DDScore.ai — Privacy Statement
Last updated: 6 May 2026
2026.05.06 10:55
This document is provided in accordance with the EU General Data Protection Regulation (GDPR). It describes how personal data is processed in connection with services provided by DDScore.ai.
1. Data Controller
Playful Pixels Oy
Business ID: 2410516-5
Address: Kotipolku 5, 02730 Espoo, Finland
Email: [email protected]
2. Contact Person for the Register
Name: Mikko Heilimo
Email: [email protected]
3. Name of the Register
DDScore User and Customer Register
4. Purpose of Processing Personal Data
Personal data stored in the register is used for:
- Providing and developing DDScore.ai services
- Customer communication and support
- Fulfilling legal obligations
- Managing user accounts and subscriptions
- Service analytics and improvement (including the use of anonymous, aggregated statistical data described in Section 7)
- Marketing communications (only with explicit user consent)
Data is not used for automated decision-making or profiling without user consent.
5. Legal Grounds for Processing
The processing of personal data is based on:
- User’s consent (Article 6 (1)(a) GDPR)
- Contractual necessity (Article 6 (1)(b) GDPR)
- Legal obligations (Article 6 (1)(c) GDPR)
- Legitimate interest (Article 6 (1)(f) GDPR), such as customer relationship management and security
6. Contents of the Register
The register may contain the following data:
- Name
- Email address
- Phone number
- Company name (if applicable)
- Country
- VAT ID (if applicable)
- IP address
- User account data
- User settings and consents within the service (e.g., language preferences, marketing consent)
- Payment details (processed by Stripe; not stored directly)
7. Processing of Personal Data in Analysis Context
DDScore.ai analyses submitted business documents on behalf of the user, using AI-powered analysis combined with mathematical methods, including proprietary Advanced Probabilistic Analysis. These documents may contain personal data relating to third parties, such as team members, founders, or other individuals mentioned in pitch decks or business plans.
Such data is:
- Processed solely for the purpose of generating the requested analysis
- Never added to the DDScore customer register
- Source files are deleted immediately upon completion of report generation; the generated report is deleted within 24 hours of generation (subject to limited exceptions described in Section 13)
- Processed under the legal basis of contractual necessity (Article 6 (1)(b) GDPR) on behalf of the submitting user
The submitting user is responsible for ensuring they have the right to share any personal data contained in uploaded documents.
Public sharing (share link function): If the user chooses to publish a report or main image via the in-service share link function, all personal data is removed from the published version. The Service applies a rule-based anonymization which removes from the published version the entire team section of the report and any other personal data appearing elsewhere in the report. The company name and the general analytical content of the report remain visible. The submitting user is responsible for verifying that the published content does not contain personal data they do not have the right to share, and is reminded by the user interface to do so before activating the share link.
Anonymous statistical data: After analysis, the Service retains anonymous, aggregated statistical data consisting of the 12 section scores, GICS-based industry classification, country/region, and timestamp. This data contains no link to the user or to the submitted material, is not personal data within the meaning of the GDPR, and is retained indefinitely for product development purposes only. It is not used to train machine learning models and is not transferred to third parties.
8. Regular Sources of Data
Personal data is collected from:
- Users themselves during account creation or usage
- Contact forms and support interactions
- Billing and payment systems
- Website usage and analytics tools
9. Regular Disclosures of Data
Data may be disclosed to:
- Payment processors (e.g., Stripe)
- Cloud hosting and enterprise API providers, under confidentiality and GDPR-compliant contracts
- Authorities upon valid legal request
If the user activates the in-service share link function, the published version of the report or main image is made publicly accessible via the open Internet at the user’s voluntary choice (see Section 7).
We never sell user data. Data is not disclosed to third parties for unrelated marketing.
10. Transfer of Data Outside the EU or EEA
Data is primarily stored and processed within the EU/EEA. If processing occurs outside the EEA, appropriate safeguards — such as Standard Contractual Clauses (SCCs) — are in place to ensure adequate protection in accordance with GDPR.
11. Data Protection Principles
Data is stored securely using industry best practices:
- TLS 1.3 encryption in transit and AES-256 encryption at rest
- Role-based access controls and multi-factor authentication for staff. In the context of support-request handling, access to submitted materials is restricted to the support team and the development team.
- Hard-coded automatic purge: uploaded source files are deleted immediately upon report completion, and generated reports are deleted within 24 hours of generation.
- Regular vulnerability scanning and third-party penetration testing
- Back-up, business-continuity and disaster-recovery plans for system infrastructure and metadata (excluding processed documents)
No Training: We do not use personal data, uploaded documents, or generated reports to train or fine-tune machine learning models. The anonymous statistical data described in Section 7 is also not used for training and is not transferred to third parties.
12. Right of Access and Correction
Users have the right to:
- Request access to their personal data
- Correct inaccurate data
- Withdraw consent at any time
- Request deletion (right to be forgotten)
- Restrict or object to data processing
- Receive their data in a portable format
- Lodge a complaint with the Finnish Data Protection Ombudsman
To exercise these rights, contact [email protected]. We reply within one (1) month, extendable by two (2) months for complex requests.
13. Data Retention (Zero Trace Policy)
| Data type | Retention period |
|---|---|
| Uploaded source files | Automatically and permanently deleted immediately upon completion of report generation |
| Generated analysis reports | Automatically and permanently deleted within 24 hours of generation, regardless of whether accessed |
| Published share content (when share link function is used) | Retained while the share link is active; removed from our servers immediately upon deletion of the share link or closure of the account |
| Support ticket attachments (report and any voluntarily attached source materials) | 14 days from submission, extendable by mutual agreement of both parties |
| Anonymous statistical data (12 section scores, GICS classification, country/region, timestamp) | Retained indefinitely for product development. Not personal data. |
| Account & subscription records | Duration of customer relationship + 10 years (Finnish Accounting Act) |
| Technical logs | 24 months |
| Support tickets (text content) | 24 months after last correspondence |
Please remember to download your analysis report before it expires; both the report and the source files are subject to the deletion schedule set out above.
© 2026 Playful Pixels Oy — All rights reserved.