Last updated: October 7, 2025
This privacy statement applies to citizens and legal permanent residents of the European Economic Area, United Kingdom, Norway, United States, Canada, and Japan.
This privacy statement explains what we do with the data we obtain about you via pikkuna.fi. We recommend you carefully read this statement. In our processing, we comply with the requirements of privacy legislation. That means, among other things, that:
If you have any questions or want to know exactly what data we keep of you, please contact us.
We may collect or receive personal information for a number of purposes connected with our business operations which may include the following:
Data we collect:
Retention period: We retain this data until the service is terminated.
We use Stripe Inc. (based in the United States) as our payment processor to handle secure payment transactions. Stripe is a PCI DSS Level 1 certified payment processor, which is the highest level of security certification in the payments industry.
Data we collect:
Third-party processor: Stripe Inc. processes payment data on our behalf. Data transfers to the United States are protected by Standard Contractual Clauses. For more information, see Stripe's Privacy Policy.
Retention period: We retain this data upon termination of the service for the following number of months: 120 (10 years). This retention period is justified by Finnish accounting law (Kirjanpitolaki 1336/1997), which requires businesses to retain accounting records including invoices for a minimum of 6 years. We retain data for 10 years to cover potential warranty claims, product liability issues, and tax audits.
Data we collect:
Legal basis: For compliance with a legal or regulatory obligation.
Retention period: We retain this data until the service is terminated.
Data we collect:
Legal basis: Consent (GDPR Article 6(1)(a) and ePrivacy Directive)
We collect this data through cookies and similar technologies only after obtaining your explicit consent via our cookie banner. You can manage your cookie preferences at any time through our Cookie Policy.
Retention period: Upon termination of the service we retain this data for the following period: 26 months.
Data we collect:
Retention period: We retain this data upon termination of the service for the following number of months: 120 (10 years). This retention period is justified by Finnish accounting law (Kirjanpitolaki 1336/1997), which requires businesses to retain accounting records including invoices for a minimum of 6 years. We retain data for 10 years to cover potential warranty claims, product liability issues, and tax audits.
We use marketing pixels from Facebook (Meta Platforms Inc.) and TikTok (ByteDance Ltd.) to measure the effectiveness of our advertising campaigns, track conversions, and show you relevant advertisements on these platforms.
Data we collect:
Legal basis: Consent (GDPR Article 6(1)(a) and ePrivacy Directive). We only activate these marketing pixels after you have accepted marketing cookies through our cookie banner.
Purpose: To measure advertising effectiveness, optimize our marketing campaigns, retarget visitors with relevant ads, and create custom audiences for advertising purposes.
Retention period: Marketing pixel data is retained by Facebook and TikTok according to their respective privacy policies. Cookie consent can be revoked at any time through our Cookie Policy.
We only share this data with processors and with other third parties for which consent must be obtained.
We share your personal data with the following processors:
Processor | Country | Purpose | Data Transfer Safeguards |
---|---|---|---|
Google LLC | USA | Analytics and advertising | Standard Contractual Clauses |
Meta Platforms Inc. (Facebook) | USA | Marketing pixels and advertising | Standard Contractual Clauses |
ByteDance Ltd. (TikTok) | USA | Marketing pixels and advertising | Standard Contractual Clauses |
Stripe Inc. | USA | Payment processing | Standard Contractual Clauses |
Zoho Corporation Pvt. Ltd. / Zoho Corporation B.V. | India / Netherlands | CRM, customer support, visitor analytics | Standard Contractual Clauses, EU presence |
Airtable Inc. | USA | Order management and tracking | Standard Contractual Clauses |
Mailgun Technologies Inc. | USA | Transactional email delivery | Standard Contractual Clauses |
All processors located in the United States are outside the European Economic Area. We ensure appropriate safeguards are in place for data transfers through Standard Contractual Clauses approved by the European Commission in accordance with GDPR Chapter V.
Our website uses cookies. For more information about cookies, please refer to our Cookie Policy.
We may disclose your personal information in the following circumstances:
We disclose personal information if we are required by law or by a court order, in response to a law enforcement agency, to the extent permitted under other provisions of law, to provide information, or for an investigation on a matter related to public safety. This includes compliance with tax authorities, regulatory bodies, and law enforcement agencies in Finland and other jurisdictions where we operate.
If our website or organisation is taken over, sold, or involved in a merger or acquisition, your details may be disclosed to our advisers and any prospective purchasers and will be passed on to the new owners. In such cases, we will ensure that the receiving party is bound by terms at least as protective as this Privacy Statement.
We have concluded Data Processing Agreements (DPAs) with all our processors as required by GDPR Article 28:
These agreements ensure that our processors only process personal data on our documented instructions and implement appropriate technical and organizational measures to protect your data.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Any sharing of data with third parties is limited to the purposes described in this Privacy Statement and is subject to appropriate safeguards.
We are committed to the security of personal data and implement appropriate technical and organizational measures to protect your information against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with GDPR Article 32.
Our technical security measures include:
Our organizational security measures include:
In case of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
If you have concerns about the security of your personal data, please contact us immediately using the contact information provided in section 9.
This privacy statement does not apply to third-party websites connected by links on our website. We cannot guarantee that these third parties handle your personal data in a reliable or secure manner. We recommend you read the privacy statements of these websites prior to making use of these websites.
If you have any questions or want to know which personal data we have about you, please contact us. You can contact us by using the information below. You have the following rights:
Please make sure to always clearly state who you are, so that we can be certain that we do not modify or delete any data of the wrong person.
If you are not satisfied with the way in which we handle (a complaint about) the processing of your personal data, you have the right to submit a complaint to the relevant Data Protection Authority:
Suomen Pehmeä Ikkuna Oy
Teollisuustie 10, 54800 Savitaipale, Finland
Website: https://pikkuna.fi/
Email: info@pikkuna.fi
We reserve the right to make amendments to this privacy statement. It is recommended that you consult this privacy statement regularly in order to be aware of any changes. In addition, we will actively inform you wherever possible.
The latest version of this privacy statement is always available on our website. We will update the "Last updated" date at the top of this privacy statement when we make changes.
Your continued use of our website after any changes to this privacy statement constitutes your acceptance of such changes.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
To exercise these rights, please contact us using the information provided in the "Contact details" section.
If you are a Canadian resident, you have additional rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
To exercise these rights, please contact us using the information provided in the "Contact details" section.
Our website is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us, and we will take steps to delete such information.
In accordance with the Children's Online Privacy Protection Act (COPPA), we will not knowingly collect, use, or disclose personal information from children under the age of 13 without prior parental consent.
Your personal information may be transferred to, and processed in, countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
When we transfer personal information from the European Economic Area (EEA) or the United Kingdom to the United States (for processors including Google LLC, Meta Platforms Inc., ByteDance Ltd., Stripe Inc., Airtable Inc., and Mailgun Technologies), we use Standard Contractual Clauses (SCCs) approved by the European Commission as safeguards to protect your data in accordance with GDPR Chapter V.
Standard Contractual Clauses are contractual commitments between us and our processors that provide adequate safeguards for personal data transferred outside the EEA, as recognized by the European Commission following the Schrems II ruling (2020).
For Zoho Corporation services, data may be processed in India or within the European Union (Netherlands). We use Standard Contractual Clauses and ensure that Zoho implements appropriate technical and organizational measures to protect your personal information.
When we transfer personal information from Canada to other countries, we take appropriate safeguards to ensure that your personal information remains protected in accordance with PIPEDA. These safeguards include contractual commitments and technical security measures implemented by our processors.
If you have concerns about the transfer of your personal information to countries outside your jurisdiction, you have the right to request information about the safeguards we have put in place. You may also have the right to object to such transfers in certain circumstances. Please contact us using the information provided in section 9 below.
If you are a resident of the United Kingdom, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
Data transfers from the UK to countries outside the UK are protected by UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses approved by the UK ICO.
If you are a resident of Norway, you have rights under the Norwegian Personal Data Act (Personopplysningsloven):
As Norway is part of the European Economic Area (EEA), data transfers within the EEA are considered adequate under Norwegian law. For transfers outside the EEA, we use Standard Contractual Clauses.
If you are a resident of Japan, you have rights under the Act on the Protection of Personal Information (APPI, 個人情報保護法):
We transfer personal data to Japan in accordance with APPI requirements. As Japan has been recognized by the European Commission as providing adequate protection for personal data, transfers from the EEA to Japan are facilitated under this adequacy decision.
If you are a resident of Quebec, you have additional rights under Law 25 (formerly Bill 64):
We have implemented the following measures to comply with Law 25:
In case of a confidentiality incident involving your personal information, we will:
To exercise your rights under Law 25, please contact our privacy officer using the information provided in the "Contact details" section.
Skriv inn bestillingsnummeret og e-posten din for å sjekke gjeldende status