Privacy Policy
Last updated: March 14, 2026
1. Data Controller
Pauhu Ltd (Y-tunnus: 0768171-8, "we", "us") is the data controller for personal data processed through pauhu.eu and the Pauhu Data Marketplace.
Contact: privacy@pauhu.eu
Data Protection Officer: dpo@pauhu.ai
2. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email, name, company | Service delivery |
| Payment | Billing address, VAT ID | Invoicing (via Stripe) |
| Usage | API calls, data feed access | Billing, service improvement |
| Technical | IP address, browser | Security |
Publicly available sources (GDPR Art. 14): Pauhu indexes and processes publicly available data from EU institutional APIs (EUR-Lex, TED, IATE, Eurostat, and other EU open data portals), publicly available web sources (Wikipedia, news RSS feeds, OpenStreetMap), and open-source code repositories (GitHub, npm, PyPI, crates.io). Where this data incidentally contains personal data (e.g. names in court judgments, biographical articles about public figures, journalist bylines in news feeds), it is processed under the legal basis of legitimate interest (GDPR Art. 6(1)(f)) and published in accordance with the source institution's open data policy. The Art. 14(5)(b) exemption applies as individual notice would involve disproportionate effort. News feed data is retained for 90 days. You may exercise your rights (including erasure) by contacting dpo@pauhu.ai.
3. Legal Basis (GDPR Art. 6)
- Contract: Processing necessary for service delivery
- Legal obligation: Tax and accounting requirements
- Legitimate interest: Security and fraud prevention
4. Data Retention
- Account data: Duration of account + 2 years
- Payment records: 7 years (Finnish accounting law)
- Usage logs: 90 days
5. Data Sharing
We share data only with the following processors and sub-processors:
5.1 Infrastructure (EU)
- Cloudflare, Inc. — CDN, Workers, D1, R2 storage. EU data centers. DPA in place. US-headquartered; EU processing under Cloudflare DPA with SCCs.
- Hetzner Online GmbH — LDS Connector hosting. Helsinki, Finland. EU jurisdiction.
5.2 Authentication (third-country transfers — Art. 13(1)(f))
When you choose to sign in with a third-party identity provider, authentication tokens are exchanged with that provider. We receive only your name, email, and profile photo — no passwords are transmitted to or stored by Pauhu.
- Google LLC — Google OAuth 2.0 (accounts.google.com). US. Transfer safeguard: EU Standard Contractual Clauses (Commission Decision 2021/914, Module 3).
- GitHub, Inc. (Microsoft subsidiary) — GitHub OAuth (github.com). US. Transfer safeguard: EU SCCs Module 3.
- Microsoft Corporation — Microsoft OAuth / MS Graph (login.microsoftonline.com, graph.microsoft.com). US. Transfer safeguard: Microsoft DPA with EU SCCs.
- Apple Inc. — Sign in with Apple (appleid.apple.com). US. Transfer safeguard: Apple DPA with EU SCCs Module 3.
You are never required to use a third-party identity provider. Email/password authentication processes data entirely within the EU.
5.3 Email (EU)
- Mailtrap SIA (MailerSend) — Transactional email delivery. Riga, Latvia. EU jurisdiction. No third-country transfer.
5.4 Payment (third-country transfer — Art. 13(1)(f))
- Stripe, Inc. — Payment processing. US. Transfer safeguard: Stripe DPA with EU SCCs (Commission Decision 2021/914, Module 2). Stripe never receives query text, search results, or document content — only billing events.
All processors are bound by data processing agreements (Art. 28 GDPR).
6. Data Location
Our primary infrastructure (databases, object storage, compute, models) is located exclusively within the European Union (Cloudflare EU data centers, Hetzner Helsinki). Your queries, documents, and search results are processed entirely within the EU and never leave EU jurisdiction.
The only exceptions are authentication tokens exchanged with third-party OAuth providers (Section 5.2) and payment data processed by Stripe (Section 5.4), where EU Standard Contractual Clauses apply. You can avoid all third-country transfers by using email/password authentication and the free tier.
7. Your Rights (GDPR)
- Access your personal data
- Rectify inaccurate data
- Erase data ("right to be forgotten")
- Port data to another service
- Object to processing
- Lodge a complaint with a supervisory authority
To exercise these rights, contact dpo@pauhu.ai.
8. Cookies & Tracking
This site uses no cookies, no analytics, and no tracking of any kind. We store only your theme and text size preferences in your browser's localStorage, which never leaves your device.
9. Regulatory Evaluation
Pauhu is currently under evaluation by the Finnish Transport and Communications Agency (Traficom) as part of the national AI solutions assessment programme under the Alt-EDIC (Alternative European Digital Infrastructure Consortium) initiative. This evaluation covers:
- Data sovereignty and EU jurisdiction compliance
- NIS2 Directive (EU) 2022/2555 conformance
- Browser-native AI inference and privacy implications
- Suitability for public sector deployment across Finnish government organisations
During this evaluation, Traficom personnel may access Pauhu’s staging environment for testing purposes. No personal data from Traficom evaluators is retained beyond the evaluation period. Contact: kyberturvallisuus@traficom.fi
10. Supervisory Authority
Finnish Data Protection Ombudsman
tietosuoja.fi
tietosuoja@om.fi
Pauhu Ltd
Helsinki, Finland
EU jurisdiction