Privacy Policy
This Privacy Policy describes how Lapidary ("we", "the Service", "the operator") collects, uses, and protects your personal data. The Service is operated by an individual based in Finland and is subject to the General Data Protection Regulation (GDPR) as applicable under Finnish and European Union law.
1. Data Controller
The data controller for personal data processed through the Service is the individual operator of Lapidary, based in Finland. For data-related enquiries, please use the contact form available on the Lapidary website.
2. Data We Collect
We collect the following categories of personal data:
- Account data: email address and hashed password, collected at registration
- User content: collection entries, descriptions, notes, photographs, tags, and any other content you choose to add to the Service
- Usage data: basic technical data such as timestamps of actions within the Service (e.g. when a stone was added or deleted), stored as part of the history log feature
We do not collect device identifiers, IP addresses for tracking purposes, advertising identifiers, or any data beyond what is necessary to provide the Service.
3. How We Use Your Data
Your data is used solely to provide and maintain the Service. Specifically:
- Your email address is used for authentication and account recovery
- Your collection data is stored and displayed back to you within the Service
- No data is used for advertising, profiling, or marketing purposes
- No data is sold or shared with third parties for commercial purposes
4. Legal Basis for Processing (GDPR)
Under the GDPR, our legal basis for processing your personal data is:
- Contract performance (Article 6(1)(b)): processing your account data and user content is necessary to provide the Service you have signed up for
- Legitimate interests (Article 6(1)(f)): basic security and operational logging necessary to maintain the Service
5. Administrative Access to Your Data
Important: The Service does not implement end-to-end encryption. The operator of Lapidary has technical administrative access to all data stored on the platform, including your collection entries, photographs, notes, and account information, by virtue of administrative access to the underlying infrastructure (Google Firebase). This is an inherent technical characteristic of the Service's current architecture.
The operator undertakes not to access, review, copy, share, or otherwise process any individual user's personal data except in the following limited circumstances:
- Where required to comply with a legal obligation under Finnish or EU law
- Where necessary to investigate a specific, credible security incident directly affecting the Service
By creating an account and using the Service, you acknowledge and accept this characteristic of the Service's architecture.
6. Data Isolation Between Users
Your data is isolated from other users through security rules enforced at the database level. No other user of the Service can access, view, or modify your data through normal use of the application.
7. Third-Party Infrastructure
The Service is built on the following third-party infrastructure providers, each of which processes data as a data processor on our behalf:
- Google Firebase (Google LLC / Google Ireland Limited) — authentication, database storage, and file storage. Data is stored in the European Union (europe-west3, Frankfurt). Firebase is subject to Google's data processing terms and the EU Standard Contractual Clauses.
- Netlify, Inc. — hosting of the application frontend. Netlify processes minimal technical data to serve the application.
We do not use analytics services, advertising networks, or tracking tools.
8. Data Retention
Your data is retained for as long as your account exists. If you delete your account, your personal data will be deleted from the Service within a reasonable period, subject to any legal retention obligations. Photographs stored in Firebase Storage will be deleted as part of the account deletion process.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Article 15): you may request a copy of the personal data we hold about you
- Right to rectification (Article 16): you may correct inaccurate data directly within the Service
- Right to erasure (Article 17): you may delete your account and all associated data at any time
- Right to restriction of processing (Article 18): you may request that we restrict processing of your data in certain circumstances
- Right to data portability (Article 20): you may request an export of your data in a machine-readable format
- Right to object (Article 21): you may object to processing based on legitimate interests
To exercise any of these rights, please use the contact form on the Lapidary website. We will respond within 30 days.
10. Right to Lodge a Complaint
If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), the supervisory authority for data protection in Finland.
11. Cookies and Tracking
The Service does not use cookies for tracking or advertising purposes. Authentication tokens necessary for maintaining your logged-in session are stored in your browser's local storage or session storage and are not used for any purpose other than keeping you signed in.
12. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you become aware that a child has provided us with personal data, please contact us.
13. Changes to This Policy
This Privacy Policy may be updated from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the Service following any changes constitutes acceptance of the updated policy.
14. Contact
For any questions, data requests, or privacy-related concerns, please use the contact form available on the Lapidary website. We aim to respond to all enquiries within 30 days.