Privacy policy
Fronterak Oy is committed to protecting the privacy of its users. This policy describes how we collect and process personal data in compliance with the EU General Data Protection Regulation (GDPR, 2016/679) and the Finnish Data Protection Act (1050/2018).
1. Data controller
Fronterak Oy (business ID 3456789-1)
Helsinki, Finland
Email: info@fronterak.fi
The data controller decides on the purposes and means of processing personal data. You can contact the data protection officer at info@fronterak.fi.
2. Data we collect
We collect the following personal data when you use the service:
- Identification data: name, email, phone number, username, password hash
- Address details: street address, postal code, city — to define the renovation site
- Business details (contractors): business ID, company name, liability insurance, prepayment register status
- Project data: requests for quotes, calculator inputs, quotes, messages and images
- Technical data: IP address, browser, operating system, cookie identifiers
- Payment data: reference details for subscriptions and invoices (no card data is processed)
3. Purposes of data use
We process personal data for the following purposes:
- Providing, maintaining and improving the service and user experience
- Forwarding requests for quotes and facilitating communication between parties
- Verifying contractors, quality control and collecting reviews
- Invoicing, payment protection and retaining accounting records as required by the Finnish Accounting Act
- Preventing fraud, maintaining information security and investigating misuse
- Complying with statutory obligations
- Marketing and communications when based on consent or legitimate interest
4. Legal bases for processing (Article 6 GDPR)
The legal bases for our processing vary by data type:
- Contract (6(1)(b)): creation of a user account, forwarding of quote requests, project management and payment protection
- Legal obligation (6(1)(c)): accounting, taxation, consumer protection and anti-money-laundering
- Legitimate interest (6(1)(f)): service development, fraud prevention, information security and direct marketing to existing customers
- Consent (6(1)(a)): marketing communications to non-customers, non-essential cookies (analytics, marketing) and precise location processing
5. Data storage and protection
Data is stored on servers located in the EU/EEA. We use encryption (TLS at rest and in transit), role-based access control (Supabase RLS), two-factor authentication for administrative tasks and regular log monitoring. Only employees and subcontractors who need personal data for their tasks may process it.
6. Retention periods
We retain personal data only as long as is necessary for the processing purpose or as required by law:
- User account and profile data: for the duration of the account, and 30 days in a backup register after deletion
- Requests for quotes and project data: 5 years from the end of the project (liability periods)
- Accounting records and invoices: 6 years from the end of the financial year (Finnish Accounting Act 1336/1997, ch. 2 § 10)
- Communication logs and support conversations: 2 years from contact
- Technical server logs: 90 days
- Marketing consents: until withdrawal, and 30 days after withdrawal for audit purposes
7. Disclosure of data to third parties
We do not sell personal data. We disclose data only in the following situations:
- To contractors: the request details and the consumer's contact details to the extent required by the quoting process
- To consumers: the contractor's public business details, reviews and insurance information together with the quote
- To subprocessors (Supabase, Vercel, Google AI Studio, Resend): under separately agreed data processing agreements — the full list is in the subprocessor list
- To authorities: where required by law (e.g. tax authorities, consumer protection authority)
- In connection with business arrangements: in case of a change of ownership we transfer the data to the new controller after notifying users
8. International transfers
As a general rule, data is stored within the EU/EEA. However, some of our subprocessors also operate outside the EU, in particular in the United States:
- Google AI Studio (United States) — AI-powered renovation calculator
- Vercel Inc. (United States / EU edge) — website hosting
In those cases transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) and additional technical safeguards by the recipient companies (encryption, anonymisation). Alternatively, we rely on the EU–US Data Privacy Framework (DPF) where the target company is covered by it.
9. Automated decision-making and profiling
Our renovation calculator uses AI to produce price estimates based on the data you enter. This is an indicative estimate, not binding pricing, and the final price is always set in the contractor's quote.
We do not make automated individual decisions as defined in Article 22 GDPR that would have legal or similarly significant effects on the data subject. All contractor selections are made by the consumer.
10. Cookies and tracking technologies
We use essential cookies to ensure the operation of the service, and analytics and marketing cookies with your separate consent. A detailed list and consent management are available in the cookie policy.
11. Rights of the data subject
Under the GDPR you have the following rights:
- Right of access (Art. 15) — to request a copy of the data processed about you
- Right to rectification (Art. 16) — to request correction of inaccurate data
- Right to erasure (Art. 17, the "right to be forgotten")
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21), especially for direct marketing
- Right to withdraw consent at any time (Art. 7(3))
12. Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data does not comply with the law, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman:
Office of the Data Protection Ombudsman
P.O. Box 800, FI-00531 Helsinki
Phone: +358 29 56 66700
www.tietosuoja.fi
13. Contact and changes
For privacy-related questions, please contact us by email at info@fronterak.fi. We respond to requests within one month.
We may update this privacy policy as the service or legislation evolves. We notify users of material changes via the service or by email. The update date is shown at the end of the policy.
Last updated: 12 May 2026