Verkkokurssikassa Oy — Privacy Policy

Data Controller

- Verkkokurssikassa Oy

- Business ID: 3497731-1

- Address: Raunistulantie 7 B 26, 20300 Turku, Finland

- Email for privacy matters: info@verkkokurssikassa.fi

1. General

- This Privacy Policy describes how Verkkokurssikassa Oy ("we", "service") collects, uses, stores, and discloses personal data in connection with the use of the service.

- The data controller is Verkkokurssikassa Oy.

2. Data Subjects

- Our customers (companies and their contact persons)

- Our customers' end customers (online store buyers)

3. Data Collected and Sources

- Customer accounts: name, email, profile picture, language setting, account creation and update information, acceptance timestamps

- Authentication and usage: two-factor authentication, session identifiers, login times, technical data (IP address, user-agent)

- Organization data: organization name, Business ID, address, contact email, website, logo, VAT number

- Checkout subscriber data: name, email, phone, address, company details, ordered products, order details and where necessary technical data for order processing

- Payment data: tokenized payment data and payment transaction identifiers (card details are not stored)

- Analytics and tracking: customer activations (Meta Pixel, Meta CAPI, Google Analytics, Google Tag Manager) and data collected with end user consent

- Error and log data: application error logs and technical logs (e.g. Sentry)

4. Purposes and Legal Bases for Processing (GDPR)

- Delivering the service and performance of contract (Art. 6(1)(b))

- Order and payment processing and accounting obligations (contract and legal obligation)

- Customer service and communication (contract / legitimate interest, Art. 6(1)(f))

- Service development and error monitoring (legitimate interest, Art. 6(1)(f))

- Analytics from end users only with consent (consent, Art. 6(1)(a))

5. Retention Periods

- Customer accounts: retained for the duration of the customer relationship and thereafter as long as contractual or legal obligations require

- Payment and transaction data: retained in accordance with statutory and payment service provider requirements

- Checkout subscriber data: retained for the time necessary for order processing and service functionality, or until the data subject requests deletion and no legal obligations prevent it

- Logs and error reports: retention period based on technical need, documented in internal policy

6. Rights of Data Subjects

- Right of access to personal data

- Right to rectify inaccurate data

- Right to erasure ("right to be forgotten") where legal or contractual obligations do not prevent it

- Right to restrict processing in certain circumstances

- Right to object to processing, including direct marketing

- Right to data portability

- Right to withdraw consent at any time (for consent-based processing)

- Rights can be exercised by contacting: info@verkkokurssikassa.fi

- Requests will be responded to without undue delay and within one month of receipt

- If a request is not handled satisfactorily, the data subject has the right to lodge a complaint with the supervisory authority (Data Protection Ombudsman, Finland)

7. Disclosure of Data and Sub-processors

- Payment processing: Paytrail (tokenized payment data and payment transactions)

- Course platforms: Kajabi (integrations separately activated by the customer may transfer name and email data)

- Analytics and tracking: Meta Pixel, Meta CAPI, Google Analytics, Google Tag Manager — used only if the customer's checkout has activated them and the end user has given consent

- Cloud and development services: AWS, Vercel, Neon Serverless Postgres, Sentry — technical access to the system for application functionality and error detection

- Disclosures occur only on lawful grounds and on a contractual or consent basis; written data processing agreements are in place with all processors

8. International Transfers

- Some of our service providers, such as AWS, Vercel, and Sentry, transfer data outside the EU/EEA, including to the United States.

- These service providers have their own data protection practices and commitments, which are available on each provider's own website.

- Customers will be informed of significant changes to transfers through the service documentation.

9. Security and Data Breaches

- Technical safeguards: encryption, access controls, secure connections, and encrypted API keys and tokens

- Organisational safeguards: minimisation of access rights

- Data breach notification: we detect and handle data breaches as quickly as possible. Where required, we will notify the supervisory authority within the timeframe required by GDPR, and will inform data subjects when the obligation to notify applies

10. Cookies and Tracking

- The service uses cookies and similar technologies for session management and functionality

- Analytics relating to our customers' end users is only activated when the customer's checkout has enabled it and the end user has given consent

- Data subjects have the right to withdraw consent to analytics at any time

11. Changes to This Policy

- We reserve the right to update this Privacy Policy.

- Significant changes will be communicated by email or through the service.

- The current version is always available within the service.

12. Contact Information

- Questions and requests: info@verkkokurssikassa.fi

- Supervisory authority (Finland): Office of the Data Protection Ombudsman — https://www.tietosuoja.fi