Privacy Policy
Last updated: 17.2.2026
1. Data controller
NeurFlow Oy (Business ID: 3597951-1)
Helsinki, Finland
Email: privacy@neurflow.fi
2. Roles: Controller and Processor
NeurFlow as controller: We collect and process customer data (name, email, company details) to manage our business relationship.
NeurFlow as data processor: When the Customer (data controller) enters telemetry data into the Service that contains personal data (e.g. driver name, GPS location), NeurFlow processes this data on behalf of and in accordance with the Customer's instructions. The legal basis for processing telemetry data is determined by the Customer as controller; NeurFlow processes data in accordance with the DPA and Customer instructions.
3. Data we collect
| Data type | Examples | Legal basis (GDPR Art.) |
|---|---|---|
| Customer data | Name, email, company, Business ID | 6(1)(b) Contract |
| Telemetry | GPS, speed, fuel, SOC%, sensor data | 6(1)(f) Legitimate interest / 6(1)(b) |
| Driver data | Name, driving hours, fatigue indicators | 6(1)(b) + DPA |
| Usage logs | IP address, browser, page loads | 6(1)(f) Legitimate interest |
| Contact form | Name, email, message | 6(1)(a) Consent |
4. Data storage and location
🇪🇺 EU sovereign storage
- Google Cloud Platform: europe-north1 (Hamina, Finland)
- Supabase: EU (PostgreSQL, Row Level Security)
- Encryption: AES-256-GCM (at rest) + TLS 1.3 (in transit)
As a rule, we process and store data within the EU/EEA. Sovereignty Switch: Customers may select EU mode, in which AI processing uses only EU-based models (Mistral, Aleph Alpha) — no data leaves Europe.
In limited cases we use sub-processors outside the EU/EEA (e.g. transactional email and Global-mode AI services). In such cases we apply GDPR safeguards (e.g. SCC/DPF), minimise the data transferred, and avoid direct personal identifiers where possible. Current sub-processor list: Sub-processors, DPA.
5. Data sharing
We do not sell, rent or share personal data with third parties for marketing purposes.
Data is shared only with:
- Technical sub-processors (Supabase, GCP, etc.) — DPAs in place
- Legal obligations (authority requests)
- With the Customer's explicit consent
6. Retention periods
- Account data: duration of contract + 12 months
- Telemetry: as defined by Customer, default 24 months
- Usage logs: 90 days
- Contact form data: 12 months
- DLP-scrubbed analytics (anonymous): indefinite
7. Your rights
Under GDPR you have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion (“right to be forgotten”)
- Restriction — restrict processing
- Portability — receive data in machine-readable format
- Objection — object to processing based on legitimate interest
Requests: privacy@neurflow.fi. We respond within 30 days. You may also lodge a complaint with the supervisory authority (tietosuoja.fi).
8. Cookies
neurflow.fi uses only strictly necessary technical cookies (session, CSRF protection). We do not use third-party tracking or advertising cookies.
9. Security breaches
In accordance with the NIS2 Directive and GDPR, we notify the supervisory authority of personal data breaches within 72 hours and notify data subjects without undue delay when the breach is likely to pose a high risk to their rights.