Privacy Policy

Updated 05.05.2025
Privacy policy statement has been expanded, specified, and clarified 

CONTENTS:

  1. Who are we?
  2. Where do we receive personal data from?
  3. What information do we have about you?
  4. How long do we store your data?
  5. How and why are we processing your personal data?
  6. Disclosing and transferring information
  7. How do we protect your data?
  8. How do we use cookies?
  9. How can I exercise my rights to my personal data?
  10. Updating this privacy policy statement

We care about your privacy!

We take the protection of our customers' privacy seriously, and therefore all personal data is processed in accordance with the laws currently in force, especially the EU General Data Protection Regulation (henceforth GDPR). This privacy policy statement explains how we collect personal data, which data we process, and how we do it. It also informs you about your rights.

This statement explains how we process the personal data in our register and what rights the data subject has.

1. Who are we?

If you have ordered from us, you are a customer of STR Nordic Oy (VAT no FI28928265). STR Nordic Oy is a part of STR Global Group Oy group. The data controllers are jointly STR Nordic Oy and STR Global Group Oy (VAT no FI23421641) which is the parent company of the STR Global Group Oy group.

If there are any questions related to data processing or the data register, please contact our customer service by email: customerservice@strnordic.ie

The following companies are part of the Group:

  • STR Global Group Oy (2342164-1, Finland)
  • STR Nordic Oy (2892826-5, Finland)
  • STR Nordic AS (923 264 701, Norway)
  • Soome Tervisetooted OÜ (12737711, Estonia)
  • HOHDE OÜ (16279808, Estonia)
  • ProBambu OÜ (16245241, Estonia)

2. Where do we receive personal data from?

We receive personal data when customers place orders. We also receive personal data when someone contacts our customer service. We also collect information from data subjects for marketing purposes. We collect personal information from customers for consumer reviews.

For telemarketing, we may also acquire from lawful intermediaries contact information lists of people who have already given their consent for telemarketing. We store this information only for a limited time.

Please note that in cases where we need to process your personal information due to contractual obligations, there may be certain effects if we do not receive this information from you.

2.1 Orders

If you have placed an order directly on our website or through a link to our website on social media or in an email, we have received your personal information directly from you.

2.2 Contacts

If you have contacted our customer service by emailing, contacting us through filling out any kind of form, or using any other channel, our customer service received your personal data.

2.3 Acquired contact information lists

We may acquire from lawful intermediaries contact information lists of people who have already given their consent for telemarketing. We store this information only for a limited time.

2.4 Own marketing lists

In certain situations we collect personal information directly from consumers for marketing purposes. If someone has separately signed up for tele- or email marketing, the use of their information for said marketing will be processed according to this privacy policy.

2.5 Consumer reviews

When submitting consumer reviews, personal information has potentially been collected directly from the data subject. If consumer reviews have been gathered through an anonymous questionnaire, the review does not contain personal information. In situations where someone provides their personal information through a questionnaire or, for example, answers one of our surveys or fills out a product review form on our page through Trustmary, the personal information included in the review has been received directly from the data subject. Personal information will be processed according to this privacy policy. See section 6 for information on the use of Trustmary.

2.6 Contractual obligation to provide information

Please note that we may either initially request information from you at the placing of an order or in the event that we need to process more information at a later point in order to fulfill our contractual obligations toward you. In cases where we do not receive the information required, there may be effects on our possibility to fulfill certain parts of the contract, for example failure to provide a valid shipping address for receiving the ordered product or email address for receiving order confirmations. When entering into a contract with us, you are responsible for providing us with the information required.

3. What information do we have about you?

The information we have on you is limited to the relationship we have with you. We may have your name and phone number and/or email address, as well as postal address. If you have ordered from us, we also have your order and payment history and information, as well as other information related to your customer account. The contact history of our customers and anyone else contacting the company is also stored, including additional information provided in the contents of emails, etc. Please see section 8 for information regarding cookie information.

You have the right to contact us and request to see the data we have about you.

3.1 New customer acquisition

We may make promotional calls to customers and individuals who have given their consent to receive promotional calls from us but who are not our customers. We have limited knowledge of such individuals: name, phone number, and possibly address, as well as the extent of their consent. In cases where explicit consent is required by the customer in order to make promotional calls, this consent will be acquired and documented. If a promotional call to a new customer leads to placing an order, the information is verified with the customer.

If you have signed up for one of our tele- or email marketing lists, we have the contact information you have provided us with: telephone number and/or email address and possibly first and last name.

3.2 Personal data of customers and potential customers

We have the following information about our customers: name, possibly their phone number, address, zip code, city, customer number, email address, order history, potentially their email history if they have contacted our customer service by email, as well as the possible history of former promotional calls.

We have the email history and history of former promotional calls also of those who are not our customers but have such history with us.

Consumer reviews may contain someone’s name, even if that individual is not otherwise in our customer register (such as in cases where they have used the product and left a review, even if they have not ordered it themselves from us).

If applicable, our system saves IP addresses of devices making orders.

3.3 Promotional phone calls and customer service data

We do not record possible marketing calls or calls to our customer service unless consent is obtained.

3.4 Sensitive personal data and identity code

We do not save any sensitive data to our customer register (e.g. ethnic origin, identity code, etc.). Our current records of phone call recordings and email exchanges with customer service may contain sensitive health information on customers if the customer has provided that health information on their own initiative. This information is not processed for any additional purposes and we aim to delete this information as soon as possible. Regardless, we ask that our customers do not provide us with this type of personal information.

When you pay for products with an external payment gateway, you may be asked for additional verification or information such as your national identification number according to the card requirements and the obligations of payment providers. We will not receive this information and are not able to process it.

3.5 Children’s personal data

In principle, we do not process children’s personal data. However, in Internet sales, we may be unable to check the age of the customer. Nonetheless, our terms and conditions state that our products are available for purchase only to those aged 18 and over, as the consumer needs to be able to enter into a contract with us for the purchase of goods through a subscription. Therefore those under 18 attempting to purchase our products and enter into a subscription are in breach of our terms and conditions, and we do not intend to process their personal information.

3.6 Technical data

When placing an order through a link on social media or through our website, certain technical information such as log data is collected at that time. For additional information on data through cookies, see section 8.

4. How long do we store your data?

Personal data will be stored only as long as needed or until the customer asks us to remove it from our files. Customer data is generally stored as long as one remains a customer, as well as various periods after for different storage and usage purposes, but when marketing to prospective customers, the personal data will be stored only for a limited time.

New customer acquisition by phone employs data lists which are usually stored for three months.

We do not record telemarketing calls without your permission. If you give your consent to record the call, the recording is kept for three months.

The information of those who have given their consent for marketing purposes is saved until the consent is revoked.

The data of those who have ordered from us is kept in our register for ten years after processing the last order or shipment.

If you are not our customer, any emails that have been sent to customer service are saved until they are automatically deleted from our database. If you are our customer, any emails you have possibly sent to customer service are stored with your customer account according to our retention periods.

Information is stored as a part of consumer reviews for as long as we have permission or until information is anonymised and the individual can no longer be identified.

We are required to store some information for an even longer period of time due to different laws (e.g. Accounting Law).

4.1 Personal data online

Personal information listed in consumer reviews is available on the website until the individual has potentially revoked their permission for the use of the personal information or the personal information is deleted from the review. If there is the option to leave a product review through Trustmary on the website, the personal information will be stored until the individual requests for us to delete the review from Trustmary’s service. See section 6 for more information on the use of Trustmary.

4.2 Personal data and prospective customer acquisition by phone

If we have received your information as a part of a list for telemarketing (e.g. opt-in lists), we will store the information as long as you have given your consent for storing the information, as long as the intermediary of the list allows, or until you withdraw your consent, whichever first requires the information to be deleted.

The marketing lists are kept for three months. If the marketing call leads to a customership, your contact information will be checked before being transferred to our customer database and will be preserved so long as you remain our customer.

If someone has signed up for one of our tele- or email marketing lists by giving us consent, the information collected at sign up will be stored on its own list until the consent is revoked.

4.3 Storing phone sale recordings and call records

We will not store marketing call recordings unless you have given your consent to record the call. The calls are usually kept for three months for the purpose of verifying orders and in case of any ambiguities or conflicts.

Other log records from the phone call are stored in the system for two years, after which they are automatically deleted.

4.4 Storage of customers’ emails

Any emails sent to our customer service are stored in our customer register with other customer information. Emails are deleted along with the deletion of other customer data when the customership ends.

4.5 Customer and order information

The personal and order information of all customers is stored for ten years after their last order has been shipped. The retention period starts from the most recently shipped subscription product before the cancellation of the contract.

The customership of our subscribers (those customers who have a subscription with us) is considered to begin from the moment that a subscription order has been made. The same customership may contain more than one subscription. Personal information included in the customership is stored in the customer register for ten years from the last shipment of the last valid subscription. The customership is deleted after this time.

Once the customership has ended, the personal and order information is anonymized in our customer database and is deleted from our sales database, if necessary.

4.6 How long do our contractors store your personal data?

We have contractors to help us with various aspects of our processing and transfer certain information to them for those activities. (See section 6.1 for various types of contractors.) Contractors store information only as long as is necessary for the fulfillment of the services they provide the company, or only as long as the storage has a legal basis. They are then required to delete all data according to our agreements with them in line with predetermined retention periods for storage.

Contractors can never store personal data for their own purposes, except in the case of them functioning as a separate controller for certain processing or due to legal obligations for information retention, e.g. an accounting office needing to store bookkeeping records to fulfill their own legal obligations.

4.7 Storing information concerning marketing permissions

If you have consented to direct marketing by telephone, we will store the consent for as long as we store your personal information or until you revoke the consent.

If you have consented to email marketing, this consent will be stored until you revoke your consent. If you have opted-out of email marketing, this opt-out will be stored until you ask for the opt-out to be deleted. Additionally, information that you have not opted-out of email marketing will be saved until 12 months have passed from either the purchase or last marketing message, or until you opt-out of email marketing, after which the status of the marketing permission will be changed to not having permission to send email marketing messages.

4.8 Legal information storage

Even if personal data is deleted or requested to be deleted from certain lists or databases, the personal information required by law (e.g. Accounting Law, consent documentation obligations, records of sale, other legal obligations) may legally need to be preserved. However, this data is used only for the purposes designated by laws and regulations applicable to the business based on where the business is registered or active.

For information that cannot be deleted, the retention of this information is based on the legal lengths of retention and will be deleted once it is no longer necessary to be stored. For example, information to be retained by the business for accounting purposes needs to be stored for at least six years after the fiscal year the sale took place in.

4.9 Data anonymization

To maintain the proper functioning of our system, some essential information (such as data related to orders) is anonymized instead of being deleted once the retention period comes to an end. By doing this, there is no connection between the preserved data and a particular customer, yet it enables the normal functioning of the system. For more information, see ”The right of erasure/The right to be forgotten” below.

4.10 Data subject access requests

If the access request has been made through the typical customer service channels, the retention period is the same as in general for customer service correspondence. In cases where the data subject access request involves additional processing and the utilization of the DPO of STR Global Group Oy, the retention period after the access request has been completely processed is three years, with the exception of cases that would need to be retained for additional time due to legal reasons.

5. How and why are we processing your personal data?

We use the personal data of data subjects for providing the service for purchasing products, direct marketing, shipping products, maintaining the relationship with the customer, as well as for developing our overall operation.

If given consent, we use the data of our customers to inform them about interesting deals through telemarketing.

We perform electronic direct marketing on the basis of consent to those requesting marketing emails. We perform electronic direct marketing to customers based on the sale of our products (legitimate interest).

We also use personal information for training, statistics, and to fulfill legal obligations.

We will use your personal data only for justified bases listed in the EU General Data Protection Regulation, and they are discussed below.

According to the EU General Data Protection Regulation, legitimate interest means the lawful basis for processing personal data in, for example, marketing, for scientific or historical research purposes, or for statistical purposes. Yet these are subject to scrutiny (balancing test) and can be overridden in order to safeguard the rights and freedoms of the data subject. We also conduct compatibility tests in cases where information is processed beyond the original purpose.

5.1 New customer acquisition

We may acquire the contact details of consumers who have given their consent for direct marketing for new customer acquisition done by phone. We may use information intermediaries for acquiring such lists. Information intermediaries’ right of processing personal information is based on consent. If someone has signed up for one of our tele- or email marketing lists, we will either make telemarketing calls or send them marketing emails according to the type of list they have signed up for. The legal basis for this is consent.

5.2 Order fulfillment and processing returns

We process personal data in order to fulfill orders placed online and deliver ordered products to our customers. This requires the use of payment gateway providers as well for the processing of payments. We also use contractors who take care of the logistics of shipping and delivering the products to the customer. The legal basis for fulfilling customers’ orders is the performance of the contract.

We also process personal information in processing returns and reclamations, and in refunding payments. The legal basis for this is the performance of the contract.

5.3 Direct marketing by phone

We will call our customers and offer them new and interesting deals only if they have given their consent.

5.4 Protecting from fraud

The payment processor may process certain customer data for fraud prevention during the payment process. The basis for this is their legitimate interest.

5.5 General communications with customers

We can process your personal information in order to send you notifications concerning the status of your order or possible challenges in supply or shipping. We may also contact you in cases where there are issues with charging the card used for recurring subscription payments. In applicable situations, we may also contact a customer or potential customer according to their request to contact them. The basis for this is the performance of the contract.

5.6 Electronic direct marketing

We perform electronic direct marketing on the basis of consent to those requesting marketing emails. This may include customers or those otherwise interested in receiving electronically marketed materials on our products. We perform electronic direct marketing to customers based on the sale of our products (legitimate interest). Customers who have not opted-out receive email marketing materials on similar products.

5.7 Statistical reporting, surveys and reviews

We compile statistics on sales, customership, and campaigns, which are used for sales management. The basis for this is a legitimate interest.

It is possible to leave product reviews through surveys or separately through the website. The purpose of product reviews is to share consumers’ reviews of genuine use of products with other customers and potential customers. We also receive product feedback for product development purposes. We also perform surveys for the purpose of compiling statistics. The legal basis is either legitimate interest or consent. In cases where the review is published through Trustmary the legal basis is consent.

The personal information will not undergo automated processing, including profiling, that would have legal or similar effects without being able to demand human involvement in the process.

5.8 Accounting and other legal obligations

We use your personal data to fulfill the regulations of laws, courts, and decisions made by officials. Personal data is regularly processed for the purposes of fulfilling Accounting Law. Other various legal obligations relate to the retention of information for recordkeeping even if the information is not otherwise actively processed in the business activities. The legal basis of this is a legal obligation.

5.9 Providing the online services

Personal data needs to be processed in order to provide the online services that the website visitor has requested, e.g. in order for them to gain information on products they are interested in and purchase them over our website. This involves the processing of the IP-address in order to show the website. Personal data is also processed by contractors. The legal basis for this is the fulfillment of the contract.

Any additional processing on the online services not requested by the visitor and not necessary for the provision of the services is done with separate consent from the visitor. See information on cookies for more information.

5.10 Training and quality control

Personal information is processed for the purpose of training new employees, as well as for general quality control purposes. Personal information may contain information included in customer service processing (such as information in customer service emails), and personal information contained in the customer register (such as the customer file and shipping information). The legal basis is legitimate interest.

5.11 Reviewing and changing customer information and other rights

Customer information needs to be processed in order to confirm identity, make changes to information, and fulfill other requests of the data subject. Processing in relation to the consumer contract is a fulfillment of the contract. Processing due to a data subject access request is done based on legal obligation.

5.12 Targeted marketing

Personal information and the information on your purchases will be used to present you with advertisements we believe you will be interested in. This is done online through social media, for example. The legal basis is legitimate interest.

6. Disclosing and transferring information

We use contractors in shipping products, for sales, in managing systems, platforms, and when compiling statistics. We also transfer information within the Group for technical purposes and for the direct purpose of carrying out the processing to fulfill the contract with the customer.

We aim to process as much personal data as possible within the EEA. Some processing done by our contractors involves transferring data outside of the EEA.

When we use contractors, we only transfer to them the information they need to be able to carry out their tasks. We do not sell or give personal data to third parties for their own marketing.

We use social media platforms for marketing purposes. Due to having a business Facebook account, we are joint controllers with Meta Platforms Ireland Limited.

The legal basis for different transfers and disclosures is listed above in the previous section.

6.1. Transferring data to contractors/processors

We release data to our contractors and processors in situations that are related to transactions, deliveries, and certain advertising purposes so that we are able to carry out our services. Contractors and processors include the following:

  • IT services
  • Logistics partners
  • Transport services
  • Payment service partners
  • Payment intermediaries when paying with payment cards
  • Accountancy offices
  • Banks
  • Email, social media, and direct marketing partners

These contractors and processors listed above cannot use the data passed on to them for their own purposes in any situation. Under strict conditions, they receive only data that is relevant so that they can carry out the service they offer for the specific purposes defined by us. They cannot store data longer than instructed and agreed in our data processing contracts with them.

In cases where a contractor (our processor that may also function as a separate controller, such as a bank) is legally obligated to retain or process the information for a longer period, the additional retention or processing falls under that contractor’s own legal obligations and they function as a controller for the processing in question.

a) Marketing purposes

Of those customers who have given their consent for telemarketing, we may transfer the lists containing their personal data to our contractors for telemarketing purposes. We transfer only the data of persons who have given their consent for direct marketing.

b) Logistics

We use contractors who deliver the products, and they receive only the information necessary to carry out their task.

c) Technical systems

We use technical systems that are made and maintained by contractors for managing customer data, telemarketing, orders, and emails and also for different kinds of analyses.

6.2. Transferring data outside of the EEA

We aim to process as much personal data as possible within the EEA. Some processing done by our contractors involves transferring data outside of the EEA. Transfers to countries outside of the EEA are made on the basis of one of the following: 1) the European Commission’s adequacy decisions that a country’s data protection is at the same level as in the EEA, or 2) Standard Contractual Clauses, as well as possible supplementary measures, to ensure that the data is transferred and processed at the same level as within the EEA.

In certain cases, either we or the processors we use transfer information to the United States. The European Commission has decided that the EU-US Data Privacy Framework (EU-US DPF) provides an adequate level of protection for the processing of personal information in a third country.

If data transfers are not able to be made based on changes to adequacy decisions or the measures provided by a processor, we work towards ensuring that the data will be transferred to a processor who fulfills our requirements for data protection outside of the EEA or that the data will be processed within the EEA.

6.3 Transfers to Nets Denmark A/S

Our online store offers the possibility to pay by credit card through Nets (Nets Denmark A/S). Nets operates a payment gateway service. Nets operates as a separate controller for the information that it processes. When you pay through Nets, Nets directly collects the payment information of the customer. Nets collects the following information during a purchase: payment details, contact information, transaction information, and IT information.

For the full list of all possibly collected personal information, please see Nets’ Privacy Notice. In addition to processing customer information during payment transaction processing, Nets also processes personal data related to financial payments, for example, in order to fulfill the legal obligations they are subject to. You also have the right to directly contact Nets and make a Data Subject Request concerning your personal information. Please select “End-user (payer/cardholder)” from the list, or you can contact Nets by email or post according to the addresses provided on the website.

6.4 Joint controllership with Meta

Meta Platforms Ireland Limited (hereafter ”Meta”) and STR Nordic Oy are joint controllers in so far as applicable in the case of our Facebook page. Meta processes personal data following the privacy policy regulations which apply to it. Information regarding Article 13(1)(a) and (b) of the GDPR can be found online: (https://www.facebook.com/about/privacy). Meta is primarily responsible for following the data protection legal framework and carrying out data security as well as the rights of the data subject when using their services. We are subject to Meta’s Controller Addendum. (Please see: https://www.facebook.com/legal/controller_addendum)

We receive the data that other Facebook users are also able to see, meaning the names, public pictures, and other public information of individual users. The legal basis for this is a legitimate interest. Personal data is not transferred from the Facebook page or from comment sections to any other system without a separate notification. However, data such as private messages that convey information concerning changes in orders are registered in other systems.

Your personal data is used for example for reporting, advertisement, performing competitions and draws, receiving feedback, and partly for purchasing advertising space from Meta and measuring ads performance. Any data provided through optional actions, such as participation in draws, is done by participant consent or contract, and collected by us for our purposes. Together with Meta, we collect general information about actions such as likes, visits on our page, comments on posts, private messages, and statistics related to posts.

We use your personal data for targeting advertisements and creating audiences on Facebook. In this way we can provide you with the most relevant information on our products that you may find interesting. This is done in two ways: we transfer our customers’ contact information to Meta in order to target our advertising on social media. This shared information is only used for purposes decided by us. In this case we function as the controller and Meta as the processor of personal data. We also target advertising to those who are not yet our customers according to Meta’s Custom Audiences. This is done based on legitimate interest.

You have the right to object to the transferring of your personal data for targeting purposes on social media. Please contact us to notify us of your objection to the processing.

We use Page Insights to process data and therefore we are subject to the Page Insights Controller Addendum. (Please see: https://www.facebook.com/legal/terms/page_controller_addendum) Concerning cookies used on our website, see our Cookie Policy. Concerning Meta’s use of cookies, please see Meta’s information provided on cookies.

If you wish to use your private data rights (e.g. concerning deleting your data) because you have ”liked” our Facebook page or you follow it, please contact your local Meta representatives. Data requests regarding Page Insights will be forwarded to Meta. For more information on how Meta uses personal data, the legal basis for the use of this data, and how to exercise rights, please see: https://www.facebook.com/about/privacy

6.5 Use of Trustmary

We use Trustmary to collect customer feedback, reviews, and recommendations. Trustmary is a service that helps us better understand our customers through various surveys such as NPS and CSAT, and to use the opinions of our satisfied customers in the form of public reviews in our marketing. Depending on the type of survey, various information about our customers is transferred to Trustmary, where we act as the data controller and Trustmary as the processor. The transferred information may include the customer’s name, phone number, email address, possible organization, customer image, and feedback, review, or recommendation in text or video format. Our customers see and approve the information sent when responding to the survey in Trustmary. Trustmary does not disclose the information or use it for its own purposes contrary to its terms of service. For more information, please refer to Trustmary’s terms of service.

6.6 Releasing data to authorities

We have the right and obligation to release personal data of data subjects to authorities, carrying out their requests in accordance with EU or member state legislation.

6.7 Intra-Group Data Transfers and Controllership

Data is transferred within the Group due to the parties responsible for controllership, customership, and technical systems.

a) Joint Controllership

The majority of processing by the Group falls within the scope of the joint controllership, with areas of responsibility either being STR Nordic Oy’s, STR Global Group Oy’s, or jointly between the two companies. Customership is always made in relation to the company marketing the product and listed in the consumer contract.

b) Data processing

Any additional processing of personal information falling outside the scope of the joint controllership between STR Nordic Oy and STR Global Group Oy is reliant on data processing agreements between different companies in the Group in relation to allocated employee and system resources.

Different companies in the Group may be responsible for different aspects of the processing. Intra-Group data processing transfers adhere to data processing agreements and those parties acting as processors do not process the data for uses outside what is stated by the controller.

c) Data subject access requests

STR Nordic Oy primarily handles data subject access requests (DSARs) made through customer service. In certain cases, however, the data subject access request can be transferred from STR Nordic Oy’s customer service to the Data Protection Officer (DPO) of the Group. The DPO will assist in answering the DSARs even if the request specifically relates to processing that STR Nordic Oy is primarily responsible for as the controller and would not otherwise relate to STR Global Group Oy’s own controller responsibilities.

6.8 Sales or Involvement in a Merger

In the event that either a subsidiary or the Group as a whole is involved in a sale or merger, the Group has the right to transfer all personal data to the respective parties as a result of the sale. The Group has the legitimate interest to fulfill such actions if deemed in the interests of the Group in the future.

In the event that one of the subsidiaries of the Group would be involved in an Intra-Group merger or acquisition, data related to the fulfillment of such actions would be transferred for those purposes.

7. How do we protect your data?

We protect your data with technical and organisational measures that ensure that your data is safe in our systems.

Our personal data file exists only as electronic files. This register is protected with passwords, encryption, and firewalls. The rights of those who can access the register are limited and correspond to their roles. Each person using the register has signed a life-long confidentiality agreement regarding the content of the register. The contractor in charge of our systems is responsible for sufficient technical and organisational measures that ensure the physical and technical protection of the register. The contracts with contractors define what contractors are able and unable to do with this data.

8. How do we use cookies

Cookies are text files that are stored on the terminal device by the Internet browser. Cookies may have a personal identifier that enables identifying the user. We utilize cookies to ensure that our online services are usable and of high quality and that we are equipped to develop these services. Cookies are also used in advertisement targeting. However, users are not identified by cookies alone.

We have provided more information on what types of cookies we use, how long they are stored, what they do, who they transfer data to, and your right to consent and revoke consent in our separate Cookie Policy. Read more about our use of cookies here.

9. How can I exercise my rights to my personal data?

If you are in our register, you have certain rights based on the EU General Data Protection Regulation. You have the right to know what information we process about you. You have the right to access your personal data that exists in our register as well as to demand correcting any erroneous information, deleting your data, and to prohibit releasing personal data.

You have the right to give your consent for direct telephone marketing as well as withdraw the consent you have given. You have the right to give your consent for email marketing as well as revoke the consent you have given. You have the right to opt-out of email marketing if you have received marketing on the basis of your customership.

Finally, you have the right to lodge a complaint about our activities to the Data Protection Authority.

In addition, you have the right to obtain a response to your questions within the time frame defined by GDPR (1 month), even though we aim to act faster than that.

9.1 You have the right to access your personal data in our files

This data can be delivered to you once we have sufficiently identified that the person asking for the data is you. The information can be delivered to you either over the phone, by email, or mail (paper version). In the case of repetitious paper version requests, we charge reasonable fees based on administrative costs (EU General Data Protection Regulation article 15.3).

9.2 You have the right to demand correcting any erroneous information or deleting your data

If you notice that we have any erroneous information concerning you, please inform us and we will correct it immediately.

9.3 You have the right to opt-in or opt-out of direct telephone and email marketing and revoke previously given consent for direct telephone and email marketing.

You can give your consent for telemarketing and you can also withdraw this consent at any time. The easiest way to do this is to contact our customer service.

We may send you emails based on your purchase history and customership. However, you can opt out any time. You can give your consent for email marketing and you can withdraw the consent you have already given. Every marketing email contains an unsubscribe button in the email, which can be clicked in order to revoke consent to email marketing and delete the email address from the email marketing list.

Customers can also object to social media marketing by contacting our customer service.

9.4 You have the right to the restriction or objection to the processing of your personal data.

In certain situations you have the right to request the restriction of processing or object to the processing instead of the deletion of information. You can contact us in this case.

9.5 You have the right to lodge a complaint about our activities to the Data Protection Authority

If you believe that we have violated your right to the protection of personal data, you have the right to lodge a complaint about our activities to the Data Protection Authority.

As the data controller is based in Finland, you can make a notification to your own Data Protection Authority, or to the Finnish Data Protection Ombudsman from the following link: https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman

9.6 You have the right to erasure (the right to be forgotten)

You have the right to ask for all your personal data to be deleted from our systems. This right is called “the right to be forgotten.” In this case, we will delete all of your personal data from all of our systems. Deleting personal data might not be possible in some situations, for example, if you have unpaid invoices or there are any legal proceedings in progress. Likewise, we cannot delete any information from our books that is required by the Accounting Law.

If you have placed a review through Trustmary or another survey you can separately request the deletion of the review.

9.7 You have the right to obtain a response to your question within the time frame defined by GDPR

We will reply to all questions concerning privacy policy “without undue delay and in any event within one month of receipt of the request” (GDPR 12.3). Our aim, however, is to provide you with the requested information clearly earlier than that.

9.8 You have the right to request transfer of your personal data to another system.

The information you have provided us can be transmitted from our systems to another. If you would like to receive your information in a machine-readable format, it will be delivered to you in this format.

9.9 Right not to be subject to automated decision making

Your personal information will not undergo automated processing, including profiling, that would have legal or similar effects without you being able to demand human involvement in the process. At the moment we do not make decisions or profile based on automated processing that would have legal effects on you, and humans are involved in such decisions.

In cases that the payment acquiring company (Nets Denmark A/S) rejects a payment due to suspicion of fraud, the processing and decisions involved have been made with Nets acting as the controller of the processing and in accordance with the terms outlined by Nets for the use of their service. Please consult Nets in cases of ambiguity.

10. Updating this privacy policy statement

We update this privacy policy document regularly so that we can take into account the advances in the laws and regulations, new circumstances, as well as changes in policies and procedures.

This privacy policy document is visible on our website, and it has a date indicating when it has been updated. Please stay up-to-date on changes in our privacy policy by regularly checking for updates on our website. If major changes have been made to the policy, we will inform you in additional ways in accordance with what changes were made and which data subjects the changes apply to. We may use, for example, notifications on our website, email, or notices with our shipments.

For previous versions relating to the data processing of customers from 2021, please contact our customer service.