Legal
Privacy Policy
Effective date: 1 July 2026
1. Introduction
Center UX (“Center UX”, “we”, “us”, “our”) operates the Center UX digital product platform available at centerux.com and its subdomains (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service, and describes your rights under the EU General Data Protection Regulation (GDPR) 2016/679 and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is:
If you have questions about this policy or wish to exercise your rights, contact us at the address above.
3. Personal Data We Collect
We collect personal data in the following categories:
- Account data — name, email address, and password hash when you register; profile picture if you sign in via Google or GitHub.
- Organisation data — workspace name, organisation slug, and settings you configure within the platform.
- Project and feedback data — project details, questions, answers, NPS scores, timestamps, and any free-text feedback submitted through forms or widgets you create or respond to.
- Usage and analytics data — pages visited, features used, session duration, view counts, and similar interaction metrics.
- Technical data — IP address, browser type and version, operating system, network state, device type, and crash reports.
- Communications data — messages you send to our support team or via in-app support requests.
- Mobile app data — when you use the Center UX mobile application, we collect the same account and usage data described above. The app stores a local encrypted cache of your workspace data on your device to enable offline access.
We do not collect payment card numbers directly. Payment processing is handled by our payment provider and is subject to their own privacy policy.
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)) — processing your account data, organisation data, and project data to deliver the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f)) — usage analytics to improve and secure the Service, fraud prevention, and communicating about Service updates. We have balanced these interests against your rights and concluded they do not override your privacy interests.
- Legal obligation (Art. 6(1)(c)) — retaining billing records and other data required by Finnish accounting law (Kirjanpitolaki 1336/1997).
- Consent (Art. 6(1)(a)) — where we ask for your specific consent, for example for optional marketing communications. You may withdraw consent at any time.
5. How We Use Your Data
We use the data we collect to:
- Create and manage your account and workspace.
- Provide, maintain, and improve the Service.
- Authenticate access and sync your data between the mobile app and our servers.
- Display workspace and project performance metrics (NPS trends, response rates, etc.).
- Send transactional emails (account creation, password reset, project invitations).
- Send service and billing notifications.
- Send marketing communications about new features or offers, where you have consented or we rely on legitimate interest under applicable law.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
- Resolve disputes and enforce our Terms of Use.
6. Data Retention
We retain personal data only as long as necessary for the purposes set out in this policy:
- Account and workspace data — retained for the duration of your account and deleted within 90 days of account closure, unless a longer retention period is required by law.
- Project responses — retained until you delete them or close your account. Enterprise customers may configure custom retention periods.
- Billing records — retained for 10 years as required by Finnish accounting law.
- Support communications — retained for 3 years after the ticket is closed.
- Usage analytics — aggregated and anonymised after 24 months.
7. Sharing Your Data
We do not sell your personal data. We share it only in the following circumstances:
- Service providers — we engage processors such as cloud infrastructure providers (database hosting, file storage, email delivery) that act on our instructions under Data Processing Agreements.
- Within your organisation — workspace administrators and members in your organisation can see data according to the roles and permissions you configure.
- Integrations — if you connect third-party integrations (e.g. Slack, webhooks), data is shared with those services as instructed by you.
- Legal requirements — we may disclose data when required by Finnish or EU law, a court order, or a competent authority.
- Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.
8. International Data Transfers
Our servers are primarily located within the European Economic Area (EEA). Where we transfer data outside the EEA (for example, to US-based cloud providers), we ensure appropriate safeguards are in place, such as:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries or organisations covered by an EU adequacy decision.
You may request information about the transfer safeguards applicable to your data by contacting us at [email protected].
9. Your Rights
Under the GDPR and Finnish data protection law, you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data under certain conditions (“right to be forgotten”).
- Right to restriction of processing (Art. 18) — ask us to restrict how we use your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting prior processing.
- Rights related to automated decision-making (Art. 22) — we do not make solely automated decisions with legal or similarly significant effects on you.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.
10. Cookies and Tracking
We use strictly necessary cookies to maintain your session and preferences. We do not use third-party advertising cookies or cross-site tracking. You can control cookies through your browser settings; disabling session cookies will prevent you from logging in.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption at rest and in transit, access controls, and regular security reviews.
No transmission over the internet is completely secure. If you believe your data has been compromised, contact us immediately at [email protected].
12. Children
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, where the changes are material, notify you by email or by a prominent notice in the Service at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us: