Website, Cookie and Data Processing Policy

Privacy & Cookie Policy

PUROSI  •  Effective 1 April 2026  •  v2.0

This Privacy & Cookie Policy explains how PUROSI collects, uses, and protects personal data when you visit our website (purosi.fi), download our materials, or interact with us online. It applies to website visitors and prospective participants, and is distinct from the separate Personal Data Handling & Security Policy that governs data processing within the PUROSI program platform.

PUROSI is a brand of Ahlman & Tag Ltd., Finland. PUROSI is committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and Finland’s national data protection legislation.

1. Information We Collect

Contact and Enquiry Forms

When you submit an enquiry or request via our website, we collect your name, email address, and any other information you choose to include in your message.

Downloadable Materials

When you download materials from our website (such as guides, reports, or resources), we may ask for your name and email address in order to send you the materials and relevant follow-up information. You may opt out of further communications at any time.

Program Registration

If you register for a PUROSI program via our website, we collect the information necessary to create your account and deliver the service. Data processing within the program platform is governed by our separate Personal Data Handling & Security Policy.

Technical and Usage Data

We may collect standard technical data when you visit our website, including your IP address, browser type, device type, and pages visited. This data is used solely for security and to maintain and improve website performance.

2. How We Use Your Information

  • To respond to your enquiries and provide requested information
  • To deliver downloadable materials and relevant follow-up communications
  • To provide access to the PUROSI program, tools, and resources
  • To send program-related communications such as updates and announcements
  • To maintain and improve our website security and performance

We do not use your personal data for advertising, sell it to third parties, or use it to build marketing profiles.

3. Legal Basis for Processing (GDPR)

  • Article 6(1)(a) — Consent: where you have actively provided your information, for example by completing a form or downloading materials
  • Article 6(1)(b) — Contractual necessity: where processing is required to deliver a service you have requested
  • Article 6(1)(f) — Legitimate interest: for website security, performance monitoring, and improving our services

You may withdraw consent at any time by contacting us at [email protected]. Withdrawal does not affect the lawfulness of any processing carried out prior to withdrawal.

4. Cookies

Cookies are small text files placed on your device when you visit a website. We use only the cookies strictly necessary for our website to function correctly.

Strictly Necessary Cookies

These cookies are essential for the website to operate and cannot be switched off. They are typically set in response to actions such as logging in or filling in a form. They do not store any personally identifiable information.

What We Do Not Use

We do not use advertising cookies, marketing tracking cookies, or third-party cookies that monitor your browsing behaviour across other websites.

Managing Cookies

You can control and delete cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of the website. 

5. Information Sharing

PUROSI does not sell or rent personal data to third parties. We may share your information only in the following circumstances:

  • With trusted service providers who assist in operating our website and services (such as our cloud hosting provider UpCloud, based in Finland), under strict data protection obligations
  • Where required by law or in response to a valid legal request from a competent authority

All third-party service providers are bound by appropriate data protection agreements and may not use your data for their own purposes.

6. Data Retention

We retain personal data collected via the website only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Enquiry and contact data is generally retained for up to 24 months unless you request earlier deletion. You may request deletion of your data at any time by contacting us.

7. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data
  • Withdraw consent at any time without affecting prior processing
  • Request a portable copy of your data (GDPR Art. 20)
  • Object to processing based on legitimate interests
  • Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, tietosuoja.fi) or your local data protection authority

We will respond to all rights requests within one month of receipt. To exercise any of these rights, contact: [email protected]

8. Updates to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via our website. The latest version is always available at purosi.fi/privacy.

9. Contact

For any questions, concerns, or requests regarding this policy or our data practices, please contact: [email protected]

Personal Data Handling & Security Policy

Effective 1 April 2026  •  v2.0

Summary

This policy explains how PUROSI collects, uses, stores, and protects personal data in compliance with the EU General Data Protection Regulation (GDPR) and Japan’s Act on the Protection of Personal Information (APPI). It applies to personal data processed in connection with the delivery of the PUROSI program.

  • PUROSI processes personal data lawfully and securely in accordance with GDPR and APPI.
  • The PUROSI platform is hosted on UpCloud, a European cloud provider headquartered in Finland, serving participants globally.
  • AI-powered coaching interactions are processed using Microsoft Azure.
  • The Client Organisation determines the default AI session storage policy. Participants may opt out of AI session content storage at any time.
  • Personal notes, AI chat interactions, and exercise responses are strictly confidential and are never shared with the Client Organisation.
  • Identifiable personal data is deleted within 12 months of program end. Usage and results data is anonymised within the same period and may be retained for program effectiveness analysis.
  • Participants have the right to access, correct, restrict, object to, or request deletion of their personal data at any time.

For any privacy-related enquiries: [email protected]

1. Data Controller

The data controller responsible for personal data processed in connection with the PUROSI program is:

Ahlman & Tag Ltd. (trading as PUROSI), Finland

PUROSI does not currently meet the threshold for appointing a Data Protection Officer. A designated person within PUROSI oversees compliance with this policy.

2. Types of Personal Data Collected

PUROSI collects the following categories of personal data:

Identification Data

Name, email address, job title, organisation, and any other profile information the participant voluntarily provides (e.g. a profile photo). Legal basis: contractual necessity (Art. 6(1)(b)).

Program-Related Data

Assessment responses, progress tracking, community interactions, action plans, exercise responses, and other content the participant chooses to share within the platform. Legal basis: contractual necessity (Art. 6(1)(b)); consent for optional assessments, individual feedback sharing, and community sharing (Art. 6(1)(a)).

Individual assessment results and feedback responses may be shared with the Client Organisation where the participant has given explicit consent. Consent is sought clearly before such data is collected or shared, and participants are informed of what will be shared and with whom. Participants may decline to share individual results without this affecting their access to the program.

Platform Usage Data

Data on how participants engage with the platform, including module completion, time spent on content, and activity patterns. This data is used to provide participants with personalised progress tracking and results, and to generate anonymised, aggregated program reports for the Client Organisation. Legal basis: contractual necessity (Art. 6(1)(b)); legitimate interests in program quality and effectiveness (Art. 6(1)(f)).

AI Coach Interaction Data

AI Coach interaction data comprises two distinct layers:

  • AI Coach usage metrics — always collected: number of sessions, session duration, timestamps, and frequency of use. Used to provide progress insights and program-level reporting. Legal basis: contractual necessity (Art. 6(1)(b)).
  • AI Coach chat content — collected only where the Client Organisation has enabled session storage and the individual participant has given consent. Used exclusively to support continuity and personalisation of the coaching experience. Legal basis: consent (Art. 6(1)(a)). Participants may withdraw consent and opt out of chat content storage at any time.

AI Coach chat content is never shared with the Client Organisation. Only anonymised, aggregated usage metrics may be included in program reporting.

Technical Data

Login time, device type, browser type, IP address, and cookies required for platform functionality. Legal basis: legitimate interests in platform security and operation (Art. 6(1)(f)).

Sensitive and Special Category Data

PUROSI does not intentionally collect special category data as defined under GDPR Article 9 (such as health, medical, or biometric data). However, given the personal development and coaching nature of the program, participants may choose to share sensitive personal information — for example relating to health, wellbeing, or personal circumstances — within their AI Coach sessions or personal notes. Any such information is treated as strictly confidential participant content, subject to the same protections described in Section 4, and is never shared with the Client Organisation or any third party.

Data Minimisation

PUROSI collects only the personal data that is necessary for the purposes described in this policy. Participants are not required to provide more information than is needed to access and use the program.

How Consent Is Collected

Participants are asked to consent to the collection and processing of their personal data when logging in to the PUROSI platform for the first time. Without this consent, access to the program cannot be granted. Consent may be withdrawn at any time by contacting PUROSI, without affecting the lawfulness of processing carried out prior to withdrawal.

3. Legitimate Interests

Where PUROSI relies on legitimate interests (Art. 6(1)(f)) as the legal basis for processing, those interests are:

  • Maintaining the security, integrity, and availability of the platform
  • Monitoring and improving the quality and effectiveness of the program
  • Detecting and preventing fraud, unauthorised access, and misuse
  • Fulfilling reporting obligations to the Client Organisation using only anonymised, aggregated data

PUROSI has assessed that these interests are not overridden by participants’ rights and freedoms, given the limited, non-intrusive nature of the data involved and the safeguards applied. Participants have the right to object to processing based on legitimate interests at any time (see Section 9).

4. Confidentiality and Access

Individual-level data is strictly confidential by default. The Client Organisation does not have access to individual participant data unless the participant has given explicit consent. The Client Organisation may receive:

  • Anonymised, aggregated activity data (e.g. overall completion rates, engagement levels) — always
  • Group-level assessment results — always anonymised and aggregated
  • Individual assessment results and feedback — only where the participant has given explicit, informed consent, communicated clearly before the data is collected

Participants are always informed in advance of what individual data may be shared, with whom, and for what purpose. Consent to share individual results is voluntary and does not affect access to the program.

Community Feature

The PUROSI platform includes an online peer community where participants can connect and share experiences. Participants’ names and any content they choose to share in the community will be visible to other program participants. Participants are advised not to share sensitive personal information in community spaces.

Within PUROSI, only authorised staff (administration, technical support, and developers) have access to personal data, strictly on a need-to-know basis.

5. Third-Party Processors

PUROSI determines the technical means and methods used to deliver the services, including the operation of the platform and AI functionalities. The Client Organisation determines the business context in which the services are used, including participant selection and program objectives. PUROSI acts as an independent data controller and engages the following key subprocessors:

  • UpCloud Oy (Finland) — cloud infrastructure, data hosting and storage. UpCloud is headquartered in Helsinki and operates data centres globally. As a Finnish company, UpCloud is subject to EU data protection law and applies Standard Contractual Clauses (SCCs) for transfers to infrastructure outside the EEA, ensuring an equivalent level of protection.
  • Microsoft Azure — AI processing and coaching interactions. AI processing for Japan-based participants occurs within Microsoft Azure data centres in Japan. For other regions, processing occurs within EU or Asia-Pacific infrastructure.

Additional subprocessors may be engaged where necessary to support service delivery. PUROSI ensures that all subprocessors operate under appropriate data protection obligations, including standard contractual terms and industry-recognised security and privacy frameworks.

All third-party processors are obligated to: maintain the confidentiality and security of personal data; not sell personal data or use it for advertising; and process data only as instructed by PUROSI.

6. Data Hosting and Cross-Border Transfers

The PUROSI platform is hosted on UpCloud, a Finnish cloud provider. UpCloud operates data centres globally to ensure performance and availability for participants across regions, including Europe and Asia-Pacific. The storage environment is ISO 27001 certified and SOC 2 Type II compliant, with encryption applied to data both at rest and in transit.

Where data is processed or stored outside the European Economic Area (EEA), PUROSI ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) where applicable.

Note for Japan-Based Participants (APPI)

For participants based in Japan, personal data may be transferred to and processed within the European Union (Finland and other UpCloud server locations in the EU). The EU has been recognised by the Japanese Personal Information Protection Commission as providing an adequate level of protection for personal data, consistent with the APPI. AI processing for Japan-based participants is performed within Microsoft Azure data centres located in Japan where possible.

7. AI Processing and Model Training

AI-powered coaching interactions are processed using Microsoft Azure infrastructure. AI functionalities are designed to support participant reflection and development. They do not make automated decisions that produce legal or similarly significant effects on participants.

AI Session Storage Options

The Client Organisation determines the default storage policy for AI Coach sessions:

  • Processing and Storage — Interactions are processed and securely stored in UpCloud infrastructure to enable continuity and personalisation of the coaching experience.
  • Processing Only — Interactions are processed in real time but are not stored once the session ends.

Regardless of the Client Organisation’s default setting, each participant retains the right to opt out of AI session content storage at any time.

AI Model Training Restriction

PUROSI does not use participant data — including chat content, action plans, assessment responses, or personal notes — to train or improve its own AI models or those of third-party providers, unless explicitly agreed in writing with the Client Organisation.

8. Security Measures

PUROSI implements appropriate technical and organisational measures to protect personal data, including:

  • Encrypted data transfer (HTTPS/TLS)
  • Password protection and role-based access control
  • ISO 27001 certified and SOC 2 Type II compliant cloud infrastructure
  • Regular updates, backups, and monitoring for unauthorised access
  • Staff training on data protection obligations and secure handling of personal data

Data Breach Notification

In the event of a personal data breach:

  • PUROSI will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, in accordance with GDPR Article 33 and APPI Article 26.
  • Where the breach is likely to result in a high risk to participants’ rights and freedoms, affected individuals will be notified without undue delay, in accordance with GDPR Article 34.
  • The Client Organisation will be notified in writing without undue delay in the event of any breach affecting their participants’ personal data.

9. Participant Rights (GDPR & APPI)

Participants have the following rights regarding their personal data:

  • Right of access — request a copy of the personal data PUROSI holds about you (GDPR Art. 15)
  • Right to rectification — request correction of inaccurate or incomplete data (GDPR Art. 16)
  • Right to erasure — request deletion of your data where it is no longer necessary or where consent is withdrawn (GDPR Art. 17)
  • Right to restriction — request that processing of your data be temporarily paused in certain circumstances, e.g. while accuracy is contested (GDPR Art. 18)
  • Right to data portability — request a copy of your data in a structured, machine-readable format (GDPR Art. 20)
  • Right to object — object to processing based on legitimate interests at any time. PUROSI will cease such processing unless it can demonstrate compelling legitimate grounds that override your interests (GDPR Art. 21)
  • Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint — lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, tietosuoja.fi) or your local data protection authority (GDPR Art. 77)
  • Under Japan’s APPI — request disclosure, correction, addition, deletion, or suspension of use or third-party provision of your personal information held by PUROSI

PUROSI will respond to all rights requests within one month of receipt. In complex or numerous cases, this period may be extended by up to two further months, in which case you will be informed of the extension and the reasons for the delay.

To exercise any of these rights, contact: [email protected]

10. Data Retention and Deletion

Personal data is retained only for as long as necessary to fulfil the purposes of the program or as required by applicable law. Upon expiry of the retention period:

  • Identifiable personal data (such as names, email addresses, and individual content) is permanently deleted within 12 months of the end of the program, or upon earlier request by the participant or Client Organisation.
  • Usage and results data (such as engagement metrics, completion rates, and assessment outcomes) is anonymised within the same period, so that it can no longer be linked to an individual, and may be retained by PUROSI for program effectiveness analysis.

When a Client Organisation’s contract with PUROSI ends, participant personal data associated with that organisation is deleted or anonymised in accordance with the above timelines, unless a shorter period is agreed in writing or required by law.

Personal data is not disclosed to third parties except where required by law or where subprocessors are engaged to deliver the program. PUROSI ensures all subprocessors operate under appropriate data protection obligations.

11. Updates to This Policy

This policy may be updated to reflect changes in law, technology, or operational practices. Updates will be communicated through the PUROSI platform or directly to clients when necessary. The latest version is always available at purosi.fi/privacy or upon request.

12. Contact

For any questions, concerns, or rights requests relating to this policy:

Nora Tág

Ahlman & Tag Ltd.

[email protected]