Compliance Built In

02/07/2026

Petteri Sulonen

Co-Founder, CEO & CTO

Every company operating in Europe has to be compliant with the General Data Protection Regulation, or GDPR. This is especially important for a company like Tarinoi Works, since we're operating a SaaS, which requires us to collect some information about our users. This can be a huge headache if you only think about it when you trip over it. That's one reason why we wanted to build GDPR compliance into Tarinoi from the ground up.

The GDPR is all about personally identifying information (PII). This means any information that can either in isolation or in combination with other information, be used to identify a single human individual. The regulation outlines the rights and responsibilities of anyone storing or using such information, and your rights to your PII. I'm kind of a fan, actually, because PII can be abused in all kinds of ways, and I would like to feel much more secure than I actually do about where my PII resides and what it's being used for. So this isn't about compliance for its own sake, it's more about respecting our customers' data — the reason the compliance requirement is there in the first place.

Who owns what — the controller and the processor

One key distinction in the GDPR is that between the controller and the processor of your PII. A controller makes all the decisions about the data it controls and is fully responsible for it, whereas the processor holds the data and processes it in accordance with the instructions the controller gives them. For example, if you sign up for our newsletter, we are the controller of the information you submitted, but Brevo, our e-mail platform, is the processor.

In our case this also relates to data ownership. Any game content you create in Tarinoi is yours — you hold the intellectual property rights and you're fully in control of where and how it's used. That also means you're responsible for all the legal aspects of it. On the other hand, we are responsible for the account data you provide us when signing up, and all the technical stuff that makes it possible to operate the service.

In GDPR terms, Tarinoi Works Oy is the controller of data you have given us when registering and using an account with the service, and you, our customer, are the controller of the game content you create in Tarinoi — we're just the processor.

This split is reflected in Tarinoi's data architecture. We store the PII we callect in a small number of database tables that are set up specifically for the purpose. We only store the actual plaintext information in one place, and connect it to everywhere else using an opaque key — something that can't be used to identify you outside Tarinoi. This means that it's very hard to even accidentally leak PII into a log or let it slip anywhere it shouldn't appear. Moreover, we don't collect any PII that lands in project data, but we can't stop you or anyone else in the project from entering such data – for example, by typing your name and e-mail into a card.

We've also segregated tenant-controlled data at a structural level. In practice, we use a PostgreSQL feature called row-level security (RLS for short) to prevent cross-tenant access to such data. Although you may be a member in any number of organisations, you're only signed into one at a time, and when you are, you're only able to access that organisation's data.

The upshot is that it's very easy for us to keep track of who controls what data, where the PII we collect is, and then make it as easy as possible for you — the end user — to exercise your GDPR rights over your PII.

Your rights to access, portability, restriction of processing, and erasure as they appear in Tarinoi.

Your rights under the GDPR

The rights GDPR grants everyone — and that anyone processing PII needs to respect — are the rights to access, portability, rectification, erasure, and restriction of processing. With our data architecture, supporting these is pretty straightforward.

Right of access and right to portability: We have a button that lets you download all your PII in a single, portable JSON bundle.

Right of rectification: We have a UI that lets you update your profile info at any time.

Right of erasure: Should you choose to delete your account, we just delete the PII we hold. The opaque IDs used to refer to it can stay — they no longer refer to anything identifiable and can no longer be associated with you.

Right of restriction of processing: You can disable your account at any time. That stops you or anyone else from signing in with it until and unless you re-activate it. Organisation admins can still see it and, for example, remove you from their organisation. We can't effectively stop this because that would conflict with the organisation's business need to manage their membership. This is considered a legitimate purpose to continue processing the data despite the suspension, as it is specified, explicit, and there is a legitimate interest and genuine, documented business reason to do so.

The upshot is not just that we need to comply with the GDPR, but we want to support the rights the GDPR grants you. Privacy and control over your data is important, and we don't want to contribute to a world where these aspects are continuously eroded.

#features
#updates