Privacy policy

Last updated: 30 June 2026

Introduction

This privacy policy explains how bobi (“I”, “me”) processes personal data when you use the bobi website, mobile app, and related services in Turku and elsewhere in Finland.

I process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act (1050/2018), and other applicable Finnish legislation.

Data controller

Data controller: bobi (private individual)

Address: Turku, Finland

Email: privacy@bobi.fi

I have not appointed a separate Data Protection Officer. For all privacy matters, contact me at privacy@bobi.fi.

Personal data I process

Depending on how you use bobi, I may process the following categories of personal data:

• Account data: name, email address, and authentication credentials (managed via AWS Cognito).
• Profile and preferences: selected interest categories and saved events.
• Location data: approximate coordinates you provide or that I derive to show events near you (only when you use location-based features).
• Usage data: pages viewed, events opened, and interactions needed to operate and improve the service.
• Technical data: IP address, browser or device type, session identifiers, and server logs.
• Mobile data: push notification tokens if you enable notifications in the bobi app.
• Content you submit: event information and images if you publish events as an organizer.

Purposes and legal bases

I process personal data for the following purposes:

• Providing the service, creating and managing your account, and displaying relevant events — legal basis: performance of a contract (GDPR Art. 6(1)(b)).
• Personalising recommendations based on your interests and location — legal basis: legitimate interests in operating a relevant local event guide (GDPR Art. 6(1)(f)); you may object to this processing.
• Publishing and moderating organizer content — legal basis: contract and legitimate interests (GDPR Art. 6(1)(b) and (f)).
• Ensuring security, preventing abuse, and maintaining service reliability — legal basis: legitimate interests (GDPR Art. 6(1)(f)).
• Complying with legal obligations — legal basis: legal obligation (GDPR Art. 6(1)(c)).

Where I rely on legitimate interests, I balance my interests against your rights and only process data that is necessary.

Cookies and similar technologies

I use strictly necessary cookies to keep you signed in and to protect the service (for example session and authentication cookies). These cookies are required for the service to function and do not require consent under the Finnish Information Society Services Act.

I do not use non-essential analytics or advertising cookies at this time. If this changes, I will update this policy and, where required, ask for your consent before setting such cookies.

Recipients and processors

I share personal data only when necessary to operate bobi:

• Amazon Web Services (AWS) — authentication (Cognito), hosting, and file storage (S3) in the EU (eu-north-1, Stockholm region).
• Google Maps Platform — when you choose to open a venue in Google Maps, Google may process data under its own terms.
• Expo — push notification delivery for the mobile app, if enabled.

These processors act on my instructions under data processing agreements. I do not sell your personal data.

International transfers

I primarily store and process data within the European Economic Area. If a processor transfers data outside the EEA, I ensure appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision, as required by GDPR Chapter V.

Retention periods

I retain personal data only as long as necessary for the purposes described in this policy:

• Account data is kept while your account is active and deleted or anonymised within a reasonable period after you delete your account, unless longer retention is required by law.
• Server logs and security records are typically retained for up to 12 months.
• Organizer event content may remain published until removed or archived according to content policies.

Your rights

Under the GDPR, you have the right to:

• access your personal data;
• request rectification of inaccurate data;
• request erasure (“right to be forgotten”) in certain circumstances;
• restrict processing in certain circumstances;
• data portability for data you provided, where processing is based on contract or consent and carried out by automated means;
• object to processing based on legitimate interests;
• withdraw consent at any time, where processing is based on consent (without affecting prior lawful processing).

To exercise your rights, contact me at privacy@bobi.fi. I respond within one month, as required by law.

Supervisory authority

If you believe I have processed your personal data unlawfully, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu): https://tietosuoja.fi/en/home.

Changes to this policy

I may update this privacy policy when the service or legal requirements change. I will publish the updated version on this page and adjust the “Last updated” date. For material changes affecting how I use your data, I will provide additional notice where required by law.

Contact

For questions about this privacy policy or your personal data, contact:

bobi

Turku, Finland

privacy@bobi.fi