Privacy policy


Mysoda Oy's consumer register privacy statement 

 

April 19, 2026 

 

Mysoda Oy processes consumers' personal data in accordance with this privacy policy. This privacy policy sets out the information required by Articles 12–14 of the EU General Data Protection Regulation to be provided to the data subject. 

Mysoda may change this privacy policy by publishing a new version on its website, for example, if legislation, official instructions, case law or its own practices change. Data subjects will be notified of material changes in the processing of personal data separately by email. Other changes will not be notified separately, unless required by law. This policy provides up-to-date information on our practices related to the processing of personal data.

 

1. Contact information of the data controller in data protection matters 

 

Data controller: Mysoda Oy, business ID: 2432834-2 (“Mysoda”, “Company” or “Data controller”)
Contacts for all data protection matters 

The data subject may contact the Data Controller in all matters relating to data protection as follows: 

Mysoda Oy / Customer Service

Holkkitie 6 

00880 Helsinki 

Phone: +358 (0)20 712 1590 

Email: info@mysoda.fi 

 

2. Data subjects

 

The controller collects and processes the personal data of its current and potential consumer customers (“Data Subject”, “Customer”).

 

3. Personal data collected

 

The Data Controller collects and processes the following personal data about the Data Subjects:

 

Data group: Basic
Description:
  • name, native language, service language, age, gender, contact information (postal addresses, business addresses, email address, telephone number), preferred method of contact
Where collected and updated:
  • Data subject, e.g. in connection with orders and newsletter subscriptions
  • Public and private registers such as the population information system of the Digital and Population Information Service (DVV), Posti, Fonecta, and the Customer Marketing Association

Data group: Marketing information
Description:
  • information about surveys made by the Data Subject, as well as offers sent to the Data Subject and other pre-contractual marketing activities and contacts
  • consents, prohibitions, restrictions and authorizations regarding the use of data and direct marketing
Where collected and updated:
  • Data subject (e.g. in connection with service events or participation in events)
  • Data Controller
  • The Digital and Population Information Service's (DVV) population information system, other public and private registers, such as contact information services, Fonecta Oy, Posti Oy

Description:
  • newsletter subscription and cancellation information
Where collected and updated:
  • Data subject

Data group: Customer information
Description:
  • customer number, purchase and other customer history: customer relationship start and end times, order, confirmation, cancellation, return, termination and termination information, delivery information, payment transaction status information and other information related to customer relationship activities
  • customer feedback, customer satisfaction survey data, complaints and other contacts; information regarding discounts and damages, other communication with the customer
  • recordings of phone calls and remote meetings
Where collected and updated:
  • Data subject, including in connection with orders, deliveries, payments, electronic or telephone transactions, other personal contacts and the use of services or products by the Data subject

Data group: Usage data for electronic services

Description: Access rights, usernames and passwords, other possible identification information
Where collected and updated:
  • Data controller
  • Data subject

Description: Usage history and log data recorded when using electronic services
Where collected and updated:
  • Data subject
  • Data controller's information systems

Description: Newsletter usage data: email address, data regarding sending, receiving and reading
Where collected and updated:
  • Data subject
  • Information systems of the Data controller and its subcontractor

Description: Online service usage and browsing data: page from which the user has accessed the Data controller's website, device model, unique device and/or cookie identifier, data collection channel (internet browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system, country/city level location
Where collected and updated: Data subject (using cookies, advertising tags, etc.) information about the use of Internet and mobile services and newsletters.

Data group: Information regarding suspected crimes
Description: Information about suspected crimes or misconduct
Where collected and updated: Information systems of the Data controller and its subcontractors

Data group: Event organization information

Description: Participation information, e.g. invitation, registration and participation information related to events, competitions, raffles and other events organized by the controller
Where collected and updated: Data subject

Description: Health information: essential dietary and accessibility information
Where collected and updated: Data subject

Description: Photos and videos taken from events
Where collected and updated: Data controller

Data group: Profile and classification information
Description: Based on the analysis and profiling of the data described above, classifications, segments and profiles are formed for the purposes of processing in accordance with this statement.
Where collected and updated: The data is generated automatically based on the customer register data.

 

4. Legal bases and purposes of processing personal data

 

The personal data referred to in Section 3 are processed on the legal grounds and for the purposes set out in the following table:

 

Purpose of processing:
of the Data products and events, conducting opinion and market research, organizing marketing competitions and other events, e.g.
  • Advertising on the Data controller’s own and other Internet and mobile media, services and applications, such as Google, other advertising networks and social media. The Data subject's encrypted email address may be used for targeting and creating target groups.
  • Direct marketing by email, text message and other electronic means;
  • Direct marketing by letter and telephone
Data groups to be processed:
  • Basic
  • Marketing information
  • Customer information
  • Usage data for electronic services
  • Profile and classification information
  • Event attendance information
Legal basis:
  • The legitimate interest of the Data controller to conduct business and market its services (Article 6(1)(f) GDPR)
  • Regarding the use of online services and browsing data, the Data subject's consent to the use of cookies (Act on Electronic Communications Services, Section 205)
  • The Data subject's consent to the use of encrypted email addresses of non-customers (e.g. newsletter subscribers) for the creation of online advertising target groups and for advertising targeting

Purpose of processing:
Conclusion of the contract and the steps leading up to it (e.g. inquiries, offers, orders and order confirmations), delivery of orders, payment and documentation of the above-mentioned actions
Data groups to be processed:
  • Basic
  • Marketing information
  • Customer information
  • Usage data for electronic services
Legal basis:
Taking steps prior to entering into a contract at the request of the Data Subject; execution of the contract (Article 6(1)(b) GDPR)

Purpose of processing:
  • Providing customer support and other services
  • Handling contacts, managing, developing and maintaining customer relationships
  • Customer communication and contact by letter, telephone, email, text message or other electronic means
  • Customer satisfaction and other customer surveys and polls
  • Business and service development
Data groups to be processed:
  • Basic
  • Marketing information
  • Customer information
  • Usage data for electronic services
  • Event attendance information
  • Profile and classification information
Legal basis:
The legitimate interest of the Data controller, based on the right to conduct business and the customer relationship between the Data Controller and the Customer (Article 6(1)(f) of the GDPR)

Purpose of processing:
Providing a newsletter service
Data groups to be processed:
  • Newsletter subscription, usage and cancellation information
Legal basis:
Implementation of a Data subject’s newsletter subscription (Article 6(1)(b) GDPR)

Purpose of processing:
Organizing events
Data groups to be processed:
  • Basic
  • Event organization information
Legal basis:
The legitimate interest of the Data controller based on the right to conduct business (Article 6(1)(f) GDPR)
Data groups to be processed:
  • Health information
Legal basis:
Data subject consent (Article 6(1)(a) GDPR)

Purpose of processing:
Information provided by the Controller regarding events in the media, the Internet, and social media
Data groups to be processed:
  • Photos and videos taken from events
Legal basis:
Data subject consent (Article 6(1)(a) GDPR)

Purpose of processing:
Ensuring data security
Data groups to be processed:
  • Basic
  • Usage data for electronic services
Legal basis:
Compliance with a legal obligation (Article 6(1)(c) GDPR and Article 32 of the Act on Electronic Communications Services)

Purpose of processing:
Detecting, preventing and investigating fraud and other crimes and abuses
Data groups to be processed:
The information required for the purpose of use mentioned in paragraph 3 above and information regarding suspected crimes
Legal basis:
The legitimate interest of the Data controller in preventing crimes against it and other parties (Article 6(1)(f) of the GDPR)

Purpose of processing:
Carrying out the Controller's statutory duties concerning data subjects and other duties
Data groups to be processed:
All information required for each statutory task mentioned in section 3 above
Legal basis:
Compliance with a legal obligation, e.g. regulatory reporting (GDPR Article 6(1)(c))

Purpose of processing:
Analysis, statistics and profiling for the development of services and customer relationships, as well as for marketing
Data groups to be processed:
All information mentioned in section 3 above and declared to be processed for each purpose of use in accordance with this statement
Legal basis:
The Data controller's legitimate interest based on the customer relationship (GDPR Article 6(1)(f))
Data groups to be processed:
Online service usage and browsing data
Legal basis:
Data subject's consent to the use of cookies (Act on Electronic Communications Services, Section 205)

 

 

The Data controller does not use automated decision-making in its activities concerning Data Subjects and does not process personal data using artificial intelligence. 

 

5. Disclosure of information 

 

The Data Controller discloses the personal data of the Data Subjects to the following parties, who process them as independent controllers in accordance with their own data protection declarations: 

 

  • Transport and logistics service providers: Warehousing and order delivery
  • Banks and other payment service providers: Payment services and payment tracking for your order
  • The controller's legal advisors and auditors: Performing legal assignments and auditing
  • Authorities, e.g. police, enforcement authority, tax administration: Implementing the authority's statutory right to information

 

 

Personal data will not be disclosed to other parties without the consent of the Data Subject, except if it is necessary to fulfill the Data Controller's legal obligations, in connection with legal proceedings, at the request of authorities, or as part of business arrangements. 

 

6. Transfer of data for processing by subcontractors 

 

The Data Controller has the right to use subcontractors in the processing of personal data in accordance with this statement. In this case, personal data may be transferred to subcontractors to the extent necessary for the implementation of the subcontractor's services. Each subcontractor processes personal data only to the extent necessary for the performance of the subcontractor's tasks. The subcontractors process personal data on behalf of and for the account of the Data Controller in accordance with the Data Controller's instructions. The subcontractors are bound by the agreements concluded with the Data Controller regarding the processing of personal data, including the terms and conditions regarding confidentiality and data security. 

The Data controller uses subcontractors for the following tasks: 

 

Subcontractor or group: The Data controller's respective subsidiaries, e.g. Mysoda Sweden Ab, Mysoda Scandinavia Aps, Mysoda Deutschland GmbH, Mysoda France SAS
Task: Tasks related to sales, marketing, logistics and customer service

Subcontractor or group: Shopify International Limited, 2nd Floor, Victoria Buildings 1-2, Haddington Road, Dublin 4, D04 XN32, Ireland
https://www.shopify.com/en/legal
Task: Shopify acts as the provider of the functionality (platform service) of Mysoda's online store. A list of Shopify's subprocessors and the services they perform and the data they process can be found here: https://help.shopify.com/en/manual/privacy-and-security/privacy/subprocessors

Subcontractor or group: Klaviyo, Inc., 125 Summer Street, Floor 6, Boston, MA, 02110, United States
https://www.klaviyo.com/legal
Task: Klaviyo produces the Mysoda newsletter service. A list of Klaviyo's subprocessors and the services they perform and the data they process can be found here: https://www.klaviyo.com/legal/subprocessors

Subcontractor or group: Advertising and marketing agencies
Task: Marketing, analytics

Subcontractor or group: Financial management service providers
Task: Accounting and other financial management services

Subcontractor or group: ICT suppliers
Task: Design of online stores and other applications, cookie management, telecommunications services, other electronic communication services, information security services, information system services

Subcontractor or group: Google Inc.
Task: Statistical monitoring of Internet services is carried out by Google Inc. on behalf of the Data Controller in accordance with the cookie consent given by the Data Subject. Google may also use the information collected by cookies for its own marketing purposes in accordance with the cookie consent and its own terms of use and privacy policy. Google is responsible for its own cookies and the information it collects for its own use, see more information at: https://business.safety.google/privacy/

 

 

7. Transfer of data to third countries 

 

The Data controller may also transfer personal data to a country outside the EU/EEA. The transfers mainly consist of the transfer of personal data to Shopify Inc., which is established in Canada and is subject to the EU Commission Decision 2002/2/EC of 20 December 2001 on the adequate protection of personal data provided by the Canadian Personal Data Protection and Electronic Documents Act. The transfer of data to the USA is based on the EU Commission Decision of 10 July 2023 on the adequacy of the data protection provided by the EU-US data protection framework.

Unless the European Commission has decided that the level of data protection in the destination country is acceptable, the Data Controller shall ensure adequate data protection by concluding written agreements with the recipient using standard contractual clauses approved by the European Commission or other legal procedure. The standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1778501382994

 

8. The Data Controller's processing of personal data concerning social media users

 

The Data Controller's website uses social media functions (i.e. community plugins), such as Facebook, Instagram and TikTok buttons, which take you to community pages maintained by the Data Controller. 

Social media services share user information with the Data Controller in accordance with their privacy policies and the consents given by users, e.g. comments and links shared by the user in the media regarding the Data Controller's sites and information contained in the user's public profile. The Data Controller processes personal data obtained through its community sites on the basis of legitimate interest only for the Data Controller's own purposes, such as informing about new products, services or offers, implementing competitions and raffles, receiving feedback, purchasing advertising on the social media service, measuring the reach of pages or advertisements or providing customer service on community sites. The Data Controller does not process information outside of social media, and the information shared by them is not combined with other data or registers of the Data Controller without the user's consent. 

Social plugins are the responsibility of the company providing them. They are primarily responsible for complying with data protection legislation and implementing data security and the rights of the Data Subject on the service. You can familiarize yourself with the privacy policies of social media and manage their privacy settings on a service-specific basis: 

Facebook and Instagram: https://fi-fi.facebook.com/privacy/explanation

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

 

9. Principles of register protection

 

Only those persons who need the information to perform their work duties are entitled to use the information. Personnel processing personal data have been given training and instructions on data protection. Personnel and subcontractors processing the information are committed to confidentiality obligations. Information regarding suspected crimes is kept separate from other information about the Data Subject. 

Personal data is stored in locked facilities that meet the data protection level and are monitored by automatic access control. The protection of electronically stored data is based on access control, user identification, technical protection of databases and servers, e.g. firewalls and other security software, data encryption, data traffic protection, data backup, and the collection of log data and monitoring of security events. 

A description of the security measures used on the Shopify e-commerce platform can be found here: https://www.shopify.com/security

 

10. Personal data retention periods

 

Data group: Information collected based on consent
Storage time: As long as the consent given by the data subject is valid.

Data group: Recordings of phone calls and remote meetings
Storage time: 12 months from recording

Data group: Usage data of electronic services collected using cookies
Storage time: In accordance with the deadlines stated in connection with cookie consents

Data group: Other Electronic Services Usage Data
Storage time: Up to 5 years after the end of the customer relationship

Data group: Basic information, Marketing information, customer service validity period
Storage time: Permanently, within the framework permitted by law, for direct marketing purposes, unless the Data Subject has prohibited direct marketing or withdrawn consent thereto

Data group: Anonymized data
Storage time: Information that does not identify a person may be stored permanently.

Data group: Backups
Storage time: In accordance with the controller's normal retention and deletion schedules

Data group: Other personal information
Storage time: Up to 2 years after the end of the customer, supplier or other relationship

 

 

Data may be retained after the aforementioned retention periods for the establishment, exercise or defense of legal claims, until the claims have been finally resolved and in accordance with the requirements of applicable law. 

The Data controller shall regularly assess the necessity of retaining personal data, e.g. identification and authentication data and documents no later than three years after the previous review of the necessity of retention. In addition, the Data controller shall take reasonable measures to ensure that no personal data of the Data subjects that are incompatible with the purposes of the processing, outdated or incorrect are retained in the register.

 

11. Data subject rights

 

The Data subject has the right to inspect the information about him or her stored in the personal data register and to demand the correction or deletion of incorrect, outdated, unnecessary or unlawful information. 

The Data subject does not have the right to inspect information concerning suspected crimes. The Data Protection Ombudsman may, at the request of the data subject, inspect the lawfulness of the processing of this information. 

The Data subject has the right to cancel the newsletter subscription and the right to withdraw previously given consent to the processing of their personal data at any time. Withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal of consent. 

The Data subject has the right to prohibit the use of their data for direct marketing, opinion and market research, including related profiling. 

When the processing of personal data is based on legitimate interest, the Data Subject has the right to object to the processing of their data on grounds relating to their particular personal situation. The Data Subject must specify the particular situation on which the objection is based in connection with the request. 

The Data Subject may demand the restriction of the processing of their personal data, for example its suspension in whole or in part, when the data subject believes that there is uncertainty about the accuracy of the data or its processing, until the uncertainties regarding the data are clarified and resolved. 

If the Data Subject has provided their personal data to the Data Controller and the processing is based on consent or agreement, they have the right to receive this data in a structured, commonly used and machine-readable format and the right to transfer the data to another Data Controller in accordance with applicable law. 

The Data Subject may exercise the above rights by sending requests in writing or by email to the Data Controller (contact information is provided at the beginning of the statement). If necessary, the Data Controller may ask the Data Subject to specify their request in writing and to prove their identity. 

The Data Subject has the right to file a complaint about the processing of personal data with the Data Protection Ombudsman.