Website Privacy Policy
Fishheart Oy Ltd.
This Website Privacy Notice explains how Fishheart Oy Ltd. processes personal data in connection with the use of its website and online store. For a broader description of how Fishheart Oy Ltd. processes personal data in its overall operations, services, and customer relationships, please refer to our General Privacy Policy.
Prepared: 10 June 2025
Last updated: 19 December 2025
1. Controller
Fishheart Oy Ltd.
Yrittäjäntie 26
94450 Keminmaa
Finland
Business ID: 2746831-6
2. Contact person for register matters
If you have any questions or concerns about this privacy policy or our use of your personal data, please contact
Samuli Ukkola
samuli[at]fishheart.com
+358 405 880 394
3. Name of the register
Website & Online Store Customer Register
4. Purpose and legal basis for processing personal data
Personal data is processed for the following purposes:
- Processing and delivering online store orders
- Customer communication related to orders
- Invoicing and accounting
- Managing customer relationships
- Marketing communications (e.g., annual customer newsletter)
- Website analytics and service development
The legal bases for processing personal data under the EU General Data Protection Regulation (GDPR) are:
- Performance of a contract (GDPR Art. 6(1)(b)) – for processing orders, deliveries, and invoicing
- Legal obligation (GDPR Art. 6(1)(c)) – for accounting and statutory requirements
- Legitimate interest (GDPR Art. 6(1)(f)) – for customer relationship management, marketing communications, and improving our website and services
- Consent (GDPR Art. 6(1)(a)) – for analytics cookies
5. Data content of the register
The following personal data may be processed in the register:
Online store customers
- Name
- Company name (if applicable)
- Postal address
- Email address
- Phone number
- Order and invoicing details
- Marketing communications status
Website analytics (via cookies)
- Device and browser type
- Operating system and screen resolution
- Anonymized IP address and approximate location (city/region level)
- Website usage data (visited pages, session duration, interactions)
Analytics data is not used to identify individual users but to generate aggregated statistics.
6. Regular sources of information
Personal data is obtained:
- directly from the data subject when placing an order in the online store
- automatically through cookies, based on the user’s consent given through the cookie banner.
7. Regular disclosures of data and transfer of data outside the EU or EEA
Personal data is not regularly disclosed to third parties. Data may be processed by trusted service providers (e.g. hosting or analytics providers) acting on behalf of Fishheart Oy Ltd. under data processing agreements.
In connection with Google Analytics 4, certain technical data may be transferred to Google LLC, which may process data on servers located outside the EU/EEA, including the United States. Such transfers are based on the EU–US Data Privacy Framework or on Standard Contractual Clauses approved by the European Commission, which provide appropriate safeguards for the protection of personal data.
8. Principles of register protection
The processing of the register is carried out with due care, and the data processed by means of information systems is properly protected. When register data is stored on Internet servers, the physical and digital data security of their hardware is ensured appropriately. The controller ensures that stored data, as well as server access rights and other information critical to the security of personal data, are handled confidentially and only by those employees whose job description includes it.
9. Retention of personal data
Personal data is retained only for as long as necessary for the purposes described above:
- Online store customer data: retained in accordance with contractual and accounting obligations (generally up to 5 years).
- Website analytics data: retained for a maximum of 12 months.
- Marketing communications data: retained until the recipient objects or opts out.
After the retention period, personal data is securely deleted or anonymized.
10. Right of access and right to request correction
Data subjects have the right to check their personal data stored in the register and to demand the correction of any inaccurate information or the completion of incomplete information. If a person wishes to check their stored data or demand a correction, the request must be sent to the controller by email. The controller may, if necessary, ask the requester to prove their identity. The controller will respond to the request within the timeframe set by the EU Data Protection Regulation (generally within one month).
11. Other rights related to the processing of personal data
Data subjects have the right to request the deletion of their personal data from the register ("right to be forgotten"). Likewise, data subjects have other rights under the EU General Data Protection Regulation, such as the restriction of personal data processing in certain situations. Requests must be sent to the controller by email. The controller may, if necessary, ask the requester to prove their identity. The controller will respond to the request within the timeframe set by the EU Data Protection Regulation (generally within one month).
Data subjects have the right to withdraw their consent to analytics cookies at any time, for example through the cookie settings available on our website.
Data subjects also have the right to object at any time to the processing of their personal data for direct marketing purposes.