This privacy notice describes how puulab.com (the “Site” or “we”, or "PUULAB") collects, uses, and discloses your Personal Information when you visit or make a purchase from the Site.
Collecting Personal Information
The Site management demonstrates commitment to data protection by creating the policy and associated requirements, assigning specific roles and responsibilities, continuously developing a good data protection culture, and allocating appropriate resources.
We are responsible for compliance with:
- General Data Protection Regulation (GDPR, 2016/679);
- Finnish Data Protection Act (Tietosuojalaki, 1050/2018);
- other applicable normative acts concerning privacy and personal data protection.
Personal data in the Site are:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency);
- collected for specified, explicit, and legitimate purposes (purpose limitation);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- accurate and kept up to date where necessary (accuracy);
- stored no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- processed in a secure manner that ensures the confidentiality, integrity, and availability of personal data.
PUULAB is able to demonstrate compliance with this statement (accountability).
PUULAB respects the rights of the Data Subjects (the right to be informed, the right to access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, the rights in relation to automated decision making and profiling) and guarantees their observance.
PUULAB has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of incidents;
- processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
PUULAB does not transfer personal data related to your orders (for example, your photos or contact details) outside the EU (the European Union) / EEA (the European Economic Area) or to international organisations unless you explicitly agree to it.
We would like to point out that, in connection with cookies and marketing, personal data is transmitted to service providers in the USA. When data is transferred to the USA, there is a fundamental risk that this data will be accessed by US authorities without being notified and without the possibility of legal remedies. With your consent, you agree to the data being transferred to the USA.
Please find additional information related to the cookies in our Cookies notice.
The Data Protection Policy is subject to periodic assessment, revision, and updating every two years or, if necessary, at shorter time intervals to reflect changing conditions.
'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law will not be regarded as recipients; the processing of those data by those public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing.
1. The Data Controller
PUULAB Oy, Business ID 3310140-6
Kiilatie 3-5, 02420 Jorvas, Finland
In case of questions related to privacy please contact
2. Information about processing operations
We will inform you about the legal basis of each processing operation. We will also inform you if we intend to transfer personal data to certain countries outside the European Union (EU) or the European Economic Area (EEA).
3. Rights of data subjects
We respect and guarantee the observance of the following rights of the Data Subjects.
- The right to be informed. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement.
- The right of access. Individuals shall have the right to access their personal data.
- The right to rectification. Individuals have the right to request rectification of their inaccurate personal data, or to have it completed if it is incomplete.
- The right to erasure (“the right to be forgotten”). Individuals can request erasure of their data. The right is not absolute and only applies in certain circumstances.
- The right to restrict processing. Individuals have the right to request the restriction or suppression of their personal data. It gives individuals the right to limit the way an organization uses their personal data, instead of requesting erasure. This is not an absolute right and only applies in certain circumstances.
- The right to data portability. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object. Individuals have the right to object to the processing of their personal data in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you wish to file a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Data Protection Ombudsman (https://tietosuoja.fi).
4. Contacting us
If you contact us using the contact details published on the Site (for example, by email) and in this context provide us with personal data, we will use this data to process your request on the basis of Art. 6 (1)(b) GDPR, if your request is related to the performance of a contract or is required to perform pre-contractual action. In all other cases, processing is based on your consent in accordance with Art. 6 (1)(a) GDPR and / or our legitimate interest in the effective processing of requests addressed to us pursuant to Art. 6 (1)(f) GDPR. All personal data collected by us when you established contact with us will be deleted after completion of your request unless such data are still required for other purposes (for example performance of a contract or defense against legal claims raised against us) or need to remain stored with us for other reasons (for example to comply with statutory retention periods).
5. Email direct marketing to customers
If you are a customer and we have received your email address in connection with the sale of goods or services, we may use your email address for direct marketing of similar goods or services offered by us. This is only applicable if you have not objected and we have clearly and unequivocally advised you of the possibility of objection at the time of collecting the email address, and every time we use it for direct marketing purposes thereafter. For email direct marketing, we process your email address, your name, your company affiliation if you are interacting on behalf of a company, and the type of goods or services you purchase from us. The legal basis of processing is our legitimate interest in direct marketing according to Art. 6 (1)(f) GDPR. We will store the personal data until you object to the processing.
We use services provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop are processed by Shopify as a data processor on our behalf and are being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.
If you would like to receive our newsletter, we require your email address and name. The data processing for the purpose of sending the newsletter takes place in accordance with Art. 6 (1)(a) GDPR based on your voluntary consent by means of the so-called double-opt-in procedure. The email address will be used and stored for this purpose until you withdraw your consent or unsubscribe from receiving the newsletter. You can unsubscribe at any time, for example by using the link at the bottom of each newsletter. You can also send your withdrawal/unsubscribe request at any time to the email address given under Clause II.
We embed a so-called counting pixel into our newsletters. A counting pixel is a miniature graphic embedded in the HTML format of the newsletter to allow us an analysis of the reader's reading behavior. In this context, we gather information on whether, and at what time, a newsletter was opened by you and which of the links contained in the newsletter were accessed by you. We use this data to generate statistical evaluations of the success or failure of a marketing campaign to optimize the distribution of our newsletters and to better tailor the content of future newsletters to your interests. The collected data will not be passed on to third parties and will be deleted after the statistical evaluation.
We use services provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop are processed by Shopify as a data processor on our behalf and are being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.
7. User reviews and ratings
If you leave reviews or ratings on the products offered in our web store, we will store your user account, the time and date, the content of your review or rating, and your IP address. The purpose of storing this information is:
- to connect your reviews or ratings with your user account and use these reviews or ratings for the purposes of PUULAB, and
- to forward any complaints about your reviews or ratings to you and, if necessary, ask you to comment.
It is not possible to leave a review or rating on our web store without a user account for PUULAB. The user account provided will be stored and published with the review.
The legal basis for the processing of personal data to provide you with the functionality to leave ratings and reviews and to connect your user account for PUULAB with these reviews and ratings is your consent in accordance with Art. 6 (1)(a) GDPR and our legitimate interest under Art. 6 (1)(f) GDPR. Our legitimate interest in requesting and storing the user account for PUULAB and your IP address is based on security considerations, for example, in case someone posts unlawful content (for example, defamatory comments). In this case, we ourselves could be prosecuted for the comment or post and therefore have a legitimate interest in storing the publisher's IP address. We will pass the personal data collected on to law enforcement authorities in cases of criminal investigations. Beyond that, we will make other disclosures to third parties.
The reviews and ratings you leave in our store will be connected internally with your user account for PUULAB so you can review your usage history.
The data will be disclosed to third parties only to the extent necessary to fulfil pre-contractual and contractual obligations, e.g. banks, payment providers and credit card companies for processing the payment, shipping service providers for the shipment of goods.
Our online shop uses the Shopify e-commerce platform. Shopify is provided by Shopify Inc, 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, Canada. The controller for the processing of personal data in the EU is Shopify International Ltd, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32, Ireland (hereinafter “Shopify”). Your contractual data and other data you enter in our online shop is processed by Shopify as a data processor on our behalf and is being transferred to Shopify Inc. in Canada. The EU Commission has decided that Canada ensures an adequate level of protection. The adequacy decision for Canada can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=en. According to Art. 45 GDPR, due to this decision a transfer of personal data to Canada does not require any specific authorization.
In addition, we use external plugins to enhance the usability of our shop. The plugin providers process personal data of the shop users as data processors on our behalf based on our legitimate interests in accordance with Art. 6 (1)(f) GDPR. Our legitimate interest is to provide a user-friendly online shop.
When you choose to use Shopify Pay for payment, we will transfer your name, email address, mobile phone number, credit card and billing address, delivery address and the shipping method you selected on the checkout page, as well as related information about your order of goods and services you have purchased from us, to Shopify Pay in order to process the payment. The legal basis for the processing is Art. 6 (1)(b) GDPR.
9. Image uploading
Customers are obliged to read the Privacy Notice and Terms of Service before uploading any photo, as stated on each product's page.
The Site uses the Upload-Lift app for uploading photos.
According to information provided by the Upload-Lift app:
- The only data that is stored by Upload-Lift app is the actual uploaded files and if the file was used in an order, the order number is additionally stored on the file record.
- Uploaded files are stored for 30 days and are automatically deleted afterwards.
- All file uploads are stored on Google Cloud storage in the us-west datacenter region.
We would like to point out that personal data is transmitted to service providers in the USA. When data is transferred to the USA, there is a fundamental risk that this data will be accessed by US authorities without being notified and without the possibility of legal remedies.
By uploading photos, you give informed consent to the data being transferred to the USA.
If you object to the transfer of your personal data to one of our payment providers, or if you believe that your credit rating is not suitable to use one of our payment providers, you can make an advance payment via bank transfer.
The Site uses Posti Group Oyj as a shipping provider.
Please find additional information related to the shipping in our Shipping policy.
Statistics and Analytics
1. Google Services
Provider of the services below is Google Ireland Limited (Register No: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”).
The information and personal data collected by Google in connection with the provision of the respective services may be transferred to and processed by Google servers in the USA. Google entered into Standard Contractual Clauses to comply with the requirements of the GDPR to legitimately transfer personal data to third countries outside the European Union (EU) or the European Economic Area (EEA). A copy of the EU Standard Contractual Clauses can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.
The legal basis for the use of the following services is your voluntarily given consent according to Art. 6 (1)(a) GDPR. The legal basis for data transfer to the USA is also your voluntarily given consent in accordance with Art. 49 (1)(a) GDPR.
2. Google Analytics
2.1 Demographics and interests with Google Analytics
The Site uses the feature 'demographics and interests' within the scope of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of our site visitors. This data comes from Google's interest-based advertising as well as visitor data from third-party providers. This data cannot be assigned to any specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as explained above.
2.2 Google Analytics Remarketing
2.3 Google Ads with Conversion-Tracking
2.4 Google AdSense
3. Google Tag Manager
The Site uses Google Tag Manager in order to manage the website through a single tag management interface. Google Tag Manager only implements tags. This means no cookies are used and no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain effective for all tracking tags as far as they are implemented with the Google Tag Manager.
4. Meta Pixel / Facebook Pixel (Visitor action pixels)
We use the “visitor action pixels” from Meta Platforms, Inc. (1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”)) on our website. This allows user behavior to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, which is why we are informing you, based on our knowledge of the situation. Facebook may link this information to your Facebook account and also use it for its own promotional purposes, in accordance with Facebook’s Data Usage Policy https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and off Facebook. A cookie may also be stored on your computer for these purposes. The legal basis for the use of this service is Art. 6 paragraph 1 sentence 1 letter f GDPR. You can object to the collection of your data by Facebook pixel, or to the use of your data for the purpose of displaying Facebook ads by contacting the following address: https://www.facebook.com/settings?tab=ads.
Privacy in social media
For information regarding data processing on Facebook, Instagram and TikTok, please check the following links:
Last updated: 20.09.2022