PRIVACY POLICY
Privacy policy in accordance with the EU General Data Protection Regulation (2016/679, GDPR)
Created: February 17, 2026
Last updated: February 17, 2026
1. Data controller
Virtasalmen Viljatuote
Business ID: 2887618-6
Suholanrannantie 231
77330 Virtasalmi
Phone: 0208 348 000
Email: info@virtasalmenviljatuote.fi
2. Contact person for data protection matters
Pekka Hänninen
Email: info@virtasalmenviljatuote.fi
Phone: 0208 348 000
3. Purposes and legal grounds for processing personal data
3.1 Processing online store orders
- order receipt and processing
- payment management
- delivery arrangements
- customer service
Legal basis: Performance of a contract (GDPR 6.1.b)
3.2 Legal obligations
- bookkeeping
- documentation of payment transactions
- regulatory reporting
Legal basis: Legal obligation (GDPR 6.1.c)
3.3 Customer relationship management and development
- customer communication
- feedback processing
- service development
Legal basis: Legitimate interests of the controller (GDPR 6.1.f)
The legitimate interest of the controller is based on maintaining customer relationships, developing services, and securing business operations. The data subject has the right to object to such processing at any time.
3.4 Direct marketing
- newsletters
- product recommendations
- campaign communication
Legal basis: Consent (GDPR 6.1.a) or legitimate interest in accordance with applicable law.
The data subject has the right to object to direct marketing at any time.
3.5 Analytics and marketing
- website visitor tracking
- conversion tracking
- remarketing
- marketing targeting
Legal basis: Consent (GDPR 6.1.a)
3.6 Chatbot customer service
- responding to customer surveys
- customer service implementation
- service development
- quality assurance
Chatbot conversations can be recorded for quality assurance purposes.
Legal basis: Contract (GDPR 6.1.b) or legitimate interest of the controller (GDPR 6.1.f), depending on the situation.
The legitimate interest is based on the implementation and development of customer service. The data subject has the right to object to the processing unless the processing is necessary for the performance of a contract.
4. Personal data processed
- First and last name
- Company name (business customers)
- Postal address
- E-mail address
- Phone number
- IP address
- Order history
- Payment transaction details
- Delivery information and shipment tracking information
- Customer feedback
- Chatbot conversations
Some personal data is necessary for concluding a contract and processing orders. If mandatory information is not provided, the order cannot be processed.
5. Sources of information
Information is obtained:
- via the online store (WooCommerce / WordPress)
- in connection with orders
- during customer registration
- via the chatbot
- by email or telephone
- using cookies and analytics
6. Recipients and processors of personal data
Personal data may be disclosed to the following service providers:
6.1 Online store and hosting
- WordPress + WooCommerce
- Web hosting and server services (Seravo Oy)
6.2 Payment service providers
- Klarna Bank AB
- Paytrail Plc
- Stripe Payments Europe Ltd
Payment service providers operate partly as independent data controllers.
The data controller does not store payment card details in its own systems.
6.3 Transport and logistics services
- Posti Ltd
- PostNord Inc.
6.4 Email marketing
- Mailchimp (The Rocket Science Group LLC)
6.5 Analytics and marketing
- Google Ireland Ltd (Google Analytics, Google Ads)
- Meta Platforms Ireland Ltd (Facebook & Instagram marketing)
6.6 Chatbot service
- Smilee Oy (chatbot service utilizing ChatGPT technology)
Data processing agreements in accordance with the GDPR have been concluded with all processors of personal data.
7. Transfers of personal data outside the EU/EEA
Some service providers (e.g., Google, Meta, Mailchimp) may process data outside the EU/EEA.
Transfers will be carried out:
- in accordance with the EU–US Data Privacy Framework
- based on the Standard Contractual Clauses (SCC) approved by the European Commission
- in accordance with other transfer mechanisms approved by the GDPR
Upon request, we will provide further information on the applicable transfer protection measures.
8. Data retention period
- Customer data: for the duration of the customer relationship and for a maximum of 5 years after its termination.
The retention period is based on possible complaints, warranty and liability periods, and business documentation requirements.
- Accounting records: 6–10 years in accordance with the Accounting Act
- Marketing information: until consent is withdrawn
- Chatbot conversations: up to 24 months
- Analytics data: up to 26 months
9. Rights of the data subject
The data subject has the right to:
- access their data
- correct information
- request deletion of data
- restrict processing
- object to processing
- transfer data from one system to another
- withdraw consent at any time
- file a complaint with the Data Protection Authority
The data subject may exercise their rights by using the contact details given in section 1. Requests will generally be responded to within one month in accordance with the GDPR.
Office of the Data Protection Ombudsman:
www.tietosuoja.fi
10. Information security
Personal data is protected by appropriate technical and organizational measures, such as:
- SSL/TLS encryption
- firewalls
- access rights management
- logging
- staff training
- data processing agreements
Only persons who are authorized to do so on the basis of their job duties may process the data.
11. Cookies
The site uses:
- essential cookies
- analytics cookies (Google Analytics)
- marketing cookies (Google Ads, Meta Pixel)
Non-essential cookies are only set with the user's consent.
Further information about cookies can be found in our separate cookie policy.
12. Automated decision-making and profiling
The website uses profiling for marketing targeting and analytics. Profiling is not used to make automated decisions about registered users that would have legal or similarly significant effects.
