Privacy Policy

Last updated: 28 April 2026 · Effective: 28 April 2026

Masto Control Oy ("Masto Control", "we", "us") is the data controller for personal data collected through the Masto Control service and this website. We are registered in Finland (Y-tunnus: 0000000-0) and operate under Finnish law and the EU General Data Protection Regulation (GDPR).

This policy explains what data we collect, why we collect it, how long we keep it, and what rights you have.

1. What data we collect

Account data

When you create an account we collect your email address, password (hashed — never stored in plain text), your craft field (e.g. candles, ceramics), and preferred language. If you sign up via Google or Microsoft we receive your name and email from that provider.

Billing data

Subscription and payment data (card type, last four digits, billing address) is collected and stored by our payment processor. We do not store full card numbers. We receive confirmation of successful payments and invoice records.

Usage data

If optional analytics are enabled after consent, we collect anonymised data about how visitors use the website and service - which features are used, how often, and general performance metrics. This data does not identify you individually and helps us improve the product.

Support communications

When you contact us by email or chat we retain the content of those messages to handle your request and improve our support.

Cookies

We use strictly necessary cookies and browser storage to keep the service secure and usable. Optional analytics or marketing cookies are disabled until you consent through the website cookie banner. We do not load advertising cookies or cross-site ad tracking without opt-in.

2. Legal basis for processing

• Contract performance — processing account and billing data to provide the service you signed up for.
• Legitimate interests - fraud prevention, service security, and operational diagnostics.
• Legal obligation — keeping financial records as required by Finnish accounting law.
• Consent - optional analytics, marketing cookies, and marketing communications where consent is required.

3. How long we keep your data

• Account data — for the duration of your subscription, plus 30 days after cancellation (to allow account recovery), then deleted.
• Billing records — 7 years, as required by Finnish accounting legislation (Kirjanpitolaki).
• Usage analytics — aggregated and anonymised; retained indefinitely.
• Support messages — 2 years from the last interaction.

4. Who we share your data with

We do not sell personal data. We share data only with the following sub-processors, all operating under GDPR-compliant data processing agreements:

• Hosting / infrastructure — cloud provider hosting the service (EU region).
• Payment processing — our payment processor handles card transactions.
• Email delivery — transactional emails (account confirmation, invoices) are sent via an email API provider.

We may disclose data to Finnish authorities if required by law.

5. Data location

All personal data is stored and processed within the European Economic Area (EEA). We do not transfer personal data to countries outside the EEA.

6. Your rights under GDPR

As a data subject in the EU/EEA you have the following rights. To exercise any of them, email us at privacy@mastocontrol.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

7. Security

We use industry-standard measures to protect your data: HTTPS encryption in transit, encrypted storage at rest, hashed passwords, and access controls limiting who can see personal data. We will notify you and the relevant authorities in the event of a data breach as required by GDPR.

8. Changes to this policy

We may update this policy as the service evolves. If we make material changes we will notify you by email at least 14 days before the changes take effect. The current version is always available at this URL.

9. Contact

For any privacy-related questions or to exercise your rights: