Legal
Privacy Policy
Last updated: April 12, 2026
This policy explains how Tuhkunen Oy collects, uses, and protects personal data when you use Maren, our AI-powered research interview platform at maren.so, app.maren.so, and interview.maren.so.
Related: Terms of Service · Security & Compliance
1. Who this policy covers
This policy applies to two groups:
- Customers who create accounts, build projects, invite participants, and review interview data.
- Participants who take part in interviews through a shared link.
It also applies to visitors of our website at maren.so.
2. Roles under GDPR
For customer account, billing, and workspace data, Tuhkunen Oy is the data controller.
For participant interview data, the customer running the research project is the data controller and Tuhkunen Oy acts as a data processor on that customer’s behalf. We offer a Data Processing Agreement (DPA) for this relationship — contact privacy@maren.so to request one.
3. What we collect
From customers
- Account information: name, email address, and authentication data provided through Google OAuth or email sign-in.
- Workspace and project data: workspace name, member list, project configurations, discussion guides, interview settings, and invitation messages.
- Billing information: payment details are collected and processed by Stripe. We do not store credit card numbers on our servers. We receive billing metadata such as subscription status, plan type, and invoice history.
- Usage data: how you interact with the service, including features used and actions taken. This data is collected in aggregate and does not include interview content.
From participants
- Email address (only for invited participants — anonymous participants via shareable links are not identified).
- Interview responses: the full conversational transcript between the participant and the AI interviewer.
- Technical metadata: browser type, device type, IP address (for security and fraud prevention), session duration, and timestamp.
We do not intentionally collect sensitive personal data (as defined in GDPR Article 9) from participants. The consent screen instructs participants not to share personal identifying information. Customers have tools to manually redact any sensitive information that appears in transcripts.
From website visitors
- Analytics data: page views, referral source, and general geographic region. We use privacy-respecting analytics that do not track individuals across sites.
4. How we use data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the service (running interviews, generating summaries, storing transcripts) | Performance of contract (Art. 6(1)(b)) |
| Account management and authentication | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (invitations, reminders, thank-yous, notifications) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Improving the service (aggregated usage analytics) | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
Your research data is private to your workspace. We may use aggregated, de-identified patterns derived from service usage to improve interview quality and the service overall. We do not share identifiable transcripts, participant responses, or research content with other customers or make it publicly accessible. Our staff may access workspace data when necessary to operate, maintain, or support the service.
We do not sell personal data.
5. AI processing and sub-processors
Maren uses AI models to moderate interviews and generate analysis. Interview conversations are processed through AI model APIs to generate responses, summaries, and synthesis. The AI provider’s usage policies prohibit them from using API inputs or outputs for model training.
All AI processing and primary data storage occurs within the European Union. Interview content sent to AI models is processed in the EU and is not retained by the model provider beyond the duration of the request.
Where data leaves the EU or EEA, we rely on appropriate transfer mechanisms such as EU Standard Contractual Clauses.
A full list of sub-processors with their purposes and locations is available on our Security & Compliance page. We notify customers at least 14 days before adding a new sub-processor.
6. Data retention
| Data type | Retention period |
|---|---|
| Account and workspace data | Until account deletion, plus 30 days for data export |
| Project data and interview transcripts | Until the project or account is deleted by the customer |
| Billing and tax records | 6–10 years after the end of the financial year (Finnish Accounting Act: 6 years for source documents, 10 years for core accounting books) |
| Participant email addresses | Until the project is deleted or the participant requests deletion |
| Technical logs and IP addresses | 90 days |
| Analytics data (aggregated) | 24 months |
When a customer deletes a project, all associated interview data (transcripts, summaries, synthesis, participant records) is permanently deleted within 30 days. When a customer deletes their account, all workspace data is permanently deleted within 30 days after an export window.
7. Your rights under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data (subject to legal retention obligations).
- Restriction — request that we limit how we process your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format. The service supports JSON export of interview data.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
Customers: exercise your rights by contacting privacy@maren.so or through your account settings (data export, account deletion).
Participants: if you took part in a Maren interview and wish to exercise your data rights, contact the researcher who invited you (they are the data controller for your interview data). You may also contact us at privacy@maren.so and we will help route your request.
We respond to data subject requests within 30 days, as required by GDPR.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Finland, this is the Office of the Data Protection Ombudsman (tietosuoja.fi).
8. Cookies
Maren uses a minimal set of cookies:
- Strictly necessary cookies — required for authentication, session management, and security. These cannot be disabled.
- Analytics cookies — used to understand how the service is used in aggregate. Only set with your consent.
We do not use advertising or tracking cookies. We do not participate in cross-site tracking networks.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, row-level security policies for workspace isolation, and access controls limiting internal access on a need-to-know basis.
For full details on our security measures, data residency, and infrastructure, see our Security & Compliance page.
If we become aware of a data breach likely to result in a risk to your rights, we will notify affected individuals and the relevant supervisory authority within 72 hours, as required by GDPR.
10. Children’s privacy
The service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If customers use the service to interview minors, they are responsible for obtaining appropriate parental or guardian consent as required by applicable law.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify customers by email or through the service at least 30 days before the changes take effect. The “last updated” date at the top indicates when the most recent revision was made.
Contact
- Privacy & DPA requests: privacy@maren.so
- General: hello@maren.so
Tuhkunen Oy
Kontiontie 3 D 32, 20110 Espoo
Supervisory authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) — tietosuoja.fi