Puutelista Privacy and Data Protection
This document describes how Puutelista handles personal data, complies with privacy regulations, and provides users control over their information.
Regulatory Framework
GDPR Compliance
Puutelista operates under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (1050/2018). The Finnish Data Protection Ombudsman (tietosuojavaltuutettu) serves as the supervisory authority.
Key compliance measures:
- Lawful Basis: Personal data is processed based on user consent (account creation) and legitimate interest (service functionality)
- Data Minimization: Only data necessary for the service is collected
- Purpose Limitation: Data is used solely for providing the shopping list service
- Storage Limitation: Data is retained only while the account is active
- Accuracy: Users can update their information at any time
- Integrity and Confidentiality: Data is encrypted at rest and in transit
Data Collection and Storage
Personal Data Collected
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Authentication, notifications | Consent | Until deleted |
| Full name | Display in household | Consent | Until deleted |
| Push tokens | Push notifications | Consent | Until logout |
User-Generated Content
We store households, lists, items, photos, and messages you create to provide the service. This content is kept until you delete it or your account.
Data Subject Rights
Puutelista provides tools for users to exercise their GDPR rights directly in the app:
- Right of Access: Settings > Privacy & Data > Export My Data
- Right to Erasure: Settings > Privacy & Data > Delete Account
- Right to Rectification: Update your profile in Settings
Data Deletion
When you request account deletion, your account enters a 30-day grace period during which you can cancel the deletion and restore your account. After this period, all your personal data (profile, photos, messages) is permanently and irreversibly removed. Households where you are the sole admin are also deleted.
Security
We use TLS encryption for data in transit and AES-256 encryption for data at rest. We do not store passwords (we use passwordless email login and OAuth).
Contact
Email:
Data Protection Authority: tietosuoja.fi
Last updated: