This Privacy Policy explains what personal data Mianos processes about you, why we process it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. It applies to the Mianos marketplace, our websites and mobile experience, and any related communications.
01. Who we are
Mianos is operated by Mianos Oy, a limited company registered in Helsinki, Finland. Mianos Oy is the data controller for personal data processed through the marketplace. You can contact us at privacy@mianos.com or by post at our registered office in Helsinki. If our company size or processing activities require us to appoint a Data Protection Officer, we will publish their contact details here.
02. Data we collect
We collect the following categories of personal data:
- Account data: email address, username, display name, profile photo, bio, country and city, language preference, password hash, two-factor secrets;
- Listing data: titles, descriptions, photographs, location coordinates, packaging and pricing, capacity and audience data;
- Transaction data: orders, offers, escrow status, payouts, refunds, fee breakdowns, invoices and receipts (full payment-card numbers are never stored by Mianos and are handled directly by Stripe);
- Communications data: in-platform messages between users, attachments, support tickets, emails you send to us;
- Device and technical data: IP address, browser type and version, operating system, device identifiers, log data and timestamps;
- Usage and analytics data: pages viewed, features used, click and scroll events, search queries, error reports;
- Approximate location data derived from IP and, where you grant permission, precise device location used to render maps and search results;
- KYC and verification data when required: identity-document data, business identifiers and tax numbers, processed by Stripe on our behalf for payout onboarding.
03. How we use your data
We use personal data to:
- Provide and operate the marketplace, including authentication, listings, search, messaging, offers, escrow and reviews;
- Process payments and payouts via Stripe and reconcile transactions;
- Detect, investigate and prevent fraud, abuse, security incidents and other unlawful activity;
- Comply with legal obligations such as accounting, tax, anti-money-laundering, sanctions screening and responding to lawful requests from authorities;
- Improve and develop the service through analytics, experiments and aggregated reporting;
- Communicate with you about transactions, account-security events, customer support and (with consent or where permitted) marketing.
04. Legal bases under GDPR
We process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the marketplace, run transactions and offer customer support to you as a user;
- Legal obligation (Art. 6(1)(c) GDPR) — to keep accounting and tax records, respond to lawful authority requests, and meet AML and sanctions obligations;
- Legitimate interests (Art. 6(1)(f) GDPR) — to keep the platform safe, prevent fraud, develop the service, and conduct limited direct marketing to existing customers, in each case balanced against your rights and freedoms;
- Consent (Art. 6(1)(a) GDPR) — for non-essential cookies, optional analytics, optional marketing communications and any processing of special categories of data; consent can be withdrawn at any time without affecting prior lawful processing.
05. Sharing and sub-processors
We share personal data only as needed to operate the service or to comply with law:
- Stripe (Stripe Payments Europe, Limited and affiliates) — payment processing, escrow and Connect payouts;
- Supabase (Supabase Inc.) — managed Postgres database, authentication, file storage;
- Vercel Inc. — hosting and edge networking for the website and APIs;
- Resend (Resend, Inc.) — transactional email delivery;
- PostHog Inc. — product analytics, feature flags and session replay (loaded only with consent);
- Sentry (Functional Software, Inc.) — error monitoring and performance tracing;
- MapTiler (MapTiler AG) — map tiles and geocoding;
- Other counterparties to a transaction (the buyer or seller) receive limited information about you needed to complete the order, such as your username, location and message contents;
- Law enforcement, regulators and courts where we are legally required to disclose information, or where disclosure is necessary to protect rights, property, safety or security.
We do not sell your personal data to third parties.
06. International transfers
Mianos is operated from Finland and personal data is primarily processed in the EU/EEA. Some sub-processors (notably Stripe, PostHog, Sentry and Vercel) may process data in the United States or other countries outside the EEA. Where this happens, we rely on the European Commission's Standard Contractual Clauses, supplementary safeguards where appropriate, and adequacy decisions where applicable. You can request a copy of the relevant transfer mechanism from privacy@mianos.com.
07. Retention
We keep account data for as long as your account is active and for a reasonable grace period after closure (typically up to 12 months) to handle late disputes, fraud investigations and the exercise of legal rights. Transaction records (orders, invoices, payouts and related communications) are retained for at least seven (7) years to comply with the Finnish Accounting Act and applicable tax law. Server and security logs are retained for shorter periods (typically 90 days) unless needed for a specific incident.
When retention periods end we delete or irreversibly anonymise the data so that it can no longer be linked to you.
08. Your rights
Subject to GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate or incomplete data;
- Erasure — ask us to delete your data, subject to our legal retention obligations;
- Restriction — ask us to limit our processing in defined situations;
- Portability — receive certain data in a structured, machine-readable format and have it transmitted to another controller;
- Object — object to processing based on legitimate interests, including profiling and direct marketing;
- Withdraw consent at any time without affecting the lawfulness of prior processing;
- Lodge a complaint with a supervisory authority. The competent authority in Finland is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi). In Sweden it is the Swedish Authority for Privacy Protection (IMY, imy.se). EU residents may also contact the supervisory authority of their habitual residence.
To exercise any of these rights, email privacy@mianos.com. We may need to verify your identity. We aim to respond within thirty (30) days.
09. Cookies and similar technologies
Essential cookies are used for authentication, security and to remember your language preference; they are loaded without consent because the service cannot work without them. Optional analytics cookies (PostHog) and any future marketing cookies load only after you grant consent through our cookie banner. You can change your preferences at any time from the cookie settings link in the site footer. We do not use advertising cookies.
10. Children
Mianos is not directed at children under 16 and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@mianos.com and we will take steps to delete it.
11. Security
We apply appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encryption at rest where supported by our sub-processors, role-based access controls, audit logging of administrator actions, mandatory two-factor authentication for staff with production access, and a documented incident-response process. No system is completely secure; we will notify users and the relevant supervisory authority of any personal-data breach as required by GDPR.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will give at least thirty (30) days' notice by email or through the service before the changes take effect. Your continued use of Mianos after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy questions or to exercise your rights, contact Mianos Oy at privacy@mianos.com or by post at our registered office in Helsinki, Finland.