Privacy Policy
Bonding Key® — bondingkey.com · Effective date: 8 April 2026
1. Data Controller
Soulbond Oy, VAT: FI33721656
Uudenkaupungintie 7 B 26, 00350 Helsinki, Finland
johanna@bondingkey.com
2. Contact Person for Data Protection
Johanna Valkonen — johanna@bondingkey.com
3. Name of the Register
Soulbond Oy Customer and Marketing Register for the Bonding Key® service.
4. Legal Basis and Purpose of Processing
We process personal data on the following legal bases under GDPR (EU 2016/679):
- Contract performance — to deliver the Bonding Key® Toolkit you have purchased and to manage your customer relationship
- Consent — for newsletter subscriptions and marketing communications (documented, voluntary, specific, informed and unambiguous)
- Legitimate interest — for maintaining and developing the service and customer relationship
Personal data is processed for: delivering the purchased product, managing access to the Bonding Key® Toolkit, sending transactional emails (magic link authentication, purchase confirmation, receipt), sending newsletters to subscribers who have given consent, and developing the service.
You have the right to withdraw consent and opt out of direct marketing at any time.
5. Data We Collect
- Email address (required for purchase and authentication)
- Purchase information (product, amount paid, currency, date)
- Authentication data (magic link sessions, session tokens)
- Newsletter subscription status and consent timestamp
- Analytics data (page views, traffic source — collected without cookies via Plausible Analytics)
We do not collect names, phone numbers, postal addresses, or payment card details. Payment card data is processed exclusively by Stripe and never stored by Soulbond Oy.
6. Sources of Data
Data is collected directly from you when you purchase the Bonding Key® Toolkit, sign in using a magic link, subscribe to the newsletter, or use the bondingkey.com service.
7. Retention Period
- Purchase records — retained for 7 years in accordance with Finnish accounting law (Kirjanpitolaki 1336/1997)
- Authentication session data — deleted upon session expiry
- Newsletter subscriber data — retained until you unsubscribe
- Analytics data — aggregated and anonymised, no individual retention
8. Data Processors and Third-Party Services
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, user data storage | EU (Ireland, eu-west-1) |
| Stripe Payments Europe Ltd | Payment processing | EU (Ireland) |
| Resend Inc. | Transactional email delivery | EU (Ireland, eu-west-1) |
| Vercel Inc. | Hosting and content delivery | EU region |
| Plausible Analytics | Privacy-friendly website analytics (cookieless) | EU (Germany) |
We do not transfer personal data outside the European Economic Area except where the processors above maintain EU-based infrastructure as listed.
9. Security
- All data in transit is encrypted using TLS/HTTPS
- Supabase Row Level Security (RLS) restricts data access per authenticated user
- Authentication is handled via magic links — no passwords are stored
- Service role keys are stored securely as environment variables and never exposed client-side
- Access to personal data is limited to Johanna Valkonen (Soulbond Oy)
10. Your Rights Under GDPR
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion ("right to be forgotten")
- Right to restriction — request restricted processing in certain circumstances
- Right to data portability — request your data in machine-readable format
- Right to object — object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — withdraw at any time without affecting prior processing
Contact: johanna@bondingkey.com — we respond within one month as required by GDPR.
Supervisory authority: Finnish Data Protection Ombudsman (tietosuoja.fi)
11. Cookies and Analytics
bondingkey.com uses Plausible Analytics, which is cookieless and collects no personally identifiable information. No cookie consent is required for analytics.
We use one strictly necessary cookie for authentication session management (keeping you signed in). This does not require consent under GDPR.
12. Changes to This Policy
We may update this Privacy Policy periodically. The effective date reflects the most recent revision. Registered users will be notified of material changes by email.