Privacy Policy for Online Services

1. Data Controller

O.S. Palvelut (hereinafter “Bio Grand” or “we”)
2794141-7
Kielotie 7
01300 VANTAA

Email: [email protected]

The data controller collects, stores, and processes personal data as the controller to provide the website and related services (hereinafter also “services”). The controller is committed to complying with applicable laws. This privacy policy describes our practices regarding personal data processing. The controller collects, stores, and otherwise processes personal data in accordance with this privacy policy and the registry descriptions of separate registers.

We are committed to protecting your privacy. We respect the confidentiality and security of your personal data. The primary basis for processing personal data is the customer relationship, another legitimate connection, or the consent of the data subject.

Do not use the website or services if you do not accept this privacy policy.

2. What personal data do we collect?

We may collect your personal data when you use the website, for example IP address, browsing time, which websites you came from, which websites you visit next, which links you click, which content you have viewed, how long the session lasts, your browser type, and similar information. We may also process derived or profiled information using web analytics.

We process information you provide yourself, for example through customer feedback. We also process information provided when purchasing products and services, such as your name, address, email address, and phone number.

If you use the online store, we process information related to the purchase transaction, such as customer type, your purchases, downloads, and information you provide us. Additionally, we process delivery information for products and services, information about your communications with us, and other similar information describing our interaction with the customer. For information on the processing of customer-related data, see the registry description of the online services personal data register.

Products and services are generally intended for all audiences. However, we do not knowingly collect personal data about children under 15 without the consent of their parents or guardians.

3. Why do we process personal data?

We process personal data only for predefined purposes. We may process your personal data to manage your bookings and purchases and to fulfill other similar obligations.

Using the online store requires creating a customer profile. More information on the processing of personal data related to your customer profile is available in the online services personal data register description.

We may process personal data to develop and manage products, services, sales, and marketing and to improve user experience. Additionally, we may process personal data to prevent and investigate misuse.

4. Customer communication and marketing

We may process your personal data to receive and respond to customer feedback.

Even if you opt out of direct marketing, we may still send you notifications about our services, for example, to inform you about service malfunctions or contact you for this purpose.

5. Do we disclose or transfer personal data?

We do not sell or otherwise disclose your personal data to third parties except in the situations described in this privacy policy or registry descriptions. We may transfer personal data to our service providers.

We may also disclose personal data as required by applicable law or binding authorities. We may also disclose or otherwise process personal data in accordance with applicable law to protect the legitimate interests of the controller.

We may transfer personal data to a potential buyer or their advisor during corporate transactions.

Data is generally not transferred outside the European Union or the European Economic Area unless necessary for the purposes of personal data processing or technical implementation, in which case transfers comply with data protection laws.

6. How do we protect your personal data?

We design and produce all our services with privacy and security in mind. Databases are protected with firewalls, passwords, and other technical measures against external breaches. We ensure data communication security and risks related to personal data processing, taking into account the likelihood of risks and the nature of the protected data. Access to databases containing personal data is limited to authorized personnel with a legitimate need to process the personal data.

Our services may contain links to third-party websites or services, which have their own privacy practices. We recommend reviewing the privacy policies of such third parties. We are not responsible for third-party privacy practices or personal data processing.

7. Cookies and location data

We use cookies and similar technologies on our website to serve our customers as effectively as possible. A cookie is a small text file delivered to the user's device through the service. Cookies are used, for example, to enable website functionalities such as login and online store shopping cart features.

Cookies allow us to collect information about devices used by visitors and behavior on the service, such as the page from which the user arrived, which browser is used, or which parts of the service were browsed. This information is used to improve the website usability and analyze visitor data.

Third parties may place cookies on our website with our consent to provide information or a personalized experience (e.g., Google Analytics).

You can block cookies entirely or partially at any time by changing your browser settings. You can also delete previously stored cookies. Note that blocking cookies may affect your use of some parts or functions of the website or services, or even prevent access.

8. Right of inspection, correction, and objection

You have the right under data protection law to inspect the information we have collected about you. Inspection requests must be addressed personally or in writing, signed, to the contact person mentioned at the end of this privacy policy.

We strive to update outdated personal data and remove unnecessary personal data. You can partially manage your personal data in our services. We encourage customers to periodically review their data, as notifying changes is the customer's responsibility.

You have the right, within legal limits, to request the correction or deletion of incorrect, unnecessary, incomplete, or outdated personal data.

9. Changes to this privacy policy

The data controller may occasionally make changes to this privacy policy.

Last updated: 31.10.2025

10. Contact

For privacy-related matters, you can contact us via the data controller's email address.

 
Personal Data Act (523 /99) Section 10 - Registry Description

1. Data Controller

See the previous privacy policy.

2. Name of the Register

Personal register for the website booking system and online store

3. Purpose of processing personal data

Data in the personal register may be used to provide services, deliver ordered products, manage and maintain customer relationships, and handle billing.

4. Contents of the register

The personal register may contain the following personal data and their changes:

  • Name
  • Contact details such as phone number, email address, and home address
  • Age/date of birth
  • Customer language
  • Email address
  • Start and end time and method of customer relationship or other legitimate contact
  • Data related to managing and communicating the customer relationship or other legitimate contact (e.g., username and password for the controller's electronic services, order and purchase behavior, feedback, complaints)
  • Username and password
  • Order and purchase behavior data
  • Billing and collection information
  • Customer-provided feedback
  • Information about the use of electronic services and content, technical data sent by the user's browser to the controller's server (e.g., IP address, browser, browser version, referring page), cookies sent to the browser, and related information if personal data is linked to cookies

5. Regular sources of information

Information is collected only from the data subject themselves.

6. Regular disclosures and data transfers

Data may be disclosed to competent authorities or other parties as required by applicable law.

Data may be transferred to selected partners of the controller who process data on behalf of the controller under a cooperation agreement. The processor has no right to process transferred data for their own purposes in their own registers.

Data is generally not transferred outside the EU or EEA unless necessary for processing purposes or technical implementation, in which case transfers comply with data protection laws.

7. Principles of register security

Databases related to the register are protected with firewalls, passwords, and other technical measures against external breaches. Databases and backups are stored in locked facilities inaccessible to unauthorized persons. Only specifically designated personnel of the controller have access to the data. Persons handling the data must not disclose it to outsiders during employment or afterward.

The register is located in the eTiketti POS service, and eTiketti POS Oy acts as the data processor. Full access to register data is available only to the controller and technical maintenance personnel of eTiketti POS Oy.

8. Right of inspection and correction

The data subject has the right under the Personal Data Act to inspect the data recorded about them. Inspection requests must be addressed personally or in writing, signed, to the contact person of the personal register.

The controller corrects, deletes, or supplements incorrect, unnecessary, incomplete, or outdated personal data in the register proactively or upon request. The data subject must contact the register's contact person to correct the information.