Skip to content
PikkuRetki
PikkuRetki

Privacy Policy

The privacy policy explains how PikkuRetki handles information related to the web service and public content.

Last updated: 30 May 2026

PikkuRetki helps parents and caregivers find kid-friendly events and activities in Helsinki, Espoo, and Vantaa. You can browse public content without creating an account.

This Privacy Policy explains what personal data PikkuRetki uses, why it is used, who may process it, how long it is kept, and what choices and rights you have.

Controller

PikkuRetki is run by an individual based in Finland.

Controller: Nicolas Louis Contact: contact@pikkuretki.com

Short version

PikkuRetki is designed to collect as little personal data as reasonably possible.

  • PikkuRetki does not sell personal data.
  • Public browsing does not require an account.
  • Accounts are optional and used for saved favorites and additional features.
  • Privacy choices are stored locally on your device.
  • Plausible Analytics is optional and used only if you allow it.
  • Nearby discovery can use your device location, but PikkuRetki does not save your exact location.
  • Approximate distance display is optional, account-gated, and uses browser location only after you enable it on a device.
  • Travel estimates can use your device location and send route coordinates to Digitransit/HSL only after you request an estimate.
  • Embedded maps and external links may cause third-party services to process normal technical request data.

Providing Personal Data Is Optional

Most PikkuRetki features can be used without providing personal data beyond ordinary technical request data.

You only need to provide personal data when you choose an optional feature that needs it. For example, an email address is needed for an account, a support reply, a newsletter, or a marketing message; browser location is needed for nearby discovery, approximate distance display, or a travel estimate; and a support or correction message is needed if you want PikkuRetki to reply or investigate a correction.

If you do not provide the data needed for an optional feature, you can keep using PikkuRetki, but that specific feature may not be available.

Data PikkuRetki Processes

Public browsing and service security

Technical service providers may process IP address, browser or device information, requested pages or URLs, timestamps, DNS and routing data, security logs, and diagnostics.

This is used to provide, secure, maintain, debug, and protect the service. The legal basis is legitimate interest.

For logs and diagnostics controlled by PikkuRetki, routine operational records are normally deleted or anonymized within 90 days. They may be kept longer if needed for security incidents, troubleshooting, abuse prevention, legal claims, or service reliability. Provider-managed service logs follow the provider's own retention settings.

Local privacy choices and app preferences

PikkuRetki stores privacy choices, analytics choices, dismissed prompts, and similar app preferences locally on your device.

This is used to remember your choices and operate the preferences you selected.

The legal basis for storing necessary local choices and preferences is legitimate interest. When a choice controls an optional feature such as analytics, the legal basis for that optional feature is consent.

On the web version, these choices are stored in browser localStorage. They stay on your device until you clear browser, or device storage.

Optional account and saved favorites

You can create an optional account for saved favorites, account export, profile self-service, and account deletion.

When you sign in, PikkuRetki may store Hanko (auth provider) user ID, primary email address, preferred language, account timestamps, consent records, saved favorites, and limited deletion status if needed.

This is used to provide account features you choose to use, secure those features, support account export, and handle account deletion.

The legal basis is performance of the account service you request when you create or use an account. Security, abuse prevention, limited deletion status, and reasonable support status are based on legitimate interest. Optional consent records are based on consent where they relate to consented features.

Account data and saved activity favorites are kept while the account is active. Saved event favorites may be removed automatically after the event date has passed. When you delete the account, PikkuRetki deletes saved favorites and removes or anonymizes the local account record, except limited deletion or support status if needed.

PikkuRetki does not store exact browser coordinates or location history, support message text, analytics identifiers, authentication secrets, or private editorial data in public user account records.

Authentication through Hanko

Account sign-in is handled by Hanko. Depending on the method you choose, Hanko may process your email address, login method data, passkey data, two-factor authentication data, session data, and related authentication records.

Hanko uses this data to register accounts, sign users in, keep sessions valid, and support profile self-service.

For PikkuRetki's use of Hanko as the account sign-in provider, the legal basis is performance of the account service you request and legitimate interest in keeping accounts secure.

PikkuRetki does not receive or store your password, passcode, passkey secret, or TOTP secret. Hanko-side data is handled according to Hanko's service settings and deletion flows.

Newsletter and marketing messages

Newsletter and marketing messages are optional and separate. PikkuRetki uses your email address and consent records only if you give the matching consent.

The legal basis is consent. You can refuse consent, leave consent unchecked, or withdraw consent later from the account page.

Consent records are kept until you withdraw consent or delete the account, unless limited records are needed to prove or handle the withdrawal.

Optional Plausible Analytics

If you allow analytics, PikkuRetki uses Plausible Analytics to understand how public pages and features are used and how they can be improved.

Analytics may record allowlisted public pageviews, coarse product events, safe campaign parameters, aggregate engagement metrics, and dashboard dimensions such as browser, operating system, device type, referrer, and approximate geography derived by Plausible from request metadata such as IP address.

The legal basis is consent. PikkuRetki does not use Plausible Analytics for advertising, does not sell analytics data, and does not send exact browser location, account identifiers, email addresses, form message text, private editorial data, or full external URLs to Plausible through PikkuRetki code.

Analytics data follows the active Plausible dashboard and plan retention settings. PikkuRetki does not keep a separate raw analytics export.

Nearby discovery

If you use a nearby feature, your browser or device will ask for location permission.

Your exact latitude and longitude are sent to PikkuRetki only for the current nearby request. PikkuRetki uses your location and search radius temporarily to find, filter, rank, and return nearby public results with distance values.

The legal basis is consent.

PikkuRetki does not save your exact location to its backend database or send it to Plausible Analytics through PikkuRetki code.

You can use PikkuRetki without allowing location access.

Approximate distance display

If you sign in and enable approximate distance display, PikkuRetki stores your account consent for that feature.

Your browser or device still asks separately before sharing location with the website. The current browser location is kept in memory on your device and used to calculate approximate distance to events and activities with verified public coordinates.

The legal basis is consent.

PikkuRetki does not save your exact browser coordinates, location history, or per-listing distance history to your account, backend database, local storage, cookies, URLs, Plausible Analytics, Hanko, OpenFreeMap, support forms, or correction forms.

You can turn off distance display from the account page. You can also deny or block browser location permission and keep using PikkuRetki.

Optional travel estimates

If you request a travel estimate, your browser or device may ask for location permission.

Your current browser coordinates, the public destination coordinates, selected departure time, and locale are sent to PikkuRetki for the current request. PikkuRetki forwards the route estimate details needed by Digitransit/HSL to estimate public transport and walking routes.

The legal basis is consent. This feature is optional and is used only to return the travel estimate you requested.

PikkuRetki does not save your exact browser coordinates, travel origins, route history, or per-user travel estimate history.

Digitransit/HSL request logs are handled according to the provider's own policy and infrastructure settings. PikkuRetki does not control those retention periods.

You can use PikkuRetki without requesting travel estimates.

Embedded maps

If you open an embedded map, your browser may request map styles or tiles from a map provider. These requests may include IP address, browser or device information, referring page, requested tile or style URL, and timestamps.

This is used to show optional map-based discovery and maintain map reliability. The legal basis is legitimate interest.

PikkuRetki does not send saved favorites, support messages, private editorial data, exact nearby-search location, or travel-estimate origin to the map tile provider.

Map provider request logs are handled according to the provider's own policy and infrastructure settings. PikkuRetki does not control those retention periods.

Support, feedback, and correction messages

If you contact PikkuRetki by email or through a support, feedback, or correction form, PikkuRetki uses your email address, your message, and any information you choose to include.

This is used to reply to you, investigate corrections, improve content quality, keep reasonable records, and protect the service.

The legal basis is legitimate interest in replying to requests, correcting content, maintaining reasonable records, and protecting the service.

The public forms are protected by Cloudflare Turnstile, Cloudflare may process challenge data, verification tokens, IP address, browser or device information, timestamps, and related security data.

Email delivery is configured via Brevo, which receives the outgoing email payload needed to deliver the message to PikkuRetki. This may include your name, email address, message, selected topic, and content context that you submitted.

Please do not send unnecessary personal data about children or other people.

Messages are reviewed for deletion or anonymization within 12 months after the request is closed. They may be kept longer if needed for unresolved correction work, abuse prevention, legal claims, or service security.

Internal editorial and operator access

Authorized maintainers may use repository workflows, hosting and database systems, service consoles, and command-line processes to publish reviewed content and operate PikkuRetki.

For these people, PikkuRetki may process maintainer email address or account identifier, access logs, publication and review actions, content changes, timestamps, security logs, and audit logs.

This is used to protect the service, prevent misuse, and keep editorial changes accountable. The legal basis is legitimate interest.

Short-lived access, security, and diagnostic logs follow the technical service log criteria above. Repository commits, publication history, review actions, and audit records needed for editorial accountability may be kept for the life of the repository or content history.

Cookies and Local Storage

PikkuRetki app code does not use cookies for favorites, privacy choices, app preferences, or analytics consent.

On the web version, PikkuRetki uses browser localStorage to remember privacy choices and app preferences. If you clear browser storage, these choices may be removed.

If you sign in, Hanko uses the hanko session cookie for authentication. Cloudflare, Hanko, browsers, and hosting systems may also use their own cookies or similar technologies for security, authentication, traffic management, analytics, abuse prevention, diagnostics, or service operation.

Service Providers and Transfers

PikkuRetki uses the main providers below. The role named for each provider describes its main role for PikkuRetki's use. Some providers may also process limited data for their own security, service operation, legal compliance, billing, or abuse-prevention purposes under their own terms.

  • Hetzner: service provider / processor for production website hosting infrastructure, with provider-managed security and operations processing under Hetzner's own terms.
  • Postgres database hosting: service provider / processor for server-owned account data storage for PikkuRetki account metadata, consents, deletion markers, and synced favorites.
  • Hanko: mixed role provider for account registration, login, email verification, passcodes, password and passkey flows, two-factor authentication, session management, profile self-service, and current-user account deletion. For PikkuRetki account features, Hanko mainly acts as the authentication service provider, while Hanko may also process service, security, and legal-compliance data under its own terms.
  • Brevo: service provider / processor for email delivery for public support, feedback, correction, suggestion, and contact forms when configured, with provider-managed account, delivery, security, and abuse-prevention processing under Brevo's own terms.
  • Cloudflare: mixed role provider for domain services, DNS, routing, security, performance, reliability, infrastructure analytics, email routing, and Turnstile form protection when configured. Some Cloudflare network and security processing is handled under Cloudflare's own terms.
  • Plausible Analytics: service provider / processor for optional product analytics when you allow analytics, with provider-managed service, security, and operations processing under Plausible's own terms. Plausible is incorporated in Estonia and says visitor data is processed and stored in the EU on European-owned infrastructure.
  • OpenFreeMap: independent controller / third-party provider for embedded map styles and tiles when maps are opened. OpenFreeMap is operated by Hyperknot Software Kft. in Hungary and uses OpenStreetMap-based map data and delivery infrastructure that may include Cloudflare.
  • Digitransit/HSL: independent controller / third-party provider for optional public transport and walking travel estimates when you request a travel estimate.

Where PikkuRetki controls the deployment or storage region for its own project resources, European regions are chosen, including Finland where available and practical.

Some processing, support, security, routing, diagnostics, analytics, email-delivery, or provider-managed operations by Cloudflare, Hanko, Plausible Analytics, Brevo, Digitransit/HSL, map providers, or their delivery infrastructure may involve infrastructure outside Finland or outside the EU/EEA.

Where required, transfers outside the EU/EEA are handled under applicable safeguards such as adequacy decisions, EU standard contractual clauses, provider data processing terms, or other transfer mechanisms used by the relevant provider. You can contact PikkuRetki at contact@pikkuretki.com to ask which safeguard applies to a specific provider or processing activity and how to access the relevant public provider terms, data processing terms, adequacy decision information, or standard contractual clauses where available.

Cloudflare infrastructure analytics are separate from optional Plausible Analytics and are used by PikkuRetki only to operate and protect the service.

External Links

PikkuRetki may link to event organizers, venues, booking pages, ticketing services, public transport services, map services, support flows, and other external websites.

If you open an external link, that service may process data under its own terms and privacy policy.

Map links and some support flows may open Google services outside PikkuRetki.

Children

PikkuRetki is intended for parents and caregivers. Public browsing does not require children to create accounts, and PikkuRetki does not intentionally collect children's personal data through public browsing.

If a support or correction message accidentally includes children's personal data, PikkuRetki will use it only to handle the request. It will not be used for analytics or advertising.

Your Choices

You can:

  • use PikkuRetki without a public user account
  • create an optional account for saved favorites
  • download an account data export
  • delete your account
  • leave newsletter and marketing consent unchecked
  • withdraw newsletter or marketing consent later from the account page
  • leave distance display off or withdraw distance-display consent later from the account page
  • reject optional Plausible Analytics or turn it off later from Privacy choices
  • deny browser or device location permission
  • use PikkuRetki without nearby discovery
  • use PikkuRetki without requesting travel estimates
  • use PikkuRetki without opening embedded maps
  • clear local privacy choices and app preferences by clearing browser storage
  • avoid sending support or correction messages if you do not want to share contact details

Your Rights

Where applicable, you may have the right to:

  • access your personal data
  • correct inaccurate personal data
  • request deletion of personal data
  • restrict processing
  • object to processing
  • request data portability
  • withdraw consent for optional Plausible Analytics
  • withdraw consent for newsletter or marketing communication
  • withdraw consent for distance display
  • withdraw consent for travel estimates by not requesting an estimate or by denying or blocking browser location permission
  • lodge a complaint with a data protection authority

To make a request, contact:

contact@pikkuretki.com

Because public browsing does not require an account and many choices are stored only on your device, PikkuRetki may not always be able to identify you from public browsing alone.

If your request relates to local privacy choices or app preferences, you can remove them by clearing browser storage on your device. If your request relates to a support message, please contact PikkuRetki from the same email address you used when sending the message.

PikkuRetki does not use automated decision-making that produces legal or similarly significant effects for you.

Data Protection Authority

If you believe your personal data has been processed in violation of data protection law, you may contact the Finnish data protection authority:

Office of the Data Protection Ombudsman Website: https://tietosuoja.fi/en

Changes to This Policy

PikkuRetki may update this Privacy Policy when the service, technical implementation, providers, or legal requirements change. The "Last updated" date shows when this policy was last changed.

If a change is important, PikkuRetki may provide a clearer notice in the app or on the website.

Contact

For privacy questions or requests, contact:

contact@pikkuretki.com