Legal

Privacy Policy

Draft — pending legal review. Published for transparency while Alchemis is in pre-launch. It reflects how the service actually handles data today, but it hasn't yet been reviewed by a lawyer and may change before we open to makers. Highlighted items (like this) are business details still being finalised.

Effective date: [pending]
Service: Alchemis (alchemis.net, also served at alchemis.renolas.fi)
Controller: [LEGAL ENTITY NAME], [BUSINESS ADDRESS], [COUNTRY] ([REGISTRATION / VAT No.])
Contact: [PRIVACY CONTACT EMAIL]

This policy explains how we handle personal data when you use Alchemis, a production, inventory, and compliance tool for small-batch makers.

1. Who is the controller of what

Your account & how you use Alchemis: we ([LEGAL ENTITY NAME]) are the data controller.
The business data you put into your workspace — including any contact details of your customers, suppliers, or consignment partners (names, emails, phone numbers, addresses) — you are the controller and we are your processor. You are responsible for having a lawful basis (e.g. consent or legitimate interest) to store that data in Alchemis, and for responding to your own customers' data-subject requests. See the Terms of Service and our processor commitments below.

2. Personal data we collect

You provide when you register and use your account

Email address (required; your sign-in identifier)
First and last name (optional)
Password (stored only as a salted hash — we never see it)
Two-factor authentication settings and, if you use email codes, a short-lived hashed one-time code

Generated automatically

Account creation date and last login time
Security/audit events (sign-ins, lockouts, and — for administrators — platform actions), and your IP address for those security events
Your subscription tier/status and, if you subscribe, your Stripe customer/subscription identifiers (we do not store card numbers — see §6)
Minor preferences and UI state stored in your browser

Business data you enter (you are the controller of any third-party personal data here)

Recipes, batches, ingredients, inventory, packaging, labels, photos you upload
Sales records, which may include customer name, email, phone, and notes
Supplier and consignment-partner records, which may include contact name, email, phone, address

3. Why we use it and our legal bases (GDPR Art. 6)

Purpose	Legal basis
Create and run your account; provide the service	Performance of a contract
Authentication, 2FA, lockout, audit logs, abuse prevention	Legitimate interests (securing the service) / legal obligation
Billing and subscription management via Stripe	Performance of a contract
Transactional email (confirmation, password reset, 2FA codes, important notices)	Performance of a contract / legitimate interests
Storing your business data on your behalf	Performance of a contract (and, for your customers'/suppliers' data, you are the controller)
Responding to support requests and legal claims	Legitimate interests / legal obligation

We do not use your data for advertising, we do not sell it, and we do not run third-party analytics or behavioural tracking in the product.

4. Where your data is stored

Alchemis is self-hosted on our own server in [COUNTRY] (EU). The application database (PostgreSQL) and uploaded photos (MinIO object storage) run on that infrastructure — not on a third-party cloud. Backups are kept on the same infrastructure.

The limited exceptions where data leaves our infrastructure are the subprocessors in §6.

5. How long we keep it

Account data: for as long as your account exists. When you request deletion (§8), your account enters a 30-day grace period during which you can cancel, after which it is scheduled for permanent erasure.
Inactive accounts: to avoid holding personal data longer than necessary (GDPR Art. 5(1)(e)), an account with no sign-in for 12 months is scheduled for automatic deletion. We send warning emails beforehand (around 9 months, 1 month, and 1 week prior), each with a one-click "I'm still here" link; signing in or clicking that link keeps your account and resets the clock. Accounts with an active paid subscription are not subject to this automatic cleanup while subscribed.
Business/workspace data: until you delete it, or until the owning workspace/account is deleted.
Security & audit logs: retained for a limited period for security and legal-defence purposes, then deleted.
Billing records: retained as required by applicable tax/accounting law.

6. Who we share it with (subprocessors)

We share the minimum necessary with the providers below, under data-processing terms:

Stripe — payment processing. We send your email and subscription metadata; Stripe stores your card details, not us. Stripe may process data outside the EU under appropriate safeguards (Standard Contractual Clauses).
Email delivery — our self-hosted SMTP server, to send transactional emails to your address.
Google Fonts — our pages load fonts from Google's servers (fonts.googleapis.com, fonts.gstatic.com), which means your browser's IP address is sent to Google (US) when fonts load.

We may also disclose data if required by law, or to protect our rights, safety, or the integrity of the service.

7. International transfers

Your data is stored in the EU. The transfers to Stripe and Google (US) described above rely on appropriate safeguards (e.g. EU Standard Contractual Clauses and/or the providers' own compliance frameworks).

8. Your rights (GDPR)

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent where processing is based on consent. In Alchemis:

Access / portability: export your account profile and workspace memberships from Settings → your account. For a copy of your full business data, contact us.
Erasure: request account deletion from your account settings (requires password confirmation). A 30-day grace period applies; sign in or contact us within 30 days to cancel. If you are the sole owner of a shared workspace, you must transfer ownership or remove other members first.
Rectification: edit your profile and data in the app, or contact us.
Complaints: you may lodge a complaint with your local data-protection authority (in [COUNTRY], the [SUPERVISORY AUTHORITY]).

To exercise any right, email [PRIVACY CONTACT EMAIL]. For data you control (your customers' data stored in your workspace), please handle your own customers' requests directly; we will assist as your processor.

9. Security

Passwords are hashed; access tokens are encrypted and short-lived; two-factor authentication is available; accounts lock after repeated failed sign-ins; all traffic is served over HTTPS; and the service applies modern security headers. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data.

10. Children

Alchemis is a business tool not directed at children and is not intended for anyone under 16 (or the minimum age in your country).

11. Changes

We may update this policy; we will post the new version here with a revised effective date and, for material changes, notify you by email or in-app.

12. Contact

[LEGAL ENTITY NAME], [BUSINESS ADDRESS] — [PRIVACY CONTACT EMAIL].