Privacy Policy

1. DATA CONTROLLER AND CONTACT INFORMATION

Nature Paavola Oy (hereinafter referred to as the "Controller" or "We")

Business ID: 2883773-4

Address: Multiantie 2969, 63950 Vehunkylä, Soini, Finland

email: naturepaavola@gmail.com

2. GENERAL 

This privacy policy describes how we process the personal data of our customers and potential customers or their contact persons, our distributors and subcontractors' contact persons, as well as visitors to the Paavola farm and users of our website.

3. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

We process personal data for the following purposes and on the following legal bases:

a. Managing and maintaining customer relationships, providing services and delivering orders, and related financial administration

  • Legal basis: for consumer customers, the performance of a contract; for other customer relationships, the legitimate interests of the Controller (such as managing and developing customer relationships and conducting business operations) and, in certain cases, the Controller's legal obligation (compliance with the Finnish Accounting Act 1336/1997 with regard to personal data contained in accounting records).

b. Management and maintenance of resale and subcontracting relationships and related financial administration

  • Legal basis: The legitimate interests of the Controller (such as managing and developing customer relationships and conducting business operations) and, in certain cases, the Controller's legal obligation (compliance with the Finnish Accounting Act 1336/1997 with regard to personal data contained in accounting records).

c. Selling and marketing our services, organising events and responding to contacts

  • Legal basis: The legitimate interest of the Controller (legitimate interest in conducting and promoting business) and the consent of the data subject.

d. Ensuring and maintaining the functioning of our website, developing and analysing visitor and page activity, and targeted advertising

  • Legal basis: The legitimate interest of the Controller when it comes to the functioning of cookies that are necessary for the operation of our website (legitimate interest in transmitting messages over a communications network and ensuring information security) and the consent of the data subject when it comes to the functioning of cookies other than those that are necessary.

e. Camera surveillance

  • Legal basis: Legitimate interest of the Controller (legitimate interest in ensuring security and protecting property as well as preventing and investigating situations relating to these)

Personal data may also be processed on the basis of the Controller's legitimate interest in order to prepare, submit or defend a legal claim, if the situation so requires.

Personal data is not used for automated decision-making or profiling.

4. PROCESSED PERSONAL DATA AND SOURCES

We process the following categories of personal data:

a. Client relationships

  • Name and contact information, such as e-mail address and telephone number, as well as the information of possible organization represented and title/position in said organization
  • For guests staying at our accommodation, also postal address, date of birth and any other legally required information
  • Information related to orders, customer relationships and the performance of our services, such as billing information and billing history

b. Resale and subcontractor relationships:

  • Name and contact information, such as e-mail address and telephone number, as well as the information of organization represented and title/position in said organization
  • Information related to the resale and subcontracting relationship

c. Website visitors

  • Data collected by the cookies used on our website, such as the IP address and other information collected by cookies, for example analytics data

d. Visitors at Paavola farm

  • Video footage recorded by CCTV of persons moving within the surveillance area. Signs in the surveillance area indicate that surveillance is in operation.

The provision of personal data is not a statutory or contractual requirement, except insofar as it relates to the processing of data of guests staying at the farm. The provision of certain personal data is also a prerequisite for the conclusion and performance of a contract between us and the data subject or the organisation represented by the data subject.

We mainly obtain data from the data subject themselves or the organisation they represent in connection with the performance of services/orders and during the customer or reseller relationship, for example by telephone or email. We may also receive data from authorities and contact information service providers. Within the framework of applicable legislation, we may also collect and update data from public sources such as organisations' websites.

CCTV data is collected on individuals who visit the Paavola farm.

Information about users visiting our website is collected through cookies used on the website.

5. DISCLOSURE OF PERSONAL DATA

We do not, as a rule, disclose your personal data to third parties. We may disclose personal data to authorities based on our legal obligations. Personal data may also be disclosed to subcontractors and/or resellers to the extent necessary, for example, to perform our services and/or deliver orders.

We use external service providers, i.e. data processors, who process personal data on our behalf for the purposes described in this privacy notice. These data processors are for example our accountant and the providers of software used by us.

Recordings collected through camera surveillance may be disclosed to the authorities in the event of a security breach for the purposes of a preliminary investigation in accordance with the Finnish Preliminary Investigation Act (805/2011) or, for example, to an insurance company investigating the matter.

6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU OR EEA

We do not, as a rule, transfer personal data outside the European Union ("EU") or European Economic Area ("EEA").

However, some of our data processors or their sub-processors are located outside the EU or EEA. In such cases, we take care of the level of data protection by ensuring that the European Commission has adopted an adequacy decision concerning the target country in question, or by requiring the data processor to accept the Standard Contractual Clauses approved by the European Commission to be part of the data processing agreement between us and said data processor.

7. RETENTION PERIODS FOR PERSONAL DATA

As the Controller we shall retain personal data only for as long and to the extent necessary for the purposes described in this privacy policy or when we have a legal right or obligation to do so:

  • The need to retain personal data related to customer relationships and resale and subcontractor relationships is assessed at least every two (2) years, at which time unnecessary/outdated personal data is deleted.
  • To comply with our obligations pursuant to the Finnish Accounting Act, personal data included in accounting materials is stored for a maximum period of the current year + ten (10) years from the end of the financial year that the accounting material concerns.
  • CCTV recordings are retained for a maximum of six months.

If the storage of personal data is necessary for the collection and/or the drafting, presenting or defending of possible legal claims, the storage may be continued for as long as necessary.

8. RIGHTS OF DATA SUBJECTS

8.1. General

The data subject may exercise their rights described in this section by contacting the Controller.

We will inform you of the actions taken based on your request generally within a month. We will also inform you if your request cannot be fulfilled for any reason.

In order to exercise the rights of the data subject, we may need to request additional information from the data subject so that we can identify them sufficiently.

8.2. Right of Access

The data subject may request information from the Controller about whether personal data concerning them is being processed and request information from the Controller about the personal data collected about them. The data subject has the right to obtain a copy of the personal data concerning them.

8.3. Right to Rectification and Erasure

The data subject may request the Controller to rectify or supplement the personal data concerning them if it is inaccurate, incorrect or incomplete.

The data subject may request the Controller to erase personal data concerning them on the grounds specified in the GDPR, for example, if the personal data are no longer necessary for the purposes for which they were collected. The Controller cannot delete personal data in all situations if the Controller has a legal obligation or other lawful basis to store the data.

8.4. Right to Restriction of Processing

The data subject may request the restriction of the processing of their personal data in certain situations specified in data protection legislation, such as when the data subject has contested the accuracy of their personal data, in which case the processing will be restricted for the period during which the Controller reviews the accuracy of said personal data.

8.5. Right to Object

The data subject may object to the processing of their personal data if the processing is based on the legitimate interest of the Controller. In such cases, the Controller may no longer process the personal data in question unless the Controller can demonstrate that there are compelling legitimate grounds for the processing which override the rights of the data subject.

8.6. Right to Withdraw Consent

If the processing of personal data is based on the consent of the data subject, the data subject may withdraw their consent at any time.

8.7. Right to Data Portability

Under certain conditions specified in data protection legislation, the data subject may request the Controller to provide the data subject with the personal data concerning them that the data subject has provided to the Controller and to transfer said data to another Controller.

8.8. Right to Lodge a Complaint with a Supervisory Authority

The data subject may lodge a complaint with the national supervisory authority if in the data subject's opinion the Controller does not process personal data appropriately or does not adequately implement the data subject's rights. A notification to the Finnish national data protection authority, i.e. the Data Protection Ombudsman, can be made at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman

9. AMENDING THE PRIVACY NOTICE

This privacy policy may be updated if necessary due to changes in our operations or legislation.

Data subjects will be notified of any significant changes to the processing of personal data by email.

This privacy policy was created on 14 November 2025.