This Privacy Policy applies to the Luju service, including the website luju.fi, the BILD website, the BILD mobile application, and related digital services (collectively, the "Service"). BILD is a service of Luju Oy. The data controller is Luju Oy (3612034-6), Helsinki, Finland ("Luju", "we", "us").

We take your privacy seriously. This policy explains what data we collect, why we collect it, and how we protect it.

Data controller contact: legal@luju.fi

1. Data We Collect

Data you provide

• Name and email address
• User account profile information
• Property and home information (structure, systems, condition)
• Maintenance notes, reminders, and home history
• Documents, attachments, and receipts
• Support and contact messages

Data collected automatically

• IP address
• Device information and operating system
• App version and usage logs
• Technical error logs

Public registry sources

• Building and property data (Finnish Digital and Population Data Services Agency, National Land Survey of Finland)
• Energy certificate data and other open government registries

Luju does not directly process payment card details.

2. Purposes and Legal Basis for Processing

We process personal data for the following purposes:

• Providing the Service and managing user accounts (GDPR Art. 6(1)(b) – performance of contract)
• Generating home maintenance reminders, cost estimates, and home data (GDPR Art. 6(1)(b))
• Improving the Service, ensuring security, and preventing misuse (GDPR Art. 6(1)(f) – legitimate interests)
• Compliance with legal obligations (GDPR Art. 6(1)(c))
• Newsletter and marketing communications, with your consent (GDPR Art. 6(1)(a))

3. Sharing of Data

We do not sell personal data. Data may be processed by the following sub-processors:

• AWS EU – database and file storage
• AWS Amplify – application hosting and authentication
• Apple / Google – mobile app distribution

We may share data with authorities where required by law.

4. International Data Transfers

Any transfers of personal data outside the EU/EEA are based on EU Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework. Supabase processes data within AWS EU regions.

5. Retention Periods

• Account data: for the duration of the account + 30 days after a deletion request
• Home-related data: for the duration of the account
• Technical logs: up to 12 months
• Customer service messages: up to 24 months
• Accounting records: 6 years (Finnish Accounting Act)

6. Your Rights

Under GDPR, you have the following rights:

• Right to access your personal data
• Right to rectify inaccurate data
• Right to request erasure of your data
• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent at any time

You can delete your account directly within the app or by sending a request to legal@luju.fi.

7. Data Security

We protect your data with the following technical and organisational measures:

• TLS/SSL encryption for all data in transit
• Access controls and role-based permission management
• Secure cloud environment (AWS EU)
• Regular security reviews

8. Cookies

The BILD website does not currently use cookies or tracking technologies. Your language preference is stored locally in your own browser and never leaves your device. If the Service introduces cookies, we will update this policy and ask for your consent where required.

9. Minors

Our Service is not directed at persons under the age of 16. We do not knowingly collect data from children under 16.

10. Supervisory Authority

If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi

11. Changes to This Policy

We may update this Privacy Policy as the Service evolves. We will notify you of material changes by email or via an in-app notification. The current version is always available at luju.fi/legal/tietosuojaseloste.