Privacy Policy
Last updated: February 20, 2026
Fyrn Oy ("Fyrn", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website (fyrn.dev), our platform (app.fyrn.dev), and related services (collectively, the "Service").
We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Finnish Data Protection Act (tietosuojalaki 1050/2018), and the Finnish Act on Electronic Communications Services (917/2014).
1. Data controller
2. Personal data we collect
We collect personal data in the following categories:
Account data
Name, email address, company name, and password hash when you create an account. If you sign up via a third-party provider (e.g., GitHub, Google), we receive your name, email, and profile identifier from that provider.
Usage data
Information about how you interact with the Service: pages viewed, features used, flow configurations created, API calls made, timestamps, and session duration.
Technical data
IP address, browser type and version, operating system, device type, and referral source. Collected automatically when you visit our website or use the Service.
Payment data
Billing address, company VAT number, and payment method details. Payment card information is processed directly by our payment processor (Stripe) and is not stored on our servers.
Communication data
Contents of emails, support tickets, or contact form submissions you send to us, including any personal data you include in those communications.
Integration data
When you configure flows, we process API credentials and connection metadata that you provide. Flow configurations (YAML DSL) may reference third-party system identifiers. We do not access or store the payload data that flows through your integrations beyond what is necessary for execution and error handling.
3. Legal basis for processing
Under GDPR Article 6, we process your personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments and invoicing | Performance of contract (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Customer support | Performance of contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that your rights and freedoms do not override our interests. You may request details of these assessments by contacting us.
4. AI and automated processing
Fyrn uses AI to generate flow configurations from natural language descriptions and to detect and fix schema drift in your integrations (self-healing). These AI features process your flow descriptions and API schema metadata. We do not use your data to train AI models. AI-generated configurations are always subject to your review and approval before deployment.
In accordance with GDPR Article 22, we do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. All automated suggestions require human confirmation.
5. Data sharing and recipients
We share your personal data only with the following categories of recipients, and only to the extent necessary:
- ● Infrastructure providers — Cloud hosting and CDN services (e.g., Cloudflare) for operating the Service.
- ● Payment processors — Stripe for payment processing. Stripe's privacy policy applies to payment data they handle.
- ● Analytics services — Privacy-focused analytics to understand how our website and Service are used. We do not use Google Analytics.
- ● AI model providers — For flow generation and self-healing features. Prompts sent to AI providers do not contain your personal data; they contain anonymized schema metadata only.
- ● Legal and regulatory — When required by Finnish or EU law, regulation, or legal process.
We do not sell your personal data to third parties. We do not share your data for advertising purposes.
6. International data transfers
Your data is primarily processed within the European Economic Area (EEA). Where we use service providers that process data outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:
- ● EU-US Data Privacy Framework adequacy decision, where applicable
- ● Standard contractual clauses (SCCs) approved by the European Commission
- ● Supplementary measures where required by transfer impact assessments
7. Data retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
| Data category | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Usage data | 26 months (rolling) |
| Technical/server logs | 90 days |
| Payment records | 6 years (Finnish Accounting Act, kirjanpitolaki 1336/1997) |
| Support communications | Duration of account + 12 months |
8. Your rights
Under GDPR and Finnish data protection law, you have the following rights regarding your personal data:
Right of access (Art. 15)
Request a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17)
Request deletion of your personal data, subject to legal retention obligations.
Right to restriction (Art. 18)
Request that we limit the processing of your personal data in certain circumstances.
Right to data portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to object (Art. 21)
Object to processing based on legitimate interests, including profiling. Object to processing for direct marketing at any time.
Right to withdraw consent (Art. 7(3))
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@fyrn.dev. We will respond within one month as required by GDPR Article 12(3). If we need additional time due to the complexity of your request, we will inform you within the initial one-month period.
9. Cookies and similar technologies
In accordance with the Finnish Act on Electronic Communications Services (917/2014, Section 205), we use cookies as follows:
Strictly necessary cookies
Required for the Service to function. These include session cookies for authentication and security tokens. No consent required under ePrivacy rules.
Analytics cookies
Used to understand how visitors interact with our website. These cookies are only set with your consent. You can manage your cookie preferences at any time via the cookie banner.
We do not use advertising or tracking cookies. We do not participate in cross-site tracking.
10. Data security
We implement appropriate technical and organizational measures to protect your personal data as required by GDPR Article 32. These include encryption in transit (TLS 1.2+) and at rest, access controls, regular security assessments, and incident response procedures. API credentials you store in Fyrn are encrypted with per-tenant keys.
11. Right to lodge a complaint
If you believe that our processing of your personal data violates GDPR or Finnish data protection law, you have the right to lodge a complaint with the Finnish supervisory authority:
Office of the Data Protection Ombudsman
(Tietosuojavaltuutetun toimisto)
P.O. Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja@om.fi
Website: tietosuoja.fi
You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work within the EEA.
12. Children's data
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. In accordance with GDPR Article 8 and Finnish implementation, the age of digital consent in Finland is 13, but our Service is designed for professional use and requires users to be at least 16.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes via email or a prominent notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact us
For questions about this Privacy Policy or our data practices, contact us at:
Privacy inquiries: privacy@fyrn.dev
General inquiries: hello@fyrn.dev