Privacy Policy
We collect what we need to run OakWiki for you (account, workspace, billing, the content you create in pages) and nothing else. We don’t sell data. We don’t use your page content to train models. You can export everything in Markdown / HTML / JSON, delete everything, and email our DPO directly.
This Privacy Policy describes how OakWiki Oy processes personal data in the course of operating the OakWiki platform. We are the controller for the data described in section 2 unless otherwise noted, and we operate from Helsinki, Finland, under the General Data Protection Regulation (EU 2016/679) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).
01 Who we are
OakWiki Oy, Y-tunnus 3318-872-1, Tehtaankatu 27-29, 00150 Helsinki, Finland. Our Data Protection Officer is Mikko Virtanen; reachable at dpo@oakwiki.com.
02 What we collect
- Account data: email, name, hashed password, organisation membership, OAuth identity (if you signed in via Google / Microsoft).
- Billing data: billing email, address, VAT number, payment method tokens held by Stripe (we do not store card numbers).
- Workspace data: workspace name, members, settings, custom templates, group memberships.
- Page content: the pages you create, comments, attachments, page history. Processed under your instructions; we are a processor for this category.
- Activity data: who opened which page, when. Retained 30 days for security; aggregated indefinitely.
- Search queries: what you searched for in your workspace. Retained 30 days for relevance tuning; aggregated.
03 Why we collect it
- To provide the Service you requested (legal basis: contract).
- To bill you for usage above the free tier (legal basis: contract).
- To detect abuse and protect platform integrity (legal basis: legitimate interest).
- To comply with Finnish tax and accounting law (legal basis: legal obligation).
04 How it is shared
We do not sell personal data. We do not share it for advertising. We share data with a small list of subprocessors who help operate the Service:
- Stripe Payments Europe Ltd — billing (Ireland).
- Amazon Web Services EMEA — primary infrastructure (Stockholm + Frankfurt).
- Postmark (ActiveCampaign LLC) — transactional email (US, SCCs in place).
- Plausible Insights OÜ — cookie-free analytics for the marketing site (Estonia).
- Sentry GmbH — error tracking with EU data residency option (US, SCCs in place).
The current list is maintained at /subprocessors. We notify Org-plan customers at least 30 days before adding a new subprocessor.
05 Where it’s stored
Primary data is stored in AWS Stockholm (EU-North). Backups are replicated to AWS Frankfurt. Page content is stored encrypted at rest. Org-plan customers may request EU-only data residency with no backup outside the EU.
06 Retention
- Account & billing data: for the life of your account and 7 years after closure (Finnish accounting law).
- Page content: until you delete it, or 60 days of read-only access plus 30 days of export window after workspace closure.
- Activity logs & search queries: 30 days in detailed form, indefinitely as monthly aggregates.
- Page history: indefinitely while the page exists (Team and Org); 30 days on Free.
- Support communications: 24 months.
07 Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise most of these from the workspace settings. To exercise any of them by other means, email dpo@oakwiki.com — we respond within 30 days at no charge for the first request in any 12-month period.
You can also lodge a complaint with the Finnish Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi.
08 Security
All data is encrypted in transit (TLS 1.3, modern cipher suites only) and at rest (AES-256-GCM). Production access is restricted to Aino and Mikko, gated by hardware security keys, and logged. We would notify affected customers within 72 hours of becoming aware of a qualifying breach in line with Finnish notification rules.
Security disclosures are welcomed at security@oakwiki.com and our PGP key is at /.well-known/security.txt. We don’t run a paid bug bounty but we credit researchers.
09 Cookies
The dashboard uses a single first-party session cookie for authenticated sessions. We do not set advertising or third-party tracking cookies. Plausible Analytics is configured for cookie-less measurement.
10 DPO contact
Mikko Virtanen acts as our Data Protection Officer. Reach him at dpo@oakwiki.com or by post at the address in section 1.
We will post material changes to this Policy at least 30 days before they take effect, and email account holders. The current version is always at this URL.