Privacy Policy
This Privacy Policy explains how Balagan Childhood ("we", "us", "our") collects, uses, and protects personal data when you visit www.balaganchildhood.com or use our client dashboard at dash.balaganchildhood.com (together, "the Service").
We are based in Finland and subject to the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. Your rights under GDPR apply regardless of where you are located.
1. Who We Are (Data Controller)
Balagan Childhood
Y-tunnus (Business ID): 3634062-1
VAT number: FI36340621
Finland
Contact: [email protected]
For any privacy-related question, request, or complaint, please contact us at the address above. We aim to respond within 30 days.
2. What Data We Collect and Why
2.1 Account Data
When you create an account we collect:
- Email address — to identify your account, send transactional emails (order confirmation, password reset, email verification), and allow you to log in.
- Password — stored as a salted and peppered cryptographic hash (PBKDF2). We never store your password in plain text.
- Display name (optional) — used in the dashboard interface.
Legal basis: contract performance (Article 6(1)(b) GDPR) — an account is required to purchase and download products.
2.2 Billing Data
When you place an order we collect:
- Full legal name and, for business customers, company name and VAT/business ID
- Billing email address
- Phone number
- Billing address (street, postal code, city, country)
- Customer type (private individual or business)
- Invoice reference (optional, for business customers)
- Timestamps recording when you accepted our Terms of Use and Privacy Policy
Legal basis: contract performance (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) — billing records are required for VAT compliance and invoicing obligations under Finnish and EU law.
2.3 Order, Invoice, and Payment Data
- Order amounts, line items, currency, and status
- Invoice PDFs (stored securely in EU-based cloud storage)
- Payment method type and payment status (we do not store card numbers — card processing is handled entirely by Mollie B.V. or your bank)
Legal basis: contract performance and legal obligation. Invoice records are retained for at least 6 years to comply with Finnish accounting law.
2.4 Download and Session Data
- Download events — we log which files you download, the timestamp, and a one-way hash (SHA-256) of your IP address and browser user-agent. Raw IP addresses are not stored.
- Authentication sessions — when you log in we store a hashed refresh token, a hashed IP address, and a hashed user-agent to detect session anomalies. Raw IP addresses are not stored in session records.
- Access tokens — short-lived JSON Web Tokens (JWT) used to authorise API requests. Not stored server-side beyond the session record.
Legal basis: legitimate interests (Article 6(1)(f)) — protecting our service against fraud and unauthorised access, and verifying licence entitlements.
2.5 Email Newsletter (Optional)
If you subscribe to our newsletter or monthly freebie emails, we store your email address for that purpose. You can unsubscribe at any time using the link in any email we send.
Legal basis: consent (Article 6(1)(a)). You may withdraw consent at any time without affecting your account or any prior purchases.
2.6 Contact Form
If you contact us via our contact form, we collect your name, email address, and message content in order to respond to your enquiry.
Legal basis: legitimate interests (responding to your request).
3. How We Protect Your Data
- Email addresses are stored encrypted (AES encryption) in our database. We also store a normalised hash of each email to allow lookups without decrypting at scale.
- Passwords are stored as PBKDF2 hashes with a server-side pepper — never in recoverable form.
- IP addresses are never stored raw — only one-way SHA-256 hashes.
- All data is stored on Cloudflare infrastructure with EU-jurisdiction data residency.
- All connections to our services are encrypted via TLS.
- Access to administrative systems is restricted to authorised personnel only and is logged.
4. Who We Share Your Data With
We do not sell your personal data. We share data only with the following processors, under data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Database, file storage, CDN, Workers (compute) | EU data residency |
| Mollie B.V. | Payment processing for private customers (cards, bank transfer, and other methods) | Netherlands (EU) |
| Scaleway SAS | Transactional email delivery | France (EU) |
Business (institution) customers pay by invoice via bank transfer. No payment processor is involved in those transactions; your billing details are used only to generate and send the invoice.
We may also disclose data if required by law, court order, or to protect our legal rights.
5. International Transfers
All primary data storage is within the EU. Cloudflare, Mollie, and Scaleway are EU-based or EU-compliant processors under GDPR Chapter V. If any transfer to a third country is required, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
6. How Long We Keep Your Data
| Data category | Retention period |
|---|---|
| Account and billing data | For the duration of your account, then 6 years after last transaction (Finnish accounting law) |
| Invoice records | Minimum 6 years (Finnish Accounting Act) |
| Download event logs | 24 months, then deleted |
| Authentication session records | Until session expires or is revoked, maximum 90 days |
| Email newsletter subscription | Until you unsubscribe, then deleted within 30 days |
| Contact form messages | 12 months after last correspondence |
7. Cookies and Tracking
We use only strictly necessary cookies and browser storage to operate the Service (for example, to keep you logged in). We do not currently use any analytics, advertising, or third-party tracking cookies. If we introduce optional cookies in the future, we will update this policy and request your consent.
See our Cookie Policy for full details.
8. Your Rights Under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to our legal retention obligations (e.g., invoices must be kept for 6 years).
- Restriction — ask us to restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g., newsletter), withdraw at any time without affecting prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.
9. Children's Privacy
Our Service is intended for use by adults — parents, educators, and early childhood professionals. We do not knowingly collect personal data from children under the age of 16. Our materials are designed for use with young children by supervising adults; the children themselves do not create accounts or submit personal data through our Service. If you believe a child has provided us with personal data without appropriate consent, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and update the "Last updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
All privacy enquiries: [email protected]
Balagan Childhood, Finland