PRIVACY POLICY
1. Data Controller
TAPP Oy, 3431737-2
Kappelinmäentie 240, Vaasa
Phone: +358 50 5461473
2. Contact Person for Data Protection Matters
TAPP Oy
CEO Pia-Maria Eriksson
Kappelinmäentie 240, Vaasa
Phone: +358 50 5461473
firstname.lastname(at)tapp.fi
3. Name of the Register
TAPP Oy Customer Register
4. Purpose of Processing Personal Data
The primary purpose of the register is to manage, maintain, and handle customer relationships. The personal data in the register is used for providing and delivering services to customers, for communication with customers, for invoicing and collecting payments from customers, and for targeting advertising and/or direct marketing.
The legal basis for processing personal data is the legitimate interest of the data controller.
5. Data Content of the Register
The personal register may include the following information:
- Name
- Email address
- Mobile and/or other phone number
- Language code
- Purchase history
- Contracts
- Invoices
- Deliveries
- Contact logs
- Responsible person affiliations
6. Retention Period of Personal Data
Data is retained for 10 years after the termination of the customer relationship or for the duration of the warranty period. The data will be deleted if the data subject requests the deletion of their personal data after the end of the customer relationship, provided that all rights and obligations between the customer and the data controller have been fulfilled. The personal data of potential customers is retained in the direct marketing register as long as the data subject holds positions relevant to the product or service being marketed, provided that the data subject has not prohibited direct marketing. In such cases, the information about the prohibition of direct marketing may be retained in the direct marketing register. Personal data may be retained for a longer period if required by applicable legislation or the company's contractual obligations to third parties.
7. Regular Sources of Data
Personal data is collected at the establishment of the customer relationship, during the customer relationship, and in the course of activities aimed at establishing a potential customer relationship. The data is primarily collected from the data subject themselves. Data can also be collected and supplemented with the subject's consent (e.g., by using cookies), from the population register, and from other third-party registers. Data may also be collected during various marketing activities, such as events.
8. Regular Disclosures of Data
Data may be disclosed for the purposes described in section 4 of this privacy policy, to the data controller’s direct marketing register, and to other potential personal registers of the data controller, always in compliance with data protection legislation and its restrictions. The data controller will not disclose personal data in the register to third parties without the data subject’s explicit consent, except when necessary for the fulfillment of the data subject’s and the data controller’s rights and obligations, or as required by Finnish authorities.
9. Transfer of Data Outside the EU or EEA
Data is not transferred outside the EU or EEA.
10. Principles of Register Protection
A. Manual Data
Stored in a space accessible only to authorized personnel.
B. Electronically Stored Data
Personnel involved in the processing of data and external parties acting on behalf of the data controller are bound by confidentiality regarding all customer data. Access to the register is protected by usernames, passwords, and user rights.
11. Profiling
The data controller may use personal data for profiling purposes. Profiling is done using an identifier, which allows the data subject’s information generated during the use of the service to be combined. The created profile can then, for example, be compared to profiles created for other data subjects.
The purpose of profiling is to assess the demand for services and customer behavior.
12. The Data Subject’s Right to Object to the Processing of Personal Data and Direct Marketing
The data subject has the right to object to profiling and other processing activities performed by the data controller on their personal data, insofar as the processing is based on the customer relationship between the data subject and the data controller. The data subject may submit an objection request as described in the section “Contact Information” of this privacy policy. The data subject must specify the particular situation that forms the basis of their objection to the processing. The data controller may refuse to fulfill the objection request on legal grounds.
The data subject can also submit consent or prohibition requests regarding direct marketing or profiling to the data controller.
13. Other Rights of the Data Subject Regarding Personal Data Processing
13.1 Right to Access Data (Right to Inspect)
The data subject has the right to inspect what personal data concerning them is stored in the data controller’s customer register. The inspection request must be made as described in the “Contact Information” section of this privacy policy. The right to inspect may be denied on legal grounds. The right to inspect is generally free of charge when exercised once a year.
13.2 Right to Request the Correction, Deletion, or Restriction of Data Processing
Upon detecting an error, the data subject may submit a request for correction, deletion, or restriction of data processing as described in the "Contact Information" section of this privacy policy.
The data subject also has the right to request the restriction of the processing of their personal data, for example, while awaiting the data controller’s response to a request to correct or delete data.
13.3 Right to Data Portability
Insofar as the data subject has provided data to the customer register that is processed based on the data subject’s consent or assignment, the data subject has the right to receive such data, generally in a machine-readable format, or to have it transferred to another data controller.
13.4 Right to Lodge a Complaint with a Supervisory Authority
The data subject has the right to lodge a complaint with the relevant supervisory authority if the data controller has not complied with applicable data protection regulations.
13.5 Other Rights
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying the data controller as described in the "Contact Information" section of this privacy policy.
14. Contact Information
In all matters related to the processing of personal data and in situations regarding the exercise of one’s rights, the data subject should contact the person mentioned in section 2. The request must be in writing. The data controller or the person mentioned in section 2 may ask the data subject to clarify their request in writing, and the data subject's identity may need to be verified before taking any further action.