Personal data protection
Updated 03.11.2023
Privacy policy statement has been expanded, specified, and clarified
CONTENTS:
- Who are we?
- Where do we receive personal data from?
- What information do we have about you?
- How long do we store your data?
- How and why are we processing your personal data?
- Disclosing and transferring information
- How do we protect your data?
- How do we use cookies?
- How can I exercise my rights to my personal data?
- Updating this privacy policy statement
We care about your privacy!
We take seriously the protection of privacy of our customers and therefore, the processing of all personal data is done in accordance with the laws that are currently active and especially in accordance with the EU General Data Protection Regulation (henceforth GDPR). This privacy policy statement explains how we collect personal data, which data we process, and how we do it, and this document will also inform you about your rights.
This statement explains how we process the personal data in our register and what rights the data subject has.
1. Who are we?
If you have ordered from us, you are a customer of STR Nordic Oy (2892826-5, Finland). STR Nordic Oy is a part of STR Global Group Oy group. The data controllers are jointly STR Nordic Oy and STR Global Group Oy (Business ID 2342164-1, Finland) which is the parent company of the STR Global Group Oy group.
If there are any questions related to data processing or the data register, please contact our customer service by email: customerservice@strnordic.ie
The following companies are part of the Group:
- STR Global Group Oy (2342164-1, Finland)
- STR Nordic Oy (2892826-5, Finland)
- STR Nordic AS (923 264 701, Norway)
- Soome Tervisetooted OÜ (12737711, Estonia)
- HOHDE OÜ (16279808, Estonia)
- ProBambu OÜ (16245241, Estonia)
2. Where do we receive personal data from?
We receive personal data when customers place orders. We also receive personal data when someone contacts our customer service.
For telemarketing, we may also acquire from lawful intermediaries contact information lists of people who have already given their consent for telemarketing. We store this information only for a limited time.
If we have your personal data, we have received it for one of the following reasons.
2.1 Orders
If you have placed an order on our website or online store, at our exhibition booth, over the phone, through customer service, or using some other channel.
2.2 Contacts
If you have contacted our customer service by calling, emailing, contacting us through filling out any kind of form, or using any other channel, our customer service has had to process your personal data.
2.3 Acquired contact information lists
We may acquire from lawful intermediaries contact information lists of people who have already given their consent for telemarketing. We store this information only for a limited time.
3. What information do we have about you?
We may have basic contact information on data subjects (name, phone number, and postal or email address) and in some cases also their age. Regarding customers who have ordered from us, we know their order history as well as some other details. Also, the contact history of our customers is recorded. See separate information on cookies in section 8 for more information regarding cookie information.
You have the right to contact us and request to see the data we have about you.
3.1 New customer acquisition via phone
We may make promotional calls to customers and individuals who have given their consent to receive promotional calls from us but who are not our customers. We have limited knowledge of such individuals: name, phone number, and possibly address, as well as the extent of their consent. In cases where explicit consent is required by the customer in order to make promotional calls, this consent will be acquired and documented. If a promotional call to a new customer leads to placing an order, the information is verified with the customer.
3.2 Personal data of customers and potential customers
We have the following information about our customers: name, phone number, address, zip code, city, customer number, possibly their email address, age, possibly gender, order history, potentially their email history if they have contacted our customer service by email, as well as the possible history of former promotional calls.
We have the email history and history of former promotional calls also of those who are not our customers but have such history with us.
If applicable, our system saves IP addresses of devices making orders, history of using our online store, as well as information collected through cookies (for example, which channel the customer used entering our online store).
3.3 Promotional phone calls and customer service data
We do not record possible marketing calls or calls to our customer service unless consent is obtained.
3.4 Sensitive personal data and identity code
We do not save any sensitive data to our customer register (e.g. ethnic origin, identity code, etc.). Our current phone call recordings and email exchanges with customer service may contain sensitive health information on customers if the customers themselves have provided that health information on their own initiative. This information is not processed for any additional purposes and we aim to delete this information as soon as possible. Regardless, we ask that our customers do not provide us with this type of personal information.
If you pay for products with an external payment gateway, you may be asked for additional identification, such as your identity code, for purposes such as checking your credit score according to the terms of using that service. We will not receive this information and are not able to process it.
3.5 Children’s personal data
Principally, we do not process children’s personal data. However, in Internet sales, we may be unable to check the age of the customer. Nonetheless, we assume that if children place orders in our online store, they do so either with their parents or with their parents’ consent to place orders.
3.6 Bank information
In the event that customers need to be refunded or reimbursed for the purchase of a product, we have the bank account information provided by the customer.
3.7 Technical data
When placing an order through a link on social media or through our website, certain technical information such as log data is collected at that time. For additional information on data through cookies, see section 8.
4. How long do we store your data?
Personal data will be stored only as long as needed or until the customer asks us to remove it from our files. Customer data is generally stored as long as one remains a customer but when acquiring new customers, the personal data will be stored only for a limited time.
New customer acquisition by phone employs data lists which are usually stored for three months.
We do not record telemarketing calls without your permission. If you give your consent to record the call, the recording is kept for three months.
The data of those who have ordered from us is kept in our register for three years after processing the last order or shipment.
If you are not our customer, any emails that have been sent to customer service are saved until they are automatically deleted from our database. If you are our customer, any emails you have possibly sent to customer service are stored with your customer account according to our normal practices.
We are required to store some information for an even longer period of time due to different laws (e.g. Accounting Law).
4.1 Personal data and online customer accounts
If we offer you the possibility to create an online account, the personal data of those who have created said accounts will be stored for as long as their accounts exist.
4.2 Personal data and new customer acquisition by phone
If we have received your information as a part of a list for telemarketing (e.g. opt-in lists), we will store the information as long as you have given your consent for storing the information, as long as the intermediary of the list allows, or until you withdraw your consent, whichever first requires the information to be deleted.
The marketing lists are kept for three months. If the marketing call leads to a customership, your contact information will be checked before being transferred to our customer database and will be preserved so long as you remain our customer.
4.3 Storing phone sale recordings
We will not store marketing calls unless you have given your consent to record the call. The calls are usually kept for three months for the purpose of verifying orders and in case of any ambiguities or conflicts.
4.4 Storage of customers’ emails
Any emails sent to our customer service are stored in our customer register with other customer information. Emails are deleted along with the deletion of other customer data when the customership ends.
4.5 Personal information of customers
The personal information for all customers is stored for three years after the order has been shipped. If a new order is placed or shipped during this time, this increases the storage duration to three years from the most recent order.
The personal information of our subscribers (meaning those customers who have a subscription with us) is processed for as long as the customership is active. Because the shipment interval between subscription products can be quite long, the customership is considered to have begun when the subscription has been placed. The customership ends three years after this date if new orders have not been placed or the subscription has been canceled. Every shipped subscription product increases the duration of the retention of customer information by three years.
Once the customership has ended, the personal and order information is anonymized in our customer database and is deleted from our sales database, if necessary.
4.6 How do our contractors use your personal data?
We have contractors to help us with various aspects of our processing (see section 6.3 for various types of contractors). Contractors store information only as long as it is necessary, and they will delete all data after there is no need for it according to our contracts with them.
When information has been forwarded to contractors (for example, so that they can mail items), they keep the received information only as long as it has a legal basis; after that, they are obligated to delete the information from their systems. Contractors have the right to use or process personal data only for purposes that have been detailed to them for the fulfillment of the services they provide the company. Contractors can never process personal data for their own purposes.
4.7 Storing information concerning marketing permissions
If you have consented to direct marketing, we will store the consent for as long as we store your personal information. If a customer has consented to email marketing, this consent will be stored until they revoke their consent.
4.8 Legal information storage
Even if personal data is deleted, the information required by law (e.g. Accounting Law) has to be preserved. However, this data is used only for the purpose designated by the laws and regulations.
4.9 Data anonymization
To maintain the proper functioning of our system, some essential information (such as data related to orders) is anonymized instead of being deleted. By doing this, there will be no connection between the preserved data and a particular customer, yet it enables the normal functioning of the system. For more information, see ”The right of erasure/The right to be forgotten” below.
5. How and why are we processing your personal data?
We use the personal data of data subjects for providing the service for purchasing products, direct marketing, shipping products, maintaining the relationship with the customer, as well as for developing our overall operation.
We use the data of our customers to maintain the relationship with them and, if given consent, to inform them about interesting deals.
We perform electronic direct marketing on the basis of consent.
We will use your personal data only for justified bases listed in the EU General Data Protection Regulation, and they are discussed below.
According to the EU General Data Protection Regulation, legitimate interest means the lawful basis for processing personal data in, for example, marketing, for scientific or historical research purposes, or for statistical purposes. Yet these are subject to scrutiny and can be overridden in order to safeguard the rights and freedoms of the data subject.
5.1 New customer acquisition by phone: processing information
For new customer acquisition done by phone, we may acquire contact detail lists of consumers who have given their consent for direct marketing. We may use information intermediaries for acquiring such lists. Information intermediaries’ right of processing personal information is based on consent.
5.2 Delivering products
We deliver ordered products to customers. We use contractors who take care of shipping and delivering the products to the customer. The performance of the contract is the legal basis for the actions related to order completion.
We use personal information in processing orders, returns, and reclamations, and the processing is necessary for the performance of the contract; this is the legal basis for this action.
5.3 Direct marketing by phone
We will call our customers and offer them new and interesting deals only if they have given their consent.
5.4. Protecting from fraud
If the customer has left invoices unpaid or has not fulfilled their obligations, we can use certain personal data in these situations. The basis for this is protection against fraud, which is in accord with the purposes of the legitimate interest.
5.5. Collecting Payments
If customers have overdue invoices, we will contact them with reminders, and if that is of no avail, we will transfer the collection of the payments to a collection agency. The legal basis for this is legitimate interest.
5.6 General communications with customers
We can send you notifications concerning the status of your order or possible challenges in supply or shipping. The basis for this is the performance of the contract.
5.7 Electronic direct marketing
We perform electronic direct marketing on the basis of consent.
5.8 Statistical reporting and other procedures
We compile statistics on sales, customership, and campaigns, which are used for sales management. We also perform surveys for the purpose of compiling statistics. The basis for this is a legitimate interest.
The data in the register will not undergo automatic profiling subject to an authorization which would have legal effects on the data subject.
We use your personal data to fulfill the regulations of laws, courts, and decisions made by officials. Personal data is regularly processed for the purposes of fulfilling Accounting Law. The legal basis of this is a legal obligation.
5.9 Providing the services
Personal data needs to be processed in order to provide the services that the customer has requested, e.g. in order for the customer to gain information on products they are interested in and purchase them over our website. This involves the processing of personal data by contractors. The legal basis for this is consent and the fulfillment of the contract.
5.10 Confirming and reviewing customer information
Customer information needs to be checked in order to confirm identity, make changes to information, and fulfill the requests of the data subject. This is a legal obligation and the fulfillment of the contract.
5.11 Targeted marketing
Personal information and the information on your purchases will be used to present you with advertisements we believe you will be interested in. The legal basis is legitimate interest.
6. Disclosing and transferring information
We use contractors in shipping products, for sales, in managing systems, platforms, and when compiling statistics. We also transfer information within the Group for technical purposes and for the direct purpose of carrying out the processing to fulfill the contract with the customer.
We aim to process as much personal data as possible within the EEA. Some processing done by our contractors involves transferring data outside of the EEA.
When we use contractors, we only transfer to them the information they need to be able to carry out their tasks. We do not sell or give personal data to third parties for their own marketing.
Due to having a business Facebook account, we are joint controllers with Meta Platforms Ireland Limited.
6.1. Transferring information to contractors
a) Marketing purposes
Of those customers who have given their consent for telemarketing, we may transfer the lists containing their personal data to our contractors for telemarketing purposes. We transfer only the data of persons who have given their consent for direct marketing.
NB! Contractors cannot use personal data for advertising their own business nor can they store data longer than has been instructed or after the contract ends. Rather, the contractors process data only for the specific purposes defined by us.
We have made appropriate contracts concerning processing data and data protection with our contractors.
b) Logistics
We use contractors who carry out the delivery of the products, and they receive only the information necessary to carry out their task.
c) Technical systems
We use technical systems that are made and maintained by contractors for managing customer data, telemarketing, orders, and emails and also for different kinds of analyses. We have made appropriate contracts with these parties to ensure the adequate safety of personal data also in these systems.
6.2. Transferring data outside of the EEA
We aim to process as much personal data as possible within the EEA. Some processing done by our contractors involves transferring data outside of the EEA. Transfers to countries outside of the EEA are done based on one of the following: 1) European Commission’s adequacy decisions that a country’s data protection is at the same level as in the EEA, or 2) Standard Contractual Clauses, as well as possible supplementary measures, to ensure that the data is transferred and processed at the same level as within the EEA.
If data transfers are not able to be made based on changes to adequacy decisions or the measures provided by a processor, we work towards ensuring that the data will be transferred to a processor who fulfills our requirements for data protection outside of the EEA or that the data will be processed within the EEA.
6.3. Transferring data to contractors/processors
We release data to our contractors and processors in situations that are related to transactions, deliveries, and certain advertising purposes so that we are able to carry out our services. Contractors and processors include the following:
- IT services
- Logistics partners
- Transport services
- Payment service partners
- Payment intermediaries when paying with payment cards
- Accountancy offices
- Credit intermediaries when choosing invoice or installment as a method of paying
- Email, social media, and direct marketing partners
These contractors and processors listed above cannot use the data passed on to them for their own purposes in any situation. Under strict conditions, they receive only data that is relevant so that they can carry out the service they offer.
6.4 Collecting unpaid payments
In situations where the customer has overdue invoices and has failed to pay despite multiple reminders, we disclose the customer’s personal data related to the collection of these invoices, and transfer the unpaid invoices to third parties providing collection services.
6.5. Joint controllership
Meta Platforms Ireland Limited (hereafter ”Meta”) and STR Nordic Oy are joint controllers in so far as applicable in the case of our Facebook page. Meta processes personal data following the privacy policy regulations which apply to it; information regarding Article 13(1)(a) and (b) of the GDPR can be found online: (https://www.facebook.com/about/privacy). Meta is primarily responsible for following the data protection legal framework and carrying out data security as well as the rights of the data subject when using their services. We are subject to Meta’s Controller Addendum. (Please see: https://www.facebook.com/legal/controller_addendum)
We receive the data that other Facebook users are also able to see, meaning the names, public pictures, and other public information of individual users. The legal basis for this is a legitimate interest. Personal data is not transferred from the Facebook page or from comment sections to any other system without a separate notification. However, data such as private messages that convey information concerning changes in orders are registered in other systems.
Your personal data is used for example for reporting, advertisement, performing competitions and draws, receiving feedback, and partly for purchasing advertising space from Meta and measuring ads performance. Any data provided through optional actions, such as participation in draws, is done by participant consent, and collected by us for our purposes. Together with Meta, we collect general information about actions such as likes, visits on our page, comments on posts, private messages, and statistics related to posts.
We use your personal data for targeting advertisements and creating audiences on Facebook. In this way we can provide you with the most relevant information on our products that you may find interesting. This is done in two ways: we transfer our customers’ contact information to Meta in order to target our advertising on social media. This shared information is only used for purposes decided by us. In this case we function as the controller and Meta as the processor of personal data. We also target advertising to those who are not yet our customers according to Meta’s Custom Audiences.
You have the right to object to the transferring of your personal data for targeting purposes on social media. Please contact us to notify us of your objection to the processing.
We use Page Insights to process data and therefore we are subject to the Page Insights Controller Addendum. (Please see: https://www.facebook.com/legal/terms/page_controller_addendum) Concerning cookies used on our website, see our Cookie Policy. Considering Meta’s use of cookies, please see Meta’s information provided on cookies.
If you wish to use your private data rights (e.g. concerning deleting your data) because you have ”liked” our Facebook page or you follow it, please contact your local Meta representatives. Data requests regarding Page Insights will be forwarded to Meta. For more information on how Meta uses personal data, the legal basis for the use of this data, and how to exercise rights, please see: https://www.facebook.com/about/privacy
6.6 Releasing data to authorities
We have the right and obligation to release personal data of data subjects to authorities, carrying out their requests.
6.7 Intra-Group Data Transfers
Data is transferred within the Group due to the parties responsible for controllership, customership, and technical systems. Data is transferred for the fulfillment of the contract and the maintenance for the customer registers, as different subsidiaries in the Group are responsible for different aspects of the processing. Intra-Group transfers adhere to processing agreements and those parties acting as processors do not process the data for uses outside what is stated by the controller.
In the event that one of the subsidiaries of the Group would be involved in an Intra-Group merger or acquisition, data related to the fulfillment of such actions would be transferred for those purposes.
6.8 Sales or Involvement in a Merger
In the event that either a subsidiary or the Group as a whole is involved in a sale or merger, the Group has the right to transfer all personal data to the respective parties as a result of the sale. The Group has the legitimate interest to fulfill such actions if deemed in the interests of the Group in the future.
7. How do we protect your data?
We protect your data with technical and organisational measures that ensure that your data is safe in our systems.
Our personal data file exists only as electronic files. This register is protected with passwords, encryption, and firewalls against hacking. The rights of those who can access the register are limited and correspond to their roles. Each person using the register has signed a life-long confidentiality agreement regarding the content of the register. The contractor in charge of our systems is responsible for sufficient technical and organisational measures that ensure the physical and technical protection of the register. The contracts with contractors define what contractors are able and unable to do with this data.
8. How do we use cookies?
Cookies are text files that are stored on the terminal device by the Internet browser. Cookies may have a personal identifier that enables identifying the user. We utilize cookies to ensure that our online services are usable, of high-quality, and that we are equipped to develop these services, and cookies are also used in advertisement targeting. However, users are not individualized only by cookies.
We have provided more information on what types of cookies we use, how long they are stored, what they do, who they transfer data to, and your right to consent and revoke consent in our separate Cookie Policy. Read more about our use of cookies here.
9. How can I exercise my rights to my personal data?
If you are in our register, you have certain rights based on the EU General Data Protection Regulation. You have the right to know what information we process about you. You have the right to access your personal data that exists in our register as well as to demand correcting any erroneous information, deleting your data, and to prohibit releasing personal data.
You have the right to give your consent for direct marketing as well as withdraw the consent you have given. You have the right to give your consent for email marketing as well as revoke the consent you have given. Finally, you have the right to lodge a complaint about our activities to the Data Protection Authority.
In addition, you have the right to obtain a response to your questions within the time frame defined by GDPR (1 month), even though we aim to act faster than that.
9.1 You have the right to access your personal data in our files
This data can be delivered to you once we have sufficiently identified that the person asking for the data is you. The information can be delivered to you either over the phone, by email, encrypted email or mail (paper version). In the case of repetitious paper version requests, we charge reasonable fees based on administrative costs (EU General Data Protection Regulation article 15.3).
9.2 You have the right to demand correcting any erroneous information or deleting your data
If you notice that we have any erroneous information concerning you, please inform us and we will correct it immediately.
9.3 You have the right to opt-in or opt-out of direct and email marketing and revoke previously given consent for direct and email marketing.
You can give your consent for telemarketing and you can also withdraw this consent at any time. The easiest way to do this is to contact our customer service.
You can give your consent for email marketing and you can withdraw the consent you have already given. Every marketing email contains an unsubscribe button in the email, which can be clicked in order to revoke consent to email marketing and delete the email address from the email marketing list.
9.4 You have the right to the restriction or objection to the processing of your personal data.
9.5 You have the right to lodge a complaint about our activities to the Data protection authority
If you believe that we have violated your right to the protection of personal data, you have the right to lodge a complaint about our activities to the Data protection authority.
As the data controller is based in Finland, you can make a notification to your own Data Protection Authority, or to the Finnish Data Protection Ombudsman from the following link: https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman
9.6 You have the right to erasure (the right to be forgotten)
You have the right to ask all your personal data to be deleted from our systems. This right is called ”the right to be forgotten.” In this case, we will delete all of your personal data from all of our systems. Deleting personal data might not be possible in some situations, for example, if you have unpaid invoices or there are any legal proceedings in progress. Likewise, we cannot delete any information from our books that is required by the Accounting Law.
9.7 You have the right to obtain a response to your question within the time frame defined by GDPR
We will reply to all questions concerning privacy policy ”without undue delay and in any event within one month of receipt of the request” (GDPR 12.3). Yet our aim is to provide you with the requested information at a clearly earlier date.
9.8 You have the right to request transfer of your personal data to another system.
10. Updating this privacy policy statement
We update this privacy policy document regularly so that we can take into account the advances in the laws and regulations, new circumstances, as well as changes in policies and procedures.
This privacy policy document is visible on our website, and it has a date indicating when it has been updated. Please stay up-to-date on changes in our privacy policy by regularly checking for updates on our website. If major changes have been made to the policy, we will inform you in additional ways in accordance with what changes were made and which data subjects the changes apply to. We may use, for example, notifications on our website, email, or notices with our shipments.
Update notice 03.11.2023
The privacy policy has had the following changes made to it:
- changes to the name of the parent company of the Group (section 1). Suomen Terveysravinto Oy is now STR Global Group Oy. The data controller in the joint-controllership is the same, the company name has merely changed. This change in name does not result in changes to the processing of data subjects’ personal information in any way.
Update notice 25.10.2022
The privacy policy has had the following changes made to it:
- clarifications were made to certain parts to improve their understandability
- more information on the storage of email history was added (section 4.4)
- the text on customers and subscribers was changed in order to better describe the processing of personal information (especially section 4.5)
Update notice 9.3.2022
The privacy policy has had the following changes made to it:
- corrections in grammar, conciseness, and understandability of the policy
- updates and clarification on how information is processed to reflect changes in processing within the Group
- clarification on the controller, the addition of subsidiaries, and the company that customership is made with (section 1)
- additional information added regarding information we have on the data subject (section 3)
- additional information regarding the purposes for which data is processed (section 5)
- general clarification on the transferring of data (section 6)
- new information on transfers outside of EEA (section 6.2)
- updates to information on joint controllership with Meta, also taking into account future changes to marketing practices and how to opt-out of targeted marketing on social media (section 6.5)
- clarification on data subject rights according to the GDPR (section 9)