Privacy Policy

1. Data controller

The data controller for personal data processed in connection with the Service is Connexa Oy, business ID 3631365-8, PL 999, 42011 YRITYSLOKERO, Finland. The controller can be contacted at support@k50plus.fi.

2. Purposes of processing

Personal data is processed for the following purposes: providing and operating the Service, managing User accounts, facilitating contact between Service Providers and Customers, communicating with Users about the Service, preventing fraud and abuse, complying with legal obligations (including accounting and consumer-protection requirements), and analysing and improving the Service.

3. Legal basis for processing

Processing is based on the following lawful grounds under Article 6(1) of the GDPR:

• Article 6(1)(b) — performance of a contract: providing the Service to Users and managing accounts.
• Article 6(1)(c) — legal obligation: retaining accounting records under the Finnish Bookkeeping Act and complying with applicable law-enforcement requests.
• Article 6(1)(f) — legitimate interests: securing the Service, preventing fraud and abuse, and analysing usage to improve the Service.
• Article 6(1)(a) — consent: where required (for example, certain non-essential cookies); consent may be withdrawn at any time without affecting the lawfulness of prior processing.

4. Categories of personal data processed

K50Plus processes the following categories of personal data:

• Identification and contact data: name, email address, phone number, profile photo, languages spoken.
• Account data: hashed password, account creation date, login history, role.
• Listing and transactional data: Listings published, inquiries sent and received, ratings and reviews given and received.
• Communications data: messages exchanged between Users via the Service.
• Technical data: IP address, browser type and version, device identifiers, timestamps, and similar metadata generated when accessing the Service.
• Usage and analytics data: pages viewed, searches performed, features used.

5. Sources of data

Personal data is obtained primarily from the User directly, at registration and through subsequent use of the Service. Technical and usage data is generated automatically when the User accesses the Service.

6. Disclosure to other Users

Information published as part of a Listing or User profile (such as name, profile photo, languages, listings, and the city or area in which services are offered) is visible to other Users and to non-registered visitors of the Service. When a Customer initiates an inquiry to a Service Provider, the inquiry message and the contact details exchanged through the inquiry are visible to the relevant counterparty.

7. Processors and sub-processors

K50Plus uses the following processors to operate the Service. Each is bound by a data-processing agreement compliant with Article 28 of the GDPR:

• Vercel Inc. — application hosting, edge network, serverless functions (United States, with processing in the European Union).
• Neon Inc. — managed Postgres database (European Union region).
• Resend, Inc. — transactional email delivery (United States, with European Union sub-processors).
• Functional Software, Inc. d/b/a Sentry — application error monitoring and observability (United States).
• Vercel AI Gateway — routing of natural-language search queries to Claude Haiku 4.5 (Anthropic PBC, United States); only the query text is shared with the model, not other personal data.

8. International transfers

Where processors are located outside the European Economic Area, transfers are protected by the European Commission's Standard Contractual Clauses pursuant to Article 46(2)(c) of the GDPR, supplemented by appropriate technical and organisational measures. A copy of the safeguards in place is available upon request to the data controller.

9. Retention periods

Account data is retained for the duration of the User's account. Following account deletion, personal data is deleted within thirty (30) days, except for: data subject to a statutory retention obligation (in particular, accounting records under the Finnish Bookkeeping Act, retained for six years from the end of the financial year); data necessary to defend or pursue legal claims (retained until the relevant limitation period expires); and anonymised aggregate data, which may be retained indefinitely. Technical logs are retained for up to twelve (12) months.

10. Data subject rights

Subject to the conditions set out in the GDPR, the User has the following rights, which may be exercised by contacting the data controller:

• Right of access (Article 15) — obtain confirmation of and a copy of personal data processed.
• Right to rectification (Article 16) — correct inaccurate or incomplete personal data.
• Right to erasure (Article 17) — request deletion of personal data in defined circumstances.
• Right to restriction of processing (Article 18) — request limitation of processing in defined circumstances.
• Right to data portability (Article 20) — receive personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21) — object to processing based on legitimate interests, including for direct marketing.
• Right to withdraw consent — where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint with a supervisory authority (Article 77) — in Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi).

11. Security of processing

K50Plus implements technical and organisational measures appropriate to the risk of processing, including transport-layer encryption (TLS) for all traffic, encryption at rest for the database, bcrypt password hashing with a per-account salt, scoped access controls for personnel, and prompt patching of known vulnerabilities. No method of transmission or storage is entirely secure; Users are responsible for keeping their own credentials confidential.

12. Cookies and similar technologies

The Service uses cookies and equivalent technologies that are strictly necessary for its operation, such as session and authentication cookies. K50Plus does not currently use third-party advertising or cross-site tracking cookies. Where any non-essential cookies are introduced in the future, they will only be set with the User's prior consent in accordance with the Finnish Information Society Code (917/2014).

13. Changes to this Privacy Policy and contact

K50Plus may amend this Privacy Policy from time to time. Material changes will be notified to registered Users by email and announced on the Service at least thirty (30) days before they take effect. For questions about this Privacy Policy or to exercise your rights, contact Connexa Oy, PL 999, 42011 YRITYSLOKERO, Finland, email support@k50plus.fi. Complaints may also be addressed to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, Finland — tietosuoja.fi.