Privacy Policy

You can find all our Privacy Policy documents below:

• Privacy Policy - Website visitors (19.6.2025)
• Tietosuojaseloste - Verkkosivuvierailijat (19.6.2025)
• Tietosuojaseloste - Palvelun tilaajat/maksajat (12.6.2025)
• Tietosuojaseloste - Palvelun käyttäjät (12.6.2025)
• Tietosuojaseloste - Julkisen palvelun käyttäjät - hyvinvointialue ja kunnat (15.6.2025)
• Privacy Policy - Employees and freelancer (12.6.2025)
• Privacy Policy - Suppliers and contractors (12.6.2025)

‍

Privacy Policy – Website visitors

Last update 19.6.2025

Introduction

We value your fundamental right to privacy. As a company based in the European Union, we adhere to our obligations under the General Data Protection Regulation (GDPR). In this document, we inform you about our processing of your personal data when you visit our website.

For clarity, we have divided the privacy policy into two parts: 

• Part 1 contains general information about personal data processing. 
• Part 2 applies to the processing of your personal data specifically. 

If you have any questions or concerns regarding the processing of your personal data, please don’t hesitate to contact us:

Gubbe Sydänystävä Oy

Privacy team
Erottajankatu 1–3 A 8, 00130 HELSINKI, FINLAND
Tel: +358 44 724 6007
Email: privacy@gubbe.com
Data Protection Officer: Susanna Laanikari (contact details as above)

We may update our privacy policies from time to time. The date of last update is shown above. Minor changes will be shown in this document, and we ask that you review it regularly. Changes that significantly affect your rights and freedoms will be communicated to you by email or notification if we have your contact details.

Part 1: General information

Categories of personal data

As you visit our website, we regularly process certain categories of your personal data. These depend on the various purposes that we process your data for. A detailed list of the various purposes and categories of data that we process is shown in Part 2 of this privacy policy.

Some categories of personal data are mandatory in the sense that without certain data, we cannot make sure that your visit is safe and enjoyable. We have marked clearly, which categories of personal data are mandatory for a given purpose.

Sources of personal data

We primarily process personal data that you give us, for instance when you send us a message using a contact form, or when you subscribe to our newsletter.

However, in certain cases we may receive personal data relating to you from other sources. These are:

Social media and the internet

If you visit our social media pages or interact with social media plugins on our website, those pages collect various data about you and your visit. If those pages share that data with us (e.g. when you like our posts or contact us through social media), we receive your personal data from those sources.

Technical sources

We use cookies and similar technologies on our website. These collect and process certain technical personal data, such as your IP address and device identifiers.

Retention periods of personal data

When processing your personal data, we adhere to the principle of storage minimisation. That means we only keep your personal data as long as necessary for the purposes that we describe more in detail in Part 2, and only as long as we have a legal basis set out in the GDPR to process the data.

As soon as no relevant purpose or legal basis applies, we will either erase your personal data or anonymise it in an irreversible manner.

Sharing your personal data with third parties

As a provider of commercial services, we like most other companies have to outsource some of the processing of your data to our trusted partners. Because of that, we share certain categories of personal data with third parties.

We always make sure that all disclosures are protected by a contractual arrangement between us and our trusted partners to protect your personal data, as required by the GDPR.

Our trusted partners can be categorised as follows:

Website functionality and security

We use hosted website and content delivery network systems, as well as cookie management tools provided by our trusted partners. When you use our website, these systems process your personal data (such as your IP address and device identifiers) through cookies and other technical sources.

Communications

We use hosted emailing and other communications systems (such as contact forms, customer care chats and meeting scheduling tools) provided by our trusted partners. When we communicate with each other, your personal data passes through these systems.

Social media and advertising technology companies

We use social media plugins on our website, and we have our social media pages. We also use tools provided by Google and other advertising technology companies.

As you visit our website and social media pages, the companies providing those services collect certain data about you for their own purposes. These purposes relate to the companies’ advertising business endeavours.

Please refer to the relevant social media companies’ privacy policies to see how they process and retain your personal data.

Public authorities

If we are legally required to hand over information about a suspected data breach or other things to public authorities, this may include your personal data.

Mergers and acquisitions

If we are ever subject to a merger or acquisition by another company, all of our data, which naturally includes website visitor data, may be legally transferred to that company.

Transfers outside the EU/EEA

We normally process your personal data exclusively within the European Union and European Economic Area. In some cases, we or our trusted partners process your personal data outside these areas. If that happens, we will make sure through various safeguards that your personal data will be processed in a compliant way.

Some of your personal data are transferred to the following countries:

United States

We and our trusted partners make sure that transfers are protected under the EU-US Data Privacy Framework approved by the European Commission. If not, we and our trusted partners make sure transfers are protected by contractual arrangements using the Standard Contractual Clauses (SCC) issued by the European Commission. Should we be unable to take any of these precautions, ultimately we’ll ask for your consent for the transfer.

If you wish to learn more about the ways we protect your data when transferring outside the EU/EEA, please contact us using the contact details above.

Your rights

According to the GDPR, you have various rights as we process your personal data. These are:

• Right of access: You may ask us whether we process any personal data about you, and if we do, you have a right to request a copy of some or all of the data. You also have a right to ask for more information regarding the third-party recipients of your personal data as well as our protective measures applicable to the transfers of your data to our trusted partners and outside the EU/EEA.
  If you request a copy of your data, we will send it to you electronically. In most cases we will be glad to accommodate your request, but if we receive repeated or manifestly unfounded requests from you, we may have to refuse or charge a reasonable administrative fee to process your request.

• Rectifying incorrect or incomplete personal data: If you consider that some of your personal data that we process is incorrect or incomplete, you may ask us to correct or complete the data. We will investigate your request without undue delay, and accommodate it if we can be sufficiently certain that the request is justified.

• Erasing personal data (“the right to be forgotten”): If you don’t want us to process your personal data, you may ask us to erase a part or all of it. We will do our best to accommodate your request, but in some cases we may have to refuse or postpone the request. This may happen e.g. if we need some of your information like IP addresses and device identifiers to protect the safety of our website (we have described these in more detail in Part 2).

• Restricting the processing of personal data: If you consider that our processing of your personal data breaches the GDPR or other laws, you may ask us to restrict the processing (i.e. to stop the processing for the time being). We will accommodate your request as well as possible while we investigate the matter.
  You may also ask us that we do not erase or otherwise process your personal data if you need the data e.g. in a legal dispute and the erasure or other processing would jeopardise your interests in that regard. We will aim to accommodate your request as well as possible.

• Objecting to processing of personal data: As explained in detail in Part 2, we sometimes process your data on the basis of our or someone else’s legitimate interest. If that’s the case, you may object to our processing of your data on that basis due to a reason relating to your particular circumstances. We will aim to accommodate your request as much as possible, however in some cases the legitimate interests in question may be so important that they outweigh your interest to object.
  If in that case we cannot accommodate your request, we will let you know about our reasons for not doing so and inform you about your right to lodge a complaint with the relevant data protection authorities.

• Withdrawing consent: As explained in detail in Part 2, we sometimes process your personal data on the basis of your consent. If that’s the case, you may, at any time, withdraw your consent for that processing. We will accommodate your request without undue delay, however we may continue the processing if we have another legal basis to do so. Please note that withdrawing consent will not affect the prior processing of your personal data.

• Right to lodge a complaint: If you consider that our processing of your personal data breaches the GDPR or other laws, you may at any time lodge a complaint with the relevant data protection authorities. In Finland, you can contact the Data Protection Ombudsman: www.tietosuoja.fi
  

To exercise any of your above rights, please contact us using the contact details shown at the beginning of the document. We’ll be glad to assist you.

Cookies and tracking

Like most other companies and organisations, we use cookies and similar technologies on our website. We will adhere to applicable laws regarding the prerequisites for the processing of your personal data in such ways.

We have described in detail the types of cookies and similar technologies we use as well as their purposes in our cookie policy.

Part 2: Processing of your data

As you visit our website, we process your personal data in certain ways in that context. Here we describe the purposes of processing your personal data together with the appropriate legal bases for the processing, as well as the categories of personal data processed together with their retention periods.

Purposes and legal bases of the processing of personal data

According to the GDPR, all processing of personal data must be justified using a legal basis found in the law. First, here is a short description of the legal bases that we use:

Consent

In many cases, we ask for your consent to process your personal data. If we receive your consent, we may process your data on that basis within the limits of the consent.

Legitimate interest

In other cases, we may process your personal data if it’s justified for our or someone else’s legitimate interest. We only do so after having assessed your rights and freedoms against the importance of the legitimate interest (we conduct a so-called “balancing test”).

Communications

• Legitimate interest
  
  • If you contact us through our website (e.g. through a contact form or customer care chat) or social media page, we will process your personal data to receive, process and (if necessary) respond to it.
  • We may also use the contents of your message (e.g. any feedback that you give) to improve our website and business.
• Consent
  
  • If you subscribe to our newsletter, we will ask for your consent for it.

Technical functioning and security

• Legitimate interest
  
  • We use cookies and other technologies that collect and process personal data for technical reasons. We do this to ensure the proper technical functioning and security of our website. This often includes processing of personal data such as necessary technical identifiers, which are on by default and cannot be switched off.
• Consent
  
  • We also use cookies and other technologies that collect and process your personal data for functional purposes that are not strictly necessary for the safety and technical functioning of the website (e.g. in case of cookies used to improve the visual appeal of the website). If that is the case, we will ask for your consent to enable those cookies and technologies.

Analytics and marketing

• Consent
  
  • We also use cookies and other technologies that collect and process your personal data for analytics and marketing purposes. We will ask for your consent to enable those cookies and technologies.

Categories of personal data processed and their retention times

The below table contains a detailed description of the categories of personal data that we process for our various purposes. If a certain category is mandatory by law or contract (e.g. if we need the information to fulfil our legal obligations or to serve you as our customer), we’ve mentioned that in the table.

The table also contains a list of our retention times for different categories of personal data under a given purpose. Once a specific retention period runs out, we will erase the relevant personal data or anonymise it irreversibly, unless a different purpose with a longer retention period applies.

Communications 

Personal data marked with (*) are mandatory if you wish us to respond to you, or if you wish to receive our newsletter.

• Categories of personal data
  
  • Name, contact details (*)
  • Messages and correspondence (*)
  • Calendar booking information (*)
  • Newsletter consent (*)
• Retention period(s)
  
  • 2 years from last contact.
  • 2 years from last calendar booking.
  • However, we will retain your newsletter consent indefinitely (until you unsubscribe from the newsletter).
• Examples:
  
  • To communicate with you, we have to process your basic information and the contents of your messages.
  • If you book a time in our appointment calendar, we process the information you've shared in the booking.
  • To send you our newsletter, we need to process your consent.

Technical functioning and security

Personal data marked with (*) are mandatory to the extent that we have a justified interest in ensuring the technical functioning and security of our website.

‍See our Cookie Policy.

• Strictly necessary technical identifiers (*)
  
  • We collect, process and retain technical identifiers (like IP addresses and device identifiers) through mandatory cookies and other technologies to ensure the safety and proper functioning of the website, or in case we need to address a technical or security issue.
  • If you block mandatory cookies and other technologies, or otherwise prevent the collection of the technical identifiers as intended, our website may not function properly or may not be safe to use.

• Not strictly necessary technical identifiers
  
  • If we use cookies and similar technologies to collect and process personal data for functional purposes that are not strictly necessary for the technical functioning and security of the website, we ask for your consent to enable them.

• Consents and prohibitions
  
  • We record your consent (or denial) in our cookie management tool, which retains the information as described in our cookie policy.

Analytics and marketing

See our Cookie Policy.

• Not strictly necessary technical identifiers
  
  • If we use cookies and similar technologies to collect and process personal data for analytics and marketing purposes (e.g. to measure our web traffic or to personalise our advertising to you), we ask for your consent to enable them. 
• Consents and prohibitions
  
  • We record your consent (or denial) in our cookie management tool, which retains the information as described in our cookie policy.