Our business is based on trust, which is why we process and store all information we receive, produce, and transmit with care. This register and privacy policy, in accordance with the Personal Data Act and the EU General Data Protection Regulation (GDPR), describes the principles we follow in processing personal data. Contact us if you need more information.
This is the register and privacy policy of Vuonum Oy in accordance with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR).
Vuonum Oy (FI35219854)
Vanhanpaikantie 33, 58520 Hiukkajoki, Finland
Pyry Jantunen
Customer, marketing, and stakeholder register of Vuonum Oy.
The legal bases for processing personal data under the EU GDPR are
1. the person’s consent (documented, voluntary, specific, informed, and unambiguous)
2. contract in which the data subject is a party
3. the controller’s legitimate interest (customer relationship)
The purpose of processing personal data is to maintain contact with customers and stakeholders, customer relationship management, recruitment, events, as well as marketing and communication. Data is not used for automated decision-making or profiling.
The information stored in the register includes: the person’s name and position, company or organization, contact details (phone number, email address, postal address, visiting address), website addresses, IP address of the network connection, identifiers and profiles in social media services, information on subscribed services and their changes, billing information, and other information related to the customer relationship and subscribed services.
Data stored in the register is obtained from the customer, for example, from messages sent via web forms, by email, by phone, through social media services, from contracts, customer meetings, and other situations where the customer provides their information.
Data is not regularly disclosed to other parties. Data may be published to the extent agreed with the customer. Data may also be transferred outside the EU or EEA by the registrar.
Care is observed in the processing of the register and the information processed with information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital security of the hardware is appropriately ensured. The registrar ensures that stored data as well as server access rights and other information critical to the security of personal data are handled confidentially and only by employees whose job description requires it.
Personal data collected for any purpose, or for multiple purposes, shall not be retained for longer than is necessary for those purposes. The data subject’s ‘right to erasure’ applies only where the controller has no overriding legal obligations requiring the continued processing of such personal data.
Basic customer information related to customer agreements is retained for three months after the end of the customer relationship. After this, the data will be deleted or anonymized. Data processed on the basis of consent is retained until the customer withdraws their consent. Email archive messages containing personal data are stored for a minimum of two years. Accounting materials are retained in accordance with the Accounting Act for six years.
In general, documents containing personal data (including electronic documents) are retained in accordance with statutory obligations, if the documents are considered relevant to ongoing or potential future legal proceedings.
Every individual in the register has the right to check their stored data and request correction of any incorrect information or completion of incomplete information. In addition, the individual has the following rights
1. the right to restrict processing (e.g. in marketing)
2. the right to object to processing
3. the right to withdraw consent
4. the right to lodge a complaint with a supervisory authority
If a person wants to check their stored information or request a correction, the request must be sent in writing to the registrar. If necessary, the registrar may request the requester to prove their identity. The registrar responds to the customer within the time specified in the EU GDPR (generally within one month).
A person in the register has the right to request the deletion of their personal data (“right to be forgotten”). Similarly, registered persons have other rights under the EU GDPR, such as restricting the processing of personal data in certain situations.
Requests must be sent in writing to the registrar. If necessary, the registrar may request the requester to prove their identity. The registrar responds to the customer within the time specified in the EU GDPR (generally within one month).
This Privacy Notice was issued on October 16 2025.