Cairn's Point Privacy Notice
Last Updated: 20-11-2025
Cookie & Data Processing Notice
This website uses cookies and tracking technologies, including Google Analytics and Google Ads conversion tracking. We also use third-party services (Resend for email delivery and Neon Postgres for database storage) to process your data. You can manage your cookie preferences at any time.
Cairn's Point Finland (hereinafter “CPF”) is committed to protecting your privacy. With this Privacy Notice we explain to you how and why we collect, use, and protect any Personal Data obtained from you when you use our website and Services. CPF is committed to transparency and compliance related to data protection regulations, which primarily focuses on the General Data Protection Regulation of the European Union (EU) 2016/679 (hereinafter the “GDPR”). This Privacy Notice outlines our data processing practices along with your rights regarding your personal information that is processed by CPF.
We process your Personal Data for the following purposes during our business activities:
* Improving our Services
* Client relationships
* Business partner relationships
* Marketing
* Recruiting
* Communication
* Legal obligations
* Cookies
1. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
The Controller of your Personal Data is Finnish limited liability company with the name of Number Go Up Technologies LLC (Finnish Business ID: 3490835-9), with its primary place of business being at c/o Number Go Up Technologies Oy, Kuusitie 2 B 88, 00270 Helsinki, Finland.
The Controller of your Personal Data can be contacted at info@cairnspoint.com and +358 46 801 0795.
2. WHAT DEFINITIONS ARE USED IN THIS PRIVACY NOTICE?
Controller is the party that is in charge of the processing activities connected to Personal Data.
Data Subject refers to a human being in accordance with data protection laws.
GDPR is the European General Data Protection Regulation ((EU) 2016/679), which is the primary applicable law that this Privacy Notice is based upon.
Legal Basis for processing means the legal basis with which the Controller processes Personal Data of a Data Subject. The lawfulness of processing is described in Article 6 of the GDPR.
Personal Data means any data directly concerning a Data Subject or any other data by which a Data Subject can be identified with.
Privacy Notice refers to this document, which has been drawn up in accordance with Articles 13 and 14 of the GDPR, through which the Controller (i.e. CPF) informs the Data Subjects (e.g. you) of the ways their Personal Data is being processed.
Processor means a party that processes Personal Data for and/or on behalf of the Controller.
Purpose for processing means the reason why the Controller processes Personal Data of a Data Subject.
Services refers to the services, features, and functionalities provided by CPFthrough its website that are available for purchase or use by clients. These Services are designed to fulfill specific needs as outlined on our website and may be subject to updates and/or improvements.
3. WHY DO WE PROCESS YOUR PERSONAL DATA?
CPFprocesses your Personal Data for various general business purposes, as outlined below. In each section, you will find information on the types of Personal Data we process and the Legal Basis for this processing.
3.1. Improving Our Services
Why: We process Personal Data to analyse and enhance the functionality, performance, and usability of CPF’s Services. This may include user interaction data, feedback, and usage patterns to help us refine and improve the overall user experience and optimize service offerings.
Legal Basis: This processing is based on CPF’s legitimate interest in continuously improving its Services and increasing user satisfaction.
Note: You have the right to object to the processing of your Personal Data for Service improvement purposes. For more details, see the section on your rights found further below.
3.2. Client Relationships
Why: We process Personal Data provided by our clients to manage and fulfill client relationships. This includes contact details, information related to Service use, and any other data disclosed to us as part of the client relationship.
Legal Basis: The processing of this data is necessary to fulfill our contractual obligations with our clients.
3.3. Business Partner Relationships
Why: We process the Personal Data of our current and potential business partners to manage and build business relationships. This includes contact details, information related to the business relationship, and any other data provided to us.
Legal Basis: This processing is necessary to fulfill our contractual obligations with business partners.
3.4. Marketing
Why: We process the Personal Data of clients and potential clients to inform them about CPF’s products, Services, and other potential offers. This includes contact details, information relevant to the relationship, and other data disclosed to us.
Legal Basis: We process this Personal Data based on our legitimate interest in developing and growing client relationships and our business activities.
Note: You have the right to object to the processing of your Personal Data for marketing purposes. For more details, see the section on your rights found further below.
3.5. Recruiting
Why: We process the Personal Data of job applicants for recruitment purposes. This includes contact details, CV information, and any additional information disclosed, such as images, videos, or other materials provided by applicants.
Legal Basis: This processing is based on our legitimate interest in managing job applications and recruitment processes.
Note: You have the right to object to the processing of your personal data for recruiting purposes. For more details, see the section on your rights found further below.
3.6. Communications
Why: We process the Personal Data of individuals who contact us for purposes of communication. This includes contact details, and any other data shared with us in the course of communication.
Legal Basis: Processing is based on our legitimate interest in managing communications with clients, partners, and other individuals.
Note: You have the right to object to the processing of your Personal Data for communication purposes. For more details, see the section on your rights found further below.
3.7. Legal Obligations
Why: We process Personal Data to comply with our legal obligations as required by applicable laws. This may include data processing across different categories, as legally mandated.
Legal Basis: Processing is necessary to fulfill our legal obligations.
3.8. Cookies and Analytics
Why: We use cookies and similar tracking technologies to improve user experience, monitor website traffic, analyse trends, and measure the effectiveness of our marketing campaigns. Specifically, we use:
Google Analytics and Google Ads Conversion Tracking: We have implemented Google Analytics and Google Ads conversion tracking to collect and analyse data about how visitors interact with our website. This includes:
* IP addresses (anonymized where possible)
* Browser type and version
* Device information (device type, operating system)
* Pages visited and time spent on each page
* Referral sources (where visitors came from)
* User interactions and behavior patterns
* Conversion events (e.g., form submissions, contact requests)
* Geographic location (country/city level)
Data Processor: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data Transfers: Personal Data collected through Google Analytics and Google Ads may be transferred to and processed in the United States and other countries where Google operates. Google is certified under the EU-U.S. Data Privacy Framework, and we have implemented Standard Contractual Clauses (SCCs) to ensure adequate protection of your data.
Retention Period: Google Analytics user-level data is retained for up to 14 months; aggregated data may be retained longer. Cookie identifiers may be stored for varying periods depending on the cookie type. You can learn more about Google's privacy practices at: https://policies.google.com/privacy
Your Choices: When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or reject analytics and marketing cookies. You can change your cookie preferences at any time by clearing your browser's local storage and revisiting our website. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on available at: https://tools.google.com/dlpage/gaoptout
Legal Basis: For analytics and marketing cookies, processing is based on your explicit consent obtained through our cookie consent banner. For strictly necessary cookies required for website functionality, processing is based on our legitimate interest in operating our website. You may withdraw your consent at any time.
4. FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?
CPFcollects Personal Data from several sources to deliver, improve, and support our Services effectively. We are committed to collecting your data responsibly and transparently. Below is an overview of the primary sources from which we may obtain your Personal Data:
4.1. Directly from you
Business partner relationships: Information provided during communication and collaboration with current or potential business partners.
Client relationships: During interactions as part of client relationship management, such as account preferences, Service usage, and feedback.
Recruiting: Information collected when you apply for a job, including details shared on resumes, CVs, and other application materials.
Communications: Information shared through inquiries, support requests, and other interactions.
4.2. Through our Services and platform(s)
Service usage data: We collect data generated as you interact with our Services and platform(s). This may include usage patterns, interaction logs, and other data that help us improve the functionality and performance of our Services and/or platform(s).
Cookies and similar technologies: We use cookies, IP address tracking, and other web technologies to understand website traffic, enhance user experience, and improve Service functionality. Specifically, we use Google Analytics and Google Ads conversion tracking to collect information about your visit, including pages viewed, time spent on the site, browser information, device information, and referring website.
4.3. From third-parties and public sources
Marketing and analytics partners: We may receive data from third-party partners to support our marketing efforts and improve our understanding of Service usage patterns. These partners operate under similar data protection guidelines aligned with this Privacy Notice.
Publicly available information: In some cases, we may collect information from publicly accessible sources, such as professional profiles, for purposes related to recruiting or business partnerships.
5. DO WE TRANSFER YOUR PERSONAL DATA?
As part of our regular business operations, CPFmay transfer your Personal Data to third-parties, including data storage providers, Service integration partners, and other relevant communication platforms. We are committed to ensuring that these transfers are conducted securely and in compliance with applicable data protection laws.
Therefore, every transfer is assessed for data security, and we require third parties to uphold high data protection standards through adequate agreements and safeguards.
5.1. Transfers to third-party service providers
We may share your Personal Data with trusted third-party providers (data processors) who support our business functions, such as:
Analytics and advertising services: We use Google Analytics and Google Ads (Google LLC) to analyse website traffic, measure campaign effectiveness, and improve our Services. Google processes your Personal Data on our behalf in accordance with their privacy policy and data processing agreements.
Email delivery services: We use Resend, Inc. (via AWS infrastructure in the United States) to send newsletters and transactional emails. Resend processes email addresses and names on our behalf. Email delivery logs are retained by Resend for 30 days.
Database storage and hosting: We use Neon, Inc. (via AWS data centres in the EU and US) to securely store email addresses, subscription preferences, and contact form submissions. All data is encrypted at rest and in transit. Neon acts as a data processor, storing data on our behalf.
Accounting and auditing services: For compliance with our financial and regulatory obligations.
Authorities: Where required by law or in response to valid legal requests.
Business partners: For facilitating client relationships, partnerships, and other collaborative purposes.
Communication platforms: To enable seamless interaction and support services.
5.2. Transfers to third countries
In some cases, CPFmay transfer Personal Data to service providers or partners located in countries outside the European Economic Area (EEA).
Google Analytics and Google Ads: Personal Data collected through Google Analytics and Google Ads is transferred to and processed by Google LLC in the United States and globally where Google maintains data processing facilities. Google is certified under the EU-U.S. Data Privacy Framework.
Resend: Email data is processed through Resend, Inc. using AWS infrastructure in the United States. Standard Contractual Clauses (SCCs) and appropriate technical safeguards are in place.
Neon Postgres: Database storage is provided through Neon, Inc. using AWS data centres in both the EU and US. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) and encryption.
When we transfer Personal Data outside the EEA, we ensure an adequate level of data protection through measures such as:
Standard Contractual Clauses (SCCs): Approved by the European Commission to ensure data protection when transferring Personal Data outside the EEA.
EU-U.S. Data Privacy Framework: For transfers to certified organizations in the United States.
Other appropriate safeguards: Such as data processing agreements (DPAs), supplementary technical measures, and compliance monitoring to secure the transferred data.
6. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
The retention period for your Personal Data depends on the purpose for which we process it. We periodically review the necessity of the Personal Data we retain and document our retention practices in line with data protection regulations, such as the GDPR.
6.1. Improving our Services
We retain Personal Data related to the analysis and improvement of our Services for as long as necessary to achieve Service enhancements, refine user experience, and optimize our offerings. This data may include aggregated or anonymized data to support ongoing improvements, in which case it can no longer be used to identify individual users, and is thus no longer considered Personal Data.
6.2. Client relationships
We retain Personal Data for as long as is necessary to maintain and support the client relationship. This retention period takes into account our field of business and the duration of the client relationship.
6.3. Business partner relationships
We retain Personal Data of our business partners and potential business partners for as long as is necessary to support and manage our business partnerships, considering the needs of our industry and our ongoing relationships.
6.4. Marketing and newsletter subscriptions
We retain Personal Data for marketing purposes and newsletter subscriptions until you notify us that you no longer wish to receive communications (i.e. you opt out or unsubscribe) or when we determine that you no longer wish to receive such communications based on inactivity or other indications. Your email address and subscription preferences are stored in our Neon Postgres database and deleted upon your request. Email delivery logs maintained by Resend are automatically deleted after 30 days.
6.5. Recruiting
We retain the Personal Data of job applicants for a maximum of twelve (12) months from the date of receiving the job application or from the closing date of the relevant job posting. This allows us to consider applicants for future roles while respecting data retention limitations.
6.6. Communications
We retain Personal Data related to communications with individuals for three (3) years from the date of the last contact. For information shared on our social media channels, we retain this data until the individual removes their information from the respective platform.
6.7. Legal obligations
We retain Personal Data for as long as required to comply with applicable legal obligations. This period varies depending on the specific legal requirements and retention obligations in place.
6.8. Cookies and Analytics
The retention period for cookies varies based on the type and purpose of each cookie used on our website:
Google Analytics cookies: User-level data collected through Google Analytics is retained for up to 14 months from your last interaction with our website. Aggregated data may be retained longer. Individual cookie identifiers may expire sooner depending on the specific cookie type.
Google Ads cookies: Conversion tracking cookies and related identifiers are retained according to Google's retention policies, typically for varying periods based on the cookie's purpose (ranging from session-based to up to 2 years).
Newsletter and contact data: Email addresses and related information stored in our Neon Postgres database are retained until you unsubscribe or request deletion. Email delivery logs in Resend are retained for 30 days.
Consent cookies: Your cookie consent preferences are stored locally in your browser's storage and persist until you clear your browser data or change your preferences.
You can delete cookies at any time through your browser settings. For more information about managing cookies, please visit your browser's help documentation.
7. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?
Under the GDPR, you have the following rights regarding your Personal Data. To exercise these rights, please contact us using the details provided in this Privacy Notice. We will take steps to verify your identity before processing any requests to ensure your data is protected.
7.1. Your data protection rights
Right to access (Article 15 of the GDPR): You have the right to request access to the Personal Data we hold about you, including information on how we process your data.
Right to rectification (Article 16 of the GDPR): If any of the Personal Data we hold about you is incorrect or incomplete, you have the right to request that we correct or complete it.
Right to erasure (Article 17 of the GDPR): In certain circumstances, you may request the deletion of your Personal Data. This right, often known as the “right to be forgotten,” applies where, for example, the Personal Data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other legal basis left for legitimizing processing.
Right to restriction of processing (Article 18 of the GDPR): You may ask us to restrict the processing of your Personal Data in certain situations, such as if you contest the accuracy of the data or object to the processing.
Right to data portability (Article 20 of the GDPR): If we process your Personal Data based on your consent or a contract and the processing is automated, you have the right to request a copy of your data in a structured, commonly used, and machine-readable format. You may also request that we transfer this Personal Data to another data Controller, where this sort of transfer is technically feasible.
Right to object (Article 21 of the GDPR): You have the right to object to our processing of your Personal Data if the processing is based on our legitimate interests or is for direct marketing purposes. For marketing, this means you can opt out at any time to stop receiving communications.
Right to object to automated decision-making – including profiling (Article 22 of the GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects you. This right applies if such decisions produce legal effects or similarly significant consequences for you.
Right to withdraw consent If we process your Personal Data based on your consent, you have the right to withdraw this consent at any time. Withdrawing consent does not affect the lawfulness of processing conducted prior to your consent’s withdrawal.
7.2. Region-Specific rights
California, USA: CPFcomplies with the California Consumer Privacy Act (CCPA). California residents have the right to know, delete, and correct their information.
Brazil: In compliance with LGPD, residents have the right to anonymization and to access information shared with public and private entities.
China: We adhere to the Personal Information Protection Law (PIPL) and ensure data transfers meet local legal standards.
7.3. How to exercise your rights
If you would like to exercise any of your rights or have questions about data protection at CPF, please contact us via email (see contact information in Section 1 of this Privacy Notice). We will respond to your request in accordance with applicable data protection laws.
7.4. Right to Lodge a Complaint
If you believe that the processing of your Personal Data infringes data protection laws, you also have the right to lodge a complaint with a supervisory authority, such as the Office of the Finnish Data Protection Ombudsman at: https://tietosuoja.fi/en/home.
8. CAN THIS PRIVACY NOTICE BE AMENDED?
CPFmay amend this Privacy Notice as needed to reflect changes in our practices, Services, legal obligations, or applicable data protection laws, including the GDPR. Amendments to this Privacy Notice will take effect immediately upon posting the updated version on our website, unless stated otherwise.
If we make significant changes to the Privacy Notice or implement new ways of processing Personal Data that could materially affect your rights or the way we handle your Personal Data, we will notify you directly where possible. This may include email notification or announcements on our website, ensuring you stay informed about how we handle your Personal Data.
We encourage you to periodically review this Privacy Notice to stay updated on any changes. Your continued use of our website and/or Services after an update signifies your acknowledgement and acceptance of the amended/updated Privacy Notice.
We process your Personal Data for the following purposes during our business activities:
* Improving our Services
* Client relationships
* Business partner relationships
* Marketing
* Recruiting
* Communication
* Legal obligations
* Cookies
1. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?
The Controller of your Personal Data is Finnish limited liability company with the name of Number Go Up Technologies LLC (Finnish Business ID: 3490835-9), with its primary place of business being at c/o Number Go Up Technologies Oy, Kuusitie 2 B 88, 00270 Helsinki, Finland.
The Controller of your Personal Data can be contacted at info@cairnspoint.com and +358 46 801 0795.
2. WHAT DEFINITIONS ARE USED IN THIS PRIVACY NOTICE?
Controller is the party that is in charge of the processing activities connected to Personal Data.
Data Subject refers to a human being in accordance with data protection laws.
GDPR is the European General Data Protection Regulation ((EU) 2016/679), which is the primary applicable law that this Privacy Notice is based upon.
Legal Basis for processing means the legal basis with which the Controller processes Personal Data of a Data Subject. The lawfulness of processing is described in Article 6 of the GDPR.
Personal Data means any data directly concerning a Data Subject or any other data by which a Data Subject can be identified with.
Privacy Notice refers to this document, which has been drawn up in accordance with Articles 13 and 14 of the GDPR, through which the Controller (i.e. CPF) informs the Data Subjects (e.g. you) of the ways their Personal Data is being processed.
Processor means a party that processes Personal Data for and/or on behalf of the Controller.
Purpose for processing means the reason why the Controller processes Personal Data of a Data Subject.
Services refers to the services, features, and functionalities provided by CPFthrough its website that are available for purchase or use by clients. These Services are designed to fulfill specific needs as outlined on our website and may be subject to updates and/or improvements.
3. WHY DO WE PROCESS YOUR PERSONAL DATA?
CPFprocesses your Personal Data for various general business purposes, as outlined below. In each section, you will find information on the types of Personal Data we process and the Legal Basis for this processing.
3.1. Improving Our Services
Why: We process Personal Data to analyse and enhance the functionality, performance, and usability of CPF’s Services. This may include user interaction data, feedback, and usage patterns to help us refine and improve the overall user experience and optimize service offerings.
Legal Basis: This processing is based on CPF’s legitimate interest in continuously improving its Services and increasing user satisfaction.
Note: You have the right to object to the processing of your Personal Data for Service improvement purposes. For more details, see the section on your rights found further below.
3.2. Client Relationships
Why: We process Personal Data provided by our clients to manage and fulfill client relationships. This includes contact details, information related to Service use, and any other data disclosed to us as part of the client relationship.
Legal Basis: The processing of this data is necessary to fulfill our contractual obligations with our clients.
3.3. Business Partner Relationships
Why: We process the Personal Data of our current and potential business partners to manage and build business relationships. This includes contact details, information related to the business relationship, and any other data provided to us.
Legal Basis: This processing is necessary to fulfill our contractual obligations with business partners.
3.4. Marketing
Why: We process the Personal Data of clients and potential clients to inform them about CPF’s products, Services, and other potential offers. This includes contact details, information relevant to the relationship, and other data disclosed to us.
Legal Basis: We process this Personal Data based on our legitimate interest in developing and growing client relationships and our business activities.
Note: You have the right to object to the processing of your Personal Data for marketing purposes. For more details, see the section on your rights found further below.
3.5. Recruiting
Why: We process the Personal Data of job applicants for recruitment purposes. This includes contact details, CV information, and any additional information disclosed, such as images, videos, or other materials provided by applicants.
Legal Basis: This processing is based on our legitimate interest in managing job applications and recruitment processes.
Note: You have the right to object to the processing of your personal data for recruiting purposes. For more details, see the section on your rights found further below.
3.6. Communications
Why: We process the Personal Data of individuals who contact us for purposes of communication. This includes contact details, and any other data shared with us in the course of communication.
Legal Basis: Processing is based on our legitimate interest in managing communications with clients, partners, and other individuals.
Note: You have the right to object to the processing of your Personal Data for communication purposes. For more details, see the section on your rights found further below.
3.7. Legal Obligations
Why: We process Personal Data to comply with our legal obligations as required by applicable laws. This may include data processing across different categories, as legally mandated.
Legal Basis: Processing is necessary to fulfill our legal obligations.
3.8. Cookies and Analytics
Why: We use cookies and similar tracking technologies to improve user experience, monitor website traffic, analyse trends, and measure the effectiveness of our marketing campaigns. Specifically, we use:
Google Analytics and Google Ads Conversion Tracking: We have implemented Google Analytics and Google Ads conversion tracking to collect and analyse data about how visitors interact with our website. This includes:
* IP addresses (anonymized where possible)
* Browser type and version
* Device information (device type, operating system)
* Pages visited and time spent on each page
* Referral sources (where visitors came from)
* User interactions and behavior patterns
* Conversion events (e.g., form submissions, contact requests)
* Geographic location (country/city level)
Data Processor: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Data Transfers: Personal Data collected through Google Analytics and Google Ads may be transferred to and processed in the United States and other countries where Google operates. Google is certified under the EU-U.S. Data Privacy Framework, and we have implemented Standard Contractual Clauses (SCCs) to ensure adequate protection of your data.
Retention Period: Google Analytics user-level data is retained for up to 14 months; aggregated data may be retained longer. Cookie identifiers may be stored for varying periods depending on the cookie type. You can learn more about Google's privacy practices at: https://policies.google.com/privacy
Your Choices: When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or reject analytics and marketing cookies. You can change your cookie preferences at any time by clearing your browser's local storage and revisiting our website. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on available at: https://tools.google.com/dlpage/gaoptout
Legal Basis: For analytics and marketing cookies, processing is based on your explicit consent obtained through our cookie consent banner. For strictly necessary cookies required for website functionality, processing is based on our legitimate interest in operating our website. You may withdraw your consent at any time.
4. FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?
CPFcollects Personal Data from several sources to deliver, improve, and support our Services effectively. We are committed to collecting your data responsibly and transparently. Below is an overview of the primary sources from which we may obtain your Personal Data:
4.1. Directly from you
Business partner relationships: Information provided during communication and collaboration with current or potential business partners.
Client relationships: During interactions as part of client relationship management, such as account preferences, Service usage, and feedback.
Recruiting: Information collected when you apply for a job, including details shared on resumes, CVs, and other application materials.
Communications: Information shared through inquiries, support requests, and other interactions.
4.2. Through our Services and platform(s)
Service usage data: We collect data generated as you interact with our Services and platform(s). This may include usage patterns, interaction logs, and other data that help us improve the functionality and performance of our Services and/or platform(s).
Cookies and similar technologies: We use cookies, IP address tracking, and other web technologies to understand website traffic, enhance user experience, and improve Service functionality. Specifically, we use Google Analytics and Google Ads conversion tracking to collect information about your visit, including pages viewed, time spent on the site, browser information, device information, and referring website.
4.3. From third-parties and public sources
Marketing and analytics partners: We may receive data from third-party partners to support our marketing efforts and improve our understanding of Service usage patterns. These partners operate under similar data protection guidelines aligned with this Privacy Notice.
Publicly available information: In some cases, we may collect information from publicly accessible sources, such as professional profiles, for purposes related to recruiting or business partnerships.
5. DO WE TRANSFER YOUR PERSONAL DATA?
As part of our regular business operations, CPFmay transfer your Personal Data to third-parties, including data storage providers, Service integration partners, and other relevant communication platforms. We are committed to ensuring that these transfers are conducted securely and in compliance with applicable data protection laws.
Therefore, every transfer is assessed for data security, and we require third parties to uphold high data protection standards through adequate agreements and safeguards.
5.1. Transfers to third-party service providers
We may share your Personal Data with trusted third-party providers (data processors) who support our business functions, such as:
Analytics and advertising services: We use Google Analytics and Google Ads (Google LLC) to analyse website traffic, measure campaign effectiveness, and improve our Services. Google processes your Personal Data on our behalf in accordance with their privacy policy and data processing agreements.
Email delivery services: We use Resend, Inc. (via AWS infrastructure in the United States) to send newsletters and transactional emails. Resend processes email addresses and names on our behalf. Email delivery logs are retained by Resend for 30 days.
Database storage and hosting: We use Neon, Inc. (via AWS data centres in the EU and US) to securely store email addresses, subscription preferences, and contact form submissions. All data is encrypted at rest and in transit. Neon acts as a data processor, storing data on our behalf.
Accounting and auditing services: For compliance with our financial and regulatory obligations.
Authorities: Where required by law or in response to valid legal requests.
Business partners: For facilitating client relationships, partnerships, and other collaborative purposes.
Communication platforms: To enable seamless interaction and support services.
5.2. Transfers to third countries
In some cases, CPFmay transfer Personal Data to service providers or partners located in countries outside the European Economic Area (EEA).
Google Analytics and Google Ads: Personal Data collected through Google Analytics and Google Ads is transferred to and processed by Google LLC in the United States and globally where Google maintains data processing facilities. Google is certified under the EU-U.S. Data Privacy Framework.
Resend: Email data is processed through Resend, Inc. using AWS infrastructure in the United States. Standard Contractual Clauses (SCCs) and appropriate technical safeguards are in place.
Neon Postgres: Database storage is provided through Neon, Inc. using AWS data centres in both the EU and US. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) and encryption.
When we transfer Personal Data outside the EEA, we ensure an adequate level of data protection through measures such as:
Standard Contractual Clauses (SCCs): Approved by the European Commission to ensure data protection when transferring Personal Data outside the EEA.
EU-U.S. Data Privacy Framework: For transfers to certified organizations in the United States.
Other appropriate safeguards: Such as data processing agreements (DPAs), supplementary technical measures, and compliance monitoring to secure the transferred data.
6. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
The retention period for your Personal Data depends on the purpose for which we process it. We periodically review the necessity of the Personal Data we retain and document our retention practices in line with data protection regulations, such as the GDPR.
6.1. Improving our Services
We retain Personal Data related to the analysis and improvement of our Services for as long as necessary to achieve Service enhancements, refine user experience, and optimize our offerings. This data may include aggregated or anonymized data to support ongoing improvements, in which case it can no longer be used to identify individual users, and is thus no longer considered Personal Data.
6.2. Client relationships
We retain Personal Data for as long as is necessary to maintain and support the client relationship. This retention period takes into account our field of business and the duration of the client relationship.
6.3. Business partner relationships
We retain Personal Data of our business partners and potential business partners for as long as is necessary to support and manage our business partnerships, considering the needs of our industry and our ongoing relationships.
6.4. Marketing and newsletter subscriptions
We retain Personal Data for marketing purposes and newsletter subscriptions until you notify us that you no longer wish to receive communications (i.e. you opt out or unsubscribe) or when we determine that you no longer wish to receive such communications based on inactivity or other indications. Your email address and subscription preferences are stored in our Neon Postgres database and deleted upon your request. Email delivery logs maintained by Resend are automatically deleted after 30 days.
6.5. Recruiting
We retain the Personal Data of job applicants for a maximum of twelve (12) months from the date of receiving the job application or from the closing date of the relevant job posting. This allows us to consider applicants for future roles while respecting data retention limitations.
6.6. Communications
We retain Personal Data related to communications with individuals for three (3) years from the date of the last contact. For information shared on our social media channels, we retain this data until the individual removes their information from the respective platform.
6.7. Legal obligations
We retain Personal Data for as long as required to comply with applicable legal obligations. This period varies depending on the specific legal requirements and retention obligations in place.
6.8. Cookies and Analytics
The retention period for cookies varies based on the type and purpose of each cookie used on our website:
Google Analytics cookies: User-level data collected through Google Analytics is retained for up to 14 months from your last interaction with our website. Aggregated data may be retained longer. Individual cookie identifiers may expire sooner depending on the specific cookie type.
Google Ads cookies: Conversion tracking cookies and related identifiers are retained according to Google's retention policies, typically for varying periods based on the cookie's purpose (ranging from session-based to up to 2 years).
Newsletter and contact data: Email addresses and related information stored in our Neon Postgres database are retained until you unsubscribe or request deletion. Email delivery logs in Resend are retained for 30 days.
Consent cookies: Your cookie consent preferences are stored locally in your browser's storage and persist until you clear your browser data or change your preferences.
You can delete cookies at any time through your browser settings. For more information about managing cookies, please visit your browser's help documentation.
7. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?
Under the GDPR, you have the following rights regarding your Personal Data. To exercise these rights, please contact us using the details provided in this Privacy Notice. We will take steps to verify your identity before processing any requests to ensure your data is protected.
7.1. Your data protection rights
Right to access (Article 15 of the GDPR): You have the right to request access to the Personal Data we hold about you, including information on how we process your data.
Right to rectification (Article 16 of the GDPR): If any of the Personal Data we hold about you is incorrect or incomplete, you have the right to request that we correct or complete it.
Right to erasure (Article 17 of the GDPR): In certain circumstances, you may request the deletion of your Personal Data. This right, often known as the “right to be forgotten,” applies where, for example, the Personal Data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other legal basis left for legitimizing processing.
Right to restriction of processing (Article 18 of the GDPR): You may ask us to restrict the processing of your Personal Data in certain situations, such as if you contest the accuracy of the data or object to the processing.
Right to data portability (Article 20 of the GDPR): If we process your Personal Data based on your consent or a contract and the processing is automated, you have the right to request a copy of your data in a structured, commonly used, and machine-readable format. You may also request that we transfer this Personal Data to another data Controller, where this sort of transfer is technically feasible.
Right to object (Article 21 of the GDPR): You have the right to object to our processing of your Personal Data if the processing is based on our legitimate interests or is for direct marketing purposes. For marketing, this means you can opt out at any time to stop receiving communications.
Right to object to automated decision-making – including profiling (Article 22 of the GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects you. This right applies if such decisions produce legal effects or similarly significant consequences for you.
Right to withdraw consent If we process your Personal Data based on your consent, you have the right to withdraw this consent at any time. Withdrawing consent does not affect the lawfulness of processing conducted prior to your consent’s withdrawal.
7.2. Region-Specific rights
California, USA: CPFcomplies with the California Consumer Privacy Act (CCPA). California residents have the right to know, delete, and correct their information.
Brazil: In compliance with LGPD, residents have the right to anonymization and to access information shared with public and private entities.
China: We adhere to the Personal Information Protection Law (PIPL) and ensure data transfers meet local legal standards.
7.3. How to exercise your rights
If you would like to exercise any of your rights or have questions about data protection at CPF, please contact us via email (see contact information in Section 1 of this Privacy Notice). We will respond to your request in accordance with applicable data protection laws.
7.4. Right to Lodge a Complaint
If you believe that the processing of your Personal Data infringes data protection laws, you also have the right to lodge a complaint with a supervisory authority, such as the Office of the Finnish Data Protection Ombudsman at: https://tietosuoja.fi/en/home.
8. CAN THIS PRIVACY NOTICE BE AMENDED?
CPFmay amend this Privacy Notice as needed to reflect changes in our practices, Services, legal obligations, or applicable data protection laws, including the GDPR. Amendments to this Privacy Notice will take effect immediately upon posting the updated version on our website, unless stated otherwise.
If we make significant changes to the Privacy Notice or implement new ways of processing Personal Data that could materially affect your rights or the way we handle your Personal Data, we will notify you directly where possible. This may include email notification or announcements on our website, ensuring you stay informed about how we handle your Personal Data.
We encourage you to periodically review this Privacy Notice to stay updated on any changes. Your continued use of our website and/or Services after an update signifies your acknowledgement and acceptance of the amended/updated Privacy Notice.