Privacy statement pursuant to § 10 of the Personal Data Act (523/1999)

1. Controller of the register

Beauty In Oy
Sibeliuksenkatu 3
FI-20100 TURKU

2. Person handling register-related issues

Petra Nuortio-Katajisto
Sibeliuksenkatu 3
FI-20100 TURKU

3. Name of the register

Customer register for IN17 Skincare

4. Grounds and purpose of the register

Personal information is processed on the basis of a registered customer relationship
Personal information is processed on the basis of consent

Personal information is only used for purposes specified in advance, which are:

  • Maintaining customer relations
  • Customer and direct marketing
  • Analytics

5. Personal information stored in the register

  • first name
  • last name
  • email address
  • company name
  • company address
  • company invoicing information
  • company telephone number
  • company e-mail address
  • company business ID/VAT number

6. Anonymised data

We may use third-party analysis tools in order to develop our online services. Such tools include e.g. Google Analytics. Data collection is automatic, and all data are anonymised during the collection. The collected data include e.g.:

  • IP address (and country)
  • User behaviour in the online service
  • Type of used device
  • Browser type and language settings
  • Referrer information

More information concerning the anonymisation of analytics:

7. Using analytics

We use anonymised analytics regularly:

  • To carry out and target market research and other research, analyses and reports
  • To ensure usability and functionality and to investigate misuses
  • To plan business operations and to develop products
  • To produce, maintain, protect and develop services
  • To personalise services and target marketing

8. Data subject’s rights

The data subject has the following rights, and all requests concerning the exercise of said rights must be made in writing and personally signed or personally delivered to the address Beauty In Oy, Sibeliuksenkatu 3, FI-20100 Turku.

Right of review

The data subject may review the personal data stored by us.

Right of rectification

The data subject may request a rectification of their incorrect or incomplete data.

Right of objection

The data subject may object to the processing of their personal data, if they feel that their data have been illegally processed.

Direct marketing ban

The data subject may forbid the use of their data for direct marketing purposes.

Right of removal

The data subject may request the removal of their data, if the processing of their data is not necessary. We will process the request and either delete the data or notify the subject of the reasons why the data cannot be removed.

It must be noted that the controller may be legally or otherwise entitled to not remove the data the deletion of which has been requested. The controller is obliged to store all records for the duration of the period (10 years) specified in the Accounting Act (paragraph 2, § 10). This is why no accounting materials may be removed before this time has passed.

Withdrawing consent

If the processing of the personal information concerning the data subject is based on consent only instead of e.g. customership or membership, the data subject may withdraw their consent.

The data subject may appeal a decision to a data protection supervisor

The data subject may demand that we restrict the processing of disputed data until the matter is resolved.

Right of appeal

The data subject may file a complaint to a data protection supervisor if they feel that we have violated existing data protection laws in the processing of their personal information.

9. Regular data sources

The data stored in the register are obtained from the customer on the basis of e.g. messages submitted via web forms, e-mail, telephone, social media services, from agreements, customer meetings and other occasions where the customer hands over their personal information.

10. Regular data transfers

The controller of the register shall not disclose any of the customers’ personal data to third parties, and the personal data shall not be transferred outside the EU.

11. Protection principles of the register

The register is handled with care, and all data processed by data systems shall be appropriately protected. When register data are stored on internet servers, both the physical and digital security of the systems are seen to in an appropriate manner. The controller sees to it that stored data, server access rights and other data critical to the security of the personal information are processed confidentially and only by those employees whose job description includes such processing.