Privacy Notice
Last updated: June 13, 2026
1. Controller
CARIO Intelligence Oy ("CARIO", "we", "us"), registered in Finland, is the data controller for personal data processed in connection with the CARIO INTEL platform (the "Service"). You can reach us at privacy@carionexus.com.
2. Personal data we collect
- Account data: name, email address, hashed credentials, organisation, role.
- Authentication data: login timestamps, OAuth provider identifiers (e.g. Google), session tokens.
- Usage and telemetry: pages viewed, features used, scan queries, error logs, device and browser information, IP address.
- Customer content: investigation inputs, uploaded files, notes, and outputs you generate inside the Service.
- Support data: messages you send to us and related correspondence.
- Billing data: collected and processed by Paddle (our Merchant of Record). We receive limited transactional metadata (plan, status, last 4 digits, country) — we do not store full payment card details.
3. Purposes and legal bases
- Provide the Service (contract) — create your account, run scans, store your workspace.
- Billing and subscription management (contract) — via Paddle as Merchant of Record.
- Security and fraud prevention (legitimate interests, legal obligation) — abuse detection, audit logs, access control.
- Product improvement (legitimate interests) — analytics on feature usage and performance.
- Customer support (contract / legitimate interests) — handling your requests.
- Marketing (consent or legitimate interests) — product updates; you may opt out at any time.
- Legal compliance (legal obligation) — responding to lawful requests, tax records.
4. How we share data
We share personal data with:
- Hosting and infrastructure providers that operate our database, storage, and edge runtime.
- Paddle.com as our Merchant of Record for the sale of subscriptions, payment processing, tax compliance, invoicing, and refunds. Paddle's privacy practices are described at paddle.com/legal/privacy.
- AI model providers we use to power assistant and correlation features, under data-processing terms that prohibit training on your content.
- Analytics and error monitoring vendors strictly to operate and improve the Service.
- Professional advisers (legal, accounting) when necessary.
- Authorities when required by applicable law, court order, or to protect rights and safety.
We do not sell personal data.
5. International transfers
Some of our providers are located outside the EU/EEA. Where data is transferred internationally, we rely on safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and adequacy decisions.
6. Retention
We retain account data for the duration of your subscription and for a reasonable period afterwards to handle disputes, comply with tax and accounting obligations, and protect our legal rights. Customer content is retained according to the Vault retention applicable to your plan. Billing records are retained for the period required by applicable tax law (typically 6–10 years). Data no longer required is deleted or anonymised.
7. Your rights
Under the GDPR and equivalent laws, you have the right to access, rectify, erase, restrict, or port your personal data, to object to certain processing, and to withdraw consent at any time. You also have the right to lodge a complaint with your supervisory authority (in Finland, the Office of the Data Protection Ombudsman). To exercise these rights, email privacy@carionexus.com. We will respond within one month.
8. Security
We apply appropriate technical and organisational measures, including encryption in transit, encryption at rest for sensitive fields, role-based access control, audit logging, and routine security review.
9. Cookies
We use strictly necessary cookies to operate authentication and security features. We may use analytics cookies to understand aggregate usage; where required, we ask for your consent before setting them. You can manage cookies via your browser settings.
10. Changes
We may update this Privacy Notice. We will notify you of material changes by email or in-app notice.