Privacy policy

EFFECTIVE 19.5.2026

This Privacy Policy (the “Policy”) describes how Thumbmark Oy (“Thumbmark”, “we”, “us”, “our”) processes personal data in connection with (i) our website at www.thumbmarkjs.com and the subdomains we operate (the “Website”) and (ii) the ThumbmarkJS API, user console and related services (together with the Website, the “Services”).

This Policy applies when you interact with us directly - for example as a visitor to the Website, a registered user of the Services, or a paying subscriber. It does not cover personal data that we process on behalf of our customers when they integrate Thumbmark into their own websites, applications or services. In that context, the customer is generally the controller of its end users' personal data and Thumbmark acts as a processor under a data processing agreement. The customer is responsible for providing privacy information to its end users.

When our customers use Thumbmark on their own websites, applications or services, Thumbmark may process browser, device and request signals, IP-derived data, fingerprint identifiers, visitor identifiers, risk signals and API metadata on the customer's behalf. Please refer to the relevant customer's own privacy policy for information about that processing.

1 Controller

The controller of the personal data described in this Policy is:

  • Company: Thumbmark Oy

  • Business ID: 3570706-5

  • Registered address: Tuohivirsu 1 A 5, 02130 Espoo, Finland

  • Email: contact@thumbmarkjs.com

For any questions relating to this Policy or to our processing of your personal data, contact us at the email or address above.

2 Personal data we process

We process the following categories of personal data:

2.1 Website access data. When you visit the Website, our servers record your IP address, browser and device information, request timestamps and response codes, and the referring page. We use cookies, local storage and comparable technologies, including browser fingerprinting, as described in Section 7.

2.2 Demo-page identifiers. Our demo page at /resources/demo generates a 32-character browser fingerprint together with associated risk signals (bot, VPN and threat indicators) from characteristics of your device, browser and request. Generating the fingerprint is the purpose of the demo and is integral to the functionality you request by using the demo page.

2.3 Account data. When you register for the Services, we process your name, email address and hashed password, and the records of your account (creation, modification and authentication events).

2.4 Service usage data. We process records of the API keys you create and of their use, including call volumes, timestamps and technical identifiers used to operate the Services, enforce usage limits, provide support, maintain security and support billing.

2.5 Billing data. For paid subscriptions, we process your billing details (name, address, and VAT number where relevant) and records of your subscriptions, invoices and payment transactions. Card details are collected and handled by our payment provider (Section 4) and do not pass through our systems.

2.6 Correspondence. We process the content of any messages you send us and the contact details you provide.

2.7 Visitor identification data. Where configured, we use a third-party B2B visitor identification service to identify the organisations associated with IP addresses visiting the Website and to understand which organisations are interested in our Services. Depending on the configuration, the service may process your IP address, IP-derived organisation information, pages viewed, time and date of visit, traffic source, session or visit information, and a first-party tracking or local-storage identifier. Cookies, local storage or comparable technologies used for this purpose are used only in accordance with Section 7.

2.8 Marketing and sales data. Where you have signed up to receive marketing communications from us, interact with our marketing communications, or are contacted by us in your professional capacity for proportionate B2B sales purposes, we process your name, business contact details, organisation, role or title, communication preferences, and records of our communications and your interactions with them (such as opens and clicks, where measured).

We collect this data directly from you, automatically through your use of the Website and the Services, from the service providers listed in Section 4 where they act on our behalf, and, for proportionate B2B sales communications, from publicly available business sources or business contact providers where we use them.

3 Purposes and legal bases

We process personal data for the following purposes, on the legal bases indicated:

| PURPOSE | LEGAL BASIS |
| --- | --- |
| Operating and securing the Website and Services | Legitimate interests (Art. 6(1)(f)), namely maintaining the availability, functionality and security of our infrastructure |
| Website analytics, including analytics using cookies, local storage, fingerprinting or comparable technologies | Consent (Art. 6(1)(a)) for analytics technologies requiring consent; legitimate interests (Art. 6(1)(f)) only for strictly necessary, aggregated or server-side analytics where no consent is required. |
| Generating demo-page fingerprints | Legitimate interests (Art. 6(1)(f)), namely demonstrating our technology to visitors who actively use the demo page. |
| Account creation, authentication and administration | Performance of a contract (Art. 6(1)(b)) |
| Providing the Services and related support | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for service security, abuse prevention and support operations not strictly necessary for contract performance |
| Billing and payment | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)), including the Finnish accounting and tax laws |
| Service-related communications | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)), namely keeping you informed of matters affecting your use of the Services |
| Marketing to existing customers | Legitimate interests (Art. 6(1)(f)), namely offering similar services to existing customers; you may opt out at any time |
| Identifying organisations visiting the Website for B2B sales and marketing purposes | Legitimate interests (Art. 6(1)(f)), namely understanding which organisations are interested in our Services and engaging in proportionate B2B outreach. Cookies, local storage and comparable tracking technologies that support this purpose are used only with your consent. |
| B2B sales outreach to prospective customers in their professional capacity | Legitimate interests (Art. 6(1)(f)), namely proportionate business-to-business sales communications relevant to the recipient's professional role; you may object at any time |
| Detection and prevention of abuse and security threats | Legitimate interests (Art. 6(1)(f)), namely protecting the Services and our customers from fraud, abuse and unauthorised use |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Establishment, exercise or defence of legal claims | Legitimate interests (Art. 6(1)(f)), namely protecting our legal rights |
| Corporate transactions and business succession | Legitimate interests (Art. 6(1)(f)), namely ensuring the continuity of our business and facilitating any change of control or transfer of our business or assets |
| Anonymisation and aggregation of personal data | Legitimate interests (Art. 6(1)(f)), namely reducing privacy risk and supporting research, product development and statistical analysis |

4 Recipients

We do not sell your personal data, and we do not disclose it to third parties for their own marketing purposes.

Processors

The following processors handle personal data on our behalf under agreements compliant with Article 28 GDPR:

| RECIPIENT | ROLE |
| --- | --- |
| Amazon Web Services EMEA SARL (and group companies) | Cloud infrastructure, storage and database hosting |
| Stripe Payments Europe, Ltd | Payment processing (acts as an independent controller for the data it collects) |
| Alphabet, Inc.; Amazon Web Services EMEA SARL | Delivering transactional and support email |
| Google Analytics | Website analytics, used only in accordance with Section 7 |
| Dealfront Group GmbH. (Leadfeeder) | B2B visitor identification and B2B website analytics, used only in accordance with Section 7 |

Other recipients

We may also disclose personal data:

  • to public authorities, where legally required;

  • to our professional advisers (legal, tax, financial and audit) in connection with legal claims, compliance obligations, or any contemplated or actual corporate transaction; and

  • in connection with any actual or proposed merger, acquisition, reorganisation, consolidation, financing, change of control, sale of all or part of our business or assets, insolvency or similar proceeding (including any due diligence preceding it), to the counterparty, its advisers and any successor entity.

Third-party services linked from the Website

The Website may contain links to services we do not operate, including GitHub, Discord and other third-party services. Those services are governed by their own privacy policies. Subdomains operated by Thumbmark remain covered by this Policy unless a separate notice is provided.

5 International transfers

Some of our processors may be established, or may process personal data, outside the EU and EEA. Where this is the case, we rely on one or more of the transfer mechanisms permitted under Chapter V GDPR — in particular (i) a European Commission adequacy decision (including the EU–U.S. Data Privacy Framework where applicable) or (ii) the European Commission’s Standard Contractual Clauses, supplemented where necessary by appropriate technical and organisational measures. Details of the safeguards used are available on request.

6 Retention

We retain personal data only for as long as necessary for the purpose for which it was collected or to satisfy a legal obligation:

| CATEGORY | RETENTION PERIOD |
| --- | --- |
| Server logs | Up to 12 months |
| Cookies and local-storage identifiers | Per-cookie or local-storage item, up to 14 months, or until deleted in your browser |
| Fingerprint identifiers (Website analytics) | Up to 90 days |
| Account data (active) | For the duration of the account, including correspondence relating to the account |
| Account data (after closure) | Deleted or anonymised within 90 days of closure, except where a legal obligation, security need or legal claim requires longer retention |
| Accounting and tax records | 6 or 10 years from the end of the relevant financial year, depending on the type of record and the applicable Finnish accounting and tax law requirement |
| Marketing records | Until you withdraw consent or object |
| Visitor identification data | Up to 12 months |

We may process personal data in irreversibly anonymised or aggregated form indefinitely for product and technology development, research, statistical analysis, benchmarking and system testing. We do not attempt to re-identify individuals from such data.

7 Cookies and fingerprinting

The Website uses cookies, local storage and comparable technologies, including browser fingerprinting. We use these technologies for the purposes described in this Policy and in our cookie settings.

Strictly necessary technologies. We use strictly necessary technologies without consent only where they are necessary to operate the Website or the Services, maintain security, remember your privacy choices, or provide a feature you have expressly requested, such as generating the fingerprint shown on the demo page.

Analytics, marketing and B2B visitor identification. We use analytics, marketing and visitor-identification cookies, local storage, fingerprinting or comparable technologies only with your consent where consent is required. You can give, refuse or withdraw consent at any time.

Demo page. If you use the demo page, we generate a browser fingerprint and related risk signals to show how Thumbmark works. The demo is not used to make decisions about you.

Fingerprint identifiers are derived from technical browser, device and request characteristics. They do not contain information you typed into the Website, but they may still qualify as personal data where they single out your browser or can be linked with other information.

8 Your rights

You have the rights of access, rectification, erasure, restriction, data portability and objection set out in Articles 15 to 22 GDPR, together with the right to withdraw any consent you have given (without affecting the lawfulness of processing carried out before withdrawal). To exercise any of these rights, contact us at the details in Section 1. We respond within one month and may extend that period by up to two further months where a request is complex or we receive a large number of requests. We may ask you to verify your identity before acting on a request.

Some Website analytics, cookie, fingerprint and visitor-identification records are pseudonymous and may not directly identify you to us. Where we cannot identify the data relating to you, we may ask you to provide additional information, such as the relevant browser identifier, visitor ID, cookie ID, approximate visit time or IP address, to help us locate the data. If we are unable to identify you from the data we process, some rights may not be practically exercisable in relation to those records.

You may also lodge a complaint with a supervisory authority - in particular, the authority of your habitual residence, place of work or the place of the alleged infringement. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

9 Security

We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls on a least-privilege basis, logging and monitoring, backup testing, personnel training and written agreements with our processors. In the event of a personal data breach, we comply with our notification obligations under Articles 33 and 34 GDPR.

10 Changes to this Policy

We may update this Policy to reflect changes in applicable law, our business, the Services or our data practices. The current version, together with its effective date, is available on this page. Where changes materially affect how we process personal data, we will take appropriate steps to inform you. Where legally required, we will obtain your consent or give you an opportunity to object before the relevant change takes effect.