Privacy Policy
Last updated: 2.4.2026
1. Data controller
NeurFlow Oy (Business ID: 3597951-1)
Helsinki, Finland
Email: privacy@neurflow.fi
2. Roles: Controller and Processor
NeurFlow as controller: We collect and process customer data (name, email, company details) to manage our business relationship.
NeurFlow as data processor: When the Customer (data controller) enters telemetry data into the Service that contains personal data (e.g. driver name, GPS location), NeurFlow processes this data on behalf of and in accordance with the Customer's instructions. The legal basis for processing telemetry data is determined by the Customer as controller; NeurFlow processes data in accordance with the DPA and Customer instructions.
3. Data we collect
| Data type | Examples | Legal basis (GDPR Art.) |
|---|---|---|
| Customer data | Name, email, company, Business ID | 6(1)(b) Contract |
| Telemetry | GPS, speed, fuel, SOC%, sensor data | 6(1)(f) Legitimate interest / 6(1)(b) |
| Driver data | Name, driving hours, fatigue indicators | 6(1)(b) + DPA |
| Sovereign Scan lead | Domain, email, IP hash, consent timestamp | 6(1)(a) Consent |
| ArcturaLens browser extension | Supported listing page URL, marketplace domain, and structured fields needed for scoring (for example price, model year, address, MMSI) | 6(1)(b) Requested service + 6(1)(f) abuse prevention |
| Usage logs | IP address, browser, page loads | 6(1)(f) Legitimate interest |
| Contact form | Name, email, message | 6(1)(a) Consent |
4. Data storage and location
🇪🇺 EU sovereign storage
- Microsoft Azure: Sweden Central (EU)
- Supabase: EU (managed database, row-level tenant isolation)
- Encryption: Industry-standard encryption (AES-256) at rest + TLS 1.3 in transit
As a rule, we process and store data within the EU/EEA. Sovereignty Switch: Customers may select EU mode, in which AI processing uses only EU-based models (Mistral, Aleph Alpha) — no data leaves Europe.
In limited cases we use sub-processors outside the EU/EEA (e.g. transactional email and Global-mode AI services). In such cases we apply GDPR safeguards (e.g. SCC/DPF), minimise the data transferred, and avoid direct personal identifiers where possible. Current sub-processor list: Sub-processors, DPA.
The public Sovereign Scan analyses only the user-submitted domain and the email address captured for report delivery. Scan rows are stored in EU-hosted Supabase. When you request delivery, your email and scan summary may be transferred to Resend (delivery) and HubSpot (lead handling). Public-domain enrichment may query Firecrawl or DuckDuckGo.
ArcturaLens browser extension: The extension reads data only on supported public listing pages, builds a scoring request from structured page fields, and sends that request to api.neurflow.fi. The extension stores only its own local usage counters in Chrome extension storage.
5. Data sharing
We do not sell, rent or share personal data with third parties for marketing purposes.
Data is shared only with:
- Technical sub-processors (Supabase, Azure, Resend, HubSpot, Firecrawl) — DPA/SCC/DPF safeguards applied where relevant
- Legal obligations (authority requests)
- With the Customer's explicit consent
6. Retention periods
- Account data: duration of contract + 12 months
- Telemetry: as defined by Customer, default 24 months
- Usage logs: 90 days
- Sovereign Scan without email capture: 7 days
- Sovereign Scan with email capture: 90 days or earlier if you unsubscribe
- Contact form data: 12 months
- DLP-scrubbed analytics (anonymous): indefinite
7. Your rights
Under GDPR you have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion (“right to be forgotten”)
- Restriction — restrict processing
- Portability — receive data in machine-readable format
- Objection — object to processing based on legitimate interest
Requests: privacy@neurflow.fi. We respond within 30 days. You may also lodge a complaint with the supervisory authority (tietosuoja.fi).
8. Cookies
neurflow.fi uses only strictly necessary technical cookies. We do not use third-party tracking or advertising cookies.
- sb-* — Supabase authentication session cookies. Duration: session.
- nf_sub_cache — signed subscription cache, accelerates subscription check at middleware level. Duration: 5 min.
- arctura_aurora — signed (HMAC-SHA256) Aurora funnel session cookie. Contains stakeholder ID, email, tenant ID, and Aurora stage (T0–T3). Set only when an invite link (QR/NFC/shared URL) is redeemed via desktop browser. HttpOnly + Secure + SameSite=Lax. Duration: max 7 days. Can be revoked via invite management.
9. Security breaches
In accordance with the NIS2 Directive and GDPR, we notify the supervisory authority of personal data breaches within 72 hours and notify data subjects without undue delay when the breach is likely to pose a high risk to their rights.
NeurFlow Oy · Business ID: 3597951-1 · Helsinki, Finland
Data protection contact: privacy@neurflow.fi