Privacy Policy
Introduction
Codebowl Oy (Business ID 2928570-8) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our Next.js web application ("the Service"). The Service is a login-only application (accessible to everyone) that allows you to input and track general data of your choosing (e.g. daily ratings of your day, personal tags, trackable entries over time). The purpose of the Service is to help you visualize and analyze your own inputs over time. We process all personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable laws. Users under 18 are not allowed to use the Service, and we do not knowingly collect data from children under 18. By using the Service, you confirm that you are at least 18 years old.
Data Controller and Contact
The data controller responsible for your personal data is Codebowl Oy (Y-tunnus: 2928570-8), a company based in Finland. If you have any questions about this Privacy Policy or wish to exercise your data rights (explained below), please contact us at privacy@floreza.app. We will be happy to assist with any privacy-related inquiries.
Personal Data We Collect
We only collect personal data that is necessary to operate the Service and provide you with a secure, personalized experience. This includes:
- Account and Authentication Data: You can authenticate with the Service using either third-party providers (Google, Microsoft Entra ID, or Facebook) or direct email authentication. When you log in via third-party providers, we receive certain information from these providers to create and authenticate your account. This typically includes your name, email address, and an identifier from the provider. We do not receive or store your third-party account password (authentication is handled by the respective provider). When you choose email authentication, you provide your email address directly to us, which we use for account creation and login verification. Additional authentication providers may be added in the future. If account access is granted via a manual order, we may also collect basic contact details from you (such as your name and email) to set up your user account. This account data is used to identify you in the Service and to manage your login sessions.
- User-Provided Content: The Service allows you to input data that you define — for example, daily scores rating how good or bad your day was, personal tags or categories, and other trackable data entries you choose to log. All such input is entirely determined by you. We do not require you to provide any specific type of information, and the app is not specifically intended to collect any particular category of personal data. Importantly, any data you log is private to your account: it is stored securely and cannot be accessed by other users or the public without your authorization. You control what you input, and you can edit or delete your entries at any time.
- Session and Technical Data: To maintain your logged-in session and ensure the Service functions properly, we collect certain technical data automatically. This includes assigning you a session identifier and storing it as a cookie on your device (see Cookies below). We may log basic technical information such as your IP address, browser type, and timestamps of logins or requests, solely for security, debugging, and audit purposes. This technical data is kept to a minimum and is not used to track your activities beyond your use of the Service. We do not use any analytics or tracking services, so we do not collect behavioral data about how you navigate the app for marketing or advertising purposes.
How We Use Your Data
We use the collected personal data only for the following purposes:
- Providing and Personalizing the Service: We process your Account and Authentication Data to log you in and verify your identity, allowing you secure access to the app. We use your User-Provided Content to display back to you your logged entries, compute visualizations or summaries (if the app offers charts or analysis of your data), and otherwise perform the core functionality you expect. In short, your data is used to deliver the features of the Service you choose to use – for example, to chart your daily scores over time or filter your entries by tags as per your requests. This processing is necessary to perform our contract with you in providing the Service (GDPR Article 6(1)(b)).
- Maintaining Security and Functionality: We use Session and Technical Data (such as session cookies, IP addresses, and login timestamps) to protect your account and our Service. This includes preventing unauthorized access, remembering your login status, and detecting fraudulent or malicious activity. For example, the session cookie keeps you logged in as you navigate the app's pages, and our systems may use IP information or logs to detect multiple failed login attempts for security monitoring. We rely on our legitimate interests (GDPR Article 6(1)(f)) in ensuring the security and proper functioning of the Service for this processing, as it is necessary to protect both your data and our infrastructure.
- Customer Support and Communication: If you contact us with a support question or feedback, we will use your contact information and relevant account or usage data to respond. For instance, if you email us about a problem, we may review your account details or relevant app entries (with your permission) to help troubleshoot. We may also use your email to send essential service-related notices, such as updates to this Privacy Policy or important security or performance updates. We will not send any marketing or promotional emails without your explicit consent.
- Legal Compliance: In certain cases, we may need to process or disclose your data to comply with a legal obligation. For example, if we are required by law enforcement or regulatory authorities to retain or provide certain data, or to comply with tax and accounting requirements (if applicable, e.g. records of any purchase transactions), we will do so as required by law (GDPR Article 6(1)(c)). We may also process data as needed to establish, exercise, or defend legal claims.
We want to emphasize that we do not use your personal data for any form of advertising, profiling, or selling of data. All processing of your data is strictly limited to what is necessary for the Service that you have signed up for and expect from us.
Legal Bases for Processing
Under the GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal grounds, corresponding to the uses outlined above:
- Performance of a Contract (Art. 6(1)(b) GDPR): We process most of your data on this basis, because it is necessary for us to provide the Service you requested. This includes handling your login authentication and displaying or analyzing the data you choose to input. Without this data, we cannot fulfill the core functionality of the app that we contractually promise to deliver to you.
- Legitimate Interests (Art. 6(1)(f) GDPR): We process certain technical and minimal personal data for our legitimate interests in maintaining a secure, reliable Service. For example, ensuring account security, preventing fraud, and improving the user experience (in terms of stability and performance) are interests we balance against your privacy rights. In these cases, we strictly limit the data used and implement safeguards so that your privacy is not overridden (for instance, security logs are protected and only used when necessary).
- Legal Obligation (Art. 6(1)(c) GDPR): If we are required by applicable law to retain or disclose certain information, we will do so to comply with those obligations. For example, Finnish accounting laws might require us to keep records of any payments (if the Service is paid) for a certain period, or we might have to comply with lawful requests from authorities. In such cases, that legal requirement is our basis for processing the data strictly for those purposes.
- (Note: We do not generally rely on "Consent" as a legal basis for processing your data in the core Service, since the processing is either inherent to the service contract or under legitimate interest as described. If we ever seek to process your data for a new purpose that requires consent, we will request it explicitly and you have the right to withdraw consent at any time.)
Cookies and Local Storage
Cookies are small text files stored on your device to keep track of certain information. When you use our app, we set a session cookie (and related cookies as needed), all of which are strictly necessary for the Service to function. For example, after you log in, a secure session cookie keeps you authenticated as you move between pages, so you don't have to log in again on every click. These cookies are considered "strictly necessary cookies" because they enable core functionality (access to the secure, login-only areas of the Service). According to EU privacy rules, such cookies do not require prior consent, though we must still inform you about them (see gdpr.eu). We do not use any non-essential cookies that track you for analytics or advertising. This means we do not display a cookie consent banner, since we are not using any cookies beyond what is essential for providing the service (in line with the ePrivacy Directive's consent exemption for necessary cookies; see gdpr.eu). We still want you to know what cookies we use and why:
- Session Cookie: A token stored in your browser that identifies your logged-in session. It contains a random identifier (not your personal info) and is used by our server to verify your login status. This cookie is temporary (it may be a session cookie that clears when you log out or close the browser, or it may have an expiration requiring periodic logins for security). Without this cookie, the app cannot know who you are between page loads, so it is absolutely required for the Service to work.
- CSRF/Protection Cookies (if applicable): The application may use additional security cookies or tokens (for example, to prevent cross-site request forgery or to remember certain preferences like language or UI settings). Any such cookies are also strictly for functionality and security. We do not use them to track your behavior.
You can control cookies through your browser settings (for instance, you can delete or block cookies). However, please be aware that if you block necessary cookies like our session cookie, the Service will not function properly (you won't be able to log in or maintain a session).
Local Storage: In addition to cookies, the app may use your browser's local storage for storing data on your device. Local storage is used for purposes such as caching some of your data or saving user interface preferences to improve your experience (for example, storing a setting for how you view data, or temporarily saving input until it's submitted). Like cookies, any data stored in local storage is only used to support the functionality you request; for example, caching your input data locally so the app can quickly show it to you without always pulling from the server. We do not use local storage to store any information that is not strictly necessary for your use of the Service. Data in local storage stays on your device and is not automatically transmitted to us (unless needed for the app's function when you sync it). You are free to clear your browser's local storage at any time, though doing so might reset some settings or cached data in the app.
In summary, we only use essential cookies and local storage, and no personal data is collected through cookies beyond what's needed for login and core functionality. Because we have no advertising or analytics cookies, no separate cookie consent is required under law for our Service's usage of cookies. We still maintain transparency by explaining our use of these technologies here.
Data Sharing and Transfers
We treat your personal data as confidential and do not share it with third parties except in the limited circumstances described below, which are all tied to operating the Service or complying with the law. We never sell your data or disclose it for independent commercial purposes. The cases in which we might share data are:
- Service Providers (Processors): We use a few trusted third-party services to help us run the Service. These providers process data only under our instruction and only for the purposes of providing the Service to you. They do not get to use your data for their own purposes. The key service providers we use are:
- Authentication Providers: Currently, we allow login through Google, Microsoft Entra ID, Facebook, or direct email authentication. When you choose third-party authentication, you will be redirected to the respective provider to authenticate. In that process, the provider will confirm your identity and share back with us your basic profile information (like name and email). We do not send your personal data to these providers beyond the authentication request itself, but they will know that your account is using their login service. When you choose email authentication, you authenticate directly with our service without involving third-party providers. Additional authentication providers may be added in the future. Each third-party provider acts as an independent data controller for the authentication process, which means their respective privacy policies apply to the data they collect during login. We recommend you review the privacy policies of Google, Microsoft, and Facebook if you have concerns. Once we receive your info from any provider or through direct email authentication, we handle it under our Privacy Policy (as described in Personal Data We Collect above).
- Hosting and Infrastructure (Vercel): We host our application with Vercel, Inc., which provides the cloud platform and Edge Network on which the Service runs. Our Vercel Functions are specifically deployed in the Frankfurt, Germany region (fra1) to ensure European data residency. All of your data (account info, user-provided content, etc.) is stored on secure servers operated by Vercel on our behalf. Vercel acts as a data processor for us, meaning they only process data under our instructions to keep the Service running (they do not access your content except as needed for infrastructure purposes). We have a Data Processing Agreement in place with Vercel to ensure GDPR compliance. For European users, your data is stored and processed within the European Union, specifically in Frankfurt, Germany. Vercel participates in the EU-U.S. Data Privacy Framework and is certified to it, which the EU deems as providing adequate protection for personal data transfers. In addition, Vercel employs standard contractual clauses and industry-standard security measures to safeguard data transfers. In summary, our hosting provider ensures that your data is protected and GDPR-compliant with European data residency.
- Database and Storage (Neon): Your data is stored in a Neon database, a serverless PostgreSQL database service. Our Neon database is specifically located in Frankfurt, Germany, ensuring European data residency for all user data. Neon acts as a data processor under our instructions and is GDPR-compliant with ISO 27701 certification for privacy information management systems. The database is accessible only by our application with proper authentication and encryption. Neon implements comprehensive security measures including encryption at rest and in transit, strict access controls, and regular security audits. All data transfers and processing comply with GDPR requirements, with data remaining within the European Union.
- Email Service (Resend): For email authentication, we use Resend, an email service provider hosted in Ireland (eu-west-1) to ensure European data residency. Resend acts as a data processor under our instructions and is used solely to send login links to your provided email address. We do not use email for marketing or promotional purposes. Resend implements appropriate security measures and GDPR compliance for email processing within the European Union.
- Legal Requirements and Protection: We may disclose your personal data to third parties if we determine that such disclosure is reasonably necessary to (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or investigate potential violations thereof; or (c) protect the rights, property, or safety of Codebowl Oy, our users, or the public as required or permitted by law. For example, if law enforcement provides a lawful subpoena or court order for certain data, we may be obligated to comply. We will ensure any request is valid and only the minimum necessary data is disclosed.
- Business Transfers: If in the future Codebowl Oy is involved in a merger, acquisition, investment, or sale of all or a portion of its assets, your personal data may be transferred to the involved parties as part of that transaction. We would only do this under appropriate confidentiality and security arrangements, and we would notify you (for example, by email or a notice on the Service) of any such change in ownership or control of your personal information, giving you an opportunity to exercise your rights (e.g. to delete your data) if applicable.
Aside from the instances above, no third parties have any access to your personal data. We do not share, rent, or sell user data to data brokers or advertisers. Within Codebowl Oy, access to personal data is restricted to the personnel who need to process it (in this case, Codebowl is a small company, and only authorized staff/developers have access, bound by confidentiality). Your data remains your own, and we use it solely to provide the service back to you.
Data Storage and Security
Storage Locations: We use Vercel's infrastructure and Neon database services, both specifically configured for the Frankfurt, Germany region to ensure European data residency. All user data is stored within the European Union, specifically in Frankfurt, Germany. This includes both application data processed by Vercel Functions and database information stored in Neon. We do not transfer personal data outside the European Economic Area (EEA) for processing or storage, ensuring full compliance with GDPR data residency requirements. Both Vercel and Neon maintain comprehensive security measures and GDPR compliance certifications to protect your data.
Security Measures: We take data security very seriously. Codebowl Oy implements appropriate technical and organizational measures to safeguard your personal data against loss, theft, misuse, and unauthorized access. Some of the security measures in place include: encryption, access control, and network security practices. In particular, our hosting provider Vercel encrypts data at rest and in transit. Your data is encrypted when stored on disk using strong encryption standards (AES-256) and transmitted over the internet via secure TLS connections (see vercel.com). This means that whether your data is in the database or moving between our server and your browser, it's protected from eavesdropping. Additionally, we restrict access to production databases and servers to authorized personnel only, and we monitor for any suspicious activity. We also regularly update our software dependencies and apply security patches to address potential vulnerabilities promptly. While no system can guarantee 100% security, we strive to follow best practices and industry standards (such as OWASP guidelines and cloud security benchmarks) to minimize risks. In the unlikely event of a data breach that affects your personal data, we will follow all applicable breach notification laws, including informing you and authorities as required.
Data Retention: We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. In practice, this means we keep your account information and user-provided data for as long as you maintain an account with us and use the Service. If you decide to cancel your account or if your access expires, we will either delete your personal data or anonymize it after a reasonable period, unless we are required to keep it longer for legal reasons. For example, if you request account deletion, we will remove or anonymize all your entries and personal identifiers in our production systems within a short timeframe (we will inform you of the completion of this process). Some data may persist in secure backups for a limited duration (our backups are kept for disaster recovery purposes for a fixed retention period, after which they are automatically deleted). We will not use your data in backups for any active purpose, and backups are encrypted and protected. If we must retain certain information to comply with legal obligations (such as financial records or logs), we will store that information securely and isolate it from active use. Once the retention period expires, we ensure the data is permanently deleted or anonymized.
Your Rights Under GDPR
As a user of our Service and a data subject under the GDPR (if you are in the EU/EEA or where similar laws apply), you have certain rights regarding your personal data. We are committed to honoring these rights. You may exercise these rights at any time by contacting us (see Data Controller and Contact above). These rights include:
- Right of Access: You have the right to obtain confirmation whether we are processing your personal data, and if so, request a copy of the data we hold about you, as well as information about how we use it. We will provide this in a commonly used electronic form. For example, you can ask for an export of all your logged data and account details that we have.
- Right to Rectification: If any of your personal data that we have is inaccurate or incomplete, you have the right to request that we correct or update it. Within the app, you may be able to correct some data yourself (e.g. edit your profile or entries). For any other corrections, contact us and we will fix any verified inaccuracies promptly.
- Right to Erasure: Also known as the "right to be forgotten," this allows you to request deletion of your personal data. You can request that we delete your account and remove all personal data associated with it through a dedicated action available within the application. This feature allows you to immediately and permanently clear all data associated with your account and logs you out automatically. Do note that this right is not absolute – for instance, we might need to retain certain data for legal obligations – but we will honor it to the fullest extent and will inform you if any data cannot be immediately deleted (and the timeframe when it will be deleted).
- Right to Restrict Processing: You have the right to ask us to restrict or pause the processing of your data in certain circumstances. For example, if you contest the accuracy of the data or object to our processing, you can request a restriction while the issue is being resolved. During restriction, we will store your data securely but not actively use it (aside from storing it) until the restriction is lifted.
- Right to Data Portability: You have the right to receive your personal data that you provided to us in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another service (or ask us to transfer it for you, where technically feasible). In practice, this means you can ask for an export of your data (for example, a CSV or JSON file of all your entries and associated data) to import into another application or just for your own records. As the data is user-provided, we will make sure you can get it out easily.
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests. In such cases, we will review your objection and unless we have a compelling legitimate ground to continue processing, or the processing is needed for legal claims, we will cease the processing in question. Given that we do not use your data for marketing, you will not receive marketing communications from us that would require an objection. If in future we consider sending any, we would seek consent; otherwise, any direct marketing would also carry the right to object or opt-out.
- Right Not to Be Subject to Automated Decisions: We do not make any decisions about you that have legal or significant effects based solely on automated means (no profiling or automated decision-making occurs in our Service). If that ever changes, you would have the right to human review of any such decision.
- Right to Withdraw Consent: As noted, we generally do not process data based on consent (except perhaps cookie consent which is not applicable here since only essential cookies are used). However, if you have given consent for any specific processing, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing done before the withdrawal. If, for example, you had separately consented to receive a newsletter, you could unsubscribe at any time.
We will respond to requests regarding these rights as soon as possible, and in any case within the timeframe required by law (generally within one month, extendable if the request is complex – we will inform you if an extension is needed). Exercising your rights is free of charge. If you make a request electronically, we will attempt to provide the information in a commonly used electronic form as well.
Additionally, if you believe our processing of your personal data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory data protection authority. For example, in Finland you can contact the Office of the Data Protection Ombudsman. If you are in another EU country, you may contact your local Data Protection Authority. We would, however, appreciate the chance to address your concerns directly first, so we encourage you to reach out to us with any issue so we can try to resolve it.
Children's Privacy
As stated in the introduction, our Service is not intended for children under the age of 18. We do not knowingly solicit or collect personal information from anyone under 18 years old. If you are under 18, you are not permitted to use this Service or provide any personal data to us. If we learn that we have inadvertently collected personal data from a child under 18 (for instance, if a child misrepresents their age to gain access), we will take prompt action to delete that information from our records. If you are a parent or guardian and discover that your child under 18 has an account or has provided personal data to us, please contact us immediately. We will work with you to remove the data and terminate the child's account. We abide by the age limitations set by GDPR and relevant local laws for data processing consent, and since we do not obtain verifiable parental consent, we choose to simply disallow any use by minors under 18 to ensure compliance and protect children's privacy.
Changes to This Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify you by appropriate means – for example, by emailing you at the address associated with your account or by displaying a prominent notice within the Service. The "last updated" date at the bottom of this Policy will always indicate when the latest changes were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any modifications to the Policy will signify your acknowledgment of the updated terms. If changes require your consent (for example, if we were to introduce new processing that requires consent), we will obtain that consent as needed.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. The quickest way to reach us is by emailing privacy@floreza.app. You can also reach out to us through any contact form or details provided on our official website. We will address your inquiry as soon as possible and do our best to resolve any issues to your satisfaction.
Thank you for trusting Codebowl Oy with your data. We are dedicated to maintaining that trust by keeping your data secure and private.
Last updated: July 20, 2025