Privacy policy

Ravintorengas Ltd

1. General information

This Privacy Policy describes how Ravintorengas Oy ("Ravintorengas" or "the controller") processes personal data. The Privacy Policy applies to the processing of personal data relating to the Kari’s Pine Bark extract drink (karinhavu.fi), Pinena (pinena.fi and pinena.com) and Ravintorengas (ravintintorengas.fi) websites, marketing and customer relationship management, and the products and services we offer.

We comply with applicable data protection legislation in all processing of personal data. Data protection legislation refers to applicable data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Any data protection-related terms that are not defined in this Privacy Policy shall be interpreted in accordance with data protection legislation.

Our services and website may also contain links to external websites and services operated by other organisations. This Privacy Policy is not applicable to their use, so we encourage you to consult their privacy policies separately. "Personal data" means any information relating to a natural person ("data subject") from which the person can be directly or indirectly identified, as further defined in the Data Protection Regulation

2. Data controller and data protection officer

Controller: Ravintorengas Oy
Business ID: 0222773-5
Address: Kuusistontie 3, 29810 Siikainen
E-mail address: herttua(@)ravintorengas.fi

3. Purposes and legal grounds for processing personal data

The purposes (and in brackets the legal grounds) for processing personal data are:

  • supplying products and services, concluding customer contracts and managing orders (contractual relationship or preparation thereof, legitimate interest)
    • data belonging to special categories of personal data (consent)

  • customer service and communication and customer satisfaction surveys (legitimate interest, consent, contractual relationship)

  • billing and debt collection (legitimate interest)

  • marketing, including market research, other marketing promotion and analysis, and the production of statistics and measurement of marketing effectiveness (legitimate interest).

  • direct marketing, including electronic direct marketing and telemarketing, as well as the design and measurement of the effectiveness of advertising and marketing and the aggregation and updating of personal data for direct marketing purposes (legitimate interest, consent)

  • managing stakeholder relations, subcontracting and working with service providers (legitimate interest, contractual relationship or preparation of a contractual relationship)

  • improving the user experience of our website and other services and monitoring user traffic (consent)

  • internal reporting and other administrative measures (compliance with legal obligations)

  • handling complaints and dealing with legal and administrative procedures (compliance with legal obligations)

  • preventing and investigating misuse and ensuring the security of information, persons and property (compliance with legal obligations)

  • Carrying out other legal obligations (e.g. accounting, tax) and reporting obligations

Where we process personal data on the basis of legitimate interests, we assess the benefits and potential harm of the processing to the data subject and we have assessed that the rights and interests of the data subject do not override the legitimate interests. We will provide further information on the processing of personal data on the basis of legitimate interests upon request.

4. Personal data processed and data sources

Data group

Examples of data content

Identification and contact details

Customer's name, address, telephone number and email address.

Health information

Health information and contact details of persons who have agreed to be interviewed for their user profile or who have provided us with their user profile via the Restaurant Ring website, by telephone or email without being asked or requested to do so.

Information on products and services, including subscriptions and customer communications

Information on processed orders, delivery time of orders, as well as information related to contracts, invoicing, customer communication and complaints.

Information relating to marketing (including direct marketing) and events, and the data subject's consents and prohibitions.

Contact information for marketing purposes, as well as information collected in connection with events and occasions. Consents and prohibitions on direct marketing.

Information about the use of websites and other electronic services

IP address, electronic communication identification data, search and browsing data, browser and operating system data and registration data

We collect personal data directly from the data subject, for example, in the course of a transaction, or when the data subject purchases or orders our products or services, either on their own behalf or on behalf of an organisation they represent, or in connection with registration, when the data subject visits our website or other electronic services, subscribes to our newsletter, responds to a survey or customer satisfaction survey, or otherwise communicates with us. The information recorded in the register may also be obtained from the customer by telephone or e-mail.

We receive information about payments made for our services from our payment service providers (including Stripe and Verifone).

5. Retention of personal data

We will retain personal data for as long as necessary for the purposes set out in this Privacy Policy and always for the period required by law (for example, in relation to accounting or reporting obligations), or for the purposes of litigation or similar dispute resolution. After the end of the purpose, the personal data will be deleted or anonymised within a reasonable period of time.

We will provide further information on our personal data retention practices upon request.

6. Recipients of personal data

Various service providers and other third parties, such as providers of technical solutions or server space or accounting and financial service providers, may also be used to process personal data. We will ensure that the parties we use to process personal data have the necessary agreements with us as required by data protection legislation.

Personal data may be disclosed to third parties in situations required by law or by a public authority, or for the purpose of investigating misconduct or ensuring security. In addition, personal data may need to be disclosed in connection with legal proceedings or similar legal proceedings.

If the controller or a company belonging to the same group as the controller is involved in a merger, business transaction or other business arrangement, personal data may be disclosed to the parties to the arrangement or to parties assisting in the arrangement.
Customer's personal data may be published to the extent that the customer's individual consent has been obtained.

On request, we will provide you with more information about the recipients of your personal data.

7. Transfer of personal data outside the European Economic Area

When data is transferred outside the European Union or the European Economic Area, the company ensures an adequate level of protection of personal data, including by agreeing on the issues related to the processing of personal data as required by data protection legislation, such as standard contractual clauses adopted by the European Commission. Data will be transferred to the following recipients:

  • Google LLC
  • Stripe
  • Verifone
  • Meta - Social Metaverse Company

8. Protection of personal data

Data security and the protection of personal data is of paramount importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure that our systems are fault-tolerant and that data can be recovered. Access to personal data is limited to specifically authorised parties. Those who process personal data are bound by a duty of confidentiality in relation to the processing of personal data.

Manual material is stored in a locked room in a locked filing cabinet at the service providers' premises.

9. Rights of data subjects

Data subjects have rights to their personal data under data protection legislation. However, the application of these rights in each individual situation depends on the purpose and context in which the personal data are used.

  • Right of access to personal data. The data subject has the right to obtain confirmation from
    whether the data subject's personal data is being processed and other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to obtain a copy of the personal data.

  • Right to rectification of personal data. Subject to certain limitations, the data subject has the right to obtain the rectification or erasure of inaccurate or incorrect data.

  • Right to erasure of personal data. The data subject has the right to request the erasure of his or her personal data in accordance with the conditions laid down in data protection legislation. Upon request, we will delete the personal data unless we are required to retain the personal data by law or any other applicable exception under data protection legislation.

  • Right to restriction of processing. The data subject has the right, under the conditions set out in data protection legislation, to request the restriction of the processing of personal data in certain circumstances.

  • The right to transfer personal data. Data subjects have the right to request the transfer of their personal data to another controller. In principle, the right of portability applies to personal data which the data subject has provided to the controller in a structured and machine-readable form, the processing of which is based on the data subject's consent or on a contract and/or the processing of which is carried out automatically.

  • The right to object to processing. The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, in accordance with the conditions set out in data protection legislation. We may refuse a request if the processing is necessary for the purposes of compelling legitimate interests pursued by the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling for direct marketing purposes.

  • The right to withdraw consent. Where the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. Withdrawal of consent shall have no effect on the processing previously carried out.

Exercising rights

We hope you will contact us if you have any questions about the processing of your personal data.

You can send a request for data subject rights by letter or email using the contact details provided in this Privacy Policy.

The identity of the applicant may be verified before the request is processed. The request will be answered within a reasonable time and, in principle, within one month of the request and the verification of identity. If the request cannot be granted, the refusal will be made explicit.

10. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent data protection authority if he or she considers that his or her personal data have been processed in breach of the data protection legislation.

You can find the contact details of the Finnish Data Protection Authority here.

11. Changes to the Privacy Policy

This Privacy Policy may need to be amended from time to time. Changes may also be based on changes in data protection legislation. We therefore encourage you to periodically review this Privacy Statement to identify any changes. The latest version is available on our website.

This Privacy Policy is published on 8.9.2023.