This privacy notice describes how puulab.com (the “Site” or “we”, or "PUULAB") collects, uses, and discloses your Personal Information when you visit or make a purchase from the Site.

Collecting Personal Information

The Site management demonstrates commitment to data protection by creating the policy and associated requirements, assigning specific roles and responsibilities, continuously developing a good data protection culture, and allocating appropriate resources.

We are responsible for compliance with:

  • General Data Protection Regulation (GDPR, 2016/679);
  • Finnish Data Protection Act (Tietosuojalaki, 1050/2018);
  • other applicable normative acts concerning privacy and personal data protection.

Personal data in the Site are:

  • processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency);
  • collected for specified, explicit, and legitimate purposes (purpose limitation);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and kept up to date where necessary (accuracy);
  • stored no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
  • processed in a secure manner that ensures the confidentiality, integrity, and availability of personal data.

PUULAB is able to demonstrate compliance with this statement (accountability).

PUULAB respects the rights of the Data Subjects (the right to be informed, the right to access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, the rights in relation to automated decision making and profiling) and guarantees their observance.

PUULAB has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of incidents;
  • processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

PUULAB does not transfer personal data related to your orders (for example, your photos or contact details) outside the EU (the European Union) / EEA (the European Economic Area) or to international organisations unless you explicitly agree to it.

We would like to point out that, in connection with cookies and marketing, personal data is transmitted to service providers in the USA. When data is transferred to the USA, there is a fundamental risk that this data will be accessed by US authorities without being notified and without the possibility of legal remedies. With your consent, you agree to the data being transferred to the USA.

Please find additional information related to the cookies in our Cookies notice.

The Data Protection Policy is subject to periodic assessment, revision, and updating every two years or, if necessary, at shorter time intervals to reflect changing conditions.

Definitions

'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law will not be regarded as recipients; the processing of those data by those public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing.

General Information

1. The Data Controller

PUULAB Oy, Business ID 3310140-6

Kiilatie 3-5, 02420 Jorvas, Finland

e-mail: info@puulab.com

In case of questions related to privacy please contact

e-mail: privacy@puulab.com

2. Information about processing operations 

We will inform you about the legal basis of each processing operation. We will also inform you if we intend to transfer personal data to certain countries outside the European Union (EU) or the European Economic Area (EEA).

3. Rights of data subjects

We respect and guarantee the observance of the following rights of the Data Subjects.

  • The right to be informed. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement.
  • The right of access. Individuals shall have the right to access their personal data.
  • The right to rectification. Individuals have the right to request rectification of their inaccurate personal data, or completion of it if it is incomplete.
  • The right to erasure (“the right to be forgotten”). Individuals can make a request for erasure of their data. The right is not absolute and only applies in certain circumstances.
  • The right to restrict processing. Individuals have the right to request the restriction or suppression of their personal data. It gives individuals the right to limit the way an organization uses their personal data, instead of requesting erasure. This is not an absolute right and only applies in certain circumstances.
  • The right to data portability. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • The right to object. Individuals have the right to object to the processing of their personal data in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

If you wish to file a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Data Protection Ombudsman (https://tietosuoja.fi).

4. Contacting us

If you contact us using the contact details published on the Site (for example, by email) and in this context provide us with personal data, we will use this data to process your request on the basis of Art. 6 (1)(b) GDPR, if your request is related to the performance of a contract or is required to perform pre-contractual action. In all other cases, processing is based on your consent in accordance with Art. 6 (1)(a) GDPR and / or our legitimate interest in the effective processing of requests addressed to us pursuant to Art. 6 (1)(f) GDPR. All personal data collected by us when you established contact with us will be deleted after completion of your request unless such data are still required for other purposes (for example, performance of a contract or defense against legal claims raised against us) or need to remain stored with us for other reasons (for example, to comply with statutory retention periods).

5. Email direct marketing to customers

If you are a customer and we have received your email address in connection with the sale of goods or services, we may use your email address for direct marketing of similar goods or services offered by us. This is only applicable if you have not objected and we have clearly and unequivocally advised you of the possibility of objection at the time of collecting the email address, and every time we use it for direct marketing purposes thereafter. For email direct marketing, we process your email address, your name, your company affiliation if you are interacting on behalf of a company, and the type of goods or services you purchase from us. The legal basis of processing is our legitimate interest in direct marketing according to Art. 6 (1)(f) GDPR. We will store the personal data until you object to the processing.

We use services provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop are processed by Shopify as a data processor on our behalf and are being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.

6. Newsletter

If you would like to receive our newsletter, we require your email address and name. The data processing for the purpose of sending the newsletter takes place in accordance with Art. 6 (1)(a) GDPR based on your voluntary consent by means of the so-called double-opt-in procedure. The email address will be used and stored for this purpose until you withdraw your consent or unsubscribe from receiving the newsletter. You can unsubscribe at any time, for example by using the link at the bottom of each newsletter. You can also send your withdrawal/unsubscribe request at any time to the email address given under Clause II.

We embed a so-called counting pixel into our newsletters. A counting pixel is a miniature graphic embedded in the HTML format of the newsletter to allow us an analysis of the reader's reading behavior. In this context, we gather information on whether, and at what time, a newsletter was opened by you and which of the links contained in the newsletter were accessed by you. We use this data to generate statistical evaluations of the success or failure of a marketing campaign to optimize the distribution of our newsletters and to better tailor the content of future newsletters to your interests. The collected data will not be passed on to third parties and will be deleted after the statistical evaluation.

We use services provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop are processed by Shopify as a data processor on our behalf and are being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.

7. User reviews and ratings

If you leave reviews or ratings on the products offered in our web store, we will store your user account, the time and date and the content of your review or rating and your IP address. The purpose of storing this information is

  • to connect your reviews or ratings with your user account and use these reviews or ratings for the purposes of PUULAB, and
  • to forward any complaints about your reviews or ratings to you and, if necessary, ask you to comment.

It is not possible to leave a review or rating on our web store without a user account for PUULAB. The user account provided will be stored and published with the review.

The legal basis for the processing of personal data to provide you with the functionality to leave ratings and reviews and to connect your user account for PUULAB with these reviews and ratings is your consent in accordance with Art. 6 (1)(a) GDPR and our legitimate interest under Art. 6 (1)(f) GDPR. Our legitimate interest in requesting and storing the user account for PUULAB and your IP address is based on security considerations, for example, in case someone posts unlawful content (for example, defamatory comments). In this case, we ourselves could be prosecuted for the comment or post and therefore have a legitimate interest in storing the publisher's IP address. We will pass the personal data collected on to law enforcement authorities in cases of criminal investigations. Beyond that, we will make other disclosures to third parties.

The reviews and ratings you leave in our store will be connected internally with your user account for PUULAB so you can review your usage history.

The data will be disclosed to third parties only to the extent necessary to fulfil pre-contractual and contractual obligations, e.g. banks, payment providers and credit card companies for processing the payment, shipping service providers for the shipment of goods.

8. Shopify

Our online shop uses the Shopify e-commerce platform. Shopify is provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop is processed by Shopify as a data processor on our behalf and is being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.

In addition, we use external plugins to enhance the usability of our shop. The plugin providers process personal data of the shop users as data processors on our behalf based on our legitimate interests in accordance with Art. 6 (1)(f) GDPR. Our legitimate interest is to provide a user-friendly online shop.

When you choose to use Shopify Pay for payment, we will transfer your name, email address, mobile phone number, credit card and billing address, delivery address and the shipping method you selected on the checkout page, as well as related information about your order of goods and services you have purchased from us, to Shopify Pay in order to process the payment. The legal basis for the processing is Art. 6 (1)(b) GDPR.

9. Image uploading

Customers are obliged to read the Privacy Notice and Terms of Service before uploading any photo, as stated on each product's page.

The Site uses the Upload-Lift app for uploading photos.

According to information provided by the Upload-Lift app:

  • The only data stored by the Upload-Lift app is the actual uploaded files; if a file was used in an order, the order number is additionally stored on the file record.
  • Uploaded files are stored for 30 days and are automatically deleted afterwards.
  • All file uploads are stored on Google Cloud storage in the us-west datacenter region.

We would like to point out that personal data is transmitted to service providers in the USA. When data is transferred to the USA, there is a fundamental risk that this data will be accessed by US authorities without being notified and without the possibility of legal remedies.

By uploading photos, you give your informed consent to the data being transferred to the USA.

Payment providers

If you object to the transfer of your personal data to one of our payment providers, or if you believe that your credit rating is not suitable to use one of our payment providers, you can make an advance payment via bank transfer.

Klarna

The Site uses Klarna as a payment service. The provider is Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter 'Klarna'). Klarna acts as an online payment service provider, trustee and credit reference agency. When making a payment via Klarna, we will forward your name, email address, date of birth, purchased products or services, invoice amount, invoice and delivery address, bank and credit card data, and, if applicable, your mobile phone number to Klarna. If you use the payment methods 'purchase on account' or 'payment by instalments', Klarna may check your credit rating in order to decide on the release of the payment transaction and to minimize payment defaults. In this context, your personal data may be shared with other credit reference agencies. In addition, score values are calculated for credit rating checks (so-called score values), which include address data. The calculation of these score values is based on a scientifically recognized mathematical-statistical procedure. In the event of insufficient creditworthiness, Klarna may refuse the selected payment method. The legal basis for the processing is Art. 6 (1)(b) GDPR. If you object to the data transfer or if you believe that your credit rating is not suitable for the selected payment method, please use a different payment method. For more information on how Klarna handles your personal data, please refer to the privacy policy at: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy.

Shipping providers

The Site uses Posti Group Oyj as a shipping provider.

Please find additional information related to the shipping in our Shipping policy.

Statistics and Analytics

1. Google Services

The provider of the services below is Google Ireland Limited (Register No: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”).

The information and personal data collected by Google in connection with the provision of the respective services may be transferred to and processed by Google servers in the USA. Google entered into Standard Contractual Clauses to comply with the requirements of the GDPR to legitimately transfer personal data to third countries outside the European Union (EU) or the European Economic Area (EEA). A copy of the EU Standard Contractual Clauses can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.

For more information about how Google handles personal data, please refer to Google's Privacy Policy: https://www.google.com/intl/de/policies/privacy/. For information on the use of data for advertising purposes by Google, settings and your right to object please refer to: https://www.google.de/policies/privacy/partners/, https://www.google.de/policies/technologies/ads/, https://adssettings.google.de/

The legal basis for the use of the following services is your voluntarily given consent according to Art. 6 (1)(a) GDPR. The legal basis for data transfer to the USA is also your voluntarily given consent in accordance with Art. 49 (1)(a) GDPR.

2. Google Analytics

The Site uses Google Analytics. Google Analytics uses cookies. Google Analytics collects information about the visits of website users and analyses their behavior. This data serves the purpose of developing a user-friendly website design, the continuous optimization of our services and offers, to measure the success of marketing activities and to create statistical analysis. In this context, pseudonymized user profiles are created and cookies are used. Google Analytics collects information such as browser type / version, operating system, referrer URL (the previously visited page), host name of the accessing computer (IP address) and time of server request. The information generated is transferred to the US and stored on servers owned by Google. The collected user data and event data will be deleted after 26 months. Information may also be transferred to third parties if required by law or if third parties process this data on behalf of us or Google. Under no circumstances will your IP address be merged with any other data that is kept by Google. The IP address will be anonymized so that assignment is impossible.

2.1 Demographics and interests with Google Analytics

The Site uses the feature 'demographics and interests' within the scope of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of our site visitors. This data comes from Google's interest-based advertising as well as visitor data from third-party providers. This data cannot be assigned to any specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as explained above.

2.2 Google Analytics Remarketing

The Site uses Google Analytics Remarketing. This service presents internet users with advertising content related to previously visited websites. Google uses cookies to recognize visitors who access web pages from the Google Advertising Network. This service collects your IP address, which websites you have visited and, if necessary, other data required by Google for the provision of Analytics Remarketing. Your IP address will not be merged with other data provided by Google. The information gathered about your use of this website is stored on a server in the USA. This information may also be transferred to third parties if required by law or if third parties process this data on behalf of us or Google. You can prevent the local storage of cookies by configuring your browser software correspondingly. However, be advised that in this case you may not be able to use all the features of the Site to the full extent possible. If you do not wish to use Google Remarketing, you can disable it by configuring your personal settings at: http://www.google.com/settings/ads.

2.3 Google Ads with Conversion-Tracking

The Site uses Google Ads and Google Ads with Conversion Tracking. Google Conversion Tracking is used to track and evaluate the clicks on ads, purchases, signups, phone calls, app downloads, and other actions on our website. In this context, Google Ads collects your IP address, which of our websites you have visited and, if necessary, other data required by Google for providing conversion tracking statistics. Under no circumstances will your IP address be merged with any other data that is kept by Google. This service also uses cookies for analysis and evaluation purposes. You can prevent the storage of cookies by configuring your browser so that no cookies will be stored on your device. However, disabling cookies may mean that you are not able to use all the features on our website. The information generated is transferred to the US and stored on servers owned by Google. This information may also be transferred to third parties if required by law or if third parties process this data on behalf of us or Google.

2.4 Google AdSense

The Site uses Google AdSense to integrate advertisements on our website. Google AdSense uses cookies and web beacons to recognize and analyze page visits. Web beacons are small invisible graphics that analyze information such as clicks on advertisements or website traffic. This service collects your IP address, which of our web pages you have visited and, where applicable, other data required by Google for the provision of the advertisements. The IP address transmitted by your browser as part of Google AdSense will never be merged with other Google data. The information generated about your use of the Site is stored on a server in the USA. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of us or Google. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website.

3. Google Tag Manager

The Site uses Google Tag Manager in order to manage the website through a single tag management interface. Google Tag Manager only implements tags. This means no cookies are used and no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain effective for all tracking tags as far as they are implemented with the Google Tag Manager.

4. Meta Pixel / Facebook Pixel (Visitor action pixels)

We use the “visitor action pixels” from Meta Platforms, Inc. (1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”)) on our website. This allows user behavior to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. The legal basis for the use of this service is Art. 6 paragraph 1 sentence 1 letter f GDPR. You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address: https://www.facebook.com/settings?tab=ads.

Privacy in social media

For information regarding data processing on Facebook, Instagram and TikTok, please check the following links:

Facebook:

https://www.facebook.com/about/privacy/

Instagram:

https://help.instagram.com/519522125107875/?maybe_redirect_pol=0

TikTok:

https://www.tiktok.com/legal/privacy-policy-eea?lang=en

 

Last updated: 20.09.2022