1. Controller
The controller for this public website and related pilot communications is the Finnish sole trader listed below.
- Controller: T:mi Aslan Dogan Marketing
- Business ID: 3346878-5
- Email: contact@omaleima.fi
- Phone: 045 124 2459
- Business address: Sarvivälkkeentie 3 C 27, 90240 Oulu
- Mailing address: Sarvivälkkeentie 3 C 27, 90240 Oulu
2. What data we process
This notice covers the current public website, mobile app, pilot operations, and direct communication channels.
- Basic technical request data such as IP address, browser request metadata, and server log timestamps when you visit the public website.
- Mobile account data such as name, email address, role access, student profile tags, business or club memberships, and support requests.
- Event operation data such as registrations, QR token metadata, leima scans, scanner account/device identifiers, reward claim status, leaderboard progress, and fraud-review signals.
- Device and permission-related data when you use mobile features, including push notification tokens, camera/photo usage for QR scanning or media uploads, and scanner location proof for event-day fraud review.
- Contact details and message content when you contact us by email or through social media.
- Business and event context details that you share voluntarily when asking about pilots, club rollouts, or partnerships.
3. Purposes and legal bases
We process personal data only for defined purposes and on an appropriate legal basis under the GDPR.
- Legitimate interest: to keep the public website available, secure, and abuse-resistant.
- Contract or pre-contractual steps: to provide the OmaLeima mobile app, account access, event participation, QR scanning, leima tracking, rewards, support, and organizer operations.
- Legitimate interest: to prevent QR replay, duplicate leimas, scanner misuse, reward abuse, and event-day fraud.
- Pre-contractual steps or legitimate interest: to answer pilot, partnership, and product enquiries.
- Legal obligation: to retain records when accounting, tax, or other Finnish legal duties require it.
4. Data sources
We do not rely on any hidden data sources beyond those listed here.
- Directly from you when you email us or contact us through linked channels.
- Directly from you when you sign in, manage your profile, register for events, show or scan QR codes, claim rewards, upload approved images, or send support requests in the mobile app.
- From event organizers, approved businesses, scanner staff, and system-generated audit events when they operate OmaLeima during an event.
- Automatically from your browser and hosting infrastructure when you load the website.
5. Recipients of data
We limit access to parties that need the data for the stated purpose.
- Website hosting and infrastructure providers acting on our behalf.
- Backend, authentication, database, storage, and push-notification service providers acting on our behalf.
- Apple, Google, Expo, Supabase, and similar platform providers where their services are used for sign-in, app distribution, push delivery, hosting, or event operations.
- Email and communications providers where needed to receive and reply to your messages.
- Professional advisers or authorities if required by law or to protect legal rights.
6. International transfers
The public website is hosted on infrastructure that may involve processing outside Finland. When personal data is transferred outside the EEA, we rely on the lawful transfer mechanism used by the relevant service provider, such as an adequacy decision or standard contractual clauses.
7. Retention
We do not keep personal data longer than necessary for the purpose for which it was collected.
- Technical logs are kept only for as long as needed for security, troubleshooting, and service continuity.
- Enquiry and pilot communication records are kept only for as long as the conversation, onboarding, or related business follow-up requires.
- Mobile account, event, leima, reward, support, and audit records are kept for as long as needed to provide the service, resolve event-day disputes, prevent fraud, and meet legal obligations.
- You can request account deletion or data deletion from the mobile app support flow or by contacting us by email. We may need to verify your identity before acting on the request.
- Data may be retained longer where Finnish law, tax rules, or defence of legal claims requires it.
8. Your rights
You can use your rights, request account deletion, or request data deletion through the in-app support form or by contacting contact@omaleima.fi. We may need to verify your identity before acting on a request.
- Right of access
- Right to rectification
- Right to erasure where applicable
- Right to restriction of processing
- Right to object to processing based on legitimate interest
- Right to data portability where applicable
- Right to lodge a complaint with the Finnish Data Protection Ombudsman
9. Account and data deletion requests
This section is the public web resource for OmaLeima account deletion and associated data deletion requests.
- In the mobile app, open Profile or Settings, choose Support, then select the account and data deletion request template.
- On the web, send an account deletion or data deletion request to contact@omaleima.fi and include the email address used for OmaLeima.
- We may need to verify your identity before deleting an account or associated personal data.
- Some records may be retained where required for legal obligations, fraud prevention, security, accounting, or defence of legal claims.
10. Cookies, local storage, and mobile app data
The public website uses strictly necessary first-party cookies and similar local storage for secure sessions, dashboard authentication, language preference, form protection, and remembering cookie choices. These include our consent preference cookie (omaleima_cookie_consent) and Supabase authentication session tokens (sb-access-token and sb-refresh-token).
OmaLeima does not currently load optional analytics or marketing cookies on the public website. If optional tracking is introduced later, it should remain disabled until you give consent in the cookie settings.
The mobile app uses necessary device storage for signed-in sessions, privacy acknowledgement, language/theme preferences, QR scanning, push notification delivery, support requests, and fraud-prevention controls.
11. Security and changes
We use proportionate technical and organisational safeguards such as access controls, limited access, and service-level security controls from our infrastructure providers.