Privacy Policy (GDPR)

Updated: 17 May 2026

1. Data controller

The Suomen pyörärekisteri service is operated by Safelight Productions Oy. Safelight Productions Oy (Business ID 2564182-4) is the data controller for user personal data in this service. Official contact and address details are available from the Finnish Business Information System (YTJ).

2. What data we collect

We only collect data necessary for operating the service:

  • account email address and login-related data
  • bike data added by the user (for example frame number, make, model)
  • technical usage logs for service security
  • IP address captured at signup for abuse prevention
  • automated content checks on anonymous sighting forms (/check, /stolen) before the message is stored (rule-based; no human reads the text before rejection); rejected messages are not stored

3. Public frame check and stolen listings

Features available without sign-in may show only limited bike-related information needed for the service. The aim is to help owners and buyers and to share information in theft situations without exposing your full identity.

  • Frame number check (`/check`): search uses the full frame number you enter. The response masks the frame number (for example showing only the last characters). The result may include make, model, colour, bike status (ok or stolen), time of theft marking, and the display name set on your account only when the bike is not marked as stolen. Your email address or other sign-in identifiers are not shown in the public result.
  • Public list of stolen bikes (`/stolen`): the listing may show information you reported, such as make, model, colour, last part of the frame number, location text you provide, report time, and a bike photo published with the theft report. The owner’s personal contact details (for example email) are not shown in the listing.

4. Purpose and legal basis of processing

We process personal data to provide the service, manage accounts, prevent misuse, and verify bike ownership and status. The table below lists typical processing activities and their usual legal basis under the GDPR.

| Processing | Typical legal basis |
| --- | --- |
| Account and bike data management, sign-in, and core service features | Contract (GDPR Art. 6(1)(b)) |
| Public frame number check and stolen listings (limited bike data only, as described above) | Legitimate interests (Art. 6(1)(f)); for you as the data subject, contract (Art. 6(1)(b)) in part where the data is information you have submitted yourself |
| Security, abuse prevention, technical logging, rate limiting, and reducing spam and automation (including Cloudflare Turnstile on sighting forms) | Legitimate interests (Art. 6(1)(f)) |
| Data export and erasure requests via profile settings and logging of those requests | Contract (Art. 6(1)(b)) and, where applicable, legal obligation or exercising your rights (Art. 6(1)(c)) |
| Service-related update emails (e.g. new features) to registered users | Legitimate interests (Art. 6(1)(f)) and contract (Art. 6(1)(b)); you may opt out in your profile or via a link in the message; your choice is stored on your account |
| Any non-essential cookies or analytics if we introduce them later | Consent (Art. 6(1)(a)) |

5. Cookies and similar technologies

We currently use only cookies that are strictly necessary for service operation. We do not use analytics or advertising cookies without separate rollout and consent handling. On anonymous sighting forms (/check, /stolen) we use Cloudflare Turnstile to reduce spam and automated abuse; technical processing is performed by Cloudflare under their privacy policy.

| Cookie | Purpose | Category | Retention |
| --- | --- | --- | --- |
| `site_locale` | Stores the user's language preference (fi/sv/en) so the UI opens in the selected language. | Strictly necessary | 12 months |
| `sb-*-auth-token*` | Supabase Auth session cookies that enable secure sign-in and access to protected pages. | Strictly necessary | Session-based / token lifetime |

  • First-party cookies are set only to support core service functionality.
  • Analytics and marketing cookies are not currently in use.
  • If we introduce non-essential cookies (for example analytics/ads), we will request consent before setting them.
  • Cloudflare Turnstile (third party) may set cookies or similar identifiers on Cloudflare domains while the challenge runs. Turnstile typically evaluates browser/device signals and interaction for bot mitigation; it does not replace how the sighting message itself is stored in our service. Cloudflare: https://www.cloudflare.com/privacypolicy/

6. Data retention

We retain data only as long as required for service purposes or legal obligations. In profile settings, users can request a data report and data erasure with email confirmation.

  • GDPR report download links expire in 48 hours
  • Expired report files are removed automatically
  • Erasure requests are processed automatically after confirmation
  • Old request logs are cleaned automatically based on retention period

7. How GDPR requests are handled

Data subjects can submit requests directly from profile settings (after sign-in) by choosing either a data export request or a data erasure request.

  • Each request requires email confirmation before processing.
  • Data erasure requests use a 24-hour safety period after confirmation before final deletion.
  • Data reports are generated automatically and delivered via a single-use download link.
  • The download link and report file expire automatically after the set period.
  • Erasure requests are processed automatically in the background after confirmation.
  • Request statuses are logged in the system (for example pending confirmation, queued, processing, completed, expired).
  • All deletion events are recorded as separate audit log entries.

Our goal is to process requests without undue delay. If a request requires clarification, administration may contact the data subject.

8. Disclosure and international transfers

We do not sell personal data. To run the service, data is processed in cloud infrastructure (Supabase: including database, authentication, and file storage). Web traffic and bot protection may be routed through Cloudflare, Inc. (Turnstile and any CDN). Subprocessors may be located inside or outside the EU/EEA. If data is processed outside the EU/EEA, we use appropriate transfer mechanisms (for example the European Commission’s standard contractual clauses or other safeguards under GDPR Article 46). More detail on subprocessors and processing locations is available from administration. Cloudflare Turnstile: https://www.cloudflare.com/privacypolicy/

9. Security and personal data breaches

We protect personal data with common technical and organisational measures (including TLS-encrypted transfer, access controls, and data minimisation). If a personal data breach affects you, we will, where required, notify the supervisory authority and data subjects under applicable law without undue delay.

10. Data subject rights

You have the right to:

  • access your personal data
  • request correction of inaccurate data
  • request data erasure
  • restrict or object to processing where permitted by law
  • lodge a complaint with a supervisory authority

If you consider the processing unlawful, you may lodge a complaint with a supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).

In other EU/EEA countries you may also contact your local supervisory authority.

11. Contact

For privacy-related requests, you can contact service administration by email: info@suomenpyorarekisteri.fi.