Privacy policy

Kotona Shop Privacy Policy

This privacy policy describes how the data controller processes the personal data of its customers and the users of its website. Please read and acquaint yourself with this privacy policy. In this privacy policy, we explain more closely:

  • Who is the data controller
  • What kind of personal data do we process and where is the data collected from
  • For what purposes do we use personal data and what is the legal basis for the processing
  • How long we keep data
  • How the website uses cookies
  • What kind of influence do you have
  • Where data is transferred and disclosed
  • How data is protected
  • How we can make changes to the privacy policy

1. Who is the data controller?

In the processing of personal data referred to in this privacy policy, the data controller is:

Data controller: A-lehdet Oy
Business ID: 1708790-7
Visiting address: Risto Rytin tie 33, 00570 Helsinki
Postal address: 00081 A-lehdet
E-mail: tietosuoja-asiat@a-lehdet.fi

Please note that personal data related to orders in the online store, such as the name, address, e-mail address and telephone number required for delivery, is also processed by the merchant delivering the product. You can find the merchant's contact information and a link to the merchant's privacy policy on the merchant information page.

2. What kind of data do we process and where is the data collected from?

We typically process the following data:

  • The customer's contact information, such as name, address, e-mail address, telephone number
  • Customer’s order and return information, such as payment details and information about ordered and returned products
  • Data of the registered customer, such as username, logins, saved products in customer’s wish list, newsletter subscription
  • Customer service data, such as customer feedback, communication with customer service and call recordings
  • Permit data, such as information about marketing permits or other permits and prohibitions related to the use of personal data
  • Data collected from the use of online services, such as automatically collected log data and information collected by cookies describing the user's terminal device and the use of the site, in accordance with Section 5

As a rule, we receive the collected data directly from you. The user of the website can be identified by the digital identifier created for the services when the customer logs in or arrives at the online service through targeted customer communications, such as a newsletter.

3. For what purposes do we use personal data and what is the legal basis for the processing?

We process data for the following purposes:

  • Delivering the service and maintenance of a customer relationship: We process the information you provide in order to fulfil the agreement we have entered into with you, e.g. to send you the newsletter you have ordered. We cannot provide the service or keep in touch with you in matters related to the agreement without processing your personal data.
  • Contests and sweepstakes: We may process your data to conduct a contest or sweepstakes and to draw or select winners. In this case, the processing of data for commercial purposes is based on your consent in connection with your participation or on our legitimate interest.
  • Marketing: We process your data based on our legitimate interest in marketing. Direct e-marketing and targeting of advertising with the help of cookies may also be based on your consent.
  • Ensuring data security and investigating abuse: We process data to ensure data security. We also must use the data from time to time to prevent and investigate abuse.
  • Business development: We may develop our business based on order information and website user data. We intend to process the data in such a way that the data subject is not identifiable from it. This processing is based on our legitimate interest.
  • For guaranteeing our rights: We may need to process personal data in order to present or defend ourselves in a legal claim or to resolve disputes primarily amicably. This processing is based on our legitimate interest.
  • To comply with legal obligations: We may be obliged to retain some of your personal data to comply with accounting or other mandatory legislation. In this case, the processing data is based on compliance with a legal obligation.

To the extent that the processing is based on a legitimate interest, we consider that the processing data benefits both you and us. Taking into account the nature and purpose of the use of data, we consider that the processing does not conflict with your fundamental rights or freedoms. You can oppose to marketing based on legitimate interest at any time. You may oppose to other processing based on legitimate interest on grounds relating to your personal situation as described in Section 6.

We may personalise the newsletter on the basis of your browsing history. However, we do not make automated decisions that would produce legal effects or that would significantly affect you.

4. How long do we keep the data?

We will store your personal data for as long as necessary to fulfil the purposes described above. In essence, storage times are as follows:

  • Personal data of our customers for 48 months from the last order, opening of the newsletter or login to the digital account
  • We store any personal data contained in the receipts for approximately seven years in order to comply with accounting obligations

Please note that we may store data if it is necessary for the establishment, exercise or defense of legal claims.

5. How does the website use cookies?

We may collect information about the service user's terminal device with the help of cookies and other similar technologies. A cookie is a small text file which is stored on your computer by your web browser. Cookies contain a unique, pseudonymous identifier which allows us to identify and count the web browsers that visit our site.

Cookies do not move online by themselves, but they are placed on the user's terminal device only with the website called by the user. Only the server which sent the cookie can later read and use the cookie. Cookies or other technologies do not harm the user's terminal device or files, and cookies cannot be used to run programs or spread malware.

We use cookies to collect technical information about your terminal device and information about the use of our websites. In addition to a unique cookie or mobile ID, this information includes for example information related to the device, such as device type, web browser version, screen size, operating system, IP address, as well as information about the use of the online service, such as page loads, time and duration spent on the website, and movement on the online service or content seen.

We may use session cookies that expire when you close your web browser, as well as persistent cookies that remain on your device for a certain period of time or until you delete them. The validity period of persistent cookies typically ranges from a few months to a few years.

So-called first-party cookies are stored by the website you are visiting directly. In addition to these, our website uses so-called third-party cookies, such as social media cookies.

We classify cookies according to their purpose as follows:

  • Necessary cookies: These cookies are necessary to use our service and its functions, such as shopping cart or signing in. These cookies are always enabled.
  • Analytics cookies: These cookies allow us to receive information about how the service is used. In our service, we use, among other things, Google Analytics, a web analytics service provided by Google Inc., to analyze the use of our websites and to develop our websites to serve users even better. The information stored in cookies used by Google's tools is forwarded for storage to Google's servers around the world. As a result, such data may be processed on servers located in a country other than the user's country of residence. Google uses the information it receives to evaluate the user's browsing of the content of the pages and to compile summary reports on site usage. In addition, Google compiles surveys of the services provided in connection with the sites and produces statistics on internet use. Google may also pass on information to third parties where required to do so by law or in cases where the third-party processes information on behalf of Google.
  • Personalisation cookies: These cookies allow us to personalise the content of the service or newsletters by using information about your activity on this service (such as forms you submit, content you look at).
  • Advertising cookies: These cookies are used to target advertising elsewhere on the Internet. Advertising cookies are, in principle, third-party cookies. Some of these third parties process data as independent controllers, and more information about the processing of personal data can be found in their privacy policies.

You can give your consent to the use of cookies or reject the consent through the service's cookie settings. You can withdraw your consent at any time by clicking on "Cookie settings" at the bottom of the website. Cookies that are necessary to provide the service, such as signing in, are always in use.

6. How do you influence the processing of personal data?

The customers' rights and ways of influencing the processing of personal data are listed below:

  • Right to request access: You have the right to receive confirmation that your personal data is being processed or that it is not being processed. If your personal data is processed, you have the right to access the personal data, provided that the provision of the data does not adversely affect the rights and freedoms of others.
  • Right to request correction and erasure of data: We correct or erase personal data that is incorrect, incomplete, or unnecessary for the purpose of processing. The data will not be deleted if it is necessary, for example, for the establishment, exercise or defense of legal claims.
  • Right to data portability: You have a right to receive personal data that you have provided to us which we process automatically on the basis of consent or a contract, transferred to yourself or a third party in a machine-readable format.
  • Right to object direct marketing: You can object to the processing or disclosure of your data for direct marketing purposes at any time.
  • Right to cancel newsletter subscription: You may cancel your newsletter subscription at any time by clicking on the opt-out link.
  • Right to withdraw consent: You can withdraw any consent you may have given to direct marketing and cookies at any given time.
  • Right to object and restriction: You may object to processing based on a legitimate interest on grounds relating to your personal situation. For example, in such a situation, the processing will be restricted for the period during which the grounds for objecting to the processing are assessed. The processing may also be restricted, for example, if you contest the accuracy of the personal data, in which case the processing will be restricted for a period during which we can verify the accuracy of the data. If there are compelling legitimate grounds for the processing that override your rights or freedoms, or if the processing is necessary for the establishment, exercise or defense of legal claims, we will contact you in order to continue the processing of the data.
  • Cookie choices: The cookie tool allows you to control your choices regarding cookies and how they use the information they collect, such as giving consent or withdrawing your consent. Cookie settings can be found in the sub-navigation of the site.
  • Right to lodge a complaint: You can file a complaint with an authority if your personal data has been processed in violation of this privacy policy and the legislation in force from time to time. The contact details of the supervisory authority, the Finnish Data Protection Ombudsman, can be found at: www.tietosuoja.fi/en. The contact details of Traficom, the Finnish authority supervising the use of cookies, can be found at: www.traficom.fi/en.

In order to exercise the rights described above, we ask you to contact us at the address set out in Section 1. We kindly ask you to verify your identity in order to ensure that we do not provide the information to a person other than the data subject himself or herself.

7. Where is the data transferred and disclosed?

We use subcontractors in the processing of data, in which case we ensure through contractual arrangements that the data will be processed in accordance with the legislation in force at the time. If we transfer data outside the EU or EEA, we ensure an adequate level of protection of personal data, for example, by agreeing on matters related to the confidentiality and processing of personal data as required by law, such as by utilizing the EU's standard contractual clauses.

We do not disclose data to third parties for their own, independent uses, in principle, in cases other than those mentioned below:

  • Merchants: We disclose personal data and your personal data, such as name, address, e-mail address and telephone number, to the merchant to the extent that the merchant is responsible for delivering the products you have ordered.
  • Authorities: We may disclose personal data in the manner required by the competent authorities, based on the legislation in force from time to time.
  • Mergers and acquisitions: If we sell, merge, or otherwise reorganize our business, personal data may be disclosed to buyers and their advisors.
  • Legal claims and breaches: We may disclose your personal data to third parties if it is necessary for the performance of a contract, to investigate possible violations, or to establish, exercise or defend legal claims.
  • Consent: With your consent, we may disclose your personal data to our selected partners.

We act as a joint data controller when A-lehdet maintains a page on Facebook or utilizes Facebook's functionalities in the service, such as the like button. With regard to the insights of A-lehdet's Facebook pages, Facebook and A-lehdet are joint controllers. For more information on the processing of personal data, please refer to Facebook's privacy statement.

We collect statistical data e.g., from the likes and visits to our Facebook Pages, the visibility of our posts and the demographic profiles of the people reached by our posts, as well as the public comments made on the pages and the public profile information of the commenters. We do not combine this information with the other information described in this privacy policy.

8. How is the data protected?

We use appropriate technical and organizational data security measures to protect personal data against unauthorized processing. Such measures include:

  • Use of firewalls and encryption techniques
  • Proper access control
  • Restricted user rights
  • Training and instructions for personnel involved in data processing
  • Careful selection of subcontractors

9. Rights of California residents

This section only applies to California residents. We process personal information in accordance with the California Consumer Privacy Act (CCPA). Under CCPA, you have the right to:

  • Request to know what personal information we collect and how we use and disclose it
  • Request the deletion of your personal data, with certain limitations
  • Opt out of the sale or sharing of your personal data
  • Not be discriminated against for exercising your rights

To exercise your rights, please contact us at the address provided in section 1. We may ask you to verify your identity before responding to your request.

10. Can this privacy policy be changed?

We are constantly developing our services and may make changes to this privacy policy. The changes may also be based on changes in legislation or official guidelines. We recommend that you review the content of the privacy policy regularly.

This privacy policy was last updated on 8 May 2025.