Privacy policy.

How we handle your data in plain language, under GDPR and Finnish law.

Effective: March 15, 2026 · First Mate Solutions Oy · Business ID: 3392354-9

TL;DR

  • Primary storage is in the EU. Persistent service data is hosted on AWS in Stockholm (eu-north-1).
  • AI model inference may involve transfers outside the EU/EEA. We use SCCs and other lawful transfer safeguards.
  • We do not sell customer data and we do not use customer data to train public or shared AI models.
  • First Mate staff access is strictly need-to-know, logged, and covered by confidentiality obligations.
  • You can request export or deletion of your data. Service data is deleted within 30 days after termination, subject to legal retention duties.

1. Controller details

  • Company: First Mate Solutions Oy
  • Business ID: 3392354-9
  • Address: Lapinlahdenkatu 16, 00180 Helsinki, Finland
  • Email: juuso@firstmate.work
  • Privacy contact: Juuso Heikkinen, juuso@firstmate.work

2. Scope

This policy explains how First Mate processes personal data on firstmate.work and in the First Mate service, including the AI employee, dashboard, communication channels, and related tooling.

3. Categories of data we process

  • Account data: name, email, company, billing details.
  • Payment data: transaction data through Stripe. We do not store full card numbers.
  • Communication data: messages and attachments sent to or through your AI employee.
  • Operational data: task history, logs, persistent memory, configuration, and tool access metadata.
  • Usage data: credit consumption, timestamps, system metrics, and error logs.
  • Website data: required consent storage and analytics as described in this policy and the Cookie Policy.

4. Purposes and legal bases

We process personal data to:

  • deliver and operate the service
  • bill and account for usage
  • protect security and investigate incidents
  • comply with legal obligations
  • improve reliability using aggregated or anonymized data

Legal bases under GDPR Article 6 are: contract performance (6(1)(b)), legal obligation (6(1)(c)), legitimate interests (6(1)(f)), and consent (6(1)(a)) where consent is required.

5. Operational access and confidentiality

First Mate, its employees, and contractors may access customer data only to the extent required to provide, support, secure, monitor, and maintain the service, respond to incidents, or comply with law.

All authorized personnel are bound by written confidentiality obligations that survive employment or engagement. Access is role-based, logged, and auditable.

We do not sell customer data, use customer data for advertising, or use customer data to train public or shared AI models. We do not disclose customer data to third parties for their independent purposes.

6. Sub-processors and transfers

We use sub-processors only as needed to provide the service:

| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Infrastructure and storage | EU (Stockholm) | Primary storage in EU |
| Supabase, Inc. | Database and authentication | EU/UK | SCCs plus UK adequacy |
| Anthropic, PBC and OpenAI, LLC | AI model inference | United States | SCCs plus provider DPAs |
| Stripe, Inc. | Payment processing | EU/US | DPF plus SCCs |
| Vercel Inc., Cloudflare, Inc., Google LLC (optional) | Website delivery and analytics | Global | DPF plus SCCs or consent-based processing |
| AgentMail, Inc. | Email inboxes for AI employees | United States | SCCs plus provider DPA |
| Resend, Inc. | Transactional email (payment confirmations) | United States | DPF plus SCCs |

We provide advance notice of material sub-processor changes. You may object in writing within a reasonable period after notice.

7. Retention

  • Active subscription: data is retained to provide the service.
  • After termination: service data is deleted within 30 days, unless a legal retention duty applies.
  • Accounting records: retained as required by Finnish accounting law.
  • Support and security logs: retained for limited periods based on support and security needs.

8. Your rights

You have GDPR rights including access, rectification, erasure, restriction, portability, and objection. You can also withdraw consent where processing is consent-based.

Contact juuso@firstmate.work to exercise your rights. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman at tietosuoja.fi.

9. Automated processing and profiling

The AI employee uses automated processing (language models) to generate content, research information, and perform tasks. However, the AI employee does not make decisions that produce legal effects or similarly significant effects on individuals within the meaning of GDPR Article 22. All consequential business decisions remain under human control.

If you configure your AI employee for activities that could constitute automated decision-making with significant effects (e.g., screening job applications), you are responsible for Article 22 compliance, including ensuring the right to human intervention and conducting a DPIA where required.

10. Security

  • encrypted transport channels (TLS)
  • encryption at rest
  • customer-level infrastructure isolation
  • role-based access controls and MFA for admin access
  • logging, monitoring, and incident response procedures

11. Changes to this policy

We may update this policy as our service or legal obligations change. Material changes are announced in advance and the effective date is updated at the top of this page.

12. Contact

  • Email: juuso@firstmate.work
  • Company: First Mate Solutions Oy
  • Address: Lapinlahdenkatu 16, 00180 Helsinki, Finland
  • Business ID: 3392354-9