PRIVACY POLICY

INTRODUCTION AND SCOPE

snowLEX Oy (Business ID: 3304711-2, "Company", "we", "us", "our") respects your privacy and is legally committed to protecting your personal data. This Privacy Policy governs the collection, use, and protection of personal data when you use the snowLEX public website, the authenticated SaaS platform, and associated AI services (collectively, the "Service").

This Policy is strictly aligned with the EU General Data Protection Regulation (Regulation (EU) 2016/679 - "GDPR") and the Finnish Data Protection Act (Tietosuojalaki 1050/2018). It also addresses our transparency obligations under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689 - "AI Act").

The Service is strictly intended for use by legal professionals, corporate entities, and adults. It is not directed at minors, and we do not knowingly collect personal data from children under the applicable statutory age limits.

Data Controller & Contact Information:

• Company: snowLEX Oy
• Registered Office: c/o Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
• Data Protection Officer (DPO) / Privacy Inquiries: privacy@snowlex.fi

OUR ROLE: CONTROLLER VS. PROCESSOR

Under the GDPR, our legal responsibilities depend on the nature of the data being processed and the capacity in which you use the Service:

• Data Controller (Account & Administrative Data): For your account registration, billing, and system administration data, snowLEX Oy acts as the Data Controller. We determine the purposes and means of processing this administrative data.
• Data Processor (B2B/Professional Users): When you, acting in a professional capacity, input prompts or upload legal documents containing personal data of third parties (e.g., your clients) into our AI engine, you act as the Data Controller. We act exclusively as the Data Processor processing data on your documented instructions. In this capacity, we act solely as a technical processor operating on the documented instructions of the user, which are governed by our separate Data Processing Agreement (DPA).
• Data Controller (B2C/Individual Consumers): If you are an individual citizen using the Service for personal legal matters, we act as the Data Controller for the personal data within your prompts. However, the exact same technical safeguards apply: your conversational data is processed ephemerally in RAM (stateless inference). Our infrastructure is architected to ensure that your prompt data is not retained beyond the immediate active session, nor is it used to train any AI models.

DATA SOVEREIGNTY & ZERO-TRAINING

We recognize that professional secrecy and attorney-client privilege are paramount. Unlike conventional AI platforms, snowLEX is architected with a strict "Privacy-by-Design" foundation:

• Data Sovereignty & Secure Gateways: All primary data processing and hosting operations are conducted exclusively within secure server environments located in the European Economic Area (EEA) / Finland. Any data transmitted to external foundational Large Language Models (LLMs) or third-party providers is routed strictly through secure, encrypted gateways. We contractually require all external model providers to operate under Zero Data Retention (ZDR) conditions, designed to prevent model training on user data.
• Stateless Inference & Ephemeral Processing: When you submit a prompt or document for legal analysis, the text is processed in a stateless, ephemeral "inference-only" mode. The system processes the conversational data in random-access memory (RAM) to generate your output. Once the session is resolved, the active AI is architected to drop the context. Unless you explicitly choose to save your session within your encrypted account dashboard, our infrastructure is designed to ensure conversational data is not persistently stored.
• Strict Zero-Training Architecture: We strictly ensure that your personal data, user prompts, and uploaded documents are not used to train, fine-tune, or improve our underlying foundational AI models or algorithms. This strict prohibition flows down to any third-party sub-processors we may engage.

CATEGORIES OF PERSONAL DATA WE COLLECT

We strictly adhere to the principle of Data Minimization (GDPR Art. 5(1)(c)), collecting and processing only the personal data that is strictly necessary for providing and maintaining our Service.

• Account Data: First name, last name, email address, password (securely encrypted), and professional affiliation (if applicable).
• Financial Data: Billing address, VAT number, and transaction history. (Note: Actual payment processing is handled by secure, PCI-DSS compliant third-party payment gateways; we do not store full credit card numbers).
• Technical & Usage Data: IP addresses, browser types, authentication logs, and essential security metrics strictly to prevent fraud, ensure platform integrity, and maintain cybersecurity. For information regarding non-essential tracking technologies, please refer to our separate Cookie Policy.
• Session Data (Ephemeral): The legal context, documents, and conversational prompts you upload. As stated in Section 3, this data is processed statelessly in RAM. Our infrastructure is architected to ensure this data is not retained by the AI engine once the immediate query is resolved.
• Special Categories of Personal Data (GDPR Art. 9 & 10): Given the nature of legal research, the documents or prompts you upload may incidentally contain highly sensitive information about third parties (e.g., health data, racial/ethnic origin, or criminal records). We do not intentionally solicit or structurally profile this data. For B2C users (where we act as a Data Controller), any incidental processing of such sensitive data is strictly limited to the establishment, exercise, or defence of legal claims (GDPR Art. 9(2)(f) and Section 7(1)(1) of the Finnish Data Protection Act). If provided by you, it is processed exclusively as ephemeral Session Data (in RAM) based on your explicit instructions, and our systems are architected to instantly purge it upon session resolution.
• Voluntary Feedback & Audit Data: If you explicitly choose to use the "Report" function within the Platform to flag an issue, hallucination, or safety concern, that specific interaction is voluntarily decrypted and securely shared with our engineering team. This specific data is retained securely in an isolated environment solely for bug resolution and EU regulatory audit compliance purposes and is scheduled for permanent deletion thereafter.

LEGAL BASIS FOR PROCESSING

We process your personal data relying on the following lawful bases under GDPR Article 6:

• Performance of a Contract (Art. 6(1)(b)): To create your account, manage your subscription, process payments, and deliver the snowLEX Service. If you are a B2C individual consumer, this also serves as the legal basis for processing your conversational prompts ephemerally in RAM to generate the requested legal analysis.
• Consent (Art. 6(1)(a)): For sending direct marketing communications, deploying non-essential cookies, and specifically for processing your decrypted conversational data when you voluntarily use the "Report" function for system debugging. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Legitimate Interests (Art. 6(1)(f)): To ensure network and information security, detect fraud, and provide administrative customer support, provided these interests do not override your fundamental rights.
• Legal Obligation (Art. 6(1)(c)): To comply with mandatory Finnish tax, accounting, and corporate laws.

(Note for B2B/Professional Users: When you use the Service in a professional capacity and input third-party personal data, you act as the Data Controller. You are solely responsible for establishing the appropriate Article 6 legal basis for such data before submitting it to our system. We process that data strictly as a Data Processor under our separate Data Processing Agreement).

AUTOMATED DECISION-MAKING AND AI TRANSPARENCY

In compliance with Article 50 of the EU AI Act and GDPR transparency principles, we expressly inform you that the analytical outputs provided by snowLEX are generated by an Artificial Intelligence system.

• No Legal Decisions (GDPR Art. 22): snowLEX acts purely as an advisory and preparatory tool. It does not engage in "solely automated decision-making" that produces legal effects or similarly significantly affects you or your clients under Article 22 of the GDPR. All legal analysis provided by the system is designed to support, not replace, human judgment. For professional users (B2B), independent human verification (Human-in-Command) by a qualified professional is mandatory before the application of any output.
• Explainability & Traceability: To mitigate the opacity inherently associated with generative AI ("black box" processing), our Retrieval-Augmented Generation (RAG) architecture is designed to ensure that outputs are traceable. The system is architected to provide explicit citations to official legal databases (e.g., Finlex, EUR-Lex), allowing you to independently audit the statutory sources underlying the generated content.
• Machine-Readable Marking: Pursuant to the AI Act’s transparency obligations regarding synthetic content (Art. 50(2)), outputs generated by the Service are technically marked and detectable in a machine-readable format to clearly indicate they are artificially generated.

DATA RETENTION

We strictly adhere to the GDPR's storage limitation principle (Art. 5(1)(e)), ensuring personal data is kept no longer than necessary for the purposes for which it is processed:

• Administrative & Financial Data: Your account profile data is retained for the duration of your active subscription. Upon account termination, standard account data is deleted without undue delay, while financial and billing records are securely archived for up to the statutory periods required by Finnish accounting and tax laws before permanent deletion.
• User Content (Stateless Inference): As a fundamental architectural principle, your prompt data and uploaded documents are processed ephemerally in RAM during the active session. Our infrastructure is architected to ensure they are not retained by the AI engine. If you explicitly choose to save outputs within your account dashboard, they remain encrypted and stored only until you actively delete them, terminate your account, or your account remains inactive for a continuous period of 24 months (after which they are scheduled for automated deletion).
• Log & Audit Data: General system and security logs (completely stripped of conversational context) are retained for up to 6 months, unless required for longer to support security investigations, ensure platform security, prevent fraud, and comply with AI traceability standards. Decrypted conversational data voluntarily submitted by you via the "Report" function is retained in an isolated environment strictly for the minimum time necessary to resolve the reported bug or fulfill EU regulatory audits, after which it is scheduled for secure deletion.

DATA SHARING AND SUB-PROCESSORS

• We strictly do not sell, rent, monetize, or trade your personal data. We only share data with carefully vetted third-party service providers (Sub-processors) strictly necessary for operating our infrastructure (e.g., secure cloud hosting, payment gateways, and foundational AI model providers).
• Strict DPAs & Zero Data Retention: All sub-processors are bound by strict Data Processing Agreements (DPAs). Crucially, we contractually require any external Large Language Model (LLM) providers engaged by the Service to operate under strict Zero Data Retention (ZDR) conditions, designed to ensure that your conversational data is not retained by them beyond the immediate inference process, nor is it used to train their models.
• Data Residency and International Transfers: Your data is primarily hosted and processed within the European Economic Area (EEA) / Finland. To the extent any operational data or system metrics must be transferred outside the EEA to provide the Service, we ensure such transfers are strictly protected under GDPR Chapter V mechanisms, utilizing the European Commission’s Standard Contractual Clauses (SCCs) or relying on applicable Adequacy Decisions.
• Transparency: An up-to-date list of our authorized sub-processors is continuously maintained and made available to users on a dedicated page on our official website.

YOUR RIGHTS AS A DATA SUBJECT

Under the GDPR and the Finnish Data Protection Act, you possess comprehensive rights regarding your personal data:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request the correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can request the deletion of your personal data when it is no longer necessary.
• Right to Restrict Processing & Object: You can limit or object to how we process your data, particularly for direct marketing.
• Right to Data Portability: You can request to receive your data in a structured, machine-readable format.

Please note that because your conversational prompts and uploaded documents are processed ephemerally in RAM, our infrastructure is architected to ensure they are not retained beyond the active session (unless you explicitly choose to save them to your account dashboard). Consequently, we are architecturally limited from subsequently accessing, isolating, or retrieving specific conversational data once your session is resolved. The Service’s architecture inherently supports your right to erasure by default.

To exercise any of these rights—primarily concerning your Account or Administrative Data—please contact our Data Protection Officer at the email provided below. For your protection, we may require you to verify your identity before fulfilling your request.

COMPLAINTS TO THE SUPERVISORY AUTHORITY

If you believe that our processing of your personal data infringes upon applicable data protection laws, you have the legal right to lodge a complaint with a national supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement.

In Finland, the competent authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu):

• Address: Lintulahdenkuja 4, 00530 Helsinki, Finland (PL 800, 00531 Helsinki, Finland).
• Website: www.tietosuoja.fi

CONTACT INFORMATION

To exercise your rights outlined in Section 9, or for any privacy-related inquiries, please contact our Data Protection Officer at privacy@snowlex.fi. (Full corporate registry details are provided in Section 1).