Privacy Policy

Last updated: November 27, 2025

Welcome to Finlern, a comprehensive educational and integration services platform based in Finland. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (finlern.vercel.app) or use our services including Finnish language courses, English courses, violin lessons, cultural integration programs, relocation assistance, and professional networking events. We are committed to protecting your privacy and ensuring full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Finnish Data Protection Act (1050/2018), the Finnish Act on the Protection of Privacy in Electronic Communications (917/2014), and all applicable Finnish and EU privacy laws.

Please read this privacy policy carefully. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this policy. If you do not agree with these terms, please discontinue use of our services immediately.

Data Controller Information

The data controller for your personal data is:

Finlern

Registered Office: Tietotie 1, Häme University of Applied Sciences

Valkeakoski 37600

Pirkanmaa, Finland

Email: info@finlern.fi

Website: https://finlern.vercel.app/

Finlern is registered with the Finnish Data Protection Authority (Tietosuojavaltuutetun toimisto) and maintains full compliance with GDPR, the Finnish Data Protection Act (1050/2018), and all applicable Finnish and EU data protection regulations. We implement industry-standard security measures and conduct regular compliance audits to safeguard your personal information.

Information We Collect

Personal Information

  • Full name, contact information, and demographic details
  • Email address and phone number
  • Payment information (processed securely through third-party payment processors)
  • Communication preferences and language settings
  • Educational background, qualifications, and learning history
  • Language proficiency levels and learning goals
  • Course enrollment, attendance records, and progress tracking data
  • Assessment results, certificates, and educational achievements
  • Relocation assistance data (residency status, integration needs, employment goals)
  • Professional networking information and career objectives
  • Event participation records and community engagement data
  • Identity verification documents (when required by Finnish regulations)

Technical & Usage Data

  • IP address and device identifiers
  • Browser type, version, and language settings
  • Operating system and device type
  • Pages visited, navigation paths, and referral sources
  • Time spent on website and interaction timestamps
  • Learning progress, completion rates, and assessment results
  • Interaction with learning materials and course content
  • Communication logs with teachers and support staff
  • Cookies and similar tracking technologies (see our Cookie Policy)
  • Session data and authentication logs
  • Error reports and technical diagnostics

Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6 and the Finnish Data Protection Act:

  • Contract performance (Article 6(1)(b)) - To provide educational services, language courses, violin lessons, relocation assistance, professional networking events, and all contracted services
  • Legal obligation (Article 6(1)(c)) - To comply with Finnish educational regulations, tax laws (accounting records retention), labor laws, and regulatory reporting requirements
  • Legitimate interests (Article 6(1)(f)) - For service improvement, platform security, fraud prevention, business analytics, quality assurance, and customer support optimization
  • Consent (Article 6(1)(a)) - For marketing communications, promotional emails, optional analytics, social media integration, and non-essential features (you may withdraw consent at any time)
  • Vital interests (Article 6(1)(d)) - In emergency situations affecting health or safety of data subjects

How We Use Your Information

Primary Uses

  • Deliver and maintain our comprehensive educational services (Finnish courses, English courses, violin lessons)
  • Provide cultural integration support and relocation assistance services
  • Organize and manage professional networking events and conversation clubs
  • Process payments securely and maintain financial records per Finnish accounting laws
  • Send essential updates about enrolled courses, scheduled events, and service changes
  • Respond to inquiries, support requests, and provide customer assistance
  • Track, report, and communicate your learning progress and achievement milestones
  • Issue certificates, diplomas, and official educational documentation
  • Facilitate teacher-student communication and learning support
  • Manage account access, authentication, and platform security

Secondary Uses

  • Continuously improve our website, learning platform, and user experience
  • Analyze usage patterns, engagement metrics, and service effectiveness
  • Prevent fraud, unauthorized access, and cyberattacks, and ensure robust platform security
  • Comply with Finnish educational, tax, accounting, and regulatory requirements
  • Generate anonymized statistics and aggregated reports for internal analysis
  • Conduct pedagogical research on learning effectiveness and student outcomes
  • Develop new courses, services, and integration programs tailored to user needs
  • Send marketing communications (with consent) about new courses and events
  • Evaluate teacher performance and maintain educational quality standards
  • Facilitate community building and professional networking opportunities

Information Sharing

We do not sell, rent, or trade your personal information to third parties under any circumstances. We may share your information only in the following limited situations:

  • Service Providers & Processors: Trusted third-party vendors who assist in operations (hosting, email delivery, analytics, customer support) under strict data processing agreements compliant with GDPR Article 28
  • Payment Processors: Secure, PCI-DSS compliant payment service providers for transaction processing (we do not store full payment card details)
  • Cloud Infrastructure: Google Firebase and Vercel for hosting, database management, and authentication services (with Standard Contractual Clauses for data transfers)
  • Legal Authorities: Finnish law enforcement, courts, regulatory bodies, or tax authorities when legally required by court order, subpoena, or applicable Finnish/EU law
  • Educational Partners: Accredited educational institutions or certification bodies (with your explicit consent) for credential verification or program partnerships
  • Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred (you will be notified and can exercise your rights under GDPR)
  • Emergency Situations: When necessary to protect vital interests, safety, or prevent illegal activities

All third-party data processors are contractually obligated to implement appropriate technical and organizational security measures and to process data only as instructed by Finlern.

Data Security

We implement comprehensive, military-grade security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption: TLS/SSL encryption for data in transit, AES-256 encryption for sensitive data at rest
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege
  • Security Audits: Regular penetration testing, vulnerability assessments, and code security reviews
  • Secure Infrastructure: Firewalls, intrusion detection systems (IDS), DDoS protection, and rate limiting
  • Data Integrity: Input validation, sanitization, CSRF protection, and SQL injection prevention
  • Authentication Security: Secure JWT token management, session expiration, and timing-attack resistant comparisons
  • Bot Protection: Multi-layer honeypot system, CAPTCHA, and behavioral analysis for form submissions
  • Monitoring: Real-time security monitoring, audit logging, and incident response procedures
  • Staff Training: Regular security awareness training for all employees and contractors
  • Backup & Recovery: Encrypted backups, disaster recovery plans, and business continuity procedures

In the event of a data breach affecting your personal information, we will notify you and the Finnish Data Protection Authority within 72 hours as required by GDPR Article 33.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right to access (Article 15) - Request a copy of all personal data we hold about you, including processing purposes and data recipients
  • Right to rectification (Article 16) - Request correction of inaccurate or incomplete personal data
  • Right to erasure/"Right to be forgotten" (Article 17) - Request deletion of your data when no longer necessary, consent withdrawn, or unlawfully processed (subject to legal retention obligations)
  • Right to restrict processing (Article 18) - Request temporary limitation on how we use your data while verifying accuracy or addressing objections
  • Right to data portability (Article 20) - Receive your data in a structured, commonly used, machine-readable format (CSV, JSON) and transfer it to another service provider
  • Right to object (Article 21) - Object to processing based on legitimate interests or for direct marketing purposes (we will cease processing unless compelling legitimate grounds exist)
  • Right to withdraw consent (Article 7(3)) - Revoke consent at any time for consent-based processing (does not affect lawfulness of prior processing)
  • Right not to be subject to automated decision-making (Article 22) - Request human review of decisions made solely by automated processing with legal or significant effects

To exercise any of these rights, please contact us at info@finlern.fi with "GDPR Data Subject Request" in the subject line. We will respond within one month as required by GDPR Article 12(3), or within two months for complex requests (we will inform you of any extension). We may require identity verification to process your request. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.

If you are not satisfied with our response or believe we have violated your data protection rights, you have the right to lodge a complaint with the Finnish Data Protection Authority (Tietosuojavaltuutetun toimisto) at tietosuoja.fi, or with the supervisory authority in your EU member state.

Data Retention

Account Information

Retained for the duration of your account activity plus 30 days. Upon account deletion request, we remove your email and profile data within 30 days, unless Finnish accounting laws (Kirjanpitolaki 1336/1997) or tax regulations require longer retention (up to 6 years for transaction-related data).

Educational Records

Course completion records, certificates, diplomas, assessment results, and official educational documentation are retained for 50 years as mandated by Finnish educational regulations and the Archives Act (Arkistolaki 831/1994). This ensures lifelong access to your credentials for employment, further education, or immigration purposes.

Financial Records

Payment transaction data, invoices, receipts, and financial records are retained for 6 years as required by the Finnish Accounting Act (Kirjanpitolaki 1336/1997) and Tax Administration regulations. Payment card details are never stored; only transaction references are kept.

Usage & Technical Data

Website analytics, log files, IP addresses, and usage patterns are retained for up to 12 months for security monitoring and service improvement, then anonymized, aggregated, or permanently deleted in accordance with GDPR data minimization principles and Finnish data protection guidelines.

Marketing & Communication Data

If you have consented to marketing communications, we retain your preferences until you withdraw consent or your account is inactive for 3 years. You may unsubscribe at any time via email footer links or by contacting info@finlern.fi.

International Data Transfers

Finlern primarily processes data within the European Economic Area (EEA). However, some service providers (Google Firebase for authentication/database, Vercel for hosting) may process data in the United States or other third countries. We ensure full compliance with GDPR Chapter V requirements for international data transfers through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Decision 2021/914) for all transfers to third countries, including the US
  • EU-US Data Privacy Framework: Partnering with providers certified under the EU-US Data Privacy Framework (DPF) where applicable
  • Additional Safeguards: Encryption, pseudonymization, access controls, and contractual obligations beyond SCCs as required by the CJEU Schrems II ruling
  • Transfer Impact Assessments (TIAs): Regular evaluation of third countries' legal frameworks and surveillance laws affecting data protection
  • Data Localization Preferences: Prioritizing EEA-based processing and storage where technically feasible
  • Vendor Due Diligence: Ongoing assessment of third-party processors' compliance with GDPR and Finnish data protection laws
  • Transparency: Maintaining updated records of cross-border data transfers as required by the Finnish Data Protection Act, Section 30

You have the right to obtain information about the safeguards we have in place for international transfers by contacting info@finlern.fi.

Children's Privacy

Finlern provides educational services to learners of all ages, including children and teenagers. We take children's privacy extremely seriously and comply with GDPR Article 8, the Finnish Data Protection Act, and the Finnish Act on the Protection of Privacy in Electronic Communications regarding children's data:

  • Age Verification: We process personal data of users under 16 years old only with verifiable parental or legal guardian consent
  • Parental Consent: Parents/guardians must provide explicit consent via signed enrollment forms or verified electronic consent mechanisms
  • Consent Validation: Teachers, administrators, and staff are trained to verify proper consent is obtained before processing minors' data
  • Enhanced Safeguards: We implement additional technical and organizational security measures for children's personal information
  • Transparent Communication: We provide age-appropriate, clear information about data processing to both children and parents/guardians
  • Limited Collection: We collect only the minimum necessary data for educational purposes and do not use children's data for marketing
  • Parental Rights: Parents/guardians can exercise all GDPR rights on behalf of their children, including access, rectification, and erasure requests
  • No Third-Party Sharing: Children's data is never shared with third parties for commercial purposes

If you believe we have inadvertently collected personal data from a child without proper consent, please contact us immediately at info@finlern.fi, and we will take prompt action to delete such information.

Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in our data processing practices, legal requirements, or service offerings. Any modifications will fully comply with GDPR, the Finnish Data Protection Act (1050/2018), and all applicable Finnish and EU privacy regulations.

Notification Process:

  • For material changes affecting your rights or how we process personal data, we will notify you via email at least 30 days before the changes take effect
  • We will display a prominent notice on our website homepage and within the platform
  • The "Last updated" date at the top of this policy will always reflect the most recent revision
  • Continued use of our services after the effective date constitutes acceptance of the updated policy
  • If you disagree with changes, you may terminate your account and request data deletion before the effective date

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your personal information. Previous versions of this policy are available upon request at info@finlern.fi.

Contact Information

Tietotie 1, Häme University of Applied Sciences
Valkeakoski 37600, Pirkanmaa, Finland

For data protection inquiries, you can also contact the Finnish Data Protection Authority:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)