Privacy Policy for kivikanta.fi

Last Updated: May 26, 2025

This Privacy Policy describes how kivikanta.fi ("we", "us", or "our") collects, uses, and shares information in connection with your use of our web application kivikanta.fi (the "Service").

We are committed to protecting your privacy. This Privacy Policy is intended to comply with the General Data Protection Regulation (GDPR) and relevant Finnish data protection laws (Tietosuojalaki).

1. Data Controller

The data controller for the personal data processed in connection with the Service is:

kivikanta.fi
Contact Email for data protection inquiries: support@kivikanta.fi

2. Personal Data We Collect

We collect the following types of personal data:

  • Account Information: When you create an account directly via email and password on kivikanta.fi, we collect your email address and username. If you use Google Sign-In, we also collect some data provided by Google (see below). This information is stored in our database, which is managed using Supabase.
  • Information via Google Sign-In: If you choose to register or log in using your Google account, we receive certain information from Google, subject to your Google account settings and the permissions you grant during the sign-in process. This includes your email address, full name, profile picture, and a unique Google identifier. We use this to create or link your kivikanta.fi account.
  • User-Generated Content: We collect data you voluntarily provide when using the Service, including:
    • Tags you add (e.g., "Trash," "Potential").
    • Comments you post.
    • Images you upload.
    This content is linked to your user account.
  • Data Processed by Third-Party Services (Supabase, Vercel & Google):

    Our Service uses Supabase (authentication, storage, database), Vercel (hosting), and Google (authentication). These services may automatically collect technical information when you access or interact with kivikanta.fi. This can include:

    • IP addresses: For security, logging, and preventing abuse.
    • Log data: Server logs may include information like your IP address, access times, browser type, and operating system. Vercel collects logs for a short period for operational purposes.
    • Device and browser information.
    • Interaction data (e.g., related to the Google Sign-In process).
  • Location Data (Client-Side GPS Feature):

    The Service includes a feature that can use your device's GPS to show your current location on a map. This feature is only activated upon your explicit action and your browser will ask for permission before accessing your location.

    Your precise location data is processed only within your browser to display your position on the map and is NOT sent to or stored on our servers.

3. How We Collect Personal Data

  • Directly from you: When you register for an account, provide your username and email, post comments, upload images, or tag rocks.
  • Via Third-Party Authentication: When you choose to sign in using Google, we receive data from Google.
  • Automatically: Some technical data (like IP addresses in server logs) is collected automatically by our hosting provider (Vercel) and authentication/database service provider (Supabase) when you interact with the Service. Information is also stored locally in your browser (see Section 9 on Cookies and Local Storage).

4. Purpose and Legal Basis for Processing Personal Data

We process your personal data for the following purposes and based on the following legal grounds (under GDPR Article 6):

  • To Provide and Maintain the Service:

    Processing your email, username/name, and Google ID is necessary to create and manage your account, allow you to log in (either directly or via Google), and identify you as the author of your contributions (tags, comments, images).

    Legal Basis: Performance of a contract (the terms of service implicitly agreed to when you sign up and use kivikanta.fi).

  • To Manage User-Generated Content:

    To display your tags, comments, and images on the platform and associate them with your user profile. This is essential for the functionality of the Service, which is to identify climbable rocks based on user input.

    Legal Basis: Performance of a contract.

  • To Prevent Abuse and Ensure Service Integrity:

    We require user registration (including via Google) to prevent spam, inappropriate content uploads, and other forms of abuse. Linking content to user accounts helps maintain accountability.

    Legal Basis: Legitimate interests (our interest in maintaining a safe and functional platform for our users).

  • To Provide Client-Side GPS Functionality:

    To display your current location on the map feature within the application, if you choose to use this feature and grant permission.

    Legal Basis: Your explicit consent (obtained by your browser when you activate the feature).

  • To Comply with Legal Obligations and Respond to Legal Requests:

    We may process your data if required by law or in response to valid legal requests from public authorities.

    Legal Basis: Legal obligation.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your personal data with the following third parties who act as our data processors:

  • Supabase (Database and Authentication):

    We use Supabase for our database, file storage, and as the backend for our authentication (including processing Google Sign-In credentials received from Google). Your account information and user-generated content are stored with Supabase.

    The primary data storage region for your kivikanta.fi data within Supabase is eu-north-1 (Stockholm, Sweden), which is within the European Union.

    Supabase (Supabase, Inc.) is a US-based company. While your primary data is stored in the EU, administrative access by Supabase personnel, processing of metadata, or use of other Supabase services might involve data transfers to the US or other countries where Supabase or its sub-processors operate. Such transfers are covered by safeguards like Standard Contractual Clauses (SCCs), which are part of Supabase's Data Processing Addendum (DPA), ensuring an adequate level of data protection.

    You can find more information about Supabase's privacy practices here: https://supabase.com/privacy and their DPA.

  • Vercel (Hosting):

    We use Vercel to host kivikanta.fi. Vercel may process technical data such as IP addresses and server logs as part of its hosting services.

    Vercel is a US-based company and operates a global Edge Network. This means that technical data and cached versions of the website may be processed in countries outside the EU/EEA. Such transfers are typically covered by safeguards like Standard Contractual Clauses (SCCs) under Vercel's Data Processing Addendum (DPA).

    You can find more information about Vercel's privacy practices here: https://vercel.com/legal/privacy-policy and their DPA.

  • Google (Authentication Provider):

    If you choose to use Google Sign-In (including One-Tap), you are directly interacting with Google's authentication services. We use Google's client libraries to facilitate this process. Google provides us with your profile information (email, name, picture, Google ID) to authenticate you and set up your profile on our Service. Google processes your data according to its own privacy policy during this interaction. Google is a US-based company, and its processing of your data is governed by its terms and privacy policies.

    Google Privacy Policy: https://policies.google.com/privacy

  • Public Authorities:

    We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order or a subpoena) in Finland or other relevant jurisdictions.

6. Data Retention

We retain your personal data for the following periods:

  • Account Information (Email, Username/Name, Google ID): As long as your account remains active on kivikanta.fi. If you request to delete your account, this data will be deleted from our active systems typically within 30 days, unless a longer retention period is required by law.
  • User-Generated Content (Tags, Comments, Images):

    If you delete your account, your tags, comments, and images will be anonymized. This means the content itself may remain on the platform (as it contributes to the collective knowledge about the rocks), but any direct link between the content and your deleted user account will be removed.

  • Server Logs (Processed by Vercel and Supabase): These logs, which may contain IP addresses and other technical data, are typically retained by Vercel and Supabase for a limited period (e.g., Vercel states logs are kept for a "short time," and providers often retain security/diagnostic logs for 30-90 days) for security, monitoring, and troubleshooting purposes, after which they are deleted or anonymized according to their policies.

7. User Rights under GDPR

As a user from the EU/EEA, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): You can request that we delete your personal data under certain conditions.
  • Right to Restriction of Processing: You can request that we restrict the processing of your personal data under certain conditions.
  • Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: You can object to the processing of your personal data if it is based on our legitimate interests, under certain conditions.
  • Right to Withdraw Consent: If processing is based on your consent, you can withdraw your consent at any time.
  • Right Not to Be Subject to Automated Decision-Making: The Service does not currently engage in such activities.

To exercise any of these rights, please contact us at support@kivikanta.fi. We may need to verify your identity before processing your request.

8. Data Security

We take the security of your data seriously. While we rely on the robust security measures provided by our third-party service providers, we are committed to ensuring appropriate protections are in place:

  • Supabase Security: Supabase implements security measures for its database and authentication services, including data encryption at rest and in transit, access controls, and other industry-standard practices. We configure our Supabase project with security in mind (e.g., utilizing HTTPS, secure authentication methods, and data storage in an EU region).
  • Vercel Security: Vercel provides a secure hosting environment with measures such as HTTPS by default and protection against common web threats.
  • Your Responsibility: You are responsible for keeping your account credentials (managed via Supabase authentication methods) secure.
  • Our Measures: We strive to implement appropriate technical configurations within the Supabase and Vercel platforms to protect data, such as using Row Level Security in Supabase where applicable to limit data access.

Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

9. Cookies and Local Storage

Our Service uses cookies and browser local storage to provide essential functionality.

What are Cookies and Local Storage?

  • Cookies are small text files stored on your device by your web browser.
  • Local Storage is a type of web storage that allows websites/applications to store data in a user's browser with no expiration date (unless explicitly cleared).

Items We Use:

  • NEXT_LOCALE (Cookie): This cookie is used by the Next.js framework (which our application utilizes) to store your language or locale preference for the Service. This helps provide a consistent user experience by remembering your chosen language settings across sessions.
  • sb-puwkkchklptmvmzvrlnf-auth-token (Local Storage Item): This item is set by Supabase and stored in your browser's local storage. It contains your authentication token, which is essential for keeping you logged in to your kivikanta.fi account and managing your session securely. The puwkkchklptmvmzvrlnf part is a unique reference to our Supabase project.
  • Google Sign-In/One-Tap Cookies/Storage: When you interact with Google Sign-In or One-Tap, Google's services may set their own cookies (e.g., G_AUTHUSER_H, G_ENABLED_IDPS) or use storage. These are controlled by Google to manage your Google authentication session and preferences. Their use is governed by Google's policies and is necessary for Google Sign-In to function.

Purpose and Necessity:

These items are strictly necessary for the core functionality of the Service, such as remembering your locale preference and enabling user authentication and session management. Without them, you would not be able to log in or use certain features of the Service effectively.

Consent for These Items:

Because these items are strictly necessary for providing the Service you have requested (e.g., logging in, viewing the site in your preferred language), we do not implement a separate consent banner for them. Their use is based on our legitimate interest in providing a functional and secure service and for the performance of our contract with you (providing the service).

Managing Cookies and Local Storage:

  • Most web browsers allow you to control cookies through their settings preferences (e.g., view, manage, delete). The NEXT_LOCALE cookie can be managed this way.
  • Local storage items like sb-puwkkchklptmvmzvrlnf-auth-token can typically be cleared through your browser's settings (often under "Clear browsing data," "Application Storage," or similar options).
  • However, if you block or delete these essential items, parts of our Service, particularly login functionality and language presentation, may not function correctly.

No Third-Party Tracking Cookies for Advertising: We do not currently use third-party cookies or similar technologies for advertising or non-essential analytics tracking.

10. Children's Privacy

kivikanta.fi is not directed at children under the age of 13 (or a higher age threshold as required by local law in Finland or other EU member states for consent to information society services). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to remove that information from our servers. If you believe that we might have any information from or about a child, please contact us at support@kivikanta.fi.

11. International Data Transfers

As mentioned in Section 5 (Data Sharing and Disclosure):

  • Our authentication and database service provider, Supabase, stores your primary kivikanta.fi data (account information, user-generated content) in the eu-north-1 (Stockholm, Sweden) region within the European Union. Supabase (Supabase, Inc.) is a US-based company. Therefore, while your primary data resides in the EU, data access by Supabase personnel for support or maintenance, processing of metadata, or use of other Supabase platform services might originate from the US or other countries where Supabase or its sub-processors operate. Such potential data transfers are protected by appropriate safeguards, primarily Standard Contractual Clauses (SCCs), as outlined in Supabase's Data Processing Addendum (DPA).
  • Our hosting provider, Vercel, is a US-based company and operates a global network. Technical data (like logs) and cached versions of the website processed by Vercel may be transferred to and stored in countries outside of your country of residence, including the United States. Vercel utilizes SCCs and other mechanisms to ensure lawful data transfers from the EU/EEA.
  • Google: Google is a global US-based company, so your interaction with Google Sign-In involves processing and potential transfer of data to the US and other countries, governed by Google's policies and transfer mechanisms.

By using the Service, you acknowledge these processing arrangements.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically for any changes.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes GDPR or Finnish data protection law. The lead supervisory authority in Finland is:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: https://tietosuoja.fi/en/home
Contact information is available on their website.

14. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: support@kivikanta.fi