Privacy Policy
Last updated: 13 June 2026
This Privacy Policy is also the statutory data-file register description (Finnish: tietosuojaseloste; formerly rekisteriseloste) under Articles 13–14 GDPR. The register’s controller, purposes, data categories, retention, legal basis, and your rights are set out in the sections below.
1. Data Controller
Pauhu AI Ltd (Pauhu AI Oy)
Business ID (Y-tunnus): 3477255-1
Helsinki, Finland
Email: dpo@pauhu.ai
2. What We Process
- Account data: email address, organisation name (if provided), collected at checkout.
- Request data: the bounded request your coding assistant sends to compose code (an intent and the limited context it includes). We do not receive or store your repository; it stays in your own tool. Request payloads are processed to produce the response and retained only briefly for security and debugging.
- Usage receipts: per-call records of the tokens and energy a deterministic call avoided, the operations called, and timestamps, linked to your subscription for billing and usage reporting.
- Technical data: IP address (truncated to /24), client type.
- Payment data: processed by Stripe. We receive a customer reference and subscription status; we do not store card numbers.
3. Legal Basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)): account, subscription, composition, billing.
- Legitimate interest (Art. 6(1)(f)): security monitoring, abuse and fraud prevention, service improvement.
- Legal obligation (Art. 6(1)(c)): tax and accounting records.
4. Processing Location and Processors
The compiler runs in the European Union:
- Hosting / composition: Hetzner Online GmbH, Helsinki, Finland (EU).
One processor is outside the EU and is disclosed here in full:
- Stripe, Inc. (payments, USA). Payment is handled by Stripe so that you can subscribe with a card globally. Transfers to Stripe rely on the EU Standard Contractual Clauses and Stripe’s certification under the EU–US Data Privacy Framework. Stripe’s own privacy terms apply to card data, which we never see or store.
Your code and repository are never transferred to a payment processor or any third country. Only the bounded request needed to compose a response reaches our EU compiler.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of subscription + 6 months |
| Request payloads | Up to 7 days (security/debugging), then deleted |
| Usage receipts | Duration of subscription (usage/billing) |
| IP addresses | 7 days (security), truncated to /24 |
| Billing records | 6 years (Finnish Accounting Act) |
6. Your Rights (GDPR Art. 15–22)
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17)
- Restriction (Art. 18), portability (Art. 20), objection (Art. 21)
To exercise any right, email dpo@pauhu.ai. We respond within 30 days.
7. Cookies
The pauhu.dev site uses only strictly necessary storage for your preferences. The checkout flow is operated by Stripe, which may set cookies necessary to process payment; see Stripe’s cookie notice. We use no advertising or cross-site tracking cookies.
8. Supervisory Authority
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
P.O. Box 800, 00521 Helsinki, Finland
https://tietosuoja.fi