Privacy Statement

Last updated: October 7, 2025

This privacy statement applies to citizens and legal permanent residents of the European Economic Area, United Kingdom, Norway, United States, Canada, and Japan.

This privacy statement explains what we do with the data we obtain about you via pikkuna.fi. We recommend you carefully read this statement. In our processing, we comply with the requirements of privacy legislation. That means, among other things, that:

  1. we clearly state the purposes for which we process personal data. We do this by means of this privacy statement;
  2. we aim to limit our collection of personal data to only the personal data required for legitimate purposes;
  3. we first request your explicit consent to process your personal data in cases requiring your consent;
  4. we take appropriate security measures to protect your personal data and also require this from parties that process personal data on our behalf;
  5. we respect your right to access your personal data or have it corrected or deleted, at your request.

If you have any questions or want to know exactly what data we keep of you, please contact us.

1. Purpose, data and retention period

We may collect or receive personal information for a number of purposes connected with our business operations which may include the following:

1.1 Contact — Through phone, mail, email and/or webforms

Data we collect:

  1. A first and last name
  2. A home or other physical address, including street name and name of a city or town
  3. An email address
  4. A telephone number

Legal basis: It is necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party.

Retention period: We retain this data until the service is terminated.

1.2 Payments

We use Stripe Inc. (based in the United States) as our payment processor to handle secure payment transactions. Stripe is a PCI DSS Level 1 certified payment processor, which is the highest level of security certification in the payments industry.

Data we collect:

  1. A first and last name
  2. A home or other physical address, including street name and name of a city or town
  3. An email address
  4. A telephone number
  5. Payment information (processed securely by Stripe; we do not store full credit card numbers)

Legal basis: It is necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party.

Third-party processor: Stripe Inc. processes payment data on our behalf. Data transfers to the United States are protected by Standard Contractual Clauses. For more information, see Stripe's Privacy Policy.

Retention period: We retain this data upon termination of the service for the following number of months: 120 (10 years). This retention period is justified by Finnish accounting law (Kirjanpitolaki 1336/1997), which requires businesses to retain accounting records including invoices for a minimum of 6 years. We retain data for 10 years to cover potential warranty claims, product liability issues, and tax audits.

1.3 To be able to comply with legal obligations

Data we collect:

  1. A home or other physical address, including street name and name of a city or town

Legal basis: For compliance with a legal or regulatory obligation.

Retention period: We retain this data until the service is terminated.

1.4 Compiling and analyzing statistics for website improvement

Data we collect:

  1. IP Address
  2. Internet activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement
  3. Geolocation data

Legal basis: Consent (GDPR Article 6(1)(a) and ePrivacy Directive)

We collect this data through cookies and similar technologies only after obtaining your explicit consent via our cookie banner. You can manage your cookie preferences at any time through our Cookie Policy.

Retention period: Upon termination of the service we retain this data for the following period: 26 months.

1.5 Deliveries

Data we collect:

  1. A first and last name
  2. A home or other physical address, including street name and name of a city or town
  3. An email address
  4. A telephone number

Legal basis: It is necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party.

Retention period: We retain this data upon termination of the service for the following number of months: 120 (10 years). This retention period is justified by Finnish accounting law (Kirjanpitolaki 1336/1997), which requires businesses to retain accounting records including invoices for a minimum of 6 years. We retain data for 10 years to cover potential warranty claims, product liability issues, and tax audits.

1.6 Marketing and Advertising

We use marketing pixels from Facebook (Meta Platforms Inc.) and TikTok (ByteDance Ltd.) to measure the effectiveness of our advertising campaigns, track conversions, and show you relevant advertisements on these platforms.

Data we collect:

  1. IP address (anonymized)
  2. Browser type and version
  3. Device information
  4. Pages visited and actions taken on our website
  5. Purchase events and conversion data
  6. Facebook Click ID (fbclid) and TikTok Click ID (ttclid)

Legal basis: Consent (GDPR Article 6(1)(a) and ePrivacy Directive). We only activate these marketing pixels after you have accepted marketing cookies through our cookie banner.

Purpose: To measure advertising effectiveness, optimize our marketing campaigns, retarget visitors with relevant ads, and create custom audiences for advertising purposes.

Retention period: Marketing pixel data is retained by Facebook and TikTok according to their respective privacy policies. Cookie consent can be revoked at any time through our Cookie Policy.

2. Sharing with other parties

We only share this data with processors and with other third parties for which consent must be obtained.

2.1 Processors:

We share your personal data with the following processors:

| Processor | Country | Purpose | Data Transfer Safeguards |
|---|---|---|---|
| Google LLC | USA | Analytics and advertising | Standard Contractual Clauses |
| Meta Platforms Inc. (Facebook) | USA | Marketing pixels and advertising | Standard Contractual Clauses |
| ByteDance Ltd. (TikTok) | USA | Marketing pixels and advertising | Standard Contractual Clauses |
| Stripe Inc. | USA | Payment processing | Standard Contractual Clauses |
| Zoho Corporation Pvt. Ltd. / Zoho Corporation B.V. | India / Netherlands | CRM, customer support, visitor analytics | Standard Contractual Clauses, EU presence |
| Airtable Inc. | USA | Order management and tracking | Standard Contractual Clauses |
| Mailgun Technologies Inc. | USA | Transactional email delivery | Standard Contractual Clauses |

All processors located in the United States are outside the European Economic Area. We ensure appropriate safeguards are in place for data transfers through Standard Contractual Clauses approved by the European Commission in accordance with GDPR Chapter V.

3. Cookies

Our website uses cookies. For more information about cookies, please refer to our Cookie Policy.

4. Disclosure practices

We may disclose your personal information in the following circumstances:

4.1 Legal Obligations

We disclose personal information if we are required by law or by a court order, in response to a law enforcement agency, to the extent permitted under other provisions of law, to provide information, or for an investigation on a matter related to public safety. This includes compliance with tax authorities, regulatory bodies, and law enforcement agencies in Finland and other jurisdictions where we operate.

4.2 Business Transfers

If our website or organisation is taken over, sold, or involved in a merger or acquisition, your details may be disclosed to our advisers and any prospective purchasers and will be passed on to the new owners. In such cases, we will ensure that the receiving party is bound by terms at least as protective as this Privacy Statement.

4.3 Data Processing Agreements

We have concluded Data Processing Agreements (DPAs) with all our processors as required by GDPR Article 28:

  1. Google LLC — For analytics and advertising services
  2. Meta Platforms Inc. — For Facebook Pixel and marketing services
  3. ByteDance Ltd. — For TikTok Pixel and marketing services
  4. Stripe Inc. — For payment processing services
  5. Zoho Corporation — For CRM and customer support services
  6. Airtable Inc. — For order management services
  7. Mailgun Technologies — For email delivery services

These agreements ensure that our processors only process personal data on our documented instructions and implement appropriate technical and organizational measures to protect your data.

4.4 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Any sharing of data with third parties is limited to the purposes described in this Privacy Statement and is subject to appropriate safeguards.

5. Security

We are committed to the security of personal data and implement appropriate technical and organizational measures to protect your information against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with GDPR Article 32.

5.1 Technical Security Measures

Our technical security measures include:

  1. HTTPS/TLS encryption: All data transmitted between your browser and our website is encrypted using industry-standard TLS 1.3 protocol
  2. Secure payment processing: Payment data is processed by Stripe, a PCI DSS Level 1 certified processor; we do not store full credit card numbers on our servers
  3. Data encryption at rest: Personal data stored in our systems and with our processors is encrypted using AES-256 or equivalent encryption standards
  4. Regular security updates: We maintain current versions of all software and regularly apply security patches
  5. Firewall and intrusion detection: Our infrastructure includes firewalls and monitoring systems to detect and prevent unauthorized access

5.2 Organizational Security Measures

Our organizational security measures include:

  1. Access control: Only authorized personnel have access to personal data, and access is granted on a need-to-know basis using role-based access controls
  2. Data Processing Agreements: All third-party processors are bound by DPAs that require them to implement appropriate security measures
  3. Employee training: Staff members who handle personal data receive training on data protection and security best practices
  4. Data minimization: We collect and retain only the personal data necessary for the purposes described in this Privacy Statement
  5. Regular security reviews: We regularly review and update our security measures to address evolving threats
  6. Incident response procedures: We have established procedures for detecting, responding to, and recovering from security incidents

5.3 Data Breach Notification

In case of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  1. Notify the relevant supervisory authority (Office of the Data Protection Ombudsman in Finland) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  2. Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  3. Take immediate measures to mitigate the impact and prevent future occurrences
  4. Document the breach, including the facts, effects, and remedial actions taken

If you have concerns about the security of your personal data, please contact us immediately using the contact information provided in section 9.

6. Third-party websites

This privacy statement does not apply to third-party websites connected by links on our website. We cannot guarantee that these third parties handle your personal data in a reliable or secure manner. We recommend you read the privacy statements of these websites prior to making use of these websites.

7. Accessing and modifying your data

If you have any questions or want to know which personal data we have about you, please contact us. You can contact us by using the information below. You have the following rights:

  1. You have the right to know why your personal data is needed, what will happen to it, and how long it will be retained for.
  2. Right of access: You have the right to access your personal data that is known to us.
  3. Right to rectification: You have the right to supplement, correct, have deleted or blocked your personal data whenever you wish.
  4. If you give us your consent to process your data, you have the right to revoke that consent and to have your personal data deleted.
  5. Right to transfer your data: You have the right to request all your personal data from the controller and transfer it in its entirety to another controller.
  6. Right to object: You may object to the processing of your data. We comply with this, unless there are justified grounds for processing.

Please make sure to always clearly state who you are, so that we can be certain that we do not modify or delete any data of the wrong person.

8. Submitting a complaint

If you are not satisfied with the way in which we handle (a complaint about) the processing of your personal data, you have the right to submit a complaint to the relevant Data Protection Authority:

  1. For EEA/Finland residents: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at https://tietosuoja.fi/
  2. For UK residents: Information Commissioner's Office (ICO) at https://ico.org.uk/
  3. For Norwegian residents: Datatilsynet (Norwegian Data Protection Authority) at https://www.datatilsynet.no/
  4. For Canadian residents: Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/
  5. For US residents: Federal Trade Commission (FTC) at https://www.ftc.gov/. California residents may also contact the California Attorney General at https://oag.ca.gov/privacy
  6. For Japanese residents: Personal Information Protection Commission (個人情報保護委員会) at https://www.ppc.go.jp/

9. Contact details

Suomen Pehmeä Ikkuna Oy
Teollisuustie 10, 54800 Savitaipale, Finland

Website: https://pikkuna.fi/
Email: info@pikkuna.fi

10. Changes to this Privacy Statement

We reserve the right to make amendments to this privacy statement. It is recommended that you consult this privacy statement regularly in order to be aware of any changes. In addition, we will actively inform you wherever possible.

The latest version of this privacy statement is always available on our website. We will update the "Last updated" date at the top of this privacy statement when we make changes.

Your continued use of our website after any changes to this privacy statement constitutes your acceptance of such changes.

11. Additional Rights for California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  1. The right to know what personal information we collect about you
  2. The right to delete your personal information
  3. The right to opt-out of the sale of your personal information
  4. The right to non-discrimination for exercising your CCPA rights

To exercise these rights, please contact us using the information provided in the "Contact details" section.

12. Additional Rights for Canadian Residents

If you are a Canadian resident, you have additional rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  1. The right to access your personal information
  2. The right to challenge the accuracy of your personal information
  3. The right to withdraw consent for the collection, use, or disclosure of your personal information

To exercise these rights, please contact us using the information provided in the "Contact details" section.

13. Children's Privacy

Our website is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us, and we will take steps to delete such information.

In accordance with the Children's Online Privacy Protection Act (COPPA), we will not knowingly collect, use, or disclose personal information from children under the age of 13 without prior parental consent.

14. Cross-Border Data Transfers

Your personal information may be transferred to, and processed in, countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

14.1 Transfers to the United States

When we transfer personal information from the European Economic Area (EEA) or the United Kingdom to the United States (for processors including Google LLC, Meta Platforms Inc., ByteDance Ltd., Stripe Inc., Airtable Inc., and Mailgun Technologies), we use Standard Contractual Clauses (SCCs) approved by the European Commission as safeguards to protect your data in accordance with GDPR Chapter V.

Standard Contractual Clauses are contractual commitments between us and our processors that provide adequate safeguards for personal data transferred outside the EEA, as recognized by the European Commission following the Schrems II ruling (2020).

14.2 Transfers to India and Other Countries

For Zoho Corporation services, data may be processed in India or within the European Union (Netherlands). We use Standard Contractual Clauses and ensure that Zoho implements appropriate technical and organizational measures to protect your personal information.

14.3 Canadian Data Transfers

When we transfer personal information from Canada to other countries, we take appropriate safeguards to ensure that your personal information remains protected in accordance with PIPEDA. These safeguards include contractual commitments and technical security measures implemented by our processors.

14.4 Your Rights Regarding International Transfers

If you have concerns about the transfer of your personal information to countries outside your jurisdiction, you have the right to request information about the safeguards we have put in place. You may also have the right to object to such transfers in certain circumstances. Please contact us using the information provided in section 9.

15. Additional Rights for UK Residents

If you are a resident of the United Kingdom, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

  1. Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to the personal data
  2. Right to rectification: You have the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed
  3. Right to erasure ("right to be forgotten"): In certain circumstances, you have the right to obtain the erasure of personal data concerning you
  4. Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format
  5. Right to object: You have the right to object to processing of your personal data where we are relying on a legitimate interest
  6. Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk/

Data transfers from the UK to countries outside the UK are protected by UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses approved by the UK ICO.

16. Additional Rights for Norway Residents

If you are a resident of Norway, you have rights under the Norwegian Personal Data Act (Personopplysningsloven):

  1. Right of access: You have the right to know what personal data we process about you
  2. Right to rectification: You have the right to have incorrect personal data corrected
  3. Right to erasure: In certain cases, you have the right to have your personal data deleted
  4. Right to data portability: You have the right to receive your data in a structured, commonly used format
  5. Right to object: You may object to certain types of processing
  6. Right to lodge a complaint: You have the right to lodge a complaint with Datatilsynet (Norwegian Data Protection Authority) at https://www.datatilsynet.no/

As Norway is part of the European Economic Area (EEA), data transfers within the EEA are considered adequate under Norwegian law. For transfers outside the EEA, we use Standard Contractual Clauses.

17. Additional Rights for Japan Residents

If you are a resident of Japan, you have rights under the Act on the Protection of Personal Information (APPI, 個人情報保護法):

  1. Right of disclosure: You have the right to request disclosure of your personal information
  2. Right to correction: You have the right to request correction of inaccurate personal information
  3. Right to deletion: You have the right to request deletion of your personal information in certain circumstances
  4. Right to suspend use: You have the right to request suspension of use or provision to third parties in certain cases
  5. Right to lodge a complaint: You have the right to lodge a complaint with the Personal Information Protection Commission (個人情報保護委員会) at https://www.ppc.go.jp/

We transfer personal data to Japan in accordance with APPI requirements. As Japan has been recognized by the European Commission as providing adequate protection for personal data, transfers from the EEA to Japan are facilitated under this adequacy decision.

18. Additional Rights for Quebec Residents

If you are a resident of Quebec, you have additional rights under Law 25 (formerly Bill 64):

  1. The right to data portability: You can request your personal information in a structured, commonly used format
  2. The right to be informed about automated decision-making: We will inform you when your personal information is used to make an automated decision
  3. The right to withdraw consent at any time
  4. The right to request the cessation of dissemination of your personal information

We have implemented the following measures to comply with Law 25:

  1. Appointed a privacy officer responsible for the protection of personal information
  2. Conduct privacy impact assessments for new projects
  3. Maintain a register of confidentiality incidents
  4. Implement privacy by default in our systems and processes

In case of a confidentiality incident involving your personal information, we will:

  1. Notify you without delay if the incident presents a risk of serious injury
  2. Notify the Commission d'accès à l'information du Québec if the incident presents a risk of serious injury
  3. Take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature

To exercise your rights under Law 25, please contact our privacy officer using the information provided in the "Contact details" section.
