Privacy policy

 

Register Description

We take data protection seriously. We take excellent care of any information we collect or receive about our customers. We also enable customers to access their own data and request to be forgotten.

By using the Turku Fan Club online store, the customer accepts the methods of data collection and processing described in this privacy policy. This consent is confirmed and recorded in our system during checkout (contract), when creating/using a customer account (consent), or in connection with any other similar data collection action.

We store and maintain three types of data: data observed from the use of online services, data provided by the user themselves, and data derived through analytics.

Last updated: 30 June 2024.

Short version

We do not misuse your personal data, and we do not spam.

 

Full Version

TURKU FAN CLUB CUSTOMER REGISTER PRIVACY STATEMENT

 

1. Data Controller

Data controller: Turku Fan Club 
Asiakas on Kuningas Oy

Business ID: 2854936-1

Email: aura@turkufanclub.com

 

2. Name of the Register

The name of the register is the Turku Fan Club customer register.

 

3. Purpose of Processing Personal Data

In practice, the source of information is the user or customer of the website. Personal data is processed for purposes related to managing, administering, and developing the customer relationship, offering and delivering services, improving services, and handling billing. Personal data is also used for managing complaints and resolving related claims.

Additionally, personal data is used in customer communications, such as for information and news, as well as for marketing. This includes both direct and electronic marketing purposes.

Customers have the right to opt out of direct marketing. The data controller processes the data and may also use subcontractors to process personal data on behalf of and for the benefit of the data controller.

4. Legal Basis for Processing

The legal bases for processing personal data are as follows, in accordance with the General Data Protection Regulation of the EU (hereinafter also "GDPR"):

  1. The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
  2. Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
  3. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Article 6(1)(f)).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which arises from the fact that the data subject is a customer of the controller. The processing is carried out for purposes which the data subject could reasonably expect at the time of the collection of personal data and within the context of this relevant relationship.

 

5. Register Data Content (Categories of Personal Data Processed)

What data does Turku Fan Club collect and store?

  1. Information provided by the user:
    • Identification details, such as name
    • Contact information, such as phone number, email address, and postal address
    • Payment information, such as billing details and payment method data
    • Location data used for service localization (currencies, delivery options)
    • Product reviews
    • Permissions or refusals for direct marketing
    • Wishlist items
  2. Information observed from service usage:
    • Delivery details, such as shipping address and chosen payment method
    • Purchase history, such as ordered products, returns, and payments
    • Browsing and usage data from the online store
    • Device identification data
    • E-commerce session events, such as cart additions
  3. Information derived via analytics:
    • Product recommendations based on browsing and purchase behavior
    • Customer segmentation and interests derived from purchase data
    • Size preferences inferred from purchase data to offer sizing recommendations

6. Regular Sources of Data and Cookies

Personal data is collected directly from the data subject.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources relevant to the customer relationship between the controller and the data subject. These sources help the controller fulfill its obligations related to maintaining customer relationships.

The Turku Fan Club website uses cookies. Our site sends a cookie—a small text file—to your browser, which is stored on your computer's hard drive. We use both temporary session cookies, which are deleted when you close your browser, and persistent cookies, which remain stored on your hard drive. Cookies allow us to recognize your browser and use the information obtained for purposes such as tracking the number of visitors to our site and analyzing website usage, including statistical monitoring. Cookies also help us provide you with services and products based on what you have previously viewed on our site. They allow us to better understand user interests and improve our website—such as search functionality, content arrangement, and information accessibility.

Your browser likely accepts cookies by default, but you can change your browser settings at any time to disable cookies. If you prefer, you can block cookies altogether by modifying your browser settings. Please note, however, that disabling cookies may impact the functionality of our services and prevent certain features from working properly.

Advertising cookies help us display the most relevant and interesting ads, products, and search results for you. They also prevent repetitive ad displays. Some third-party services may use cookies or web beacons (1-pixel image files) to show you ads tailored to your interests when you visit other websites. Information collected via cookies and web beacons does not include personal identifiers such as your name or contact details.

Our website may also use technology to measure ad performance. For this purpose, we may include a 1-pixel tracker on our site to collect anonymous data. Based on this anonymous data from visits to the Turku Fan Club website and other sites, advertisers can design ads for products and services that may interest you.

Turku Fan Club's website also uses the Google AdWords cookie to target advertising through user lists on the Google advertising network. The user cannot be identified based on the data associated with this cookie. You can opt out of Google AdWords remarketing based on user lists at: www.google.com/settings/ads

For more information about interest-based advertising and managing your preferences, visit the Your Online Choices website.

7. Retention Period of Personal Data

The data collected in the register is stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

We retain data for the period required to fulfill the purposes stated in this privacy notice. If a customer account is deemed inactive, we will delete the personal data associated with it no later than five years after the last activity. Some data may be retained for a longer period if required by law—for example, accounting records are stored for six years after the end of the financial year.

The data controller regularly assesses the necessity of storing data in accordance with its internal policies. Additionally, the controller will take all reasonable steps to ensure that inaccurate, incorrect, or outdated personal data is deleted or corrected without delay.

 

8. Recipients (or Categories of Recipients) of Personal Data and Regular Disclosures

In some cases, we may need to transfer data to third parties for purposes such as storage, analytics, or marketing. We only use trusted partners for these purposes, with whom we have comprehensive data protection and data processing agreements. These agreements ALWAYS comply with applicable legislation and the requirements of the EU General Data Protection Regulation (GDPR).

Only the information necessary for providing the service is shared with each partner, and these service providers are not allowed to use your data for any purpose other than the provision of the agreed service. All data transfers are carried out over encrypted connections.

We ensure that all our service providers comply with data protection legislation. We regularly use the following service providers:

  • Posti
  • Matkahuolto
  • Vipps MobilePay (collects the IP address, payment method, and time of transaction)
  • Klarna (collects the IP address, payment method, and time of transaction)
  • Meta (manages Facebook ad preferences)
  • Unifaun
  • Google (e.g., Analytics)

     

9. Transfer of Data Outside the EU or EEA

We conduct online marketing and advertising using services provided by, for example, Google and Meta. These companies do not receive personal data from us, and the marketing is not direct marketing. However, personal data is protected in accordance with data protection laws. Online marketing is based on cookies collected by your browser, as described in the section on cookies. 

Google and Meta are U.S.-based companies, which means that personal data may be transferred outside the European Union. These companies are certified under the EU-U.S. Privacy Shield Framework and comply with the EU General Data Protection Regulation. 

 

10. Principles of Register Protection

Materials containing personal data are stored in locked premises accessible only to designated persons authorized to access the data due to their duties.

The database containing personal data is located on a server that is kept in a locked space accessible only to designated persons authorized to access it due to their duties. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is granted only through individually assigned usernames and passwords. The data controller has restricted access and permissions in systems and other storage platforms so that only individuals who need the data for lawful processing may access and process it. All access events are logged in the controller’s IT system.

Employees and other persons acting on behalf of the controller are bound by confidentiality obligations and must keep all personal data obtained during processing confidential.

11. Rights of the Data Subject

Under the EU General Data Protection Regulation, data subjects have the following rights:

  1. Right of access to confirm whether personal data concerning them is being processed and, if so, to access that data and receive information about: (i) the purposes of processing; (ii) the categories of personal data; (iii) recipients or categories of recipients to whom the data has been or will be disclosed; (iv) where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request correction or erasure of personal data, or restriction of processing, or to object to processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the data is not collected from the data subject, any available information as to its source (Article 15 GDPR). These details (i–vii) are provided in this document.
  2. Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Article 7 GDPR);
  3. Right to rectification, meaning the right to have inaccurate or incorrect personal data corrected without undue delay and the right to have incomplete personal data completed (Article 16 GDPR);
  4. Right to erasure, i.e., to have personal data deleted without undue delay, under certain conditions, such as: (i) data is no longer necessary for the purposes for which it was collected; (ii) consent is withdrawn and there is no other legal ground for processing; (iii) the data subject objects and there is no overriding legitimate interest; (iv) the data was processed unlawfully; or (v) the data must be erased to comply with legal obligations (Article 17 GDPR);
  5. Right to restriction of processing, for example: (i) if the accuracy of the data is contested; (ii) processing is unlawful but the data subject opposes erasure; (iii) the data is no longer needed for processing but is required by the data subject for legal claims; or (iv) the data subject has objected pending verification of legitimate grounds (Article 18 GDPR);
  6. Right to data portability, meaning the right to receive personal data in a structured, commonly used, and machine-readable format and to transfer that data to another controller where processing is based on consent and carried out by automated means (Article 20 GDPR);
  7. Right to lodge a complaint with a supervisory authority if the data subject believes that the processing of personal data violates the GDPR (Article 77 GDPR).

Requests concerning the exercise of these rights should be addressed to the contact person mentioned in Section 1.
