Aitta Privacy Notice

Last updated: May 7, 2026

Table of Contents

  1. Controller
  2. Contact person for register-related matters
  3. What are the legal grounds for processing personal data?
  4. What are the purposes of processing personal data?
  5. Do we use automated decision-making or profiling?
  6. What data do we process?
  7. Where do we get your data from?
  8. To whom do we disclose your data?
  9. Do we transfer data outside the EU or EEA or to international organizations? Or to which countries do we transfer data and what are the grounds for these transfers?
  10. How long do we keep your data?
  11. How do we protect your data?
  12. What are your rights as a data subject?
  13. Who should you contact?
  14. Changes to the privacy policy

Controller

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo, Finland
Tel. +358 (0)9 457 2821 (operator) servicedesk@csc.fi
Business ID: 0920632-0 www.csc.fi
(Hereinafter referred to as "we" or "CSC")

Contact person for register-related matters

Data asset owner: servicedesk@csc.fi
Data Protection Officer: privacy@csc.fi

What are the legal grounds for processing personal data?

The data subjects for this processing activity are users of the service. Processing of personal data is based on a contract.

What are the purposes of processing personal data?

Personal data is processed in order to provide the service and basic service monitoring.

Do we use automated decision-making or profiling?

Data is not used for profiling purposes. We may use automated decision-making in some cases, if the law allows it, or if you have given your consent separately, or if it's necessary for the execution of the contract.

What data do we process?

We are processing the following personal data:

  • CSC username or Puhuri username
  • Unique ID for the system
  • Project memberships
  • Service access timestamps
  • IP addresses

Where do we get your data from?

We receive all the personal data concerning the data subject from the data subject themselves.

In case of authenticating through European identity providers, we get the personal data via our partners from where you have found the service, and you authenticate yourself through while consenting to identity attribute release.

To whom do we disclose your data?

We can hand over your personal data to others to the extent required by law and as necessary for the provision of services and compliance with agreements.

Do we transfer data outside the EU or EEA or to international organizations? Or to which countries do we transfer data and what are the grounds for these transfers?

Personal data is not transferred outside the European Union (EU) or the European Economic Area (EEA). If the transfer of data is necessary to provide the service, this has been separately announced or agreed upon.

How long do we keep your data?

Personal data is retained only as long as it is necessary for providing the service or according to the statutory retention periods. Content of the prompts and model responses are not stored to permanent memory. Personal data is stored during active usage, but it is stored only to volatile memory and not permanently.

Once the retention period for personal data has expired and there are no longer grounds for processing them within the limits permitted by data protection legislation, the personal data will be deleted.

How do we protect your data?

Only persons who have the right to process the personal data on behalf of CSC can access the data files in accordance with their job descriptions. Access to personal data is restricted. Encryption is used for in-transit data.

What are your rights as a data subject?

Data subjects have the rights under the General Data Protection Regulation to, among other things, inspect their own data, access personal data and demand the correction of incorrect data concerning them. The right of inspection or access to data is carried out according to resources without undue delay, but always within the time limit required by the General Data Protection Regulation at the latest. The identity of the data subject is checked before providing the information. On request, the information is provided in written form.

The controller must, independently or at the request of the data subject, correct or supplement the incorrect or deficient information. The controller shall, independently or at the request of the data subject, remove unnecessary or outdated data, unless the law or the contract entitles or obligates the controller to retain data.

The data subject has the right to withdraw the consent she has given, if the processing is based on consent. Withdrawal of consent does not affect the processing that took place before the withdrawal.

The data subject has the right to request restriction of processing or to object to processing within the limits and in accordance with applicable data protection legislation. Data subjects have the right to transfer data from one system to another, i.e., to receive the personal data concerning them in a structured and commonly used format, and to transfer it to another controller within the limits and in accordance with applicable data protection legislation.

You can send the above requests and questions regarding this privacy policy and CSC's processing of personal data to privacy@csc.fi.

You also have the right to lodge a complaint with the Data Protection Ombudsman. The contact details of the Data Protection Ombudsman can be found on the Data Protection Ombudsman's website at tietosuoja.fi.

Who should you contact?

All communications and requests regarding this policy should be made in writing or in person to the contact person named in section "Contact person for register-related matters".

Changes to the privacy policy

Changes to this policy will be dated. We may inform you of any significant changes by email or notice on our website.