Privacy Policy
Bruukki - Learning Material Creator Platform
Effective Date: February 1, 2026
Last Updated: April 22, 2026
1. Data Controller
Bruukki Oy
Myllykatu 4 A 10, 70110 Kuopio, Finland
Business ID: 3595475-2
Email: privacy@bruukki.com
2. Contact for Privacy Matters
Data Protection Officer: Eero Manninen
Email: eero.manninen@bruukki.com
3. Purpose and Legal Basis for Processing
3.1 Purposes of Processing
| Purpose | Description |
|---|---|
| Service provision | User account creation and management, material creation and storage |
| Customer support | Handling support requests and resolving issues |
| Service improvement | Usage analytics and service enhancement |
| Communication | Service notifications and news (with consent) |
| Billing | Managing paid subscriptions |
| Acquisition attribution | Recording the marketing channel that brought each user to the service |
| Security and abuse prevention | Protecting signup and sign-in from automated abuse (bot protection) and maintaining audit logs |
3.2 Legal Bases (GDPR Art. 6)
- Contract (Art. 6.1.b): Providing the service to the user
- Legitimate interest (Art. 6.1.f): Service development, security, analytics, acquisition-channel attribution, bot and abuse prevention on authentication
- Consent (Art. 6.1.a): Marketing communications, cookies
- Legal obligation (Art. 6.1.c): Accounting, taxation
4. Personal Data We Process
4.1 User Data
| Category | Data |
|---|---|
| Identification data | Name, email address |
| Account data | Username, authentication method (Google OAuth / Email OTP) |
| Organization data | Workspace (school/institution), role |
| Acquisition attribution | UTM parameters from the signup URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term) |
| Payment data | Billing address, payment method reference (no card numbers) |
Note: We do not store passwords. Authentication is handled through Google OAuth or Email OTP (one-time passwords sent to your email).
4.2 Usage Data
| Category | Data |
|---|---|
| Technical data | IP address, browser type, operating system |
| Access logs | Login times, actions in the service |
| Analytics data | Page views, feature usage |
4.3 Content Data
| Category | Data |
|---|---|
| Materials | Learning materials created by users |
| AI conversations | AI chat history |
Note: We do not collect personal data of students. The service is intended for educators.
5. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| User account and content | Duration of account. Deleted after account deletion in accordance with our Data Processing Agreement. |
| Acquisition attribution | Duration of account (erased with the account) |
| Access logs | 12 months |
| Analytics data | 24 months (anonymized) |
| Accounting records | 6 years (legal requirement) |
6. Data Recipients
6.1 Subprocessors
| Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, data storage, email (SES) | EU (Ireland) | DPF + SCCs ¹ |
| Aiven | Database hosting (PostgreSQL) | EU (Finland) | -- ² |
| Anthropic | AI service (Claude) | USA | SCCs |
| OpenAI | AI service (embeddings, text-to-speech) | USA | SCCs |
| Mistral AI | AI service (alternative) | EU (France) | -- ² |
| Cartesia | Text-to-speech service | USA | SCCs |
| Google Cloud | Authentication (Google OAuth) | EU/USA | DPF + SCCs ¹ |
| Stripe | Payment processing | EU/USA | DPF + SCCs ¹ |
| Attio | Customer relationship management (marketing-site contact submissions and user-account signup metadata) | UK | Adequacy + SCCs ³ |
| LangFuse | AI service monitoring | EU (Ireland) | -- ² |
| Plausible Analytics | Website analytics (marketing site only, anonymous aggregate data, no cookies) | EU (Estonia) | -- ² |
¹ EU-U.S. Data Privacy Framework certified. Standard Contractual Clauses (SCCs) are applied as a supplementary safeguard in case the DPF adequacy decision is invalidated (Schrems III preparedness).
² EU/EEA-based company with EU data processing; no international transfer required.
³ UK adequacy decision (EU Commission, June 2021). SCCs are applied as a supplementary safeguard in case the adequacy decision is not renewed.
6.2 Other Recipients
- Authorities to fulfill legal obligations
- Auditors for accounting requirements
7. International Data Transfers
Some of our subprocessors operate outside the EU/EEA. We ensure adequate data protection through:
- EU-U.S. Data Privacy Framework (DPF): For DPF-certified U.S. providers, combined with SCCs as a supplementary safeguard
- EU Standard Contractual Clauses (SCCs): For all non-EU/EEA transfers, using the 2021 version adopted by the European Commission
- UK adequacy decision: For UK-based providers, combined with SCCs as a supplementary safeguard
- Supplementary technical and organizational measures (encryption, access controls, data minimization)
- Transfer Impact Assessments for each third-country transfer
8. Your Rights
You have the following rights under GDPR:
| Right | Description |
|---|---|
| Right of access | Right to know what personal data we process about you |
| Right to rectification | Right to request correction of inaccurate data |
| Right to erasure | Right to request deletion of your data ("right to be forgotten"). Account deletion erases all personal data on the user record, including acquisition-attribution fields. |
| Right to restriction | Right to request restriction of processing |
| Right to data portability | Right to receive your data in a machine-readable format |
| Right to object | Right to object to processing based on legitimate interest |
| Right to withdraw consent | Right to withdraw consent at any time |
Exercising Your Rights
You can exercise your rights by:
- Using the service settings (profile editing)
- Sending a request to privacy@bruukki.com (account deletion, data export, and other requests)
We will respond to your request within 30 days.
9. Data Security
We protect your personal data through the following measures:
- Encryption: Data encrypted in transit and at rest (TLS 1.3, AES-256)
- Access control: Role-based access control
- Logging: All access and changes are logged
- Backups: Automatic daily backups
- Regular audits: Security audits and vulnerability testing
- Bot protection: Signup and sign-in pages are protected against automated abuse using a self-hosted proof-of-work CAPTCHA (Altcha). No data is shared with any third party for this purpose.
10. Cookies
We use cookies to ensure service functionality and improve user experience. See our Cookie Policy for details.
11. Changes to This Privacy Policy
We may update this privacy policy. Significant changes will be communicated:
- Via email to registered users
- Through notifications in the service
12. Supervisory Authority
If you believe your personal data is being processed unlawfully, you can file a complaint with the supervisory authority:
Finnish Data Protection Ombudsman
Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Email: tietosuoja@om.fi
Phone: +358 29 566 6700
Website: https://tietosuoja.fi/en
Users in other EU/EEA countries may also contact their local data protection authority.
For UK users, see Section 13 below.
13. Additional Information for UK Users
If you are located in the United Kingdom, the following provisions apply to you in addition to the rest of this privacy policy:
Applicable Law
Your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. References to "GDPR" in this privacy policy include the UK GDPR where applicable to UK users.
International Transfers
Where your personal data is transferred outside the UK, we rely on:
- UK adequacy decisions: For transfers to countries deemed adequate by the UK Secretary of State (including EU/EEA countries)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs: For transfers to countries without a UK adequacy decision, including the United States
- Supplementary technical and organizational measures as described in Section 7
Your Supervisory Authority
If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Phone: +44 (0)303 123 1113
Website: https://ico.org.uk
Complaints: https://ico.org.uk/make-a-complaint/
14. Contact Us
For questions about this privacy policy or our data practices:
Email: privacy@bruukki.com
This privacy policy has been prepared in accordance with the requirements of the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).