Privacy policy

EU General Data Protection Regulation (GDPR)

Date of Preparation: March 21, 2025

 

1. Data Controller

MOOR-ROOM Oy

Suopursunkallio 8

FI-02860 Espoo, Finland


2. Person Responsible for Register Matters and/or Contact Person

Mika Korhonen

mikki@moor-room.com


3. Name of the Register

MOOR-ROOM Oy Customer Register

 

4. Purpose of Processing Personal Data and Legal Basis for Processing

Personal data stored in the Moor-room.com online store user register is used for the following purposes:

Customer Relationship Management and Contract Execution: Personal data is processed for entering into customer agreements, processing orders, delivering products, processing payments, providing customer service, and handling possible complaints. The legal basis for processing is the performance of a contract (GDPR Article 6(1)(b)).

Customer Communication: Personal data may be used for customer communication, such as sending order confirmations, delivery notifications, and other messages related to the customer relationship. The legal basis for processing is the performance of a contract and the legitimate interests of the data controller (GDPR Article 6(1)(b) and 6(1)(f)). The legitimate interests relate to efficient customer service and customer relationship management.

Marketing: The customer may separately give their consent (GDPR Article 6(1)(a)) to receive marketing messages (e.g., newsletters, offers). Consent is requested separately, and the data subject has the right to withdraw their consent at any time.

Legal Obligations: Personal data may be processed for the fulfillment of legal obligations (e.g., accounting law) (GDPR Article 6(1)(c)).

Website Development and Analytics: Personal data (e.g., technical log data) may be used for website development, usage analysis, and ensuring the functionality of the service. The legal basis for processing is the legitimate interests of the data controller (GDPR Article 6(1)(f)). The legitimate interests relate to ensuring the functionality and development of the website.

5. Data Content of the Register

The following data is collected about data subjects in the register:

Basic Information: First name and last name, customer number

Contact Information: Address, telephone number, and email address

Order Information: Order history (order date, payment method, ordered products, order method, shopping list), order tracking information

Customer Relationship Information: Possible discount benefits belonging to the customer, customer feedback, and contacts

Technical Information: Internet server technical log data (IP address, browser)

Marketing Information: Direct marketing permission/consent, information on the sending and receipt of marketing messages

 

6. Regular Sources of Information

The data controller primarily collects personal data from the following sources:

The data subject, who provides the information themselves when using the Moor-room.com online store website, for example, when registering, placing an order, or subscribing to a newsletter.

 

7. Disclosure and Transfer of Data

Data Disclosures: Personal data may be disclosed to the following recipients:

Service Providers: Personal data may be disclosed to reliable service providers used by the data controller, who provide services such as payment processing, logistics, information technology, marketing, or customer service. Appropriate data protection agreements (e.g., a data processing agreement under GDPR Article 28) have been made with these service providers. Examples:

Payment service providers (payment processing)

Logistics companies (order delivery)

IT service providers (online store maintenance, hosting)

Marketing service providers (newsletter sending)

Authorities: Personal data may be disclosed to authorities if required by law (e.g., tax authorities).

Data Transfers Outside the EU or EEA:

Personal data is generally not transferred outside the EU or EEA.

Information about newsletter subscribers (email address, name) may be transferred to the servers of the newsletter service used by the data controller, which may also be located outside the EU/EEA. Such transfers are carried out in accordance with the GDPR using appropriate safeguards. The safeguards used may include, for example:

Standard contractual clauses approved by the EU Commission (GDPR Article 46)

Service provider's Privacy Shield certification (if applicable and in force)

More detailed information on possible transfers and the safeguards used is available from the data controller.

 

8. Data Retention Period

Personal data is retained for as long as necessary to fulfill the defined processing purposes, unless legislation requires a longer retention period.

Information related to the customer relationship (e.g., order history) is generally retained for 5 years from the latest order or the termination of the customer relationship.

Accounting material is retained for the time required by the Accounting Act.

Data collected for marketing purposes is retained as long as the customer has given their consent for marketing. After the withdrawal of consent, the data is only retained if there is another legal basis for it.

Technical log data is retained for 12 months.

More detailed retention periods may be defined separately for different data groups if necessary.


9. Data Protection

The data controller has implemented appropriate technical and organizational measures to protect personal data from unauthorized access, processing, disclosure, destruction, or damage. These measures include, among other things:   

Access Control: Access to the register is only granted to designated individuals who need to process personal data based on their job duties. User IDs and passwords are personal.

Data Security Practices: Personal data is processed in accordance with data security instructions.

Data Pseudonymization and Encryption: Personal data is pseudonymized or encrypted if necessary.

Protection of Network Connections: Data communication is protected by appropriate methods (e.g., SSL encryption).

Server Protection: Servers are located in protected facilities and have appropriate access control.

Backup: Personal data is regularly backed up.

Notification of Data Breaches: The data controller has procedures in place to detect data breaches and to notify the supervisory authority and data subjects as required by the GDPR.

 

10. Rights of the Data Subject

The data subject has the following rights:

Right of Access: The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and further information concerning the processing (GDPR Article 15).   

Right to Rectification: The data subject has the right to demand that inaccurate or incomplete personal data be rectified or completed (GDPR Article 16).

Right to Erasure ("Right to be Forgotten"): The data subject has the right to have their personal data erased in certain situations (GDPR Article 17). Such situations include:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing.   

The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.   

Right to Restriction of Processing: The data subject has the right to obtain restriction of processing of their personal data in certain situations (GDPR Article 18).   

Right to Data Portability: The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and has the right to transmit that data to another data controller (GDPR Article 20).   

Right to Object: The data subject has the right to object to the processing of their personal data in certain situations, for example, for direct marketing purposes (GDPR Article 21).

Right to Withdraw Consent: If the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.   

Right to Lodge a Complaint with a Supervisory Authority: The data subject has the right to lodge a complaint with a competent supervisory authority if they consider that the processing of personal data infringes data protection legislation. In Finland, the competent supervisory authority is the Data Protection Ombudsman.   

11. Contact Information

The data subject can exercise their rights by contacting the data controller or the person responsible for register matters.

MOOR-ROOM Oy

Suopursunkallio 8

FI-02860 Espoo, Finland


Contact Person: Mika Korhonen

Email: mikki@moor-room.com


12. Automated Decision-Making and Profiling

The online store does not use automated decision-making or profiling that would have legal effects concerning the data subject.


13. Changes to the Privacy Policy

The data controller may make changes to this privacy policy. The up-to-date privacy policy is available on the data controller's website.

Last updated: 13.6.2025