years from end of fiscal year)
Service usage data:
- Added items (name, description, category, image, reward information)
- IP address, browser and device information
- Analytics data (PostHog Cloud EU): page views, button clicks, session duration, device type
- Session recordings: user actions on website, visible text and images (input fields masked). Recordings are retained for 90 days, then deleted.
Finder data (non-customers):
- Finder contact forms: email/phone number and message
Customer communication:
- Email correspondence with customer service
Cookies and Similar Technologies
We use cookies to ensure the Service functions properly:
Necessary cookies:
- Session cookies to maintain login
- Security cookies
Analytics cookies:
- PostHog Cloud EU (Frankfurt) analytics service
- Cookies: ph_phc_* (site analytics), posthog (session and user identification)
- Duration: 365 days (ph_phc_*), 365 days (posthog)
- Purpose: identifiable user behavior data for website analysis and performance monitoring
- Analytics cookies are not set without your consent
We use a cookie banner where you can accept or reject analytics cookies or make individual choices. Rejection is as easy as acceptance. You can delete cookies directly through your browser settings. Disabling necessary cookies may impair Service functionality.
Personal Data Recipients, Processors and Transfers
We never sell your personal data. We share your data only with trusted and necessary partners to provide our service. Below are details for each partner, their role, and how data protection is ensured.
1. Technical Service Platform
- Partners: Supabase Inc. (US): Database, authentication, storage. Vercel Inc. (US): Service maintenance and delivery (Hosting/CDN).
- Role: Personal data processors.
- Data processed: Supabase processes all service user data. Vercel processes technical data (IP addresses, HTTP requests) for service delivery and security.
- Location and transfers: We use EU region servers. Potential technical support or network operations transfers outside EU (USA) are protected by EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCC).
- More information: Supabase DPA (https://supabase.com/legal/dpa), Vercel DPA (https://vercel.com/legal/dpa)
2. Payment Processing
- Partner: Stripe Payments Europe, Ltd (Ireland)
- Role: Independent data controller. We do not store your payment card details.
- Data processed: Payment transaction confirmation data.
- Location and transfers: Possible transfers to United States are protected by EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCC).
- More information: Stripe DTA (https://stripe.com/legal/dta)
3. Analytics and Product Development (consent only)
- Partner: PostHog Cloud EU (Germany)
- Role: Personal data processor.
- Data processed: IP address, browser data, user events and session recordings (input fields masked).
- Location and transfers: All data is processed and stored in EU region (Frankfurt). No data is transferred outside EU.
- More information: PostHog DPA (https://posthog.com/dpa)
4. Email Delivery
- Partner: Resend (US)
- Role: Personal data processor.
- Data processed: Email address (e.g., system notifications, finder message relay).
- Location and transfers: Possible transfers to United States are protected by EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCC).
- More information: Resend DPA (https://resend.com/legal/dpa)
5. Physical Product Delivery
- Partners: Our trusted printing and postal partners.
- Role: Personal data processor.
- Data processed: Delivery address.
- Location and transfers: We work only with EU-based partners.
6. Authorities
- We share data with authorities only when required by law.
Data Retention Periods
- User account: Duration of active account, 90 days after deletion
- Order and delivery data: Period required by accounting law (6 years)
- Customer communication and finder contacts: 2 years from last contact
- Analytics data: PostHog raw data maximum 12 months, session recordings 90 days.
- Backups: We aim to remove data from active systems within 90 days of deletion request, but removal from backups may take longer according to backup rotation cycles.
Record of Processing Activities
We maintain internal records of all personal data processing activities under our responsibility in accordance with GDPR Article 30. This documentation includes all processors and their roles, and is available to authorities upon request.
Your Rights as Data Subject
You have the following rights:
- Right to access your data
- Right to rectification of data
- Right to erasure of data (except legal obligations)
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint
Exercising rights: Send request to support(a)kadonneet.fi. We respond within 30 days, with possible extension to 60 days. We may verify your identity using appropriate means. Requests are free unless clearly unfounded or excessive.
Right to complaint:
You can lodge a complaint with the Data Protection Ombudsman (tietosuoja(a)om.fi).
Data Security and Security Breaches
Security measures:
- SSL/TLS encryption in all data transmission
- Access control and OAuth for login
- MFA enabled for system administrators
- Regular backups
- Cloud services (Vercel, Supabase) in EU region, contracts and security measures according to service providers' DPA
Security breach:
We will notify authorities within 72 hours in accordance with GDPR and notify you without undue delay if a breach poses a high risk to your rights.
Profiling, Automated Decision-Making and AI
We do not engage in profiling or automated decision-making. We do not use AI in personal data processing. If we implement AI-based functions in the future, we will update this policy.
Direct Marketing
If we send marketing messages in the future, each message will include a clear opt-out link.
Data Protection Officer
We do not have a statutory obligation to appoint a data protection officer. Data protection matters are handled by our company management: support(a)kadonneet.fi
Minors and Guardian Consent
The Service is intended for persons at least 13 years old in accordance with Finland's information society services consent age regulation. When registering for the service, the customer confirms being over 18 years old or having guardian consent for all service functions including paid subscriptions.
Policy Changes
We will update this policy as necessary. We will notify you by email of significant changes.
Last updated: September 28, 2025