1. Introduction

This Privacy Policy explains how Aihio Labs Oy ("we", "us", "our") collects, uses, and protects your personal data when you use the Countries for Sale platform. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and applicable US privacy laws including the California Consumer Privacy Act (CCPA).

2. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on:

• Contract Performance: To provide our services and fulfill purchases
• Legitimate Interests: For fraud prevention, security, and service improvement
• Consent: For marketing communications and optional features
• Legal Obligations: For tax, accounting, and regulatory compliance

3. Information We Collect

Account Information:

• Username, email address, and password (encrypted)
• Account creation date and login history
• Profile information you choose to provide

Transaction Data:

• Purchase history and virtual territory ownership
• Payment information (processed securely via Stripe - we do not store card details)
• Custom descriptions and uploaded images

Technical Data:

• IP address (anonymized in analytics)
• Browser type and device information
• Usage patterns and feature interactions

4. How We Use Your Information

• Create and manage your user account
• Process virtual territory purchases and customizations
• Provide customer support and respond to inquiries
• Prevent fraud and ensure platform security
• Improve our services through anonymized analytics
• Send service-related communications
• Comply with legal obligations

5. Data Sharing and Third Parties

Service Providers:

• Stripe: Payment processing (Stripe's privacy policy applies)
• Matomo: Self-hosted analytics (no third-party data sharing)
• Cloud hosting: Secure data storage within EU

We Do NOT:

• Sell your personal data to third parties
• Share data with advertisers
• Use third-party tracking (Google Analytics, Facebook Pixel, etc.)

Legal Disclosure:

We may disclose data when required by law, court order, or to protect our legal rights.

6. Cookies and Analytics

We use cookies for:

• Essential Cookies: Required for login, shopping cart, and basic functionality
• Analytics (Matomo): Self-hosted, privacy-focused analytics with anonymized IP addresses

You can manage cookie preferences through your browser settings. See our Cookie Policy for details.

7. Your Rights

EU Users (GDPR Rights):

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate information
• Erasure ("Right to be Forgotten"): Delete your account and data
• Data Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to certain types of processing
• Withdraw Consent: Withdraw consent at any time

US Users (CCPA Rights for California Residents):

• Right to Know: What personal information we collect and how it's used
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of sale of personal information (we don't sell data)
• Non-Discrimination: Equal service regardless of privacy choices

To exercise your rights, contact us at [email protected] or use the "Delete Account" feature in your account settings.

8. Data Retention

• Account Data: Retained while your account is active, deleted within 30 days of account closure
• Transaction Records: 6 years for legal and tax compliance (Finnish accounting law)
• Analytics Data: Anonymized, retained up to 12 months
• Marketing Consents: Until you withdraw consent

9. Data Security

We protect your data with:

• Encryption in transit (TLS/SSL) and at rest
• Secure password hashing (bcrypt)
• Access controls and authentication
• Regular security assessments
• Data hosted within EU jurisdiction

10. International Data Transfers

Your data is primarily processed within the EU/EEA. If data is transferred outside the EU (e.g., to Stripe in the US), we ensure adequate protection through:

• EU-US Data Privacy Framework
• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission

11. Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or platform notification. Continued use of our service after changes constitutes acceptance of the updated policy.

13. Complaints

If you have concerns about our data practices, you can:

• Contact us at [email protected]
• Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi)
• EU users may contact their local supervisory authority

14. Contact Us