© Pal-Jon Oy 2026

Privacy policy

Table of contents

This is a statement on the processing of personal data in accordance with the General Data Protection Regulation (679/2016) of the European Union.

Data Controller

Pal-Jon Oy
Business ID: 3112654-6
Address: Puutarhakatu 45, 20100 TURKU
Phone: 044 979 3692
Email: stefan.soderholm@paljon.fi

Contact for Data Protection Matters

Stefan Söderholm
Phone: 044 979 3692
Email: stefan.soderholm@paljon.fi

For all inquiries related to the processing of personal data and situations involving the exercise of your rights, we encourage the data subject to contact the above-mentioned contact person.

Name of the Personal Data Register

Individuals registered with Pal-Jon Oy's NANOid (NANOid)

Legal Basis and Purpose of Personal Data Processing

The legal basis for processing personal data is:

  • Consent given by the data subject for the processing of personal data.
  • An existing contractual relationship between the data subject and the data controller.
  • The legitimate interests of the data controller, based on the customer relationship between the data subject and the data controller. Joining the customer loyalty program is voluntary and open. The purpose of the operation is to provide customer-oriented, meaningful, and cost-effective services and benefits to customers. The legitimate interest of the company is to develop and improve services, product offerings, and the website. We believe that limited processing of personal data for the development of our business benefits the customer more than it harms.
  • The purposes of personal data processing include electronic direct marketing (via email and SMS messages), managing customer relationships, maintaining the customer loyalty program, and targeting marketing and advertising by sharing data with partners, for example, to receive bonuses or other customer loyalty benefits.

Regular Data Sources

Personal data being processed is regularly obtained from the following sources:

  • The data subject themselves.
  • Registers maintained by authorities within the limits allowed by law.
  • Data may also be collected through tools such as Google Analytics or similar analytics tools.

Processed Personal Data

The data controller collects only such personal data about the data subjects that are essential and necessary for the purposes described in this privacy statement.

The following data about the data subjects is processed:

  • Name
  • Phone number
  • Email
  • Address
  • Purchase information, information about paid benefits, and received discounts

Disclosure of Personal Data

Personal data is not disclosed to third parties unless there is a legal obligation to do so. Data may exceptionally be disclosed, for example, to authorities as required by law.

Transfers of Personal Data to Third Countries

Personal data is not transferred outside the European Union and the European Economic Area.

Protection of Personal Data

The data controller processes personal data in a manner aimed at ensuring the appropriate security of personal data, including protection against unauthorized processing and accidental loss, destruction, or damage.

The data controller employs appropriate technical and organizational security measures to achieve this goal, including the use of firewalls, encryption techniques, secure premises, proper access control, and training for staff involved in the processing of personal data.

All employees processing personal data are subject to confidentiality obligations based on the Employment Contracts Act (55/2001) and supplementary confidentiality agreements.

Data Retention Period

Personal data is retained only for as long as necessary, but always for at least the duration of the customer and contractual relationship. We regularly remove outdated data and data that has become unnecessary.

The data controller may have an obligation to process some personal data in the register for longer periods as required by legislation or regulatory requirements.

Profiling

The processing of personal data includes profiling, which means the automatic processing of personal data to evaluate certain personal characteristics of the data subject. Profiling is done to facilitate more targeted direct marketing and other communication based on the data subject's areas of interest.

Rights of the Data Subject

Right to Access Personal Data

The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, the right to access a copy of their personal data.

Right to Rectification of Data

The data subject has the right to request the correction of inaccurate and incomplete personal data concerning them. The data subject also has the right to have incomplete personal data completed by providing the necessary additional information.

Right to Erasure of Data

The data subject has the right to request the erasure of personal data concerning them if:

  1. The personal data is no longer necessary for the purposes for which it was collected.
  2. The data subject withdraws consent on which the processing is based, and there is no other legal basis for the processing.
  3. The personal data has been unlawfully processed.

Right to Restriction of Processing

The data subject has the right to restrict the processing of their personal data if:

  1. The data subject contests the accuracy of their personal data.
  2. The processing is unlawful, and the data subject opposes the erasure of their personal data and requests the restriction of their use instead.
  3. The data controller no longer needs the personal data for the original purposes of the processing, but the data subject needs them for the establishment, exercise, or defense of legal claims.

Right to Object

The data subject has the right to object to the processing of their personal data for reasons related to their particular situation at any time.

The data controller may no longer process the data subject's personal data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or unless the processing is necessary for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data for such marketing, including profiling related to such direct marketing, at any time.

Right Not to Be Subject to Automated Decision-Making

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

This does not apply if the decision is necessary for the conclusion or performance of a contract between the data subject and the data controller or is based on the data subject's explicit consent.

Right to Withdraw Consent

The data subject has the right to withdraw their consent to the processing at any time without affecting the lawfulness of the processing based on consent before its withdrawal.

Right to Data Portability

The data subject has the right to receive their personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format and have the right to transmit that data to another data controller.

Right to Lodge a Complaint with a Supervisory Authority

The national supervisory authority for data protection matters is the Office of the Data Protection Ombudsman, operating under the Ministry of Justice. You have the right to bring your case to the attention of the supervisory authority if you believe that the processing of your personal data violates the applicable legislation.

Changes to Data Protection Practices

The data controller continuously develops its operations and may, therefore, need to change and update its data protection practices as necessary. Changes may also be based on changes in data protection legislation.

If the changes include new purposes for the processing of personal data or otherwise significantly alter the practices, the data controller will notify in advance and request consent if necessary.

If the different language versions of the rules and other documentation differ, the Finnish-language versions shall take precedence.