Privacy Policy
Bruukki - Learning Material Creator Platform
Effective Date: February 1, 2026
Last Updated: May 29, 2026
1. Data Controller
Bruukki Oy
Myllykatu 4 A 10, 70110 Kuopio, Finland
Business ID: 3595475-2
Email: privacy@bruukki.com
2. Contact for Privacy Matters
Data Protection Officer: Eero Manninen
Email: eero.manninen@bruukki.com
3. Purpose and Legal Basis for Processing
3.1 Purposes of Processing
| Purpose | Description |
|---|---|
| Service provision | User account creation and management, material creation and storage |
| Customer support | Handling support requests and resolving issues |
| Service improvement | Usage analytics and service enhancement |
| Communication | Product updates, tips, guides and offers (with consent) |
| Billing | Managing paid subscriptions |
| Acquisition attribution | Recording the marketing channel that brought each user to the service |
| Security and abuse prevention | Protecting signup and sign-in from automated abuse (bot protection) and maintaining audit logs |
3.2 Legal Bases (GDPR Art. 6)
- Contract (Art. 6.1.b): Providing the service to the user
- Legitimate interest (Art. 6.1.f): Service development, security, analytics, acquisition-channel attribution, bot and abuse prevention on authentication
- Consent (Art. 6.1.a): Marketing communications, cookies
- Legal obligation (Art. 6.1.c): Accounting, taxation
4. Personal Data We Process
4.1 User Data
| Category | Data |
|---|---|
| Identification data | Name, email address |
| Account data | Username, authentication method (Google OAuth / Microsoft Entra OIDC / Email OTP) |
| Organization data | Workspace (school/institution), role |
| Acquisition attribution | UTM parameters from the signup URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term) |
| Payment data | Billing address, payment method reference (no card numbers) |
Note: We do not store passwords. Authentication is handled through Google OAuth, Microsoft Entra (Sign in with Microsoft), or Email OTP (one-time passwords sent to your email).
4.2 Usage Data
| Category | Data |
|---|---|
| Technical data | IP address, browser type, operating system |
| Access logs | Login times, actions in the service |
| Analytics data | Page views, feature usage |
4.3 Content Data
| Category | Data |
|---|---|
| Materials | Learning materials created by users |
| AI conversations | AI chat history |
Note: We do not collect personal data of students. The service is intended for educators.
5. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| User account and content | Duration of account. Deleted after account deletion in accordance with our Data Processing Agreement. |
| Acquisition attribution | Duration of account (erased with the account) |
| Access logs | 12 months |
| Analytics data | 24 months (anonymized) |
| Email delivery diagnostics | 90 days (email address + SES message ID + delivery outcome for transactional emails we send; automatically deleted by a daily retention job) |
| Accounting records | 6 years (legal requirement) |
6. Data Recipients
6.1 Subprocessors
| Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, data storage, email (SES) | EU (Ireland) | DPF + SCCs ¹ |
| Aiven | Database hosting (PostgreSQL) | EU (Finland) | -- ² |
| Anthropic | AI service (Claude) | USA | SCCs |
| OpenAI | AI service (embeddings, text-to-speech) | USA | SCCs |
| Mistral AI | AI service (alternative) | EU (France) | -- ² |
| Cartesia | Text-to-speech service | USA | SCCs |
| Google Cloud | Authentication (Google OAuth) | EU/USA | DPF + SCCs ¹ |
| Microsoft Entra ID | Authentication (Sign in with Microsoft) — OIDC ID-token claims only | EU/USA | DPF + SCCs ¹ |
| Stripe | Payment processing | EU/USA | DPF + SCCs ¹ |
| Attio | Customer relationship management (marketing-site contact submissions and user-account signup metadata) | UK | Adequacy + SCCs ³ |
| LangFuse | AI service monitoring | EU (Ireland) | -- ² |
| Plausible Analytics | Website analytics (marketing site only, anonymous aggregate data, no cookies) | EU (Estonia) | -- ² |
¹ EU-U.S. Data Privacy Framework certified. Standard Contractual Clauses (SCCs) applied as supplementary safeguard in case the DPF adequacy decision is invalidated (Schrems III preparedness).
² EU/EEA-based company with EU data processing; no international transfer required.
³ UK adequacy decision (EU Commission, June 2021). SCCs applied as supplementary safeguard in case the adequacy decision is not renewed.
Payment processing (Stripe). When you subscribe to Bruukki Pro, Stripe, Inc. processes your payment on our behalf as a subprocessor. Stripe receives your email, billing address, payment method (tokenised — card numbers stay with Stripe and never reach Bruukki), and identifiers that link the subscription to your Bruukki account. Stripe does not receive any of your learning material content, authentication credentials, or usage data. The legal basis is contract (necessary to process your subscription payment). The transfer is covered by the EU-U.S. Data Privacy Framework (Stripe, Inc. is DPF-certified) with Standard Contractual Clauses as a supplementary safeguard. Subscription-state metadata held in Bruukki's database is deleted when you delete your account; invoice-level records are retained for 6 years to meet the Finnish Accounting Act (Kirjanpitolaki 1336/1997). For Stripe's own privacy practices see the Stripe Privacy Center.
6.2 Other Recipients
- Authorities to fulfill legal obligations
- Auditors for accounting requirements
7. International Data Transfers
Some of our subprocessors operate outside the EU/EEA. We ensure adequate data protection through:
- EU-U.S. Data Privacy Framework (DPF): For DPF-certified U.S. providers, combined with SCCs as a supplementary safeguard
- EU Standard Contractual Clauses (SCCs): For all non-EU/EEA transfers, using the 2021 version adopted by the European Commission
- UK adequacy decision: For UK-based providers, combined with SCCs as a supplementary safeguard
- Supplementary technical and organizational measures (encryption, access controls, data minimization)
- Transfer Impact Assessments for each third-country transfer
8. Your Rights
You have the following rights under GDPR:
| Right | Description |
|---|---|
| Right of access | Right to know what personal data we process about you |
| Right to rectification | Right to request correction of inaccurate data |
| Right to erasure | Right to request deletion of your data ("right to be forgotten"). Account deletion erases all personal data on the user record, including acquisition-attribution fields. |
| Right to restriction | Right to request restriction of processing |
| Right to data portability | Right to receive your data in machine-readable format |
| Right to object | Right to object to processing based on legitimate interest |
| Right to withdraw consent | Right to withdraw consent at any time |
Exercising Your Rights
You can exercise your rights by:
- Using the service settings (profile editing)
- Sending a request to privacy@bruukki.com (account deletion, data export, and other requests)
We will respond to your request within 30 days.
9. Data Security
We protect your personal data through the following measures:
- Encryption: Data encrypted in transit and at rest (TLS 1.3, AES-256)
- Access control: Role-based access control
- Logging: All access and changes are logged
- Backups: Automatic daily backups
- Regular audits: Security audits and vulnerability testing
- Bot protection: Signup and sign-in pages are protected against automated abuse using a self-hosted proof-of-work CAPTCHA (Altcha). No data is shared with any third party for this purpose.
10. Cookies
We use cookies to ensure service functionality and improve user experience. See our Cookie Policy for details.
11. Changes to This Privacy Policy
We may update this privacy policy. Significant changes will be communicated:
- Via email to registered users
- Through notifications in the service
12. Supervisory Authority
If you believe your personal data is being processed unlawfully, you can file a complaint with the supervisory authority:
Finnish Data Protection Ombudsman
Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Email: tietosuoja@om.fi
Phone: +358 29 566 6700
Website: https://tietosuoja.fi/en
For users in other EU/EEA countries, you may also contact your local data protection authority.
For UK users, see Section 13 below.
For users in the United States, see Section 14 below.
13. Additional Information for UK Users
If you are located in the United Kingdom, the following provisions apply to you in addition to the rest of this privacy policy:
Applicable Law
Your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. References to "GDPR" in this privacy policy include the UK GDPR where applicable to UK users.
International Transfers
Where your personal data is transferred outside the UK, we rely on:
- UK adequacy decisions: For transfers to countries deemed adequate by the UK Secretary of State (including EU/EEA countries)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs: For transfers to countries without a UK adequacy decision, including the United States
- Supplementary technical and organizational measures as described in Section 7
Your Supervisory Authority
If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Phone: +44 (0)303 123 1113
Website: https://ico.org.uk
Complaints: https://ico.org.uk/make-a-complaint/
14. Additional Information for Users in the United States
If you are located in the United States, the following provisions apply to you in addition to the rest of this privacy policy. References to "personal information" in this section have the meaning given to them by applicable U.S. state privacy law (e.g., the California Consumer Privacy Act).
14.1 Children's Privacy (COPPA)
Bruukki is intended for use by educators (teachers and other school staff). We do not knowingly collect personal information from children under the age of 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@bruukki.com.
14.2 Student Data (FERPA)
Bruukki is a teacher-preparation tool. We do not collect, process, or store student personal information, student rosters, grades, or any data identifying individual students. We are not a "school official" under the Family Educational Rights and Privacy Act (FERPA) and we do not enter into FERPA-implicating arrangements with U.S. schools or school districts.
If a U.S. teacher uses Bruukki, the data we process is the teacher's own account data and the materials the teacher creates. Teachers should not enter student-identifying information (such as student names, IDs, or grades) into Bruukki content or AI prompts.
14.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
| Right | Description |
|---|---|
| Right to know | The categories and specific pieces of personal information we have collected about you |
| Right to delete | The deletion of your personal information |
| Right to correct | The correction of inaccurate personal information |
| Right to opt out of sale or sharing | We do not sell your personal information, and we do not share it for cross-context behavioral advertising |
| Right to limit use of sensitive personal information | We do not use sensitive personal information for purposes other than providing the service |
| Right to non-discrimination | We will not discriminate against you for exercising these rights |
The categories of personal information we collect about California residents are described in §4 above (Personal Data We Process). The purposes for which we collect them are described in §3 above. The categories of recipients are described in §6.
To exercise these rights, contact privacy@bruukki.com. We will respond within 45 days, with a possible 45-day extension if reasonably necessary.
We do not sell your personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law. Therefore, no "Do Not Sell or Share My Personal Information" link is required.
Bruukki does not currently process Global Privacy Control (GPC) signals. Because we do not sell or share personal information, no opt-out via GPC is required.
14.4 Other U.S. State Privacy Rights
Residents of states with comprehensive privacy laws — including (without limitation) Colorado, Connecticut, Delaware, Iowa, Indiana, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia — have rights analogous to those described in §14.3 above. To exercise any of these rights, contact privacy@bruukki.com.
14.5 Commercial Email (CAN-SPAM)
Our physical mailing address is: Bruukki Oy, Myllykatu 4 A 10, 70110 Kuopio, Finland.
If you receive a commercial email from us, you may opt out of further commercial emails by replying to the email or by contacting privacy@bruukki.com. We will honor opt-out requests within 10 business days as required by the CAN-SPAM Act.
14.6 Governing Law and Disputes
Per our Terms of Service, Finnish law governs your use of the service, and disputes are resolved in Finnish courts. Notwithstanding the foregoing, U.S. residents retain rights under their state's consumer-protection and privacy laws that cannot be waived by contract.
14.7 Contact
For questions or to exercise any of the rights described in this section, contact privacy@bruukki.com.
15. Contact Us
For questions about this privacy policy or our data practices:
Email: privacy@bruukki.com
This privacy policy has been prepared in accordance with the requirements of the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).