Jard Privacy Policy

Version 1.0 · Effective from 16 May 2026

This Privacy Policy describes how Yardscape Oy ("Jard") processes personal data in connection with the Jard platform ("Platform"). This Policy forms part of Jard's terms.

1. Controller

Yardscape Oy (trading as Jard) Business ID: 3579881-7 Address: Mikael Lybeckin tie 4 B, 02700 Kauniainen, Finland Email: info@jard.fi Phone: +358 44 972 0836

Yardscape Oy is the controller responsible for the processing of your personal data as described in this Policy.

Scope of controllership. This Policy concerns the processing of personal data on the Platform. When a Partner (service provider) receives a Customer's data into its own systems for the purpose of performing the service, the Partner acts as an independent controller for those data with its own obligations.

2. What data we process

2.1 All users (Customers and Partners)

Account data: email address, password (stored as a hash via Firebase Authentication), account creation time, user role
Contact data: name, phone number
Technical data: device identifier, push notification tokens (Expo Push Token, Apple Push Notification Service identifiers), operating system, app version, IP address, login logs
Communication: chat message content between Customer and Partner, notifications and their status
Support communication: email and other contact with Jard's customer support

2.2 Customers

Profile data: profile photo (optional), address or addresses, postal code
Request data: service category, description of the service, details of the location, scheduling preferences, photos, location coordinates
Activity data: sent requests, accepted offers, cancellations, reviews left
Safety actions: user reports (reporting other users), block lists, any complaint information

2.3 Partners (service providers)

Business data: company name, Business ID, VAT ID (alv-numero), register entries (Trade Register, Prepayment Register, VAT Register)
Profile data: company description, tagline, service category, years of experience, profile photo
Location data: service area, service location coordinates
Onboarding documents: insurance certificate, possible criminal record extract (processed briefly during the background check; the original document is not retained, only the result of the check)
Activity data: offers sent, accepted jobs, cancellations, response times, customer ratings and scores
Financial data: lead-fee transaction history, Stripe customer and payment-method references (Jard does not store card numbers or other payment instrument data in its own systems)
Algorithmic metrics: internal bid score (computeBidScore) and other metrics affecting ranking (see section 11)

2.4 What we do not process

Jard does not process the service payment between Customer and Partner — the Customer pays the Partner directly in the manner indicated by the Partner. Only the Partners' lead fees to Jard flow through the Platform, processed via Stripe.

3. Purposes of processing

We process your personal data for the following purposes:

Account management: creating and maintaining your user account, authentication
Service delivery: routing Customer requests to Partners, displaying offers, enabling the formation of the service contract, enabling communication in the Platform's chat
Marketplace matching: showing relevant requests to Partners based on category, location, and other factors; showing Partners to Customers
Lead-fee processing: charging the Partner via Stripe for an accepted lead
Push and email notifications: informing Users of new offers, messages, and account events
User safety and moderation: handling user reports and blocking, moderating content (messages, reviews, listings), addressing rule violations, suspending and closing accounts
Fraud prevention and abuse mitigation: identifying suspicious activity, performing background checks, detecting fraudulent offers and leads
Dispute resolution: investigating and helping resolve complaints and disagreements between a Customer and a Partner
Service development and quality monitoring: monitoring the operation and usability of the Platform and Partner performance
Legal obligations: accounting (Finnish Accounting Act 1336/1997), taxation, responding to lawful requests from authorities
Communications from Jard: essential service messages (such as changes to the terms, security matters) and — subject to your consent — marketing

4. Legal bases for processing

We process your data on the following GDPR legal bases:

Performance of a contract (GDPR art. 6(1)(b)): creation and maintenance of the account, delivery of the service, processing of lead fees, matching Customer with Partner
Legitimate interest (GDPR art. 6(1)(f)): Platform safety, fraud prevention, handling user reports, service development, internal analytics, dispute resolution, monitoring compliance with the off-platform prohibition. You may at any time object to processing based on legitimate interest (see section 9).
Legal obligation (GDPR art. 6(1)(c)): accounting and tax obligations, responding to requests from authorities
Consent (GDPR art. 6(1)(a)): marketing communications and other processing for which we ask your explicit consent. You may withdraw consent at any time.

5. Processors and other recipients

We use the following third-party service providers, who process personal data on our behalf:

Firebase (Google Ireland Limited / Google LLC): user authentication (Authentication), database (Firestore), file storage (Storage), Cloud Functions backend logic. Data is stored primarily in the EU.
Stripe (Stripe Payments Europe, Ltd.): processing of Partners' lead fees. Stripe acts as an independent controller for data concerning its own payment service.
Expo (Expo Inc.): routing of push notifications, app updates
Apple Push Notification Service (Apple Inc.): delivery of push notifications to iOS devices
Google Maps Platform (Google Ireland Limited / Google LLC): location services for determining service area and the location of the property
Email and support services: the email provider used by Jard for Customer and Partner communication
Hosting services: maintenance of the website and the technical platform

We may also disclose data to authorities to comply with a legal obligation, and to legal counsel or other advisors in connection with the handling of legal claims.

6. Transfers outside the EU/EEA

Data is stored primarily in the EU. However, certain data may be transferred outside the EU/EEA, in particular to the United States, in the following cases:

Stripe may process payment and account data in the United States
Group companies of Google (Firebase, Maps) and Apple (APNs) may have technical access to data in connection with support activities
Expo may process push notification routing data in the United States

Such transfers are made under the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses, in accordance with the requirements of Chapter V of the GDPR. You may request a copy of the safeguards applied by contacting info@jard.fi.

7. Retention periods

We retain personal data only for as long as is necessary for the purposes described in this Policy or required by law:

Account and profile data: for the duration of active use of the account. Deleted within 30 days of a deletion request, unless a longer retention period set out below applies
Financial data and lead-fee transactions: 6 years from the end of the accounting period, in accordance with the Finnish Accounting Act (1336/1997)
Chat messages and offer history: until the limitation period for contractual and legal claims has expired, and in any event at least until the off-platform monitoring period (12 months after the end of the Partner relationship) has lapsed
Reviews: published reviews remain on the Platform in the interest of other Users even after the reviewer's account is closed, pseudonymised where possible
Complaint and dispute data: until the end of the limitation period, generally 3 years, and up to 10 years in consumer matters where applicable
Fraud prevention and moderation data, suspended or closed accounts: up to 5 years to prevent misuse and to detect re-registrations
Original documents submitted for background checks (such as a criminal record extract): only for the duration of the check; thereafter the result of the check is retained, but the original document is destroyed

8. Information security

We protect personal data with reasonable technical and organisational measures, including:

Encryption in transit: all connections to the Platform use HTTPS/TLS
Encryption at rest: Firebase automatically encrypts stored data
Access control: Firestore Security Rules restrict read and write access on a per-user basis
Protection of authentication credentials in the mobile app: iOS SecureStore (Keychain) and the corresponding secure storage on Android for authentication tokens
Password hashing: Firebase Authentication; passwords are never stored in clear text
Restricted internal access: only a limited number of Jard personnel have access to personal data, and only to the extent required by their duties
Logging and monitoring: key operations are logged to detect anomalies

We notify the Data Protection Ombudsman and, where necessary, data subjects of a personal data breach in accordance with the GDPR.

9. Your rights

You have the following rights under the GDPR in relation to the processing of your personal data:

Right of access: you may request a copy of the personal data we hold about you
Right to rectification: you may request correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten"): you may request deletion of your data, unless retention is necessary by law or for a legitimate interest
Right to restriction of processing: you may request restriction of processing in certain situations
Right to data portability: you may receive the data you have provided in a machine-readable format and transmit it to another controller
Right to object: you may object to processing based on legitimate interest on grounds relating to your particular situation, including direct marketing
Right to withdraw consent: for processing based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal
Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with the Office of the Data Protection Ombudsman if you consider that the processing of your personal data infringes the GDPR. Contact: tietosuoja.fi

You may exercise these rights by sending a request to info@jard.fi. We will respond to your request within one month at the latest. We may ask you to verify your identity before processing the request.

10. User safety and moderation

The Platform includes several features that support user safety:

User reporting: you may report another user whose conduct violates the terms or the law
User blocking: you may block another user, preventing messages or notifications from that user reaching you
Account deletion cascade: when an account is deleted, the personal content associated with it is deleted or pseudonymised in accordance with the retention periods set out in this Policy
Deletion audit log: an internal log of account deletions is kept to prevent misuse (for example, repeated re-registration by the same person after an enforcement action)

We use these data to maintain the safety of the Platform and to respond to requests from authorities where there is a legal basis to do so.

11. Automated decision-making and profiling

We use limited algorithmic scoring to determine the visibility ranking of Partners' offers to a Customer (internal computeBidScore calculation). The score considers factors such as price, response time, distance from the property, the Partner's ratings, and quality metrics from previous jobs.

This does not constitute solely automated decision-making within the meaning of GDPR art. 22 producing legal or similarly significant effects on the data subject. The final contracting decisions are made by the Customer and the Partner themselves. You may contact info@jard.fi for more information about the main principles of the scoring.

12. Mobile app permissions (iOS and Android)

The app may request the following device permissions as needed:

Photo library: to upload a profile picture and photos for a service request
Camera: to take photos directly for a service request
Location (while in use): to determine the service area and the location of the property
Push notifications: to deliver new offers, messages, and account events

You may change these permissions in your device settings at any time. Denying a permission may limit certain features but does not prevent use of the Platform altogether.

13. Cookies and similar technologies

Jard uses only necessary cookies and similar mechanisms essential to the operation of the Platform:

Maintenance of session and authentication (including Firebase Authentication tokens)
Security features and fraud prevention (including Stripe's m cookie in connection with lead-fee payments)
Operation of the map service (Google Maps cookies set when map components are loaded)

We do not use tracking, advertising, or third-party analytics cookies on the Platform. Cookies that are essential for the operation of our processors' services (such as Stripe and Google) may be set as part of their functioning.

14. Minors

The Platform is intended for persons aged 18 or over. We do not knowingly collect data about persons under 18. If we become aware that a person under 18 has created an account, we will close the account and delete the related data.

15. Changes to this Policy

We may update this Privacy Policy as our practices, the service, or legal requirements change. We will notify registered users of material changes by email or via the Platform at least 30 days before they take effect. The current version number and effective date are always shown at the top of this Policy.

16. Contact

For privacy-related questions and to exercise your rights, please contact:

Yardscape Oy info@jard.fi +358 44 972 0836 Mikael Lybeckin tie 4 B, 02700 Kauniainen, Finland

Supervisory authority: Office of the Data Protection Ombudsman (tietosuoja.fi)