Policy Doctor Privacy Policy

Last updated: 2.6.2026

1 General

This privacy policy contains information on how Politiikkatohtori Oy, as the data controller, collects and processes users' personal data in the Policy Doctor application. The privacy policy is updated when necessary or if applicable legislation changes.

2 Data controller

Politiikkatohtori Oy, Business ID 2785242-2

Data Protection Officer:
Antti Kähkönen
antti@politiikkatohtori.fi
050 405 3311

3 For what purpose does Politiikkatohtori collect personal data? On what grounds is personal data processed?

Politiikkatohtori collects, stores, and processes personal data concerning users of the Policy Doctor application (hereinafter also the "Service") in order to ensure the delivery of the service agreed in the service contract to the customer organizations represented by the users (hereinafter "customer"), as well as the proper use and technical functionality of Policy Doctor.

Politiikkatohtori also collects information on persons participating in the preparation of government projects from the online services of the Government and Parliament. These include project contact persons and their job duties, members of working groups and the organizations they represent, and the minister responsible for the project.

Politiikkatohtori processes data on the basis of contract, consent, and legitimate interest. Information about the user's organization is based on the contract with the customer. Other data collected about the user is collected and processed on the basis of the user's consent. Information on users and logins of customer organizations is processed on the basis of legitimate interest for the implementation of the contract, for maintaining and developing the service, and for investigating and preventing misuse.

What personal data is collected from the user and from what sources?

Politiikkatohtori receives personal data concerning the user of the application from the user's OIDC identity provider when the user signs in. In relation to users, Politiikkatohtori collects and processes the following personal data for authentication, account linking, access control, and service operations:

  • a unique user identifier
  • email address
  • basic profile details provided by the identity provider, such as name and username

The connected AI chatbot or assistant platform does not forward customer prompt content to Policy Doctor. Policy Doctor receives only derived metadata about tool usage (such as which tools are used and when).

Who processes the user's personal data, and is it disclosed to third parties?

User data is processed by Politiikkatohtori's employees and subcontractors who deliver the services included in the customer's order and train users in the use of the Policy Doctor application. Politiikkatohtori has the right to use subcontractors in connection with the performance of contractual obligations.

Is the user's personal data transferred outside the EU?

As a rule, personal data is not transferred outside the EU, but because data is stored in electronic form, for example the data centers used for cloud storage may be located outside the EU. If personal data is transferred outside the EU, it is nevertheless the responsibility of the data controller to ensure that the processing, transfer, and storage of personal data are carried out on legally required grounds and with sufficient safeguards.

How is data stored and protected?

Data is stored in Supabase's cloud service, which is protected in accordance with general industry best practices. Personal data is kept confidential and is not disclosed to others unnecessarily.

4 What rights and means of influence does the user have?

Withdrawal of consent

If the data controller processes personal data on the basis of consent, the user may withdraw consent at any time by notifying the data controller. To use Policy Doctor, the user must give consent to the processing of their personal data. Use of the service requires that consent to the processing of personal data described above remains in force. The user may withdraw the consent they have given to the processing of personal data or object to the processing of personal data. After withdrawing consent, the user can no longer use Policy Doctor, because in order to provide the service, users must be distinguishable from one another, meaning their personal data must be processed.

The user can withdraw previously given consent to the processing of personal data by contacting the Data Protection Officer of Politiikkatohtori Oy using the same email address with which consent was originally given, i.e. the one used for Policy Doctor. The user receives an email confirmation when their data and user account have been deleted from Policy Doctor.

Access to data

The user has the right to receive confirmation of whether the data controller processes personal data concerning them and to know what personal data concerning them is being processed. In addition, the user has the right to receive supplementary information on the grounds for processing personal data. Regarding data saved in the application, the user has the possibility in the Policy Doctor user interface to review and download the data in tabular format.

Right to have errors corrected

The user has the right to request that incorrect, outdated, or otherwise incomplete personal data concerning them be corrected.

Right to object to processing

If the data controller processes personal data on the basis of public interest or legitimate interest, the user has the right to object to the processing of personal data concerning them insofar as there is no compelling reason for the processing that overrides their rights, or the processing is not necessary for the handling of a legal claim.

Right to restrict processing

In certain situations, the user has the right to require that the data controller restrict the processing of their personal data.

Right to data portability

If the data controller processes the user's personal data on the basis of consent or for the performance of a contract, the user has the right to receive the data they have provided electronically in a commonly used format so that the data can be transferred to another service provider.

5 How can the user exercise their rights?

The user can exercise the rights described above by contacting the data controller. However, the data controller must verify identity before providing data so that personal data is not disclosed to the wrong person. If the user considers that the processing of their personal data is not lawful, they may file a complaint with the competent supervisory authority, i.e. the Data Protection Ombudsman.