GDPR & Privacy Policy

1. Data Controller

The data controller responsible for personal data processed through the osmioai.com website and related services is:

For any questions regarding the processing of your personal data or to exercise your rights, please contact us at the email address above.

2. What We Collect

Osmio AI operates a company website that does not require registration or login. We process only the minimum data necessary. Depending on how you interact with the site, we may process:

2.1 Data you provide directly

• Email address – when you contact us via email (hello@osmioai.com)
• Message content – any information you include in emails or enquiries

2.2 Data collected automatically

• Server logs – IP address, browser type, referring URL, pages visited, and timestamps, retained briefly by Cloudflare's infrastructure
• Cookies / local storage – see Section 10 for details

We do not collect special categories of personal data (e.g. health, biometric, or financial data) through this website.

3. Legal Basis for Processing

We rely on the following legal bases under GDPR Article 6:

• Legitimate interests (Art. 6(1)(f)) – for server logs and security monitoring necessary to operate a safe website
• Performance of a contract / pre-contractual steps (Art. 6(1)(b)) – when you contact us regarding a potential collaboration or service enquiry
• Consent (Art. 6(1)(a)) – for any optional analytics or tracking cookies, if and when these are introduced

4. Purpose of Processing

• Responding to enquiries and communications sent to us
• Operating, securing, and improving the website
• Complying with legal obligations
• Detecting and preventing abuse, fraud, or security threats

We do not use your personal data for automated decision-making or profiling.

5. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected:

• Email correspondence – retained for up to 3 years or until the relevant business relationship ends, whichever is earlier
• Server / infrastructure logs – typically retained by Cloudflare for up to 30 days for security and performance purposes

After the applicable retention period, data is securely deleted or anonymised.

6. Third-Party Service Providers

We use a limited number of trusted third-party providers to operate our services. These providers act as data processors under GDPR and are contractually bound to process data only on our behalf:

• Cloudflare, Inc. – DNS, CDN, DDoS protection, and website hosting. Cloudflare may process server log data as described in their Privacy Policy.
• GitHub, Inc. – Source code hosting via GitHub Pages or Actions used in our CI/CD pipeline.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our third-party providers are located outside the European Economic Area (EEA). Where personal data is transferred to non-EEA countries, we ensure appropriate safeguards are in place, such as:

• European Commission Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable

Cloudflare and GitHub maintain compliance with GDPR and standard data transfer mechanisms. You can request further information about these safeguards by contacting us at hello@osmioai.com.

8. Your Rights Under GDPR

As a data subject under the EU General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15) – obtain confirmation of what data we hold about you
• Right to rectification (Art. 16) – request correction of inaccurate data
• Right to erasure (Art. 17) – request deletion of your personal data where no legitimate ground for retention exists
• Right to restriction of processing (Art. 18) – request that we limit processing in certain circumstances
• Right to data portability (Art. 20) – receive your data in a structured, machine-readable format
• Right to object (Art. 21) – object to processing based on legitimate interests
• Right to withdraw consent – where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at hello@osmioai.com. We will respond within one month. If you are not satisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include:

• HTTPS encryption for all website traffic (TLS 1.2+)
• Cloudflare DDoS protection and WAF
• Access controls and principle of least privilege for internal systems
• Regular review of third-party security practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Cookies

The osmioai.com website is a static informational site. We do not currently set analytics or advertising cookies.

Cloudflare may set strictly necessary cookies for security purposes (e.g. __cf_bm for bot management). These cookies do not require consent under the ePrivacy Directive as they are essential for the security and integrity of the site.

If we introduce optional analytics in the future, we will update this policy and obtain your consent before setting such cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page will always indicate the most recent revision. We encourage you to review this page periodically.

Significant changes will be communicated where feasible (e.g. a notice on our homepage).

12. Contact & Supervisory Authority

For any questions or requests regarding this Privacy Policy or your personal data, please contact:

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman if you consider that our processing of your data violates the GDPR: