Privacy policy

Ravintorengas Oy

1. General

This privacy policy describes how Ravintorengas Oy (”Ravintorengas” or ”data controller”) processes personal data. This privacy policy applies to the websites, marketing, customer relationship management, products, and services provided by Arctic Pine Bark (arcticpinebark.com), Karin Havupuu-uutejuoma (karinhavu.fi), Pinena (pinena.fi and pinena.com), and Ravintorengas (ravintorengas.fi).

We comply with all applicable data protection legislation in the processing of personal data. The term ”data protection legislation” refers to the current data protection laws, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Any data protection-related terms not defined in this privacy policy will be interpreted in accordance with data protection legislation.

Our services and websites may contain links to external websites and services operated by other organizations. This privacy policy does not apply to their use, so we encourage you to review their respective privacy policies separately.
”Personal data” refers to any information concerning natural persons (”data subjects”) from which an individual can be directly or indirectly identified, as defined more specifically in the data protection regulation.

2. Data controller and data protection officer

Data Controller: Ravintorengas Oy
Business ID: 0222773-5
Address: Kuusistontie 3, 29810 Siikainen
Email Address: herttua(@)ravintorengas.fi

3. Purposes and legal bases of processing personal data​

The purposes (and legal bases in parentheses) for processing personal data are as follows:

  • Providing products and services, entering into customer agreements, and managing orders (contractual relationship or its preparation, legitimate interest)
    • Special categories of personal data (consent)

  • Customer service and communication, as well as customer satisfaction surveys (legitimate interest, consent, contractual relationship)

  • Invoicing and debt collection (legitimate interest)

  • Marketing, including market research, other marketing promotions, analysis, statistical production, and marketing effectiveness measurement (legitimate interest)

  • Direct marketing, including electronic direct marketing and telemarketing, as well as planning advertising and marketing and measuring their effectiveness, including combining and updating personal data for direct marketing purposes (legitimate interest, consent)

  • Managing stakeholder relationships, collaboration with subcontractors and service providers (legitimate interest, contractual relationship or its preparation)

  • Improving the user experience of our website and other services and monitoring user traffic (consent)

  • Internal reporting and other administrative actions (compliance with legal obligations)

  • Handling complaints and managing legal and official proceedings (compliance with legal obligations)

  • Preventing and investigating misconduct, as well as ensuring information security and the safety of individuals and property (compliance with legal obligations)

  • Fulfilling other legal obligations (e.g., actions related to accounting and taxation) and reporting requirements

When we process personal data based on a legitimate interest, we assess the benefits and potential drawbacks to the data subject and have determined that the rights and interests of the data subjects do not override the legitimate interest. Upon request, we provide further information about the processing of personal data based on a legitimate interest.

4. Processing of personal data and data sources

Data Category

Examples of Data Content

Identification and Contact Information

Customer’s name, address, phone number, and email address.

Health Information

Health information and contact information provided voluntarily or upon request by individuals who have consented to interviews about their user experiences through Ravintorengas’ website, by phone, or via email.

Information related to products and services, including orders and customer communication

Information about processed orders, delivery times, and information related to agreements, billing, customer communication, and complaints.

Information related to marketing (including direct marketing) and events, as well as consents and opt-outs provided by the data subject

Contact details for marketing purposes, as well as information collected during events and gatherings. Consents and opt-outs related to direct marketing.

Information related to the use of websites and other electronic services

IP address, electronic communication identifiers, search and browsing data, browser and operating system data, and registration information.

We receive information about payments for our services from payment service providers (e.g., Stripe and Verifone).

5. Retention of personal data

We retain personal data for as long as necessary to fulfill the purposes defined in the privacy policy and always for the duration required by legislation (e.g., responsibilities and obligations related to accounting or reporting), or for the resolution of legal disputes or similar disagreements. After the termination of the intended use, personal data is deleted or anonymized within a reasonable timeframe.

Upon request, we provide additional information about the practices of retaining personal data.

6. Recipients of personal data

Various service providers and other third parties, such as providers of technical solutions, server hosting providers, or accounting and financial management service providers, may be used in the processing of personal data. We ensure that the entities we work with in processing personal data have the necessary agreements as required by data protection legislation.

Personal data may be disclosed to third parties in situations required by legislation or authorities, as well as for the investigation of misconduct and to ensure security. Additionally, personal data may need to be disclosed in connection with legal proceedings or similar legal procedures.

If the data controller or a company within the same group is involved in a merger, business transfer, or other corporate reorganization, personal data may be disclosed to the parties involved in the arrangement or to entities assisting in the arrangement.

Customer’s personal data may be published to the extent that the customer has provided specific consent.
Upon request, we provide additional information about the recipients of personal data.

7. Transfer of personal data outside the european economic area

When data is transferred outside the European Union or the European Economic Area, the company ensures an adequate level of protection of personal data by, among other things, entering into agreements on the processing of personal data as required by data protection legislation, such as using standard contractual clauses approved by the European Commission. Data is transferred to the following recipients:

  • Google LLC
  • Stripe
  • Verifone
  • Meta – Social Metaverse Company

8. Protection of personal data

Information security and the protection of personal data are of paramount importance to us. We employ appropriate technical and organizational safeguards to protect personal data. We also ensure the fault tolerance of our systems and data recovery capabilities. Access to personal data is limited to only those who are expressly authorized. Parties handling personal data are bound by confidentiality obligations related to the processing of personal data.

Manual records are stored in locked rooms in locked archive cabinets at service provider facilities.

9. Rights of data subjects

Data subjects have rights to their personal data in accordance with data protection legislation. The application of these rights in individual cases depends on the purpose and situation of the processing of personal data.

  • Right of access to personal data. Data subjects have the right to obtain confirmation as to whether their personal data is being processed and receive certain information about the processing in accordance with data protection legislation. Data subjects have the right to receive a copy of their personal data.

  • Right to rectification of personal data. Subject to certain restrictions, data subjects have the right to request the correction or deletion of incorrect or inaccurate information.

  • Right to erasure of personal data. Data subjects have the right, in accordance with data protection legislation, to request the deletion of their personal data. Upon request, we delete personal data, unless legislation or some other applicable exception under data protection legislation requires us to retain the personal data.

  • Right to restriction of processing. Data subjects have the right, in certain situations and in accordance with data protection legislation, to request a restriction of the processing of their personal data.

  • Right to data portability. Data subjects have the right to request the transfer of their personal data to another data controller. The right to data portability primarily applies to personal data that the data subject has provided to the data controller in a structured, machine-readable format and for which processing is based on the data subject’s consent or contract, and/or for which processing is carried out automatically.

  • Right to object to processing. In accordance with data protection legislation, data subjects have the right to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if processing is necessary for the compelling and legitimate interests of the data controller or a third party. However, data subjects always have the right to object to the processing of personal data for direct marketing purposes and related profiling.

  • Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent to the processing of their personal data. The withdrawal of consent does not affect the processing that has been carried out prior to the withdrawal.

Exercising Rights

We encourage you to contact us if you have any questions regarding the processing of your personal data.

You can submit a request regarding data subject rights by mail or email using the contact information mentioned in this privacy policy.

The identity of the requester may be verified before processing the request. Requests are generally responded to within a reasonable time, typically within one month from the request and identity verification. If a request cannot be accommodated, this will be communicated separately.

10. Right to lodge a complaint with a supervisory authority

Data subjects have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data has been processed in violation of data protection legislation.

You can find the contact information for the Finnish data protection authority here.

11. Changes to the privacy policy

This privacy policy may need to be amended from time to time, which may also be based on changes in data protection legislation. We recommend regularly checking the privacy policy for any updates. The latest version is available on our website.

This privacy policy was published on October 13th, 2023.