Information We Collect
Account Information
Email address, name, and basic account preferences.
Receipt Metadata
Only vendor name, amount, date, and expense category extracted by AI on your device.
Receipt Images
Original receipt images stored securely for tax compliance and AI model improvement.
Usage Analytics
Anonymous technical data about app performance and feature usage.
Support Communications
Messages you send to our support team for assistance.
Local & Cloud AI Processing
Palautus AI leverages both local and cloud-based AI processes to ensure accurate, secure, and compliant tax deduction management:
- Local Receipt Parsing: Receipt images are initially processed on your device, extracting essential metadata (vendor, date, amount, and expense category). This minimizes data exposure by sending only relevant information to our servers.
- Secure Cloud Validation: Extracted metadata is securely transmitted to our backend, where specialized AI validates expenses against specific tax regulations, optimizing your deductions.
- Receipt Image Storage: Original receipt images are securely stored for 7 years in compliance with Finnish tax authority requirements. These stored images are used internally to improve and train the local AI parsing models, enhancing future accuracy directly on your device.
- EU Data Residency: All metadata and receipt images are securely stored within Finland, strictly adhering to EU and Finnish data protection laws.
How We Use Your Data
Tax Optimization Services
- Analyze receipt metadata to identify tax deduction opportunities
- Generate tax-compliant reports for Finnish and European tax systems
- Provide personalized tax optimization recommendations
- Calculate potential tax savings based on your expenses
Service Improvement
- Improve AI accuracy using stored receipt images and anonymized, aggregated metadata
- Enhance app performance and user experience
- Develop new features based on user feedback
- Ensure platform security and fraud prevention
Legal Basis (GDPR)
- Contract Performance: Providing tax optimization services
- Legitimate Interest: Service improvement, security, and regulatory compliance
- Receipt Image Storage: Legitimate interest (regulatory compliance and service improvement)
- Consent: Marketing communications (with explicit permission)
Your Rights Under GDPR
You have comprehensive rights over your personal data:
Access Your Data
Request a complete copy of all personal data we hold about you.
Correct Information
Update any inaccurate or incomplete personal data.
Delete Your Data
Request deletion of your personal data (subject to legal requirements).
Restrict Processing
Limit how we process your data while keeping your account active.
Data Portability
Download your data in a portable format to transfer elsewhere.
Object to Processing
Object to data processing for marketing or legitimate interest purposes.
Data Security & Storage
Technical Security
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Finnish Servers: Data hosted exclusively in Finland with SOC 2 compliance
- Access Controls: Strict role-based permissions with multi-factor authentication
- Regular Audits: Quarterly security assessments and penetration testing
- Data Breach Response: In the unlikely event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR
Data Retention
- Account Data: While account is active, plus 3 years after deletion
- Receipt Metadata: 7 years (Finnish tax record-keeping requirements)
- Receipt Images: 7 years (Finnish tax record-keeping requirements and AI model improvement)
- Usage Analytics: 2 years (anonymized data)
- Support Messages: 3 years for quality assurance
Data Sharing
We Never:
- Sell your personal data to third parties
- Share data with advertisers or marketing companies
- Use your data for purposes beyond our tax optimization service
Limited Sharing with GDPR-Compliant Partners:
- Cloud Infrastructure: Secure hosting and data storage in Finland
- Authentication Services: EU-based secure login and account management
- Analytics Providers: Anonymous usage statistics for service improvement
- Legal Requirements: When required by Finnish or EU law
All third-party processors are bound by Data Processing Agreements (DPAs) ensuring the same level of protection as this policy.
International Data Transfers
Your data is primarily processed within Finland and the EU. When transfers outside the EU are necessary, we ensure protection through:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Explicit consent for specific transfers when required
Children's Privacy
Palautus AI is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.
If you are a parent and believe your child has provided us with personal data, please contact us immediately at privacy@hgb.fi.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
When we make significant changes, we will:
- Notify you through the mobile app
- Send an email notification to your registered address
- Provide 30 days' advance notice for material changes
- Update the "Last Updated" date at the top of this policy