Privacy policy

Hallitse Tavarasi ("we", "us") is the data controller for personal data collected through this site and the storage service we operate. The platform itself is run on our behalf by Hallitse Oy (Finland), who acts as our data processor.

For privacy questions or to exercise any of the rights listed below, contact us at privacy@tavarasi.fi.

• Account data - name, email address, password hash, sign-in history, multi-factor settings.
• Contact details - phone, billing / pickup addresses, VAT number where you have supplied one.
• Service data - your storage contracts, box contents descriptions you choose to enter, delivery / pickup events, photos you upload.
• Billing data - invoices, credit notes, payment status. Card details are never seen by us - they go directly to the payment provider.
• Communications - emails we send you and any messages you send us through the platform.
• Technical data - IP address, browser / device info, session cookies. Used to keep you signed in and to detect suspicious activity.

Most of what we hold we hold because we need it to perform the contract with you (Article 6(1)(b) GDPR): account creation, deliveries, invoicing, and customer support. Some of it we keep on legitimate-interest grounds (Article 6(1)(f)) - fraud prevention, sign-in audit logs, and defending against legal claims. We do not sell your data and we do not use it for advertising.

Where we rely on consent - currently just for optional marketing emails - you can withdraw consent at any time via the unsubscribe link or by writing to us.

• Hallitse Oy - our platform operator; runs the database, API and email on our behalf.
• Paytrail (Paytrail Oyj, Finland) - our payment provider. Card details go directly to Paytrail; we only ever receive billing-relevant identifiers.
• Amazon Web Services (AWS) - the cloud infrastructure (hosting, document storage and email delivery) Hallitse Oy runs on, in the EU (Stockholm) region.
• Single sign-on providers - if you sign in with Google / Microsoft / Apple, only the profile fields you authorise are shared.
• Tax / accounting authorities - where we are legally required to disclose invoice records.

We do not share your data with any other third parties. No data is sold.

Personal data is stored and processed within the European Economic Area (EEA) - our infrastructure, document storage and email all run in Amazon Web Services' Stockholm (EU) region. AWS is operated by a US-headquartered company, so even though your data stays in the EEA we additionally rely on the AWS Data Processing Addendum - the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework - to keep it protected to GDPR standards.

• Active account - for as long as you hold a contract or active session with us.
• Service records - your storage contract, the box-contents descriptions you provide, and delivery/return photos are kept for as long as your contract is active. After it ends they are handled under the closed-account rule below, except any photo or record we need to keep as evidence of a delivery or to resolve an open claim.
• Invoices and tax records - for the statutory retention period (typically 6-10 years depending on the country we operate in; in Finland the Bookkeeping Act (Kirjanpitolaki) requires 6 years), even after your account is closed. We are legally required to keep these.
• Audit logs (sign-in events, security events) - up to 24 months, then deleted.
• Closed account - non-statutory personal data is deleted within 90 days of account closure, except where a deletion-suppression flag is set on a specific record (see "Right to erasure" below).

You have the following rights, exercisable free of charge by writing to privacy@tavarasi.fi:

• Right of access (Art. 15) - ask for a copy of the personal data we hold about you.
• Right to rectification (Art. 16) - ask us to correct inaccurate data. Most fields you can update yourself from your account page.
• Right to erasure / "right to be forgotten" (Art. 17) - ask us to delete your personal data, subject to the statutory-retention exceptions in section 6. Where deletion is blocked by tax law, we will tell you which records are retained and for how long.
• Right to restrict processing (Art. 18) - ask us to stop using your data while a dispute is resolved.
• Right to data portability (Art. 20) - ask for your data in a machine-readable format.
• Right to object (Art. 21) - to any processing we do under legitimate-interest grounds.
• Right to lodge a complaint with your national data-protection authority. In Finland this is the Office of the Data Protection Ombudsman.

We aim to respond to any request within 30 days. For complex cases the deadline may be extended once by a further 60 days, in which case we will tell you.

We use a strictly necessary session cookie to keep you signed in - this is essential and always on. We may also use analytics cookies (via Google Tag Manager) to understand how the site is used; these load only if you accept them in the cookie banner. You can decline, and change your choice at any time using the "Cookie settings" link in the footer. The session cookie expires when you sign out or after a period of inactivity.

Hallitse Tavarasi may update this policy from time to time. The current version is always the version in force. Significant changes will be communicated by email before they take effect.