
Privacy Policy

Last updated: 2026-05-13 Effective: 2026-05-13


Privacy Policy — Delivery Zone

Version: 1.0 Last updated: 2026-05-13 Effective date: 2026-05-13


1. Who Is Responsible for Your Data (Data Controller)

Gn-projects (Business ID: 2696016-5, Niittymäentie 13, 04350 Nahkela, Finland) ("Delivery Zone", "we", "us") is the data controller for personal data collected when you use the Delivery Zone service.

Contact for privacy matters: [email protected]


2. What Data We Collect

We collect the following categories of personal data:

2.1 Account Data

Email address, display name, bcrypt-hashed password (plaintext never stored), email verification status and timestamp, MFA status and enablement timestamp.

2.2 Organisation Data

Organisation name and your role within it (e.g., Owner, Member).

2.3 API Usage Logs

For each API request: the postcode queried, timestamp, HTTP response status, organisation ID, and API key prefix (not the secret). We do not log end-consumer names, full addresses, or payment data submitted by your end customers.

2.4 Billing Data

Subscription plan and status, Stripe customer ID. Payment card details are processed and stored exclusively by Stripe and are never stored on our servers.

2.5 Security and Audit Data

A one-way SHA-256 hash of the IP address at account registration (for fraud prevention and terms-acceptance audit). Timestamps for login events, token issuance and revocation events, email verification events, and MFA activation events. Raw IP addresses used for token operations (login, refresh) are stored in refresh token records for security audit purposes and are subject to the retention period in Section 5. This data is used for fraud prevention, abuse detection, and security audit purposes.

2.6 Communication Data

Content of emails or support messages you send to us.

2.7 Authentication Cookies

HttpOnly, Secure session cookies (dz_access, dz_refresh) used solely for authentication. See our Cookie Policy.


3. Why We Process Your Data — Legal Bases (GDPR Article 6)

| Processing Activity | Legal Basis | Details |
|---|---|---|
| Providing the service, managing your account and subscription | Contract performance (Art. 6(1)(b)) | Necessary to perform the service you signed up for |
| Billing and payment | Contract performance (Art. 6(1)(b)) | Required to operate the subscription |
| Security monitoring, fraud prevention, rate limiting | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in protecting the platform and our customers |
| Audit logging of API usage | Legitimate interests (Art. 6(1)(f)) | Billing accuracy, dispute resolution, and abuse prevention |
| Retaining billing records | Legal obligation (Art. 6(1)(c)) | Finnish Accounting Act (Kirjanpitolaki 1336/1997) requires 7-year retention |
| Sending transactional emails (verification, billing alerts) | Contract performance (Art. 6(1)(b)) | Necessary to deliver the service |
| Authentication cookies | Strictly necessary (ePrivacy Directive) | No consent required for authentication-only cookies |
| Optional product newsletters or announcements | Consent (Art. 6(1)(a)) | Only where you have opted in; withdrawable at any time |

We rely on legitimate interests only where our interests are not overridden by your fundamental rights. We have assessed this balance internally. You have the right to object (see Section 6).


4. Who We Share Data With

We do not sell your personal data. We share data only with the sub-processors necessary to operate the service:

  • Stripe, Inc. — payment processing and subscription management (EU data region available; SCCs in place for US transfers).
  • Our infrastructure/hosting provider(s) — cloud hosting within the EU (see Subprocessors list).
  • Scaleway SAS — transactional email delivery (Scaleway TEM); EU-based provider.
  • Cloudflare, Inc. — frontend hosting and CDN (Cloudflare Pages); global CDN with EU DPA.

We may disclose personal data to law enforcement agencies, regulatory authorities, or courts if required by Finnish or EU law, or in response to a valid legal order. We will notify you of such requests where legally permitted to do so.

We do not transfer your personal data to any country outside the EU/EEA except as described in Section 8 below.


5. Data Retention

| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | While your account is active; up to 90 days after account deletion | Service delivery and dispute resolution |
| API usage logs | Up to 12 months | Billing, security, and abuse investigation |
| Security / audit logs | Up to 12 months | Fraud prevention and security monitoring |
| Billing records (invoices, transaction history) | 7 years from transaction date | Finnish Accounting Act legal obligation |
| Email verification / MFA tokens | Until used or expired; then deleted within 7 days | Security hygiene |
| Communication data (support emails) | Up to 3 years | Dispute resolution |

You can request deletion of your account and personal data via the dashboard settings or by contacting [email protected]. We will process deletion requests within 30 days. Note that some data (such as billing records) must be retained to comply with legal obligations even after account deletion.


6. Your Rights Under GDPR (Chapter III)

As a data subject, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions (Art. 22): We do not make significant decisions about you through solely automated means.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (extendable to 90 days for complex requests with notice).

You also have the right to lodge a complaint with the Finnish supervisory authority:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
PO Box 800, FI-00521 Helsinki, Finland
https://tietosuoja.fi/en/home


7. Cookies and Session Tokens

We use HttpOnly, Secure cookies strictly for authentication session management. We do not use third-party tracking, advertising, analytics, or social media cookies. Because we use only strictly necessary cookies, EU cookie law (ePrivacy Directive) does not require a consent banner, but we explain our use transparently.

See our Cookie Policy for the full list of cookies used.


8. Data Transfers Outside the EU/EEA

We aim to store and process all personal data within the EU/EEA. Where a sub-processor operates globally or is based in a third country (such as Stripe, Inc. in the USA), we rely on one or more of the following transfer mechanisms to ensure adequate protection:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where the destination country has been deemed adequate by the EU.
  • Sub-processor EU-specific data region options where available.

See the Subprocessors list for details on each provider.


9. Customer Data Processed via the API (B2B — Controller / Processor)

If you are a business customer using the Delivery Zone API to check delivery availability for your end customers, you are the data controller for any personal data of your end customers (e.g., delivery addresses linked to identifiable persons) that passes through our API. Delivery Zone acts as a data processor in that context.

A Data Processing Agreement (DPA) is incorporated by reference into our Terms of Service. It is available to read at /legal/dpa. If you require a countersigned copy, contact [email protected].


10. Postcode Reference Data

Postcode and geographic reference data used by the service is licensed from a third-party Finnish postcode data provider. This reference data is used solely for delivery zone calculations within the Delivery Zone service and is not redistributed.

We are not the official Finnish postcode authority (Posti Group Oyj).


11. Security

We use reasonable technical and organisational measures to protect your personal data, including: encrypted connections (TLS 1.2+), bcrypt-hashed passwords, HMAC-SHA256-hashed API key secrets, HttpOnly/Secure authentication cookies, role-based access controls, and structured security logging. See our Security Policy for more information.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before changes take effect. The current version and effective date are always shown at the top of this document and at /legal/privacy.


13. Contact

Privacy enquiries and data subject requests: [email protected]
General legal matters: [email protected]
Full legal contact information

© 2026 Delivery Zone Oy · Helsinki, Finland