Privacy Policy

Scope and definitions

This Policy applies to personal data we process in connection with the Site, email, telephone, and in-person interactions that relate to our services. “Personal data” means information relating to an identified or identifiable individual. “Processing” includes collection, storage, use, disclosure, and deletion.

Where we provide links to third-party sites, their privacy practices apply when you leave our Site. We encourage you to read those policies before submitting data elsewhere.

Categories of data we collect

Depending on how you interact with us, we may process:

• Identity and contact details: name, email address, telephone number, postal address when you provide them.
• Communication content: messages you send through forms, email, or post, including attachments and optional room descriptions.
• Technical data: IP address, browser type and version, device category, operating system, approximate region derived from IP, and timestamps of access.
• Cookie and similar data: as described in our Cookie Policy, including consent records stored locally on your device.
• Transactional and service records: order references, delivery notes, and consultation notes where relevant to fulfilling a request.

We do not ask for sensitive categories of data on the Site. If you voluntarily include such information in a message, we will treat it only as needed to respond or to meet legal obligations.

Online advertising

If we use online advertising platforms (including services such as Google Ads) in Finland or other regions, those platforms may process data in line with their own terms and your account or device settings. Where we use cookies, pixels, or similar tools for measurement or remarketing, we describe categories in our Cookie Policy and obtain consent when required. See also our Transparency & advertising page.

Purposes and legal bases

We process personal data for specific purposes and only where a legal basis applies (GDPR Articles 6 and 9 where relevant):

Responding to inquiries

We use contact details and message content to respond to you. This may rely on steps prior to entering a contract or our legitimate interests in operating the studio and communicating with prospective clients.

Providing and improving services

We process data to schedule consultations, deliver goods, document preferences you share, and improve the quality of our materials. We rely on legitimate interests in service delivery and quality management, and where applicable contract performance.

Security and abuse prevention

Technical logs, IP addresses, and rate limits help us detect misuse, protect the Site, and maintain availability. This is based on legitimate interests in security and integrity.

Legal and regulatory compliance

We may process data to comply with tax, accounting, or regulatory obligations, or to establish or defend legal claims.

Analytics and marketing (optional)

Where you enable analytics or marketing cookies, we process related data based on your consent, which you may withdraw at any time through cookie settings or your browser.

Sharing and processors

We do not sell personal data. We share data with processors who assist us under written agreements, such as hosting providers, email delivery services, and payment processors where purchases occur. They may only process data on our instructions and must implement appropriate safeguards.

We may disclose data if required by law, court order, or competent authority, or to protect rights, safety, or property when permitted by law.

International transfers

Some providers may operate outside the European Economic Area. Where we transfer personal data to countries not covered by an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses or other approved mechanisms, together with supplementary measures where the risk profile warrants them.

Retention

We retain personal data only as long as necessary for the purposes described:

• General correspondence: typically up to twenty-four months unless a longer period is needed for ongoing projects, disputes, or legal obligations.
• Contract and tax records: as required by Finnish bookkeeping and tax rules, often longer.
• Server logs: rotated within shorter periods unless a security incident requires limited retention.
• Cookie-related records: as described in the Cookie Policy.

We review retention periodically and delete or anonymise data when no longer needed.

Security measures

We apply organisational and technical measures proportionate to the risk, including access controls, secure transport where supported, separation of environments, and vendor review. No system is perfectly secure; we work to reduce risk in line with good practice.

Your rights

Subject to applicable law, you may request:

• Access to your personal data.
• Rectification of inaccurate data.
• Erasure where conditions are met.
• Restriction of processing in certain cases.
• Data portability for data you provided where processing is automated and based on consent or contract.
• Objection to processing based on legitimate interests, including profiling where applicable.
• Withdrawal of consent for consent-based processing at any time, without affecting prior lawful processing.

We will respond within one month where possible, or inform you of any extension as permitted by law. You may lodge a complaint with the Finnish Office of the Data Protection Ombudsman or another supervisory authority where you reside.

Children

The Site is not directed at children. We do not knowingly collect personal data from children without appropriate parental authority. If you believe we have received such data, please contact us so we can delete it.

Updates to this Policy

We may revise this Policy to reflect operational, legal, or technical changes. The date shown at the top of this page is updated when the text is meaningfully revised. Continued use of the Site after updates may be subject to the new version where permitted by law.