Privacy policy

Created: 12 October 2023

Last updated: 24 September 2025 (see the update log in the box “Updating the privacy policy”).

At Varoen, we value everyone’s right to privacy, which is a fundamental constitutional right. We have prepared this privacy policy to provide you with a comprehensive but concise and clear description of how we process your personal data and the means by which you can influence the processing of your personal data.

The contents of the privacy policy

This privacy policy complies with the provisions of the General Data Protection Regulation (GDPR) of the European Union. It therefore includes, inter alia, a description of the purposes for which personal data are processed, the lawful basis for processing, the recipients and transfers of data, the retention periods and your rights. In addition, we have included information that we believe is important to you, even if not directly required by law.

We want you to have a clear understanding at all times of what we do with your personal data and how we protect your interests, rights and freedoms. If you cannot find the answers you are looking for in this notice, please contact us and we will be happy to provide you with more information.

The structure of the privacy policy

To make it easier to read, the privacy policy is divided into two parts. In Part I (General), we provide a general description of the processing of personal data at Varoen. These general issues apply to all processing of personal data, regardless of what data we process about you. The subject areas are divided into their own boxes so that you can easily find what interests you.

Part II (Processing of personal data depending on your role in different situations) contains practical information on the processing of personal data depending on your role in different situations. Whether you are a current or potential customer (or their representative) or a user of our online services, you can easily find the processing information that applies to you in the box below.

PART I. General

Our contact details

When we process your personal data we are are a so-called processor as defined in the EU’s General Data Protection Regulation.

If you have any questions about Varoen’s processing of your personal data or if you wish to exercise any of the rights set out in this notice, please contact us.

Our contact details are:

Varoen Oy
Bulevardi 21
FIN-00180 HELSINKI

legal@varoen.com

Principles of data processing

We will always process your personal data in accordance with the following principles:

Legality: All processing of personal data is based on the law. All processing of personal data is lawful. All processing is done in line with the law.

Appropriateness: We process personal data in a way that is fair and reasonable. We will not process the data in a way that would be unforeseeable or unexpected for you. We will always respect your rights, freedoms and interests. We will provide clear and fair information about the processing.

Purpose limitation: We process your personal data only and only to the extent that it serves one of our legitimate purposes. We will not process your data unnecessarily.

Data minimisation: We will only process personal data that is adequate, relevant and necessary for our legitimate purposes. We will not process your data that we do not need.

Storage limitation: We will only process your personal data for as long as is necessary for our legitimate purpose. We will stop processing your personal data when it is no longer necessary.

Accuracy: We will ensure that the personal data we process is accurate and up to date. We will update the information when necessary. We keep records of the sources of the data and the partners to whom we disclose it.

Confidentiality and security: We take steps to minimise risks to the confidentiality, integrity and availability of data. We regularly review our practices and make improvements where necessary.

Transparency: We will always make sure that you have the information you need and are required by law about what personal data we process, what we do with it, who we share it with and how we protect your interests and rights.

Categories of personal data and retention periods

We process different types of personal data depending on the context of the processing. In general, we list here the categories of personal data we process and the retention periods.

For a more detailed description of how we process your personal data and the data retention periods, please see Part II below.

Categories of personal data

On a regular basis, we process the following data:

Name
Title and authorisations (e.g. job title in the client company or position as data protection officer, labour protection officer, etc.)
Contact details (postal address, telephone number and e-mail address)
Payment details (e.g. transaction details)
Correspondence and discussion notes
Technical identifiers (e.g. IP address and cookie information)

In some cases, we process the following information:

Video and audio recordings (we will always tell you in advance if we will process this information)
When we record video and audio recordings, we will always tell you if we use this information (e.g. when we record audio recordings).
Social media (e.g. if we use social media or personal data to send you personal information).
Tax information (e.g. tax records and tax debt information)
Background information (e.g. sanctions, political influence information and similar background information)
Consents and prohibitions (e.g. direct marketing prohibitions)

If you are acting as a representative of a company or entity, much of the information listed above is company or entity information. However, it is possible that some of the information may also meet the definition of personal data.

Retention periods

We will retain personal data for as long as it is lawfully processed as described in this privacy policy.

When the active processing of personal data ceases, we will retain it for a number of years in case it is needed at a later date or is required to be retained by law (see Part II of this privacy policy for more detailed descriptions).

Sources of personal data and mandatory categories

As a general rule, when we process your personal data, we receive it directly from you. This happens when you fill in your personal data, e.g. in a service contract or send us an email.

In some cases, we also receive data from other sources.

Other sources of personal data

If you represent a company or entity that is a customer of ours, we may in certain cases receive information from that company or entity. This may happen, for example, if a customer updates contact information on your behalf.
If you use our online services, we automatically receive your personal information through cookies and other technologies (see below under the subheading “Cookies and Analytics”).
If we process payment, financial, tax and background information, we may obtain information from, for example, public registers.
If we process social media content or other similar sources of the company or community you represent, we may also process information that is considered personal data.
If we engage in direct marketing, we may obtain personal data about you from public marketing registers, internet searches and social media, for example.

Mandatory categories personal data

According to the GDPR, we must tell you if you are required by law or contract to provide certain types personal data.

Some personal data are such that providing them is necessary for us to enter into a service contract and perform our services. This applies in particular to name and contact information.

In some cases, for example, the provision of financial, tax and background information may be mandatory if we have a legal obligation to know our customers or if we need to process the data for risk management purposes.

We have indicated mandatory categories of personal data in Part 2 of this privacy policy.

Recipients and transfers of personal data

Recipients of personal data means external parties to whom we share or otherwise disclose personal data. Sharing is necessary, for example, when we process personal data with the help of our trusted partners who act as our data processors.

Transfers of personal data means that we disclose or otherwise transfer personal data outside the European Union (EU) and the European Economic Area (EEA). This is necessary, for example, when the joint controller or processor we use is located outside the EU/EEA.

Recipients of personal data

We disclose personal data to the following recipients for the following purposes:

Zoner Oy, Finland (1985221-1): Web hosting service provider acting as Varoen’s data processor. The purpose of the disclosure is to maintain the website and related databases.

InnoCraft Ltd, New Zealand and EU (NZBN 6106769) (Matomo Analytics): Website analytics software provider acting as Varoen’s data processor. The purpose of the disclosure is to provide user and user experience analytics for the website.

Proton AG, Switzerland (CHE-354.686.492): Data management service provider acting as Varoen’s data processor. The purpose of the disclosure is to store, create, share and otherwise process files and to carry out e-mail communications.

Whereby A/S, Norway (NO 997742346): Video calling software provider acting as Varoen’s personal data processor. The purpose of the disclosure is to conduct video calls and video seminars.

~~Usercentrics A/S, Denmark (DK 34624607) (Cookiebot):~~ ~~Cookie management software provider acting as Varoen’s data processor. The purpose of the disclosure is to implement cookie management on the website.~~ (Until 23 Sep 2025)

meetergo GmbH, Germany (Cologne HRB 102300): Scheduling software provider acting as Varoen’s data processor. The purpose of the disclosure is the implementation of the appointment calendar on the website.

Ideally Oy, Finland (3010123-2): Customer acquisition services provider acting as Varoen’s data processor. The purpose of the disclosure is to contact customer prospects.

Aivan Innovations Oy, Finland (2855757-2) (Zefort): Document management services provider acting as Varoen’s data processor. The purpose of the disclosure is the electronic management of contracts and other documents.

Microsoft Corp., USA (WA 600413485): Data processing services provider acting as Varoen’s data processor. The purpose of the disclosure is to provide online file management, email and calendar functions.

Spatie BVBA, Belgium (BE 0809.387.596) (Mailcoach): E-mailing software provider acting as Varoen’s data processor. The purpose of the disclosure is to send newsletters and other customer communications.

Rotio Oy, Finland (2883355-7): Accounting services provider acting as Varoen’s data processor. The purpose of the disclosure is to carry out accounting and financial management.

Visma Solutions Oy, Finland (1967543-8) (Netvisor): Financial management software provider acting as Varoen’s data processor. The purpose of the disclosure is to carry out Varoen’s financial management and invoicing.

Conceptboard Cloud Service GmbH, Germany (HRB 29184): Cloud-based collaboration service provider acting as Varoen’s data processor. The purpose of the disclosure is to enable visual collaboration between Varoen and its customers.

Moi Mobiili Oy (2758687-3): A telephone operator used by Varoen, which processes phone numbers and communications meta data when facilitating phone calls and text messaging. The recipient receives the data automatically when a telephone is used. Disclosing the data is necessary for facilitating electronic communications.

Suomen Osuuspankki (0886725-8): A current account bank used by Varoen, which processes various information when facilitating bank transfers. The information may in some cases contain personal data of the parties to a bank transfer. The bank may also process personal data when carrying out its legal duties, for example regarding its “know-your-customer” obligations. The recipient receives the information as part of the mandatory information provided or otherwise collected in connection with bank transfers. Disclosing the information is necessary to facilitate the bank transfers.

Papoo Software & Media GmbH, Germany (HRB 22721) (CCM19.de): A cookie consent manager provider acting as Varoen’s data processor. The purpose of the disclosure is to implement cookie management on the website.

Transfers of personal data

We transfer personal data to the following non-EU/EEA countries:

New Zealand. This country has been recognised by the EU Commission as a safe country for the transfer of personal data. See the acequacy decision issued by the Commission.

Switzerland. This country has been recognised by the EU Commission as a safe country for the transfer of personal data. See the adequacy decision issued by the Commission.

United States. This country has been designated by the EU Commission as a safe country for the transfer of personal data under the EU-US Data Privacy Framework (DPF). See the adequacy decision issued by the Commission. Varoen has verified that the recipients of personal data have signed up to the DPF.

Measures to ensure an adequate level of data protection

For personal data disclosures, we ensure an adequate level of data protection by entering into legal personal data processing agreements with all third-party controllers and processors, or by confirming the legally mandated basis for diclosure before the disclosure takes place. We regularly review, at least once a year, that the agreement is adequate to ensure an adequate level of data protection.

For transfers of personal data, we ensure an adequate level of data protection primarily by transferring data only to countries for which the EU Commission has issued an adequacy decision. We do not currently transfer personal data to countries other than these. Even in such cases, we conclude a personal data processing agreement with the joint controller or processor who receives the data.

Your right to information

As explained in more detail above in the box “Your rights”, you may request copies of the personal data processing agreements we have entered into.

Links to the EU Commission’s so-called adequacy decisions are provided above in this box.

Updating the privacy policy

We review our privacy practices regularly, but at least once a year. We will also update our privacy policy at that time.

Unless we make minor changes to the privacy policy that do not significantly affect the rights, interests and freedoms of data subjects, we will only update the privacy policy as published on our website at www.varoen.fi. A description of the changes made can be found at the bottom of this box under “Update log”.

If changes are made to the privacy policy that have a more than de minimis effect on the rights, interests and freedoms of data subjects, we will also notify you of the changes separately if we have your contact information. We will primarily make the notification by e-mail, and only in exceptional cases will we contact you by other means (for example, by telephone).

Update log

24 Sep 2025: Regular GDPR check (no changes); added Papoo Software & Media GmbH (CCM19) as a recipient of personal data. Removed Usercentrics A/S, Denmark as a recipient of personal data.

24 Oct 2024: Added Moi Mobiili Oy, Finland and Suomen Osuuspankki, Finland as recipients of personal data. Minor corrections and improvements to the wording of the privacy policy.

21 May 2024: Translated the privacy policy into English. Added Conceptboard Cloud Service GmbH, Germany as a recipient of personal data. Removed Miila Digital, Finland, Calendly LLC, USA and enuvo GmbH, Switzerland as recipients of personal data.

7 March 2024: Added Rotio Oy, Finland and Visma Solutions Oy, Finland as recipients of personal data. Removed Tilitoimisto Pia Nyman, Finland and enuvo GmbH, Switzerland as recipients of personal data.

25 January 2024: Added Spatie BVBA, Belgium as a recipient of personal data.

10 January 2024: Clarified the classification of retention periods for personal data in Part II of the Privacy Statement by specifying the explicit processing purposes to which each retention period category applies. Added examples of processing periods.

4 January 2024: Added enuvo GmbH, Switzerland as a recipient of personal data.

21 December 2023: Added Microsoft Corp., USA as a recipient of personal data.

7 December 2023: Added Aivan Innovations Oy, Finland and Calendly LLC, USA as recipients of personal data. Removed Fennoa Oy, Finland from the list of recipients of personal data. Added description of the processing of personal data in social media. The changes do not affect the rights, interests and freedoms of data subjects.

28 November 2023: Added Ideally Oy, Finland as a recipient of personal data. Corrected minor typing errors.

20 November 2023: Added a description of the processing of personal data when you participate in a voice or video call with us. The changes do not affect the rights, interests and freedoms of data subjects.

17 November 2023: Added Meetergo GmbH, Germany as a recipient of personal data.

8 November 2023: Added description of the processing of data concerning consents and objections (e.g. direct marketing objections). The changes do not affect the rights, interests and freedoms of data subjects.

27 November 2023: Added description of mandatory personal data under the GDPR. The amendments do not affect the rights, interests and freedoms of data subjects.

24 October 2023: Improved the language of the notice and corrected typing errors. The changes do not affect the rights, interests and freedoms of data subjects.

18 October 2023: Minor corrections to the text and terminology of the explanatory note. The changes do not affect the rights, privileges and immunities of data subjects.

18 October 2023: Added Usercentrics A/S, Denmark (Cookiebot) as a recipient of personal data.

Your rights

Rights of the data subject

As the owner of personal data, you have a number of rights under the law. These include:

Access to your personal data (right of access): you can ask us to clarify whether we are processing your personal data. If we do, you have the right to obtain a copy of any personal data we process about you. You can also request an explanation of who we have shared your personal data with and what information about you we have shared with them.

You can request the above statements and information free of charge once every 12 months.

Rectifying inaccurate or incomplete personal data: If you find that there is an error or something is missing in the personal data we are processing about you, you can ask us to correct or complete the information.

Erasure of your personal data (“right to be forgotten”): You can ask us to delete any of your personal data. We will comply with your request if we have no lawful and legitimate reason to retain or continue to process your data. For example, we may need to retain information despite your request to delete it if you are our customer contact and we need your contact information to provide a service. We also retain certain personal data (for example, correspondence and chat notes) for a certain period of time after the end of the processing in case the data is needed, for example, to resolve a dispute. We are also required by law to keep certain personal data (for example, payment and tax information) for a certain period of time.
We explain the grounds and retention periods for the retention of personal data in more detail in Part II of this privacy policy.

Restricting the processing of your personal data: If you believe that the personal data we are processing about you is inaccurate or that our processing is unlawful, you can request that we restrict our processing of your data until we have clarified the matter. We will comply with your request and resolve the matter with you as soon as possible.
You can also request that we do not delete or otherwise process your personal data if you need it as evidence in a legal dispute, for example. In this case, we will comply with your request, even if we would otherwise have no reason to retain or otherwise process your data.

Objecting to the processing of your personal data: As explained in more detail in Part II of this privacy policy, in some cases we will use what is known as “legitimate interest” as a ground for processing your personal data. If this is the case, you can object to the processing of your data on that basis. We will comply with your request unless we have a legitimate ground for continuing to process your data. We will then explain to you why we need to continue processing and how we have taken into account your interests and rights to continue processing.
If we have contacted you for direct marketing purposes, you can also object to the continuation of the direct marketing (i.e. you can opt-out of our direct marketing) and we will comply with your request without undue delay.

Transferring personal data to another system: If we are processing you personal data, which you have provided with us either on the basis of our contract or with your consent, you may request a machine-readable copy of the data so that you can transfer it into another personal data system. We will comply with your request unless it would adversely affect the rights and freedoms of third parties.
You may request a copy free of charge once every 12 months.

Withdrawal of consent: As explained in more detail in Part II of this privacy policy, in some cases we ask your consent as a ground for processing your personal data. If this is the case, you can withdraw your consent at any time. We will then stop processing your data on that basis. However, the withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal.
If you withdraw your consent, we may continue to process your personal data on another lawful basis. We will let you know if this is the case.

Right to appeal to a supervisory authority: If you believe that our processing of your personal data breaches the law, you have the right to lodge a complaint with a supervisory authority. You can also complain if we do not respect your rights as described here. You can also complain to the supervisory authority if we do not comply with your rights under this privacy policy.
In Finland, the supervisory authority is the Data Protection Ombudsman, who can be reached at tietosuoja.fi.

Requesting further information

In addition to the rights described above, you may request the following information from us to the extent that it concerns you:

“Legitimate interests” balancing tests: whenever we rely on so-called “legitimate interests” for the processing of personal data, we will carry out a test to weigh those legitimate interests against your interests and rights before processing starts. We will only process data if we can consider that the legitimate interests on which we rely are sufficiently compelling to take into account your interests and rights. This is called the legitimate interests balancing test. You can ask us for an explanation of the basis and results of the balancing test we have carried out.

Joint controllers and processors of personal data: You can ask us to identify the parties to whom we have disclosed your personal data for this purpose.

Data Processing Agreements: When we disclose personal data to third party joint controllers or processors, we enter into personal data processing agreements with them before we start processing. When we process personal data with third parties before we enter into processing agreements with our data controllers, we may ask you to provide us with an explanation of the agreements we have entered into.

Safeguards for transfers of personal data: When we process personal data using external partners, we may need to transfer data outside the European Union (EU) and the European Economic Area (EEA) (see box “Recipients and transfers of personal data”). In this case, we will ensure that we have a legally acceptable basis for the transfer and that all legally required documentation is in place. You can ask us for an explanation of the transfer basis we use and for a copy of the necessary documents.

Cookies and analytics

We use cookies and analytics software on our website. We describe here our cookie and analytics practices in general. For more information about the cookies and analytics software we use, please click on the “Cookie settings” button at the bottom of each page.

Cookies and analytics programs help us to develop and maintain the usability and security of our website and to improve your user experience. They also help us to track and analyse how customers and users find our website, how they browse the site and what information on the site interests them. This allows us to improve our sales and marketing.

Important note: Cookie settings are always device and browser specific. It is possible that you have previously selected settings that you would like to change, or made choices in one browser that are not available in another browser. It is therefore important that you check your cookie settings regularly and make any necessary changes to your preferences (click on “Cookie settings” at the bottom of the page).

We use the following types of cookies and analytics software on the site.

1. Necessary cookies and technologies

We use essential cookies and technologies to ensure the functionality and security of our online services. They are mandatory tools on the site that must be enabled at all times. They can therefore not be disabled or deactivated. (You can also block the use of these cookies and technologies in your browser settings, but in this case the site may not function and its security cannot be guaranteed.)

Some of the necessary cookies and technologies work anonymously, which means that we do not process your personal data through them. However, some cookies and technologies also require us to process personal data such as IP addresses and terminal identification information. If this happens, we will only process your data for the purposes described in this box.

The personal data we process in this way are necessary technical identifiers, the processing of which we explain in more detail in Part II of this privacy policy.

2. Preference cookies

We use preference cookies to improve the usability of our website. They allow us to store certain preferences you have made, such as language and location.

Preference cookies may work in such a way that they also process personal data. If this happens, the personal data we process through these cookies will be non-volatile technical identifiers, the processing of which is described in more detail in Part II of this privacy policy.

As these cookies are not necessary for the functioning of the website, we will ask you for your consent to their use. If you do not explicitly agree to enable these cookies, they will be disabled by default.

You can accept or refuse the use of these cookies and programs at any time by clicking on the “Cookie settings” button at the bottom of each page.

3. Statistical cookies

We use statistical cookies to track and analyse our customers and users of our website. They help us to better understand how our website is used. The information they collect is anonymous, meaning that it cannot be used to identify you. In other words, we do not process your personal data through these cookies.

However, as these cookies are not necessary for the functioning of the website, we ask you for your consent to their use. If you do not explicitly agree to enable these cookies, they will be disabled by default.

You can accept or refuse the use of these cookies and programmes at any time by clicking on the “Cookie settings” button at the bottom of each page.

4. Marketing cookies

Marketing cookies are used to track users on different websites. They help to create profiles of users based on their website visits and other activities, so that they can be targeted with advertising that interests them. In some cases, users can also be identified and automatically profiled.

We do not currently use cookies for such marketing purposes.

If the use of marketing cookies on our site becomes relevant, we will ask for your consent to use them. If you do not explicitly agree to enable these cookies, they will be disabled by default.

You can accept or decline the use of these cookies and programs at any time by clicking on the “Cookie Settings” button at the bottom of each page.

5. Unclassified cookies

We use cookies that cannot yet be classified into the categories described above. They serve different purposes, corresponding to the purposes described above.

As these cookies are not necessary for the functioning of the website, we ask for your consent to use them. If you do not explicitly agree to enable these cookies, they will be disabled by default.

You can accept or refuse the use of these cookies at any time by clicking on the “Cookie settings” button at the bottom of each page.

6. Analytics software

We use the Matomo Analytics platform to analyse traffic and user transactions on our website. It is a New Zealand-based open source analytics platform that respects user privacy.

The personal data stored by Matomo is stored within the European Union. However, we will ensure the lawful processing of data even if it is transferred to New Zealand (see box ‘Recipients and transfers of personal data’).

Read more: https://matomo.org/about/ and https://matomo.org/matomo-cloud-privacy-policy/)

PART II. Processing your personal data in different scenarios

Client (or a representative of one)

If you are an existing client or represent a company or entity that is a client of ours, we will process your personal data as follows.

1. Categories of personal data and retention periods

We process personal data for the following processing purposes described below: Customer relationship and performance of services. For these purposes, the following data will be kept in the customer file for three years from the end of the calendar year in which the active processing ceases:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and discussion notes
Social media content

Example: You act as a representative of the client company and we discuss with you the progress of the service. We collect the personal data listed above as part of the company’s customer file. We will call you on 10 May 2024 and record your name and contact details and the content of our conversation. On 30 December 2027, we will carry out a regular deletion of personal data. At the same time, we will remove your name and contact details from the file and ensure that you cannot be identified from the remaining entries in the file added on or before 31 December 2024.

We also process personal data for the following processing purposes described below: Risk management and protecting our interests. For these purposes, the following data will be kept in the customer file for three years from the end of the calendar year in which the active processing ends:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and discussion notes
Social media content
Video and audio recordings (we will always tell you in advance if we process this information)
Financial information (e.g. business affiliations and credit risk data)
Tax information (e.g. tax records and tax debt information)
Background information (e.g. sanctions, political influence information and similar background information)

Example: In the example described above, we will collect reports in the customer file showing the progress of the service and the completion of the agreed tasks, so that we can demonstrate that we have taken the agreed actions, if necessary. The reports contain your personal data. We will delete your data from the reports on 30 December 2027.

Example: We have agreed that your company can use our company name and logo in its own marketing on social media and that you, as a representative of the company, can also post content on your own account. In order to control the use of our trademarks and the rights to use them, on 10 August 2024 we will record a note of the agreement in the customer file. We will also record a hyperlink to social media updates made by you and your company that include our company name and logo. We will delete your personal data from the customer file on 30 December 2027.

We also process personal data for the following processing purposes described below: Invoicing and debt collection as well as Accounting and taxation. For these purposes, the following data will be kept in the customer file and accounting records for six years from the end of the calendar year in which the active processing ceases:

Payment data (e.g. transaction identifiers)

Example: After we have provided our service, we issue an invoice on 11 August 2024. To identify the receivable, we record on the voucher and store in the customer file and in the accounting records the fact that you, as the representative of your company, are the subscriber and recipient of the service. We will delete your personal data on 30 December 2030, unless there is a justifiable purpose under this privacy policy to keep it longer (e.g. to collect a debt and to stop the relevant limitation period from running out).

We also process personal data for the following processing purposes described below: Risk management and protecting our interests. For these purposes, the following data will be kept in the customer file for six years from the end of the calendar year in which the active processing ceases:

Financial information (e.g. business affiliations and credit risk data)
Tax information (e.g. tax registry and tax debt data)
Background information (e.g. sanctions, political influence information and similar background data)

Example: We will identify the financial, tax and background information of the company’s representatives and add it to the customer file on 30 October 2024. We will delete your personal data on 30 December 2030, unless there is an justifiable purpose under this privacy policy to keep it longer.

We will also transfer personal data to the direct marketing register after the end of active processing for the following processing purposes described below: Marketing. For these purposes, the following data will be kept in the direct marketing register for an indefinite period of time, unless you object to the use of the data for direct marketing purposes (see the box “Your rights” in Part I above):

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)

Example: As a representative of your client company, we are reaching out to you for the purpose of marketing additional services. In the call, you indicate that your company does not currently have a need for the additional services we offer. However, we agree to come back to you in the future. We will transfer the above information to our direct marketing register, where it will be kept as long as we have a reasonable expectation of reaching out to you for marketing purposes in the future. We will regularly assess the currentness and accuracy of the information and if, for example, we become aware that you are no longer employed by the company concerned, we will delete the information without delay.

We also store personal data in the direct marketing register, where necessary, for the following processing purposes described below: Marketing. For these purposes, the following data will be stored in the direct marketing register for an indefinite period of time, unless you ask us to delete or amend the data concerned:

Direct marketing prohibitions

Example: In the example above, we are targeting you for marketing purposes. In the phone call, you state that your company has no need for the services we offer and you wish us not to offer any further additional services. We will add to the direct marketing register that you have opted out of direct marketing of additional services. We will also remove your unnecessary information from our direct marketing register, but we will keep your name and contact details there so that we know that the opt-out applies to you.

We also process personal data for the following processing purposes described below: Technical functioning and security. The following data retention periods for these purposes are indicated in the cookie settings window, which can be opened by clicking on the “Cookie settings” button at the bottom of each web page:

Technical identifiers (e.g. IP addresses and cookie information)
However, the consent information for cookies and similar technologies (the settings you choose in the cookie settings window) will be kept for one year from the date of your choices

Example: The cookie manager stores information about your choices and certain unique information (such as your cookie choice ID) in its database. This information will remain in the database for one year.

2. The purposes of the processing, and mandatory categories of personal data

The purposes of processing your personal data are as follows:

Customer relationship and performance of services: In order to perform our service contract, to provide our service and to contact you about it, we need to process your personal data, in particular your name, contact details, payment details, correspondence and conversation memos. In addition, we process information about your title and authorisations, firstly because it is part of the contact information, and secondly because we use, for example, information about the client company’s data protection and health and safety representatives and other responsible persons as part of the content of our services (e.g. when drawing up organisational charts, guidelines, etc. for the client). We will only process information that is necessary for the purposes of the customer relationship and the provision of the service.

Of the categories of personal data listed above, name, contact details and payment details are necessary for the customer relationship. In other words, providing them is mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory information” in Part I of the Privacy Policy).

Invoicing and debt collection: Once we have provided our services, we will process your data for invoicing purposes. If an invoice is overdue, we will also process the data for the purposes of debt collection. These processing purposes include, in particular, name, contact details and payment details. These categories of data are necessary for the customer relationship. In other words, providing them is mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory data” in Part I of the Privacy Policy).

Accounting and taxation: In order to comply with our accounting and taxation obligations and our general duty of care, we process information that is required by law or otherwise complies with good practice. This includes payment information, financial information and tax information. These categories of personal data are necessary for the customer relationship. In other words, providing them is mandatory within the meaning of the GDPR (see the box ‘Sources and mandatory information’ in Part I of the privacy policy).

Risk management and protection of interests: As a commercial operator, we need to manage risk and protect our various interests:

Legal risk management: We will process your name, contact details, payment details, correspondence and chat notes, video and audio recordings (if we record video or audio calls in compliance with the law and with prior notice to you) in case a contractual dispute or other legal complications ever arise in between us.

Credit risk management: Especially if the monetary value of our contract is high, we will process financial information and tax information for risk management purposes so that we can assess our potential credit risks. These categories of personal data are necessary for the formation and management of our customer relationship. In other words, providing them is mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory information” in Part I of the Privacy Policy).

Background checks: Especially if a client is not registered in Finland or the EU/EEA, we will process name, contact details and background information in order to check whether the customer or its owners or representatives are for example subject to sanctions or are politically influential persons. These categories of personal data are necessary for formation and management of our customer relationship. Therefore, providing them is mandatory within the meaning of the GDPR (see the box “Sources and mandatory information” in Part I of the privacy policy). Providing it may also be required by law, for example if we are subject to “Know Your Customer” (KYC) or anti-money laundering laws.

Protection of intellectual property and reputation: To monitor and protect our intellectual property rights and reputation, we sometimes process social media content and similar publicly available information that may contain personal data.

Communications: If you send us a message, for example on our website or by email, we will process your personal data, in particular your name, contact details, correspondence and conversation memos, in order to receive and respond to the message.

If you wish to receive a response to your communication, the provision of your name and contact details is mandatory within the meaning of the GDPR (see the box “Sources and mandatory information” in Part I of the privacy policy). The mandatory personal data depend on the context: for example, in the case of an online contact form, which is only intended for (potential) business customers and their representatives, providing your name, business telephone number and business e-mail address is mandatory in order for us to process your inquiry.

If you book a meeting with us using the appointment calendar on our website or otherwise, we will process your name and contact details to make the appointment. In order to book the meeting, providing your name and contact details as indicated in the booking form is mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory information” in Part I of the privacy policy).

If you participate in a voice or video call with us, we will process your name and contact details in order to organise the call. If the call is recorded, we will also process video or audio recordings containing your voice and facial image. We will always inform you in advance if the call will be recorded. Where we have a legitimate interest in processing video or audio recordings (e.g. for risk management reasons), providing the personal data is mandatory within the meaning of the GDPR (see the box “Sources and mandatory information” in Part I of the privacy policy).

Marketing: As we are a company conducting business, we want to tell you about our services. We will therefore contact you from time to time through direct or other types of marketing. We will only contact you in so far as it relates to your work. In particular, we process your name, title, authorisations and contact information as well as social media content for this purpose. We will also process any direct marketing prohibitions that you may issue.

Technical functioning and security: To be able to offer you electronic (digital) services, we process technical identifiers that are essential for the functioning and security of those services. These types of personal data are mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory categories” in Part I of the privacy policy). Failure to provide information does not in itself lead to a limitation of the availability of the service, but if you prevent the provision of information, we may not be able to ensure the functionality and security of the services.

3. Legal bases for the processing

We process the personal data listed above only on lawful grounds. We justify the purposes of personal data processing listed above as follows.

Contract (Article 6(1)(b) GDPR). We justify the following purposes of processing of personal data described above on this basis:

Customer relationship and performance of services
Invoicing and debt collection
Accounting and taxation
Risk management and protection of interests (legal risk management and credit risk management, insofar as they are necessary for the performance of the contract)
Communications
Technical functioning and security (for the mandatory technical identifiers used in the electronic services relevant for the customer relationship)

Legal obligation (Article 6(1)(c) GDPR): When performing our services and invoicing for them, we are obliged to carry out certain processing of personal data as required by law. We justify the following purposes of processing of personal data described above on this basis:

Accounting and taxation (in particular with regard to the storage of invoices and receipts and other accounting obligations)
Risk management and protection of interests (in particular with regard to background checks)
Marketing (when we store direct marketing prohibitions that you may issue)

Legitimate interest (Article 6(1)(f) GDPR): Where the processing of personal data is necessary for us or for another person but cannot be justified by our contractual relationship or by the requirement of a legal obligation, we will process it on the basis of legitimate interests protected by law. We justify the following purposes for processing personal data described above on this basis:

Marketing
Communications (in particular with regard to the processing of video and audio recordings)
Risk management and protection of interests (all of the above purposes of personal data processing to manage our own operational risks insofar as the processing is not necessary for the performance of a contract or is not required by a legal obligation)
Technical functioning and security (for mandatory technical identifiers for electronic services that are not necessary for the customer relationship)

Consent (Article 6(1)(a) GDPR). We justify the following purposes of processing of personal data described above on this basis:

Technical functioning and security (for non-mandatory technical identifiers).

Prospective client (or a representative of one)

If we are approaching you as a potential client or you represent a company or organisation we are approaching, we will process your personal data as follows.

1. Categories of personal data and retention periods

We process personal data for the following processing purposes described below: Marketing and Communications. For these purposes, the following data will be kept in the prospective customer register for three years from the end of the calendar year in which the active processing ceases:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and conversation memos
Social media content

Example: You are acting as a representative of a company and we are reaching out to you for marketing purposes. We collect the personal data listed above as part of the company’s prospect file. We will call you on 10 May 2024 and record your name and contact details and the content of the conversation we had. On 30 December 2027, we will carry out a periodic erasure of personal data. At the same time, we will remove your name and contact details from the file and ensure that you cannot be identified from the remaining entries in the file added on or before 31 December 2024.

We also process personal data for the following processing purposes described below: Risk management and protecting our interests. For these purposes, the following data will be kept in the customer file for three years from the end of the calendar year in which the active processing ends:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and discussion notes
Social media content
Video and audio recordings (we will always tell you in advance if we process this information)
Financial information (e.g. business affiliations and credit risk data)
Tax information (e.g. tax records and tax debt information)
Background information (e.g. sanctions, political influence information and similar background information)

We also store personal data in the direct marketing register, where necessary, for the following processing purposes described below: Marketing. For these purposes, the following data will be stored in the direct marketing register for an indefinite period of time, unless you ask us to delete or amend the data:

Direct marketing prohibitions

Example: In the example above, we are approaching you for marketing purposes. In the phone call, you state that your company has no need for the services we offer and you wish us not to offer any additional services. We will add a note in the direct marketing register that you have opted out of our direct marketing. We will also remove your unnecessary information from our direct marketing register, but we will keep your name and contact details there so that we know that the opt-out applies to you.

Direct marketing prohibitions

Example: In the example above, we are approarching you for marketing purposes. In the phone call, you state that your company has no need for the services we offer and you wish us not to offer any further additional services. We will add to the direct marketing register that you have opted out of direct marketing of additional services. We will also remove your unnecessary information from our direct marketing register, but we will keep your name and contact details there so that we know that the opt-out applies to you.

We also process personal data for the following processing purposes described below: Technical functioning and security. The following data retention periods for these purposes are indicated in the cookie settings window, which can be opened by clicking on the “Cookie settings” button at the bottom of each web page:

Technical identifiers (e.g. IP addresses and cookie information)
However, the consent information for cookies and similar technologies (the settings you choose in the cookie settings window) will be kept for one year from the date of your choices

2. The purposes of the processing, and mandatory categories of personal data

The purposes of processing your personal data are as follows:

Marketing: As we are a company conducting business, we want to tell you about our services. We will therefore contact you from time to time through direct or other types of marketing. We will only contact you in so far as it relates to your work. In particular, we process your name, title, authorisations and contact information as well as social media content for this purpose. We will also process any direct marketing prohibitions that you may issue.

Preparation of our customer relationship: When you are about to become our customer, we process a number of personal data in preparation for the customer relationship, in particular your name, contact details, payment details, correspondence and conversation memos. In addition, we process your title and authorisations, firstly because it is part of the contact information, and secondly because we use, for example, information about your data protection and health and safety representatives and other responsible persons as part of the content of our services (e.g. when drawing up organisational charts, guidelines, etc. for the client’s use). We will only process information that is necessary for the contractual relationship and only to the extent that we have agreed.

Communications: If you send us a message, for example on our website or by email, we will process your personal data, in particular your name, contact details, correspondence and conversation memos, in order to receive and respond to the message.

Risk management and protection of interests: As a commercial operator, we need to manage risk and protect our various interests:

Legal risk management: We will process your name, contact details, payment details, correspondence and chat notes, video and audio recordings (if we record video or audio calls in compliance with the law and with prior notice to you) in case a contractual dispute or other legal complications ever arise in between us.

Credit risk management: Especially if the monetary value of our contract is high, we will process financial information and tax information for risk management purposes so that we can assess our potential credit risks. These categories of personal data are necessary for the formation and management of our customer relationship. In other words, providing them is mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory information” in Part I of the Privacy Policy).

Background checks: Especially if a client is not registered in Finland or the EU/EEA, we will process name, contact details and background information in order to check whether the customer or its owners or representatives are for example subject to sanctions or are politically influential persons. These categories of personal data are necessary for formation and management of our customer relationship. Therefore, providing them is mandatory within the meaning of the GDPR (see the box “Sources and mandatory information” in Part I of the privacy policy). Providing it may also be required by law, for example if we are subject to “Know Your Customer” (KYC) or anti-money laundering laws.

Protection of intellectual property and reputation: To monitor and protect our intellectual property rights and reputation, we sometimes process social media content and similar publicly available information that may contain personal data.

Technical functioning and security: To be able to offer you electronic (digital) services, we process technical identifiers that are essential for the functioning and security of those services. These types of personal data are mandatory within the meaning of the GDPR (see the box “Sources of personal data and mandatory categories” in Part I of the privacy policy). Failure to provide information does not in itself lead to a limitation of the availability of the service, but if you prevent the provision of information, we may not be able to ensure the functionality and security of the services.

3. Legal bases for the processing

We process the personal data listed above only on lawful grounds. We justify the purposes of personal data processing listed above as follows.

Legitimate interest (Article 6(1)(f) GDPR): Where the processing of personal data is necessary for us or for another person but cannot be justified by the preparation of our contractual relationship or by the requirement of a legal obligation, we will process it on the basis of legitimate interests protected by law. We justify the following purposes for processing personal data described above on this basis:

Marketing
Communications (in particular with regard to the processing of video and audio recordings)
Risk management and protection of interests (all of the above purposes of personal data processing to manage our own operational risks insofar as the processing is not necessary for the preparation of our contractual relationship or is not required by a legal obligation)
Technical functioning and security (for mandatory technical identifiers for electronic services that are not necessary for the customer relationship)

Preparation of a contractual relationship (Article 6(1)(b) GDPR). As you are about to become our customer (or act as a representative of one), we prepare our contractual relationship as agreed separately. We justify the following purposes of processing of personal data described above on this basis:

Preparation of our customer relationship
Risk management and protection of interests (legal risk management and credit risk management, insofar as they are necessary for the performance of the contract)
Communications
Technical functioning and security (for the mandatory technical identifiers used in the electronic services relevant for the customer relationship)

Contract (Article 6(1)(b) GDPR). You contact us and ask us to reply to your inquiry, or you book a meeting with us. We justify the following purposes of processing of personal data described above on this basis:

Communications (insofar as they are not related to the preparation of our contractual relationship)

Legal obligation (Article 6(1)(c) GDPR): When performing our services and invoicing for them, we are obliged to carry out certain processing of personal data as required by law. We justify the following purposes of processing of personal data described above on this basis:

Accounting and taxation (in particular with regard to the storage of invoices and receipts and other accounting obligations)
Risk management and protection of interests (in particular with regard to background checks)
Marketing (when we store direct marketing prohibitions that you may issue)

Consent (Article 6(1)(a) GDPR). In certain limited cases we only process your personal data with your consent. We justify the following purposes of processing of personal data described above on this basis:

Technical functioning and security (for non-mandatory technical identifiers).

User of our online services

If you use our online services, for example by visiting our website, we process your personal data as follows.

1. Categories of personal data and retention periods

We process personal data for the following processing purposes described below: Technical functioning and security. The following data retention periods for these purposes are indicated in the cookie settings window, which can be opened by clicking on the “Cookie settings” button at the bottom of each web page:

Technical identifiers (e.g. IP addresses and cookie information)
However, the consent information for cookies and similar technologies (the settings you choose in the cookie settings window) will be kept for one year from the date of your choices

We also process personal data for the following processing purposes described below: Communications and Risk management and protection of interests. For these purposes, the following data will be kept in the user register for three years from the end of the calendar year in which the active processing ceases:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and conversation memos

Example: You visit our website on 4 April 2024 and send us a message using the contact form there. You fill in the form with the personal data mentioned above. This information will be stored in our information system. On 30 December 2027, we will carry out a regular deletion of personal data. At the same time, we will delete your personal data from our information system and ensure that you cannot be identified from the remaining entries in the system that were added on or before 31 December 2024.

2. The purposes of the processing, and mandatory categories of personal data

The purposes of processing your personal data are as follows:

Technical functioning and security: In order to provide you with electronic services, in particular our website, we process certain technical identifiers electronically. These tags may be necessary or non-necessary. This information includes, but is not limited to, IP address, information obtained through cookies and other analytics data. We explain these in more detail above (see the box “Cookies and Analytics” in Part I of the privacy policy).

Necessary technical identifiers are essential for the functioning and security of electronic services. In other words, providing them is in principle mandatory within the meaning of the GDPR (see the box “Sources and mandatory information” in Part I of the privacy policy). Failure to provide information does not in itself lead to a limitation of the availability of the service, but if you prevent the provision of information, we may not be able to ensure the functioning and security of the services.

Marketing: As we are a company conducting business, we want to tell you about our services. We will therefore contact you from time to time through direct or other types of marketing. We will only contact you in so far as it relates to your work. In such cases, we will process your personal data as described above in the box “Customer prospect or representative”.

Risk management and protection of interests: As a commercial operator, we need to manage risk and protect our various interests:

Protection of intellectual property and reputation: To monitor and protect our intellectual property rights and reputation, we sometimes process social media content and similar publicly available information that may contain personal data.

3. Legal bases for the processing

We process the personal data listed above only on lawful grounds. We justify the purposes of personal data processing listed above as follows.

Legitimate interest (Article 6(1)(f) GDPR): Where the processing of personal data is necessary for us or for another person, we will process it on the basis of legitimate interests. We justify the following purposes for processing personal data described above on this basis:

Technical functioning and security (for mandatory technical identifiers)
Risk management and protection of interests (for protecting our intellectual property rights and reputation)
Marketing

Contract (Article 6(1)(b) GDPR). You contact us on our website and ask us to reply to your inquiry, or you book a meeting with us. We justify the following purposes of processing of personal data described above on this basis:

Communications

Technical functioning and security (for non-mandatory technical identifiers).

Social media user

If you use our social media services, for example by visiting our social media pages, we process your personal data as follows.

1. Categories of personal data and retention periods

We process personal data for the following processing purposes described below: Communications and Marketing. For these purposes, the following data will be kept in the user register for a maximum of three years from the end of the calendar year in which the active processing ceases:

Name
Title and authorisations
Contact details (postal address, telephone number and e-mail address)
Correspondence and conversation memos
Social media content

Example: you visit our social media page on 4 April 2024 and send us a message there. Your profile information will be stored in our social media information system. On 30 December 2027, we will carry out a regular deletion of personal data. At the same time, we will delete your personal data from our information system and ensure that you cannot be identified from the remaining entries added on or before 31 December 2024.

Example: We use social media features to help us find customer contacts. Before we start reaching out to you as a customer prospect (see box above), we collect personal data from the service in our client prospect contact list. We will remove your data from the list by 30 December 2027 at the latest if we have not started processing your data as a prospective client before then.

Example: We organise a raffle on our social media page. We will store your contact details in the user register for the purpose of conducting the raffle. We will delete your data after the prize draw has taken place.

2. The purposes of the processing, and mandatory categories of personal data

The purposes of processing your personal data are as follows:

Communications: If you send us a message on our social media page, we will process your personal data, in particular your name, contact details, correspondence and conversation memos, in order to receive and respond to the message.

Marketing: As we are a company conducting business, we want to tell you about our services. We will therefore contact you from time to time through direct or other types of marketing. We will only contact you in so far as it relates to your work. In such cases, we will process your personal data as described above in the box “Customer prospect or representative”.

Risk management and protection of interests: As a commercial operator, we need to manage risk and protect our various interests:

Protection of intellectual property and reputation: To monitor and protect our intellectual property rights and reputation, we sometimes process social media content and similar publicly available information that may contain personal data.

3. Legal bases for the processing

We process the personal data listed above only on lawful grounds. We justify the purposes of personal data processing listed above as follows.

Risk management and protection of interests (for protecting our intellectual property rights and reputation)
Marketing

Contract (Article 6(1)(b) GDPR). You contact us on our social media page and ask us to reply to your inquiry. We justify the following purposes of processing of personal data described above on this basis:

Communications

Privacy policy

The contents of the privacy policy

The structure of the privacy policy

PART I. General

PART II. Processing your personal data in different scenarios

3. Legal bases for the processing

3. Legal bases for the processing

3. Legal bases for the processing

3. Legal bases for the processing

Book a no-risk meeting free of charge

Email: info@varoen.com

Direct contact details

Privacy policy

Our services

Company

News