Privacy Policy

Last updated: 31.10.2025

1. Data Processor

Finchmind Solutions OÜ
Registry code: 14209689
E-mail: info@finchmind.ee

2. Scope

  1. This Privacy Policy describes what personal data Finchmind Solutions OÜ collects, what it is used for, how it is stored, and what rights data subjects have regarding the use of our web application ("Service").
  2. This Privacy Policy applies to all users of our Service. Use of the Service assumes that you have read and understood this Privacy Policy.

3. Personal Data Collected, Purpose of Processing, and Legal Basis

We process personal data to provide and manage our Service, ensure its security, and comply with legal obligations. The main legal bases for data processing are performance of a contract (provision of service to your organization) and legitimate interest (ensuring security, service development, customer support, and prevention of misuse).

Personal Data | Purpose | Retention Period
User Account Data: Username, name, e-mail address, encrypted password hash, related organization, roles/permissions. | Service provision, user authentication and authorization, communication with the user. | During the validity of the contract and up to 7 years after the termination of the contract (for accounting and legal claims).
Employee Data: Employee name, position, standard hours, department. | Enabling the creation and management of work schedules. | During the validity of the contract and up to 7 years after the termination of the contract (for accounting and legal claims).
Technical and Session Data: IP address, browser info, session cookies, CSRF tokens, CAPTCHA data. | Ensuring service functionality, ensuring security (incl. login protection), prevention of attacks. | Session data until the end of the session; logs up to 12 months.
Work Schedule Data: Entered info (incl. preferences, restrictions, vacations), change history (incl. name of the user who performed the action, role, and timestamp), schedules and their generation info. | Providing the core functionality of the Service, auditing, and dispute resolution. | During the validity of the contract and up to 7 years after the termination of the contract (for accounting and legal claims).
Application Usage Logs: System activity logs, error messages, user actions (e.g., logging in and out, changing data). | Monitoring technical performance of the Service, diagnosing errors, investigating security incidents, and providing customer support. | Up to 12 months. Critical logs may be retained longer if necessary for investigating security incidents or ensuring system reliability.

4. Data Retention and Location

  1. We retain personal data only as long as necessary to fulfill the purposes described above or as required by law. After the retention period expires, the data is securely deleted or anonymized.
  2. Data backups are kept in a secure environment for up to 90 days to ensure the capability to restore the Service in case of incidents.
  3. We use servers located in the European Economic Area (EEA) to host the application and data, ensuring data protection compliance with GDPR requirements.

5. Cookies

  1. We use only technically necessary cookies for the operation and security of the Service. We do not use cookies for marketing purposes.
    • Session cookies: These are necessary for managing the logged-in session and ensuring security (e.g., CSRF protection). They are automatically deleted when you close your browser.
    • Security cookies (e.g., 2FA): If you activate Two-Factor Authentication (2FA) and mark your device as "trusted," we store a persistent cookie (e.g., 2fa_device_token) to remember your device for subsequent logins. This cookie is strictly necessary to make the security feature more convenient and expires after 180 days.
    • CAPTCHA cookies: We use these to prevent spam and automated attacks.
  2. Since we use only cookies strictly necessary for the operation of the Service, we do not ask for separate consent for their use. You can disable cookies in your browser settings, but in that case, the Service may not function correctly.

6. Transfer of Data to Third Parties

We do not share, sell, or transfer your personal data to third parties, except in the following cases:

7. Data Security

  1. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
  2. Data exchange takes place via the encrypted HTTPS protocol.
  3. Passwords are stored in the database as encrypted hash codes.
  4. To increase security, we offer Two-Factor Authentication (2FA).
  5. All users are obliged to keep their password confidential and not share it with third parties.

8. Action in Case of a Data Breach

In the event of a data breach or security incident that poses a likely risk to the rights and freedoms of users, we will notify the Data Protection Inspectorate and the relevant data subjects as soon as possible in accordance with the procedure provided by law.

9. User Rights

Within the framework of this Service, Finchmind Solutions OÜ acts primarily as a Data Processor for your organization (our client). Your organization is the Data Controller for the data you enter (e.g., work schedules, employee data).

According to the GDPR, you have the following rights regarding your personal data:

  1. Right of access: You have the right to receive information on whether and which personal data is being processed.
  2. Right to rectification: You have the right to request the correction of inaccurate or incomplete personal data.
  3. Right to erasure ("right to be forgotten"): You have the right, under certain conditions, to request the deletion of your data, for example, if the data is no longer necessary for the purpose for which it was collected.
  4. Right to restriction of processing: You have the right, in certain cases, to request the restriction of the processing of your data.
  5. Right to object: You have the right to object to data processing if it is based on the processor's legitimate interest.
  6. Right to data portability: In certain cases, you have the right to receive personal data concerning you in a structured and machine-readable format. This right does not cover data created or derived by the processor.

If you wish to exercise your GDPR rights (e.g., deletion of data), please contact your organization first.

Requests concerning data processing addressed to Finchmind Solutions OÜ should be sent digitally signed to the e-mail address info@finchmind.ee. We will respond to your request within 30 days.

If you find that your rights have been violated, you have the right to file a complaint with the local Data Protection Inspectorate.

10. Changes to Privacy Policy

Finchmind Solutions OÜ has the right to unilaterally change this Privacy Policy at any time. The valid version is always available in our web application.