Register and Privacy Policy
This is Siimli Oy's register and privacy policy in accordance with the EU's General Data Protection Regulation (GDPR). Prepared on January 1, 2025. Last updated on January 7, 2025.
1. Data Controller
Siimli Oy
Ulvilantie 29
00350 HELSINKI
Finland
Business ID: 3460932-4
Contact information for matters concerning the register:
Siimli Oy
+358 50 3802608
2. Name of the Register
Customer Register
3. Legal Basis and Purpose of Processing Personal Data
Personal data is processed for managing the customer relationship, fulfilling contracts, and developing the service. The processing is based on our legitimate interest in maintaining active customer relationships, providing services that meet customer needs, processing orders and contracts, and developing our business. In some cases, the processing is based on the data subject's voluntary consent, which the data subject can withdraw at any time.
Purpose of Processing Personal Data and Use of the Register
Personal data is processed for the following predefined purposes: providing the service and managing the customer relationship (including service delivery, communication, maintaining customer information, managing contracts, and invoicing), analyzing service usage (statistics and research), targeting advertising, and developing services (planning new features and functionalities).
4. Personal Data Stored in the Register
Our customer register may contain the following information:
- Basic Information: Name, customer number, username/unique identifier, (encrypted) password.
- Contact Information: Email address, phone number, address.
- Company/Association Information (if applicable): Company/association name, business ID/registration number, contact person information.
- Customer Relationship and Contract Information: Contracts, orders, purchase history, invoicing information, transaction details.
- Profile and Behavioral Information: Personal profile (if created), usage data of online services.
5. Rights of the Data Subject
The data subject has the following rights. Requests to exercise them should be sent to info@siimli.com:
- Right of Access: The data subject can check the personal data we have stored about them.
- Right to Rectification: The data subject can request the correction of inaccurate or incomplete data concerning them.
- Right to Object: The data subject can object to the processing of personal data if they believe that the personal data has been processed unlawfully.
- Right to Prohibit Direct Marketing: The data subject has the right to prohibit the use of their data for direct marketing purposes.
- Right to Erasure ('Right to be Forgotten'): The data subject has the right to request the deletion of their data if the processing of the data is no longer necessary. We will process the deletion request, after which we will either delete the data or inform the data subject of a justified reason why the data cannot be deleted. It should be noted that the data controller may have a statutory or other right not to delete the requested data. The data controller is obliged to retain accounting records in accordance with the Accounting Act. Therefore, accounting-related material cannot be deleted before the expiration of the statutory period.
- Right to Withdraw Consent: If the processing of personal data concerning the data subject is based solely on consent, and not, for example, on a customer relationship or membership, the data subject can withdraw their consent.
- Right to Lodge a Complaint with a Supervisory Authority: The data subject can complain to the Data Protection Ombudsman if they feel that we are violating the applicable data protection legislation when processing personal data.
- Right to Restriction of Processing: The data subject has the right to demand that we restrict the processing of disputed data until the matter is resolved.
- Right to Lodge a Complaint: The data subject has the right to lodge a complaint with the Data Protection Ombudsman if they feel that we are violating applicable data protection legislation when processing personal data. Data Protection Ombudsman's contact information: www.tietosuoja.fi/en/index/yhteystiedot.html
6. Regular Sources of Information
As a rule, information is obtained directly from the data subject themselves, for example, when a customer relationship begins, through online forms, when using services, in customer service situations, or in other direct contacts.
We may also collect and update personal data from public and generally available sources, such as the trade register, the Finnish Patent and Registration Office (PRH), or the Tax Administration. We may also receive information from third parties, such as credit information companies and marketing partners, if the data subject has given consent for the disclosure of their data for marketing purposes.
7. Regular Disclosures of Information
Personal data is not primarily disclosed to other parties. However, data may be disclosed with the customer's consent, when required by law, or to service providers necessary for the implementation of our services. We only disclose the necessary information for each purpose. Such service providers include IT service providers (server maintenance, software provision), marketing and sales service providers (email marketing, analytics), payment service providers (online payment processing), debt collection agencies (invoice collection), law firms (legal advice), and cloud service providers (data storage). Our service providers comply with data protection legislation.
8. Principles of Data Security
Care is taken in the processing of personal data, and appropriate data security measures are implemented. Information systems and data stored on internet servers are appropriately protected by physical and digital security measures. Data is processed confidentially and only by authorized employees. We regularly assess the necessity of data retention in accordance with legislation. Data is generally processed for the duration of the customer relationship, and invoicing data is retained in accordance with the Accounting Act.
9. Data Processors
Personal data is processed by the data controller and its employees who, by virtue of their work, have the right to process customer data. We may also outsource the processing of personal data in part to a third party, in which case we ensure through contractual arrangements that personal data is processed in accordance with applicable data protection legislation and otherwise appropriately. Such parties include accounting firms, IT support, or other outsourced services of the company that have access to information systems. Data is collected in databases that are protected by firewalls, passwords, and other technical means.
10. Data Transfer Outside the EU and EEA
In some cases, data may be regularly transferred outside the EU or the European Economic Area if we use service providers located outside the EU/EEA. If data is transferred outside the EU and EEA, we ensure an adequate level of protection for personal data, among other things, by agreeing on matters related to the confidentiality and processing of personal data in the manner required by law. We always ensure that there is an appropriate legal basis for the transfer and that the level of data protection is adequate.
11. Automated Decision-Making and Profiling
We do not use decision-making based solely on automated processing that has legal effects on the data subject or otherwise significantly affects them.
12. Changes to the Privacy Policy
Siimli Oy reserves the right to change the content of this privacy policy without separately notifying the data subject. It is the data subject's responsibility to review the content of the privacy policy regularly.
Every person in the register has the right to check their data stored in the register and demand the correction of any incorrect information or the completion of incomplete information. A person in the register has the right to request the deletion of their personal data from the register. Requests should be sent to the data controller. The data controller may, if necessary, ask the requester to prove their identity.