Privacy Policy

Last updated: May 2026

1. Data controller

This service is operated by Silta NTF Oy (Helsinki, Finland). For privacy questions, data access requests, or complaints, contact support@newtofin.fi.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

2. What data we collect

Account data: your email address and (optionally) a name, plus a bcrypt-hashed version of your password (12 rounds). We never store your password in plain text.

Profile data: your answers to the onboarding questions (why you moved to Finland, your city, whether you're an EU/EEA citizen, job status, study level and university if a student, preferred language, and an optional arrival date).

Sensitive PII (if you choose to store it): Finnish personal identity code (henkilötunnus), passport or ID document number, bank account (IBAN) for payroll purposes. These fields are encrypted at the column level with AES-256-GCM before being stored. The encryption key is held in our infrastructure secret store.

Authentication metadata: if you enable two-factor authentication (TOTP), we store an encrypted MFA secret and bcrypt-hashed backup codes. We record a login event per successful sign-in (timestamp, truncated IP, country derived from IP, a hashed fingerprint of the browser) so we can alert you when a sign-in looks unusual.

App activity: your checklist progress and notes, saved guides, community questions and answers you post, language preference.

Audit log (organisation admins): a record of significant administrative actions on organisation accounts (invitations, worker list exports, contract drafts, plan changes, MFA changes). Includes actor, IP, user-agent, timestamp.

Hotel partner data (only if you register your hotel for the free QR poster at a dedicated URL): hotel name, contact name, work email, city, optional postal address, and an anonymous scan counter. No guest data from the QR scans is collected.

Technical data: IP address for rate limiting and abuse prevention, timestamps of account actions, and anonymised usage metrics (see section 6).

3. Legal basis for processing (GDPR Art. 6)

  • Performance of a contract: account, profile, checklist data, email verification and password reset.
  • Legitimate interest: security (rate limiting, abuse prevention), aggregated usage analytics to improve the service.
  • Consent: optional Google Analytics when enabled (see section 6).

4. How we use your data

  • To provide and personalise the service (checklist, procedures, dashboard shortcuts).
  • To authenticate you and keep your account secure.
  • To send transactional emails you request or need: verification, password reset.
  • To translate user-interface content into the language you select.

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not profile you for advertising.

5. Data storage and security

Your data is stored in a PostgreSQL database hosted by Neon Inc. in the European Union (Frankfurt, Germany). Application servers are on Vercel EU regions. Both providers are GDPR-compliant.

Encryption: all traffic uses HTTPS with HSTS (TLS 1.2+). Databases and backups are encrypted at rest by the provider. Sensitive PII columns (henkilötunnus, passport, bank account) are additionally encrypted at the application layer with AES-256-GCM.

Access controls: bcrypt 12-round password hashing. Optional TOTP two-factor authentication. Account lockout after 10 consecutive failed password attempts. Rate limiting and CSRF protection on all authentication and mutating endpoints. Security headers (HSTS, CSP, X-Frame-Options, Cross-Origin-*) on every response.

See our security page for the full list of controls and sub-processors.

6. Cookies, local storage, and analytics

Essential: a session cookie for authentication (required for the service to function).

Local storage: your language preference and offline-cache identifiers. Does not contain personal data.

Aggregated usage analytics:

  • Vercel Analytics: aggregate, anonymised page-view counts. No cookies, no personal identifiers.
  • Vercel Speed Insights: aggregate performance metrics (page load time, layout shift). No cookies, no personal identifiers.
  • Google Analytics 4: only active when configured (when NEXT_PUBLIC_GA_MEASUREMENT_ID is set). Where active, it uses cookies to measure aggregate app usage. IP addresses are anonymised by Google before storage.

A service worker (sw.js) caches static assets for offline access. It does not transmit data.

7. Third-party processors

  • Vercel Inc. (EU region, company US-based): application hosting, Vercel Analytics, Speed Insights. GDPR Article 28 DPA in place, EU Standard Contractual Clauses.
  • Neon Inc. (EU region, Frankfurt, Germany): PostgreSQL database. EU-based processing, SOC 2.
  • Resend (EU region, company US-based): transactional email delivery (verification, password reset, suspicious-login alerts, hotel onboarding). Your email address and the email content are sent when we send you a message.
  • Anthropic PBC (US, with EU data-residency option): AI coach and employment-contract drafting features. We send only the data a given feature needs (e.g., job title, salary), never personal identifier numbers. EU SCCs in place.
  • DeepL SE (Germany): translation of UI and content. Only the text being translated is sent; DeepL deletes it after processing.
  • Google LLC (United States): Google Translate API for languages DeepL does not support, and (optionally, with your consent) Google Analytics 4. EU SCCs in place.
  • Brave Software (United States): Brave Search API for the in-app Finland-scoped web search, when used. Only the search query is sent, no personal data.
  • Upstash Inc. (EU region, Frankfurt): Redis-backed rate limiting. Stores only IP-keyed counters, not personal data.

All processors operate under appropriate data-processing agreements and (for US-based processors) the EU Standard Contractual Clauses.

8. Your rights (GDPR)

Under the EU General Data Protection Regulation you have the right to:

  • Access your personal data.
  • Correct inaccurate data via your profile settings.
  • Delete your account and all associated data (Profile → Delete account).
  • Export your data in JSON (Profile → Export data).
  • Object to processing or request restriction.
  • Withdraw consent for optional processing at any time.
  • Lodge a complaint with the Finnish Data Protection Ombudsman.

9. Data retention

Account and profile data are retained for as long as your account is active. When you delete your account (Profile → Delete account), all personal data and user-generated content (checklist progress, notes, community posts) are permanently removed from the database immediately.

Automated database backups (point-in-time recovery) are retained by our database provider for up to 7 days before being permanently purged.

Server-side access logs (containing IP addresses) are retained for up to 30 days for security and abuse-prevention purposes.

Login events (timestamp, country, UA-hash) are retained for up to 90 days for suspicious-login detection, then deleted.

Audit-log entries for organisation-admin actions are retained for as long as the organisation account exists, to satisfy compliance obligations, and are deleted when the organisation account is closed.

10. Children

This service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at support@newtofin.fi and we will delete it.

11. Changes to this policy

We may update this policy as the service evolves. Significant changes will be communicated in-app or via email. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For privacy-related questions or requests, email: support@newtofin.fi