Privacy Policy
General Data Protection Regulation (GDPR) Compliance Statement
Data Controller
Oy Equine Innovations Ltd, Business ID 2588058-5
Purasentie 12, 39150 Pinsiö, Finland
Register Name
Oy Equine Innovations Ltd Customer, Order, Billing, and Marketing Data Register
Principles of Personal Data Processing
We adhere to the following principles regarding personal data:
a) Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently in relation to the data subject.
b) Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the original purposes according to Article 89(1) (“Purpose Limitation”).
c) Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“Data Minimization”).
d) Accuracy: Personal data must be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that inaccurate or incomplete data is erased or rectified without delay (“Accuracy”).
e) Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data is processed. Personal data may be kept for longer periods if processed solely for archiving in the public interest, scientific or historical research purposes, or statistical purposes under Article 89(1), provided that appropriate technical and organizational measures are implemented to protect the rights and freedoms of data subjects (“Storage Limitation”).
f) Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“Integrity and Confidentiality”).
Customers have the right to access their personal data stored in our system, to correct it, and to request its deletion. Data is not processed outside the EEA except for anonymous web analytics (e.g., Google Analytics, Facebook). Data is retained until the customer requests its deletion. Data is retained, for example, for web analytics purposes (statistical reasons) and to facilitate future orders (customer benefit).
Purpose of the Register
The purpose of the register is to manage customer communication, maintain and develop customer and commercial relationships, and use data for reporting and statistical purposes. Oy Equine Innovations Ltd uses these and other data generated during the customer relationship for planning product and service offerings and targeting these offerings.
Personal data is used within the limits allowed and required by data protection laws. The register is not disclosed to third parties.
Email addresses of newsletter subscribers are used for sending newsletters. Information from contact forms is used to respond to inquiries.
Data Included in the Register
The customer register consists of several separate registers organized by their primary purpose. The collected data about customers includes:
- Contact information and details necessary for ordering: first and last name, street address, postal code, city, country, language, phone number, email address, and personal identification number. For business, association, and organization customers: company name and business ID.
- Customer group information, discount class, and other customer-specific additional details.
- Billing address and other billing information.
- Possible consent to receive direct marketing.
- Information about customer orders, deliveries, and returns.
- Other text-based information related to the customer relationship, such as the purpose of contact requests or delivery time preferences.
Personal data is deleted upon the user’s request.
Data Disclosure and Transfer
Data is not disclosed to external parties except as required by legal authorities. As part of data processing, some data may be located with the company’s subcontractors.
Regular Data Sources
Contact and customer data is obtained from customer notifications during and after the establishment of the customer relationship. A customer relationship is established when an order is placed, direct marketing is requested, or a purchase is made. A customer relationship can also begin at the customer’s request, for example, based on a phone conversation.
For electronic direct marketing (email and SMS), consent is obtained separately from the customer in accordance with data protection laws. Information on creditworthiness at the time of ordering is obtained from Checkout Finland Oy (Business ID 2196606-6), DFC Nordic Oy (Business ID 1998514-5), and/or Suomen Asiakastieto Oy (Business ID 0111027-9).
Legal Grounds for Data Processing
Data processing must have a legal basis. We process personal data based on consent (e.g., subscribing to a newsletter), contract (e.g., placing an order), legal obligations of the data controller (e.g., products requiring a statutory license), protection of vital interests (e.g., training or course requiring personal health information), or legitimate interests of the data controller or a third party (e.g., web analytics).
Data Protection
Access to the register requires special permissions. Access is restricted to information necessary for performing job duties and requires the use of personal user credentials. The customer register and the systems handling it are located in secure data centers. Hardware and software updates are carried out regularly and appropriately, and any threats are responded to immediately. Data is backed up regularly in case of disruptions. The system is protected by a firewall against external connections.
Employees handling customer register data are bound by confidentiality. Information is disclosed only based on legal obligations, such as customer requests or legal authorities’ requests.
Data Retention
Customer data is retained for 20 years. The retention period is based on recommendations from authorities, customer interests, the average duration of customer relationships, and the seller’s responsibilities under legislation (e.g., product liability directive). The necessity of data retention has been discussed with trade representatives. Personal data is deleted upon request without undue delay or, at the latest, when it is no longer necessary for its intended purposes.