Privacy statement

Registry and privacy policy

EU General Data Protection Regulation (GDPR) and Data Protection Act (1050/2018).

Prepared and last edited on January 16, 2025.

1. Contact information of the data controller and the person responsible for data management

LittleVolpi
Business ID
3350152-2

littlevolpico(at)gmail.com

Kia-Cathrine Juntunen
tel. +358 45 139 6582

Tamppisaarentie 1 A 27
87200 Kajaani

2. Name of the register

LittleVolpi's customer register.

3. Purpose and legal basis for processing personal data

Personal data is collected and processed in connection with online store orders in order to provide the service. Personal data is needed to manage the customer relationship, deliver the order, invoicing and handle any issues related to the order. By accepting cookies, the customer agrees to the use of cookies.

The legal basis for processing personal data is contract, consent or legitimate interest.

4. Information contained in the register

The data is collected in connection with an online store order. The online store service provider is Shopify.

When ordering, the customer provides basic information, such as:
-name
-delivery address
- phone number
- email address
- payment and payment method information
- direct marketing consent or prohibition

Information may be collected from the customer regarding service usage data. This information includes, for example, billing, credit and payment information, shopping cart information, product reviews and delivery information.

Information about the customer's online behavior on the site may be collected using cookies and similar technologies.

The customer can, if they wish, accept, reject or select the cookies they use from a pop-up window that opens when entering the website.

The customer, if desired, gives permission for direct marketing when placing an order.

5. Transfer of personal data to third parties and outside the EU or EEA

Personal data is only disclosed to third parties when it is necessary for the provision of the service. Such parties include, for example, payment service providers.

Data is not transferred outside the EU or EEA by LittleVolp.

6. Regular sources of information

Personal data is collected from the customer themselves in connection with the ordering process or in other transaction situations, for example at events, social media and customer communications or in other situations where the customer provides their information.

Personal data is collected and updated within the limits of the legislation from generally available sources that are related to the implementation of the customer relationship between the controller and the customer and with which the controller carries out obligations related to maintaining customer relationships.

7. Retention period of personal data

The customer's personal data will be stored for as long as necessary to fulfill the purposes stated in the privacy policy, however, for a maximum of six years. The Accounting Act stipulates a retention period of six years for accounting records, and as required by the Act, some customer personal data must be stored for the aforementioned period.

Unnecessary, outdated and incorrect personal data is not retained and efforts are made to update it without delay.

10. Principles of register protection

Information in digital form is protected by appropriate means, such as firewalls, SSL encryption, and passwords. Only the person responsible for data protection has access to the information.

Information in physical form is stored in locked facilities, accessible only to the person responsible for data protection.

Systems and databases essential for operations are protected by separately issued usernames and passwords. Only the person responsible for data protection or persons necessary for lawful processing can access the data.

11. Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

  1. the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where such personal data are being processed, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or are to be disclosed; (iv) where possible, the planned storage period for the personal data or, where that is not possible, the criteria for determining that period; (v) the right of the data subject to request from the controller rectification or erasure of personal data concerning him or her or restriction of processing of personal data or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where personal data are not collected from the data subject, all available information on the origin of the data (GDPR Art. 15).
  2. the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (GDPR Art. 7);
  3. the right to demand that the controller rectify inaccurate and incorrect personal data concerning the data subject without undue delay and the right to have incomplete personal data completed, including by providing additional information, taking into account the purposes for which the data were processed (GDPR Art. 16);
  4. the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other legitimate ground for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no compelling reasons for the processing or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been processed unlawfully; or (v) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or national law (GDPR Art. 17);
  5. the right to obtain from the controller restriction of processing where (i) the data subject contests the accuracy of the personal data, in which case the processing shall be restricted for a period of time during which the controller may verify their accuracy; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation, pending verification whether the legitimate grounds of the controller override those of the data subject (GDPR Art. 18);
  6. the right to receive the personal data concerning him or her, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent within the meaning of the Regulation and the processing is carried out automatically (GDPR Art. 20);
  7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the EU General Data Protection Regulation (GDPR Art. 77).

Requests regarding the exercise of the data subject's rights shall be addressed to the controller's contact person mentioned in section 1.

12. Changes to the Privacy Policy

The privacy policy is updated regularly and LittleVolpi reserves the right to change the policy if necessary. It is therefore recommended that the customer check the updated privacy policy regularly.