Privacy Policy

Effective: March 22, 2026

Who we are

Varjosoft Oy (Y-tunnus: 3360588-2), Topeliuksenkatu, 00260 Helsinki, Finland. Managing Director: Hannu Varjoranta. Contact: privacy@varjosoft.com

What we collect

We collect only what you give us or what is technically necessary to serve the site.

• Contact form submissions: your email address and any message you choose to write. We also store which intent you selected (advisory, investor, Spegling, etc.) if you clicked one.
• Server logs: IP address, request path, timestamp, user agent. These are standard web server logs retained for security and debugging. They are not linked to your identity.
• Browser storage: the Spegling presence on this site uses your browser's localStorage to remember your visit. This storage is only written after you give explicit consent. Before consent, no data is stored on your device.

What we do not collect

• We do not use cookies.
• We do not use third-party analytics (no Google Analytics, no tracking pixels).
• We do not load external resources that track you (fonts are self-hosted).
• We do not fingerprint your browser or device.
• We do not sell, share, or trade your data with anyone.

How we use your data

• Email addresses are used to respond to your inquiry or to notify you about Spegling early access if you joined the waitlist. Nothing else.
• Server logs are used for security monitoring and debugging. They are not analyzed for marketing purposes.
• localStorage data is used by the Spegling presence to provide continuity on return visits (remembering what you read, offering relevant context). This data is only written after explicit consent.

Legal basis (GDPR)

• Contact form: performance of a contract or pre-contractual measures (Art. 6(1)(b)). You are requesting us to respond to your inquiry.
• Server logs: legitimate interest (Art. 6(1)(f)). Security and availability of the service.
• Spegling sessions and browser storage: consent (Art. 6(1)(a)). Explicit consent is obtained before any data is stored on your device or on our server. You may decline without consequence.

Spegling presence sessions

If you consent to creating a Spegling session, the following additional data is stored on our server:

• A random session ID (not linked to your identity unless you authenticate)
• Which sections of the site you explored
• Your active time on the page (tracked server-side in intervals)
• Your approximate city-level location (derived from your IP address using a local geolocation database. The lookup happens entirely on our server — your IP is never sent to any third party for this purpose. The raw IP address is not stored. Only the derived city and country names are kept.)
• Chat messages if you reach the chat stage
• An evolving context summary generated from your conversations (used to maintain continuity across sessions. This is AI-generated from your messages, not a raw transcript.)

You can opt out at any point by clearing your browser's localStorage for this domain. If you authenticated with a social login, you can request deletion of your account and all associated data by contacting privacy@varjosoft.com.

AI-generated content

Spegling's chat responses are generated by artificial intelligence. They may be inaccurate, incomplete, or inappropriate. Spegling does not provide professional advice (legal, financial, medical, or otherwise). Varjosoft Oy is not liable for actions taken based on AI-generated responses.

Your chat messages are not used to train AI models by Varjosoft or any AI provider. They are stored only for your conversation continuity and are processed by our AI providers solely for generating responses.

Data retention

• Contact form submissions: retained for 24 months after last interaction, then deleted.
• Server logs: retained for 90 days.
• Spegling sessions (anonymous): retained for 12 months, then automatically deleted.
• Spegling sessions (authenticated): retained until you request deletion.
• Chat messages: retained as long as the session exists.
• Context summaries: retained as long as the user account exists.

Where your data is stored

All data is stored on servers in the EU, primarily in Finland. We currently use Hetzner (Helsinki) and may use OVH (EU data centers) or UpCloud (Helsinki) as the project grows.

International data transfers

Our primary AI provider (Nebius Token Factory) processes data within the EU. We may use additional AI providers (Anthropic, OpenAI, Perplexity) for benchmarking and specific tasks. These providers operate in the United States. When used, your chat messages (without personal identifiers) may be processed outside the EU/EEA. We rely on the providers' Standard Contractual Clauses and API Terms of Service as the legal basis for these transfers under GDPR Chapter V.

Your rights

Under the GDPR, you have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent at any time (without affecting the lawfulness of prior processing)
• Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi)

To exercise any of these rights, contact privacy@varjosoft.com. We will respond within 30 days.

Children

This site and the Spegling chat are intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@varjosoft.com and we will delete it.

AI processing

Spegling uses large language models to generate chat responses. Our primary AI provider is Nebius Token Factory, which processes data in EU data centers (Netherlands/Finland). We use Nebius because it allows us to keep AI processing within the EU.

We reserve the right to use additional model providers for benchmarking, research, and specific high-intelligence tasks. These may include Anthropic (Claude), OpenAI, and Perplexity. When these providers are used, your chat messages are sent to their APIs for response generation. No personal identifiers (name, email, IP address) are included in any AI API request regardless of provider.

Spegling is in an active research and development phase. We aim to use EU-based models and processing wherever possible. This section will be updated with more specific details as development proceeds.

Third parties and data processors

Infrastructure:

• Hetzner Online GmbH (Helsinki, Finland) — primary server hosting
• OVH (EU data centers) — potential additional hosting
• UpCloud (Helsinki, Finland) — potential additional hosting
• Let's Encrypt — TLS certificates
• DB-IP — IP geolocation database (CC BY 4.0). Downloaded and queried locally on our server. No visitor data is sent to DB-IP.

AI providers (data processors):

• Nebius Token Factory (EU data centers) — primary AI model provider for Spegling
• Anthropic (Claude API) — used for benchmarking and select high-intelligence tasks
• OpenAI — used for benchmarking and select tasks
• Perplexity — used for benchmarking and select tasks

No AI provider receives personal identifiers. No AI provider uses your data for model training. We are in the process of establishing Data Processing Agreements with all providers that process user-generated content.

Changes

This project is in active development. This policy will be updated as the product matures. We may add or remove providers, but the core commitment remains: EU-based processing where possible, no personal identifiers sent to AI providers, no data sold or traded. The effective date at the top will change with each update. No retroactive changes to how existing data is used.

Contact

Varjosoft Oy
Topeliuksenkatu, 00260 Helsinki, Finland
Y-tunnus: 3360588-2
Email: privacy@varjosoft.com