Back to Limino

Privacy Policy

Last updated: 5 April 2026

Who We Are

Purpose Labs Oy (Y-tunnus 3575936-7), Messitytönkatu 9 C 50, 00180, Helsinki, Finland (“we”, “us”, “our”) operates the Limino platform, including the Studio dashboard (studio.limino.app), the Student Portal (limino.app), and the Telegram bot. For data protection inquiries, contact us at hello@purposelabs.eu.

What Data We Collect

Account information. When you sign in with Google, we receive your email address, name, and profile picture. Telegram users are identified by their Telegram ID and display name. We also store your language preference and timezone if provided.

Course activity. We track your enrollment, lesson progress, poll answers, free-text task responses, and bot conversation transcripts (including AI-generated scores and feedback). We log key events such as registration, login, course enrollment, and lesson completion with timestamps.

Payment information. For paid courses, we store the transaction amount, currency, payment status, and the payment provider's reference ID. We do not store card numbers or bank details — all card processing is handled by the payment provider.

Uploaded content. Admin users may upload images, videos, and audio as course content. These are stored in Cloudflare R2.

Generated reports. PDF session reports summarising a student's course activity may be generated and stored in Cloudflare R2.

Technical data. We use Sentry for error monitoring, which collects IP addresses, browser information, error details, and may include your email and name in error reports. No advertising or analytics trackers are used.

Why We Process Your Data

PurposeLegal basis (GDPR Art. 6(1))Data categories
Provide the Service (authentication, course delivery, progress tracking, payments, reports)(b) Contractual necessityAccount information, course activity, payment information, uploaded content, generated reports
AI-powered bot conversations and evaluations(b) Contractual necessityCourse activity (conversation transcripts, task responses)
Error monitoring and service reliability(f) Legitimate interest: ensuring platform stability, diagnosing errors, and preventing service disruptionsTechnical data (IP address, browser information, error details, and in some cases email and name)
Email marketing (product launch notifications)(a) Consent — opt-in onlyEmail address

Providing your data. Account data is required to use the Service; if you do not provide it, you will not be able to sign in or access any courses. Payment data is required only for paid courses; without it, the transaction cannot be completed. Marketing consent is entirely optional and does not affect your access to the Service.

Who We Share Data With

We share data with the following service providers as necessary to operate the platform. For each processor, we indicate which categories of personal data may be shared.

  • Google authentication (OAuth). Receives: email address, name, profile picture (as part of the sign-in flow). Privacy Policy
  • Telegram bot messaging and payments. Receives: Telegram ID, display name, message content. Privacy Policy
  • OpenAI AI bot responses and evaluations. Receives: conversation transcripts and task responses. Privacy Policy
  • Anthropic AI bot responses and evaluations. Receives: conversation transcripts and task responses. Privacy Policy
  • Sentry error monitoring (EU region). Receives: IP address, browser information, error details, and in some cases email and name. Privacy Policy
  • Cloudflare R2 file storage. Receives: uploaded media files, generated PDF reports, database backups. Privacy Policy
  • Railway hosting and database. Receives: all data stored in the platform database. Privacy Policy

When paid courses are introduced, the payment provider and its privacy policy will be listed here.

We do not sell your data to third parties.

Cookies

We set only strictly necessary authentication cookies:

  • __Secure-authjs.session-token — session authentication
  • __Secure-authjs.callback-url, __Secure-authjs.pkce.code_verifier, __Secure-authjs.state — OAuth security (temporary, max 15 minutes)

All cookies are first-party, HttpOnly, and Secure. No advertising or tracking cookies are used.

We also use browser local storage to remember your email marketing preference and UI settings (sidebar state). These do not contain personal data.

International Transfers

Some processors operate outside the EEA:

  • OpenAI and Anthropic process data in the United States. Transfers are governed by Standard Contractual Clauses included in their data processing agreements.
  • Google processes data in the United States under the EU–US Data Privacy Framework.
  • Cloudflare may process data in various locations globally. Transfers are governed by Standard Contractual Clauses included in their data processing agreement.
  • Sentry processes data in the EU (Frankfurt). No transfer outside the EEA occurs.
  • Railway hosts data in the United States. Transfers are governed by Standard Contractual Clauses included in their data processing agreement.

You may request a copy of the relevant safeguards by contacting us at hello@purposelabs.eu.

Data Retention

We retain your data for as long as your account is active and for 30 days after account deletion. Payment records are kept for six years to comply with Finnish accounting obligations (kirjanpitolaki). Sentry error logs are retained for 90 days. Database backups run nightly and are retained for 7 days.

After retention periods expire, data is deleted or anonymised.

Your Rights

Under the GDPR, you can:

  • Access your personal data (Art. 15)
  • Correct inaccurate data (Art. 16)
  • Delete your data (Art. 17)
  • Restrict processing (Art. 18)
  • Export your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time for marketing communications (Art. 7(3)); withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.

Contact hello@purposelabs.eu to exercise any of these rights. We will respond within one month.

You also have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

Automated Decision-Making

AI models generate conversation responses and evaluate student answers with scores and feedback. These evaluations are educational feedback only and do not produce legal or similarly significant effects on users. No automated decisions restrict access to the Service or determine outcomes beyond the learning context.

Children

The Service is not intended for children under 16. We do not knowingly collect data from children and do not implement age verification. Contact us if you believe a child has used the Service.

Security

Data in transit is encrypted via TLS. Sensitive values stored in the database are encrypted at rest. Authentication cookies use HttpOnly, Secure, and SameSite attributes. Database backups are automated nightly.

Changes to This Policy

We will update the “Last updated” date when this policy changes. For material changes, we will notify affected users by email or in-app notice.

© 2025–2026 Purpose Labs Oy

Business ID (Y-tunnus): 3575936-7

Messitytönkatu 9 C 50, 00180, Helsinki, Finland

hello@purposelabs.eu

Company Information