Privacy Policy
Last updated: 29 June 2026 · Version: 2.0 (Pilot) · Operator: REAL E3 Systems Oy, Seinäjoki, Finland
Pilot notice. AURI is an early, invitation-only test. This policy describes what the service actually does today. It will be expanded (with a full Data Protection Impact Assessment and self-service data controls) before AURI is opened to the general public. If anything here is unclear, email info@real-e3systems.fi.
1. Who We Are
REAL E3 Systems Oy ("we", "us", "our") is a Finnish company registered in Seinäjoki, Finland. We operate AURI, an AI-powered relational companion service.
Data controller contact: info@real-e3systems.fi
2. What This Policy Covers
This policy explains what information we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and Finnish data protection law when you use AURI.
3. What We Collect and Why
3.1 Your conversation
When you use AURI, the messages you send and AURI's replies are:
- Processed in real time by third-party AI providers (see Section 5) to classify the conversation and generate AURI's responses;
- Stored on our servers in the EU, so we can operate the service, keep it safe, debug problems, and improve AURI's governance and response quality;
- Never sold, and never used to build an advertising or marketing profile about you.
We ask you not to share information you would not want stored. You consent to this storage when you start a session (see Section 4).
3.2 Governance / field data (stays with us)
For each turn, AURI's governance layer computes internal technical signals (its "field state" — numeric stability measures). These numbers are never sent to any AI provider. They are computed and held on our own servers and are used only to govern AURI's behavior and to improve the system.
3.3 Saved conversations (designated pilot accounts)
For a small, explicit set of pilot accounts, the conversation is saved so it can resume after a restart (so the tester does not lose their thread). This is an interim feature for the pilot; it will be replaced by proper user accounts with consent and self-service controls. General pilot users' sessions are held in memory for the duration of use and are not restored after a server restart, but may still appear in the operational logs described in 3.1/3.4.
3.4 Technical data
Standard web/server logs and operational records may include IP address, browser type, timestamps, access code used, and error/diagnostic information. This is used for security, abuse prevention, and service stability.
4. Legal Basis for Processing (GDPR Articles 6 and 9)
| Data type | Legal basis |
|---|---|
| Storing and improving your conversation | Consent (Article 6(1)(a)), given via the on-screen notice when you start a session |
| Sensitive content you choose to disclose | Explicit consent (Article 9(2)(a)) |
| Security, abuse prevention, service stability | Legitimate interest (Article 6(1)(f)) |
Because AURI is a relational companion, conversations may include sensitive personal information (for example about your wellbeing or relationships), which can be special-category data under GDPR Article 9. We process it only with your explicit consent, and you can withdraw that consent and request deletion at any time (Section 7). AURI does not make automated decisions that produce legal or similarly significant effects about you.
5. Who We Share Data With (Sub-processors)
We do not sell your data. Ever. We do not share it with advertisers, data brokers, or marketing companies. To run AURI we use the following processors, each under a data processing agreement:
- Google (Gemini API) — primary provider for classifying the conversation and generating responses. US-based; transfers are covered by Standard Contractual Clauses / the EU-US Data Privacy Framework. See policies.google.com/privacy
- Anthropic (Claude API) — fallback classifier and backup response provider. US-based; same transfer safeguards. See anthropic.com/privacy
- Mistral AI — EU-based provider used as an alternative / where configured (part of our move toward EU-resident processing). See mistral.ai
- Hetzner Online — server hosting in the EU. Processes data on our instructions only.
We are actively working to reduce reliance on non-EU providers (see our public data-governance notes).
6. Data Retention
This is a pilot; our retention schedule is being finalized as part of the pre-public DPIA. Currently:
| Data type | Retention |
|---|---|
| Stored conversations + governance metadata | Retained during the pilot to operate and improve AURI; deleted on request, and not kept longer than necessary for these purposes |
| Saved conversations (designated accounts) | Until the account is reset or deletion is requested |
| Technical / server logs | Kept for a limited period for security and stability |
You can ask us to delete your data at any time (Section 7).
7. Your Rights (GDPR Chapter III)
You have the right to: access a copy of your data; correct inaccurate data; delete your data; object to or restrict processing; withdraw consent; port your data; and lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
To exercise any of these rights, email info@real-e3systems.fi. We will respond within 30 days. (Self-service controls are planned for the account system.)
8. Cookies
See our Cookie Notice. We use one strictly-necessary session cookie only — no analytics, advertising, or third-party tracking cookies.
9. Children and Minors
AURI is not intended for users under 16. See our Minor Protection Notice.
10. Changes to This Policy
We will notify users of material changes by updating the "Last updated" date and showing a notice in the service. Continued use after changes constitutes acceptance.
11. Contact
REAL E3 Systems Oy, Seinäjoki, Finland. info@real-e3systems.fi · Finnish Data Protection Ombudsman: tietosuoja.fi