Privacy Policy

We ensure that your personal data is processed appropriately, in compliance with applicable laws, and with respect for your privacy. On this page, you will find detailed information on how we handle your personal data.

We continuously develop our services and therefore reserve the right to update this privacy policy as needed.

Drafted on March 31, 2024, last updated on March 31, 2024.

Data Controller and Contact Information

Name: SP-Apu Oy / Caravan Keidas Oy (Company ID: 2863252-8)

Contact information:
Janne Pyrrö, janne@spapu.fi
Etanakuja 22, 01480 Vantaa.

 

What Personal Data Do We Process?

Essential Data for Operational Purposes

We process data necessary for managing customer relationships and our operations. This includes information related to cooperation, customer, and contractual relationships, as well as data needed for the production, management, and development of services. We also process personal data to fulfill the rights and obligations of the parties involved. Additionally, we handle data concerning customers, stakeholders, and information required for training, events, or other external or internal projects. The processed data may also include information about potential partners, customers, stakeholders, and their employees or other representatives.

The processed data relates to the contact details, identification, or background information of the mentioned parties or their representatives. Information may also be collected based on joint activities, depending on their nature. This data may include, for example, names, positions, organizations, billing information, contact details, order information, identification details, or other relevant information. Data is primarily collected directly from the mentioned parties or their representatives.

The legal basis for processing is legitimate interest, based on customer relationships, other relationships, service provision, or billing. Additionally, the legal basis may include contract preparation and fulfillment, as well as compliance with statutory obligations (such as accounting and taxation). Consent may also serve as a legal basis. Data may be collected to avoid conflicts of interest.

Marketing and Customer Communication

We process data for sales and marketing purposes. Information about potential customers is also processed for communication and informational purposes. Data may be processed, for example, for sending invitations and newsletters, conducting opinion or market research, or other surveys. The collected data may include names, contact details, or other identification information. The legal basis for processing is legitimate interest, consent, or contract.

Website information

We process cookies and website visitor data to develop our business and ensure website functionality. The collected data may include pages visited and visit duration. The primary legal basis for processing is consent.

We also process data of website visitors and commenters to facilitate spam detection. The collected data may include details in the comment form, IP addresses, browser version information, and hash data. The primary legal basis for processing is consent.

Website content may include embedded content, such as articles, videos, or images. Accessing embedded content from other websites is comparable to visiting a third-party website. These websites may collect data about you, use cookies, embed third-party tracking cookies, and monitor your interaction with embedded content, including tracking your interaction if you are logged into the site as a user.

Other information

We process information about job applicants and employees for recruitment decisions and employer obligations. Other processed data may include information voluntarily provided by the data subject, such as feedback, contact requests, or other communication channels. The legal basis for processing is consent, contract, or legitimate interest.

How Do We Process and Store Your Data?

We retain data for the duration of the customer or partnership relationship and thereafter for an indefinite period. Data can be deleted upon the customer’s request after the end of the relationship. Information related to purchases of services or products is stored in email archives and accounting records for seven years. Comments and their metadata are retained indefinitely to automatically recognize and approve subsequent comments instead of holding them in a moderation queue. For other types of information, specific retention periods, either shorter or longer, may be indicated. Data collected for direct marketing is deleted immediately after processing the deletion request.

We follow careful practices in storing and processing data, ensuring data security through firewalls, passwords, and various widely accepted technical methods. Manually maintained records are stored in locked facilities, restricting access to unauthorized persons. Data storage and processing are carried out through service providers known for their security. Data is protected by strictly limited access rights and is processed solely for the purpose it was collected. All personal data is handled confidentially.

As a general rule, we do not disclose or transfer data to third parties unless specific consent has been given. Exceptions may include obligations related to legislation or regulatory requirements, which are always reviewed for legal compliance on a case-by-case basis. An exception may also be the sharing of registry information with the data controller’s subcontractors, for instance, for providing infrastructure and IT services. In these cases, adequate data security and registry processing are ensured through the EU-U.S. Privacy Shield arrangement and/or contractually using procedures approved by data protection legislation. If data disclosure is based on a contractual relationship with a service provider that may process data to perform the service for the data controller, the appropriate and lawful processing of personal data is ensured through agreements and, if necessary, confidentiality agreements.

Data may be transferred outside the EU or EEA. For example, providers of tools and file management services may be located outside the mentioned areas.

What are your rights?

You have the right to access information about the data stored about you, as well as details regarding what data we process and the purposes for which it is processed.

You have the right to request the restriction and correction of data, for example, in cases of incorrect or incomplete information. You may request the restriction of data processing or the deletion of data based on legal grounds if the retention of data is not required for compliance with a legal obligation.

You have the right to withdraw your consent to the use of your personal data if the processing is based on consent. However, the withdrawal does not affect the legality of the processing carried out before the withdrawal. If data processing is based on consent, you also have the right to receive this data in a machine-readable format and transfer it to another data controller.

You have the right to object to the processing, profiling, and other actions involving your personal data. You have the right to object when your personal data is processed for direct marketing purposes or when processing is based on legitimate interest. The situation should be specified in the objection request, which we may refuse to comply with only on legal grounds.

You have the right to file a complaint with the competent supervisory authority if you believe that we have not complied with data protection regulations.