Privacy Policy
Version: 2026-04-21
Current deployment note: This site currently operates under "legitimate interest" server-side logging only (Section 2.1 below). The active browser fingerprinting described in Section 2.2 is not enabled on this deployment, and no consent banner is shown. Sections 2.2 and 3.1 describe capabilities of the underlying module that may be enabled on other sites or in future versions.
This Privacy Policy explains what personal data this site collects about you, why it is collected, how it is used, how long it is retained, who has access to it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki).
This policy applies to the Life Cycle Cost (LCC) calculator application. Reading this policy requires no account; the application itself can also be used anonymously.
1. Controller and contact
The data controller responsible for the processing described below is the operator of this site. For questions about this policy, to exercise any of your rights under Section 6, or to submit a complaint, please contact the operator using the contact method provided in the application's footer or in any communication you have received about this site.
You also have the right to lodge a complaint with the Finnish supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.
2. What we collect
Personal data processed by this site falls into two categories, which are collected under two different legal bases. Both are described in detail below.
2.1 Server-side request information (always collected)
Every time you open a page on this site, the server records the following information automatically from the HTTP request itself:
| Attribute | Example | Purpose |
|---|---|---|
| IP address | 203.0.113.42 | Fraud and abuse detection, geolocation at country level, network reputation checks. |
| User-Agent string | Mozilla/5.0 (Windows NT 10.0; …) | Identifying the browser and operating system for anti-abuse scoring. |
| Accept-Language / Accept-Encoding | en-US,en;q=0.9 | Distinguishing real browsers from automated clients. |
| Referer header | https://example.com/page | Diagnosing where traffic originates. |
| Sec-CH-UA headers | "Chromium";v="130" | Modern client-hints equivalents of User-Agent. |
| TLS fingerprint (JA3 / JA4) | a hash of the TLS handshake | Detecting automated clients and VPN usage. Only populated when the hosting infrastructure surfaces it; typically null in the current deployment. |
| Requested path and timestamp | /calculator, 2026-04-21T14:22:01Z | Correlating abuse patterns to specific features. |
| Session cookie | vfp_session (a random identifier) | Correlating the above signals within a single visit. |
This data is processed on the legal basis of legitimate interest (GDPR Article 6(1)(f)) — specifically, the operator's interest in detecting and preventing fraud, abuse, automated scraping, and denial-of-service attacks against this site. A Legitimate Interest Assessment (LIA) has been performed and documents this balance.
None of this information is used for advertising, profiling for marketing purposes, or automated decision-making that produces legal effects concerning you.
2.2 Active browser fingerprint (only if you accept)
If you click "Accept" on the consent banner shown on first visit, the site additionally collects the following information from your browser via JavaScript:
| Attribute | Source | Purpose |
|---|---|---|
| Canvas rendering signature | A small image rendered offscreen and hashed | Device identification. Varies with GPU, drivers, and anti-aliasing. |
| WebGL renderer / vendor | WebGL API, unmasked renderer string | Identifies the GPU model. |
| AudioContext signature | An audio waveform rendered offscreen and hashed | Device identification. Varies with OS audio stack. |
| Installed fonts | Measured text widths for a known font list | Device identification. |
| Screen size, color depth, pixel ratio | screen.*, window.devicePixelRatio | Device identification. |
| Hardware concurrency, device memory | navigator.* | Device identification. |
| Timezone | Intl.DateTimeFormat | Consistency check against declared locale. |
| Languages | navigator.languages | Consistency check. |
| Viewport size, connection type, touch support | Browser APIs | Secondary signals with shorter stability. |
| An opaque visitor identifier | Computed from the attributes above by the open-source FingerprintJS library | A stable per-browser identifier used to recognise returning visitors. |
| Browser storage of a consent record | localStorage under key vfp_consent | Remembering your decision so you are not asked again on every page load. |
This active fingerprinting is processed on the legal basis of your explicit consent (GDPR Article 6(1)(a), and the Finnish Sähköisen viestinnän palveluista annetun lain Article 205 implementing the EU ePrivacy Directive Article 5(3)). If you do not accept, no active fingerprint is collected and no localStorage beyond the record of your refusal is written by this site.
2.3 What we do NOT collect
- We do not use third-party advertising or analytics trackers.
- We do not share data with advertising networks, social networks, or marketing services.
- We do not profile you for commercial purposes.
- We do not read data that the browser does not freely expose to JavaScript (we cannot access other tabs, your file system, your clipboard without a gesture, your camera or microphone without a prompt, etc.).
- We do not attempt to deanonymise you or link your visit to external identities.
3. How the data is processed
3.1 Hashing
The collected attributes are combined into two hashes using the SHA-512 algorithm:
- A strict hash over stable attributes (canvas, WebGL, audio, fonts, hardware, timezone, platform) that remains consistent across sessions as long as your device does not change.
- A loose hash that additionally incorporates volatile attributes (viewport size, network type, IP address).
These hashes together with the underlying attributes are stored so that the operator can recognise returning visitors and investigate patterns of abuse.
3.2 Storage
Records are stored in Microsoft Azure Table Storage, in a data center selected by the operator (typically within the European Union / European Economic Area unless another jurisdiction is explicitly disclosed). Access is restricted to administrative personnel of the operator and to automated processes operated by them.
3.3 Session cookie
The session cookie named vfp_session contains a random identifier with no personal meaning and is used solely to correlate multiple requests within one visit. It is set with the HttpOnly and Secure flags (the latter on HTTPS connections) and uses SameSite=Lax. It has a lifetime of up to one year. This cookie is classified as strictly necessary for the operation of the fraud-prevention function described in Section 2.1 and does not, by itself, require consent under ePrivacy rules.
4. Retention
Retention periods are set by the operator's data governance policy. As a general rule:
- Server-side request events are retained for the minimum period required to fulfil their fraud-prevention purpose, typically 180 days.
- Consent records are retained for as long as necessary to evidence that you were asked and what you decided, typically at least 12 months after your last interaction, in accordance with the GDPR accountability principle.
- Visitor identity records (the SHA-512 hashes and associated attribute bundle) are retained on a best-effort basis until you exercise your right to erasure, or until the operator determines the record is no longer needed.
Retention is enforced by separate operational tooling and not by the application itself. Exact retention periods in effect at any time may be obtained by contacting the operator as described in Section 1.
5. Recipients
Your data is accessible to:
- The operator of this site and their authorised personnel.
- Microsoft Corporation, acting as a data processor, in its capacity as the provider of Azure Storage. Microsoft's processing is governed by its Data Protection Addendum and its Privacy Statement.
- The open-source FingerprintJS library executes entirely in your browser. It does not transmit data to its publisher or any third party. It is loaded on demand from the publisher's public content delivery network; loading the library file causes your IP address to be visible to that CDN, in the same way as any other public internet resource your browser loads.
Your data is not sold, rented, or shared for marketing purposes.
6. Your rights
Under the GDPR, as a data subject you have the following rights. To exercise any of them, contact the operator as described in Section 1. A response will be provided within one month, in accordance with Article 12(3) of the GDPR.
- Right of access (Article 15) — you may request a copy of the personal data held about you. A self-service endpoint /api/visitor/my-data returns the data associated with your current session cookie and, if provided, your stored visitor hash.
- Right to rectification (Article 16) — you may request correction of inaccurate data.
- Right to erasure (Article 17) — also known as "the right to be forgotten". You may request deletion of the data held about you. The operator will honour such requests unless retention is required by a specific legal obligation or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20) — the self-service endpoint above returns JSON that is suitable for portability.
- Right to object (Article 21) — you may object to processing based on legitimate interest. The operator will cease such processing unless compelling grounds override your interests.
- Right to withdraw consent (Article 7(3)) — at any time, for the processing described in Section 2.2. Clearing localStorage for this site will cause the consent banner to be shown again on your next visit, at which point you may choose differently.
- Right to lodge a complaint with a supervisory authority — in Finland, the Office of the Data Protection Ombudsman (tietosuoja.fi).
7. Transfers outside the EEA
If the Azure Storage region selected by the operator is outside the European Economic Area, transfers rely on the Standard Contractual Clauses (SCCs) incorporated into Microsoft's Data Protection Addendum, and on the EU-U.S. Data Privacy Framework where applicable. The operator's default configuration stores data within the EEA.
8. Security
Data is transmitted over HTTPS. Storage credentials are held only by server-side configuration and are not exposed to the browser. Access to the storage account is restricted to administrative personnel. The operator applies reasonable technical and organisational measures consistent with the nature and volume of the data.
9. Changes to this policy
This policy may be updated from time to time. A version identifier is shown at the top of this page. Whenever the version changes, the consent banner will be shown again on your next visit so that you may review and re-consent to the new version before any further active fingerprinting takes place. Historical consent records reflect the version of this policy in force at the time each decision was made.
10. Automated decision-making
No automated decision-making within the meaning of GDPR Article 22 takes place on this site. Fraud and abuse signals may influence whether specific requests are rate-limited or blocked, but such actions are reviewable, non-legal in nature, and do not produce significant effects on you as an individual.
11. Children
This site is not directed at children under the age of 16 and does not knowingly collect personal data from them.