Privacy Policy
Our privacy policy outlines what kind of information we collect from you and how we will use it.
1. Introduction
This Privacy Policy describes how RTJ Group Oy ("we", "us", "our") collects, uses, and protects personal data through the Gatekeeper OAuth2 Authorization Server ("Gatekeeper", "the Service").
Gatekeeper provides centralized authentication and authorization services for the Seneram Services platform.
RTJ Group Oy
Business ID: 2354125-6
Vihiluodontie 261, 90440 Kempele, Finland
Phone: 075 3285 390
Email: privacy@seneram.pro
2. Personal Data We Collect
2.1 Account Information
| Data Type | Purpose | Retention |
|---|---|---|
| Username | Account identification | Duration of account |
| Email address | Account recovery, notifications | Duration of account |
| Password (hashed) | Authentication | Duration of account |
| Full name | Display and identification | Duration of account |
2.2 Authentication Data
| Data Type | Purpose | Retention |
|---|---|---|
| IP address | Security, fraud prevention | 90 days |
| Login timestamps | Audit trail, security | 90 days |
| User agent string | Security, device recognition | 90 days |
| Failed login attempts | Account protection | 90 days |
2.3 OAuth2 Session Data
| Data Type | Purpose | Retention |
|---|---|---|
| Authorized scopes | Access control | Duration of authorization |
| Client application ID | Session management | Duration of session |
| Access tokens (hashed) | API authentication | 1 hour |
| Refresh tokens (hashed) | Session continuity | 1 month |
| Consent decisions | Remember preferences | Until revoked |
3. Legal Basis for Processing
We process personal data under the following legal bases (GDPR Article 6):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract - Necessary for service provision |
| Security logging and fraud prevention | Legitimate Interest - Protecting users and systems |
| OAuth2 token issuance | Contract - Core service functionality |
| Audit logging | Legal Obligation - Security requirements |
4. How We Use Your Data
Primary Purposes
- Authentication: Verifying your identity when you sign in
- Authorization: Controlling access to connected applications
- Account Security: Protecting your account from unauthorized access
- Service Delivery: Providing OAuth2 tokens to authorized applications
5. Data Sharing
With Authorized Applications
When you authorize a third-party application via OAuth2, we share your user identifier and requested profile information based on granted scopes. You control this through the OAuth2 authorization flow.
6. Data Security
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections |
| Password storage | Bcrypt with cost factor 10+ |
| Token storage | SHA-256 hashed, never stored in plain text |
| Account protection | Automatic lockout after 5 failed attempts |
| Two-factor authentication | Available for all users |
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of account |
| Authentication logs | 90 days |
| Audit logs | 1 year |
| Access tokens | 1 hour (automatic expiry) |
| Refresh tokens | 1 month (automatic expiry) |
| Deleted accounts | 30 days (recovery period) |
8. Your Rights (GDPR Articles 15-22)
- Right of Access (Article 15) - Request a copy of your data
- Right to Rectification (Article 16) - Correct inaccurate data
- Right to Erasure (Article 17) - Request deletion
- Right to Restriction (Article 18) - Limit processing
- Right to Data Portability (Article 20) - Receive data in JSON format
- Right to Object (Article 21) - Object to processing
- Right to Withdraw Consent - At any time without affecting prior processing
To exercise your rights, contact: privacy@seneram.pro
9. Cookies
Gatekeeper uses only essential cookies required for authentication:
| Cookie | Purpose | Duration |
|---|---|---|
GATEKEEPER_SESSION | Session management | 2 hours |
csrf_token | Security (CSRF protection) | Session |
We do NOT use analytics, advertising, or third-party tracking cookies.
10. International Data Transfers
All data is processed and stored within the European Union (Finland). Currently, no personal data is transferred outside the EU.
11. Supervisory Authority
You have the right to lodge a complaint with:
Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)
Lintulahdenkuja 4, 00530 Helsinki
Phone: +358 29 566 6700
Website: tietosuoja.fi
12. Contact Information
13. OAuth2 Scopes and Data Access
When you authorize an application, the scopes determine what data is shared:
| Scope | Data Shared |
|---|---|
basic | User ID |
email | Email address |
profile | Name, username |
openid | Standard OIDC claims (sub, iss, aud) |
organizations | Organization memberships |
You can review and revoke application authorizations at any time through your account settings.