top of page

Privacy policy

This is a document stating the privacy policy of Mustavuori in accordance with the Finnish Personal Data Act (10 and 24 §) and the General Data Protection Regulation (GDPR) of the EU. Drafted 1.5.2019. Last modification 5.4.2020.

1. Controller


Mustavuori Oy, Nokiantie 150, 33330 Tampere (Business ID: 2919372-3)


2. Controller's representative


Mikko Ojala,


3. Name of the register


Mustavuori Oy:n asiakas- & markkinointirekisteri


4. Legal basis for and the purpose of the processing of personal data


Personal data is processed on the basis of customer relationship or other acceptable connection when it is a legal right of the controller to process the data especially for the following purposes:

  • Implementing and developing customer service

  • Upholding a customer register

  • Implementing competition activities

  • Upholding a result service and publishing statistics

  • Digital communication with customers

  • Analyzation and compilation of statistics

5. Data content


We process the following necessary data or data categories of the registered persons:

  • Contact information, e.g., name, address, phone number, email addresses

  • Demographic information, e.g., age, sex, and mother tongue

  • Possible permissions and acceptances

  • Data concerning the customer relationship, e.g., billing and payment information, product and order information, and information on person carrying the parental responsibility

  • Information related to the customer’s competition activities and other information gathered with the permission of the customer, e.g., photo of the customer

  • Information on registration, e.g., username, alias, password and any other possible unique id


6. Regular sources of data

  • The customer themselves via the system, email, phone, an online form or a form on paper, mobile application, or other similar sources

  • Input by a processor

  • Cookies or other similar technologies

  • FSAA registers and competition registers


Personal data can be collected and updated from authorities and companies providing personal data services, e.g.:

  • Population Information System, Posti address register, contact registers of phone companies and other private or public registers

7. Regular disclosure of data and transfer of data outside the EU or EEA

We do not sell or rent personal data of registered persons to third parties. We transfer data to third parties only under the following circumstances:

  • We can hand over personal data from the register when requested by competent authorities or other entities under valid legislation.

  • We can hand over data for statistical purposes or scientific or historic research purposes when the data is pseudonymized and no natural or legal person can be identified from the data.

  • Data can be handed over to our selected partners for advertising purposes only if the person has given their acceptance to use the data in digital advertising.

We use our partners as described in this privacy policy document and may, under these principles, transfer personal data outside the EU or EEA in compliance with valid legislation. Data transfers to third countries are based on suitable safeguards, such as standard form contracts accepted by an adequacy decision of the European Commission or supervisory authority. You may ask for more information on the aforementioned precaution measures by contacting the controller's representative identified in point 2 of this privacy policy.

8. Principles according to which the data has been secured

Manual material regarding the register is stored in protected environments. Digitally stored data and processed data are stored in databases protected by firewalls, passwords and other technical solutions. The databases are located in environments under constant monitoring and to which access is restricted only to personnel whose work assignments require use of the said environments or data. The board and management of the controller may process personal data in accordance with valid data protection legislation. The processing of personal data may be outsourced to a third party only if it is guaranteed by contracts that processing of the said data shall be conducted in accordance with valid data protection legislation and in a pertinent manner as described in this privacy policy.

9. Right of access and request of rectification

Everyone has the right of access to data on themselves and request rectification of erroneous or incomplete data. A written request shall be submitted to the controller should a person wish to have access to or rectify data on themselves. The controller may, if needed, require the sender of the request to proof their identity. The controller shall respond to the customer within a time limit as set in the GDPR (in most cases one month).

10. Other rights in relation to the processing of personal data

A person whose personal data is stored in the register has a right to request their data to be erased from the register (“right to be forgotten”). In continuance, a person whose personal data is stored in the register pertains all other rights as laid down in the GDPR, e.g., the right to restrict processing of personal data under certain circumstances. All requests to the controller shall be delivered in written form. The controller may, if needed, require the sender of the request to proof their identity. The controller shall respond to the customer within a time limit as set in the GDPR (in most cases one month).

11. Changes to privacy policy


We are constantly improving our services and reserve the right to make changes to this privacy policy by notifying customers about the changes in our services. This privacy policy is also subject to changes in legislation. We advise you to regularly familiarize yourself with the contents of this privacy policy.


bottom of page