Data protection
Privacy statement updated 14 August 2025
Data protection and processing of personal data at Innoflame Oy
The privacy of customers is very important in our operations, and we commit to protecting personal data and processing it appropriately and to high standards in all processing circumstances. We regularly work on data protection and information security and develop our operations to improve these areas and the whole entity.
Privacy statements are available to all on our website, and upon request we will provide them to the data subject. The privacy documentation may be updated as needed, and changes will be announced on the website. The date of change is listed in the privacy statement.
We have analyzed the processing of personal data and the processes related to it in our operations. An internal processing operations description has been prepared. In situations where the legal basis for processing is legitimate interest, a balancing test has been drawn up to ensure the appropriateness of the legitimate interest. The processing of personal data is risk-based, and threats and risks related to the processing of personal data are regularly assessed.
Impact assessments are made when we identify that processing causes a high risk to the data subject.
Personal data is not processed or stored unnecessarily, and all unnecessary data is removed. Also, persons who process personal data are limited, and only those employees whose job requires handling the data have access to the data. The processing of personal data in different systems is also limited through roles, so only the personal data needed for the moment is used.
The processing of personal data is carried out in accordance with data protection principles, which are considered also at practical level in our operations, and we have trained our staff to act according to those principles.
Alongside processes related to handling personal data, we have paid attention to technical solutions and ensure that only secure technologies are in use. We obligate that all subcontractors and contractual partners fulfill our quality requirements.
We actively monitor data protection practices in the field and ensure high level of knowledge among personnel. The required competence is tailored to the person’s role, and if the job involves significant handling of personal data, the competence must be at a high level.
A data subject may use their rights by filling the form available on the website. We respond to data requests as quickly as possible, and if for some reason we cannot satisfy the request within a month, we will immediately inform the data subject.
Data subjects have the right to prohibit the use of their data for direct marketing, distance selling or other direct marketing, and for opinion and market research, and the right to demand correction of inaccurate data by contacting the person responsible for registry matters.
We are always happy to help regarding processing of personal data; up-to-date contact information is available on the website and in the privacy statement.
1. Data controller and responsible person
Innoflame Oy
(Business ID / Y-tunnus: 1055712-8, VAT no.: FI10557128)
Kornetintie 3
00380 Helsinki
Phone: +358 20 7433 600
Contact for privacy matters: tietosuoja(at)innoflame.fi
2. Purpose of the register
We collect and process only those personal data that are necessary for maintaining the customer relationship or for providing our services and products.
We process your personal data for the following purposess:
| Purpose | Legal basis |
|---|---|
| Operation and maintenance of the online store | Contract |
| Order processing and delivery processes | Contract |
| Customer relationship management | Contract, legitimate interest |
| Advertising and marketing | Contract, legitimate interest |
| Communication | Legitimate interest |
| Exercising a data subject’s rights | Legal obligation |
| Product and service development | Legitimate interest |
3. Data included in the register
The register processes those data that are necessary in view of the register’s purpose, which include:
- First name and last name, company name
- Business ID (y-tunnus)
- Contact details (company and/or home address, phone number, email address, country)
- Start and end dates of the customer relationship
- Authentication credentials related to use of services, identification and electronic communications identification
- Newsletter subscribers
- Advertising campaigns targeted at the data subject, product data and instructions, and other communications
- Invoicing data
- Chosen payment method, identifiers of payment instruments, and purchase data
- Product data
- Contact relating to the customer relationship
- Consent or refusal for direct marketing and data used for targeting marketing
- Usage analytics data
- Changes to prior data, log data
4. Regular data sources and retention
Personal data is collected from the customer company, the data subject themselves, and from systems used by the controller in data processing.
Personal data may be collected and updated from the controller’s group companies and partners.
Data is stored only as long as it is necessary to fulfill the intended purposes. The retention periods are influenced both by business needs and legal obligations.
5. Protection of the register
Databases containing register data are protected by technical means, such as firewalls and passwords, and storage occurs in locked spaces. Manual materials are handled only in locked premises, and manual archives are in locked areas with restricted access.
The controller ensures that only employees of the controller or of companies acting on behalf of controller whose work tasks necessitate access to personal data have access to it.
6. Disclosure and transfer of data
We only disclose data within the limits permitted or required by applicable law. In corporate acquisitions or mergers, the acquiring party may gain access to customer data.
We may use third parties as processors for personal data processing. For each processor, we have an agreement concerning processing of personal data.
Data is not transferred outside the European Union or European Economic Area unless there is a direct need (e.g. in product shipping processes). In such case, as controller we ensure the protection of data at the level required by law and ensure a high level of data protection through contractual means. For transfers outside the EU/EEA, an appropriate transfer mechanism is always ensured.
7. Rights of the data subject
You have the right under the EU General Data Protection Regulation to:
- Be informed about the processing of your personal data
- Access (inspection)
- Rectification (correction)
- Erasure (to be forgotten)
- Restriction of processing
- Objection to processing
- Data portability
- Not to be subject to automated decision-making
The exercise of these rights depends on the legal basis on which the data is processed. Personal data that is necessary for the purposes stated in this statement, or whose retention is required by law, cannot be erased.
You may use a form on our website to exercise your rights.
If you believe that the processing of your personal data is not appropriate, you have the right to contact the Data Protection Authority. You can find contact details for the data protection authority on its website: https://tietosuoja.fi/yhteystiedot.
7. Cookies
The website maintained by Innoflame Oy uses cookies. A cookie is a small text file stored by the browser on the user’s device. The cookie contains an anonymous, unique identifier that can be used to recognize the browser visiting the website.
Cookies do not harm the user’s device, and cookies cannot be used to spread malware.
The user cannot be personally identified via cookies.
Cookies are used for providing the website and its development. Cookies may be used to analyze website usage. Cookies may also be used for targeted advertising.
We use Leadoo user tracking to monitor how users move on our pages, and combine this data with information collected (for example via chat interactions). Leadoo uses etag tracking, technically different from cookie-based tracking, but subject to the same rules as cookies. Check Leadoo Marketing Technologies Oy’s privacy policy for more details. (https://leadoo.com/privacy-policy/).
From GDPR perspective, we act as controller and Leadoo as processor. You can block tracking by clearing your browser’s cache after your visit. More information about how Leadoo operates as a GDPR-compliant processor is at https://leadoo.com/privacy-policy-processor/
A website user may block cookies by adjusting their browser settings or cookie settings on this site, or delete cookies from their browser. However, note that blocking or deleting cookies may adversely affect or prevent the use of the site.