

Privacy policy
PRIVACY POLICY FOR BUSINESS CUSTOMERS
We are committed to respecting and protecting the privacy of our customers and to processing personal data in accordance with applicable data protection legislation and good data protection practice. We comply with applicable Finnish legislation and the General Data Protection Regulation of the European Union when processing personal data.
The purpose of this Privacy Policy is to describe how we collect, use and protect our customers’ personal data and clarify the rights the data subject has regarding the processing of their personal data. The term “Business customer” refers to the contact persons and representatives of AuroraHut’s business customers.
Contact information
Controller of the processed personal data:
AuroraHut Oy (2876613-9)
Pilaritie 2, 84100 Ylivieska
Enquiries regarding data protection and privacy policy: mikael.rissanen@aurorahut.com
Data protection officer:
Privaon Oy (2647800-2)
Hevosenkenkä 3, 02600 Espoo
Processing and retention period of personal data
Personal data sources
The personal data is provided by the customer when using AuroraHut’s services. The term “Services” refers to the sale and rental of AuroraHut igloo boats to business customers.
Purposes of processing personal data and retention period
Purpose of processing | Legal basis | Categories of personal data |
Provision of services (sale and rental of igloo boats to business customers) | Agreement | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
Management and development of business relationships and customer communication | Agreement Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur, content of communication |
Ledger and accounting | Legal obligation Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
Legal requirements and monitoring and collection of receivables | Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur and creditworthiness, other information necessary to process the order |
Electronic direct marketing (newsletters) | Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur, target group information, prohibition information |
Personal data will be retained for as long as necessary to fulfil the processing purposes described in this Privacy Policy, but no longer than the current year plus 10 years. Legislation may require us to retain some information after the customer relationship has ended. We take reasonable measures to ensure that personal data that is unnecessary, outdated or inaccurate in relation to the purpose for which it is processed is not retained.
Recipients of personal data
Processors of personal data
We use service providers to assist us in running our business and providing our services. To ensure the high quality and confidentiality of personal data processing, we have entered into personal data processing agreements with all service providers involved in the processing of personal data. Our service providers only process personal data in accordance with the terms of the services and agreements.
Disclosure of personal data
We disclose personal data to our partners to the extent necessary to process your order and deliver the goods. We may use the services of partners for analysis and personalisation purposes, in which case we may disclose service usage information to provide targeted offers.
We may disclose personal data to authorities, for example for criminal investigations or regulatory enquiries, as required by law or by order of a government authority. Information may also be disclosed to third parties to whom the customer has given consent.
Personal data may be disclosed to third parties in connection with business arrangements where the personal data is part of that arrangement. Such arrangements may include, for example, business acquisitions, transfers of businesses, and mergers and divisions of companies.
Data transfers outside the EU/EEA
Personal data will generally only be processed within the EU/EEA. In certain cases, personal data may be technically processed outside the EU/EEA. When we transfer personal data outside the EU/EEA, we ensure that the transfer complies with applicable law, and that we use appropriate safeguards, such as standard contractual clauses approved by the European Commission or other appropriate mechanisms, to ensure adequate protection of personal data.
Personal data protection and data security
All personal data we process is protected by technical and organizational measures against unauthorised processing, destruction, loss, damage, and access.
The security of our information systems is of a high standard, and our systems are protected against data breaches and denial of service attacks. We ensure the security of our personnel, internal processes, and premises to protect personal data.
Personal data is stored in monitored and guarded facilities. Where necessary, information processed and stored outside of monitored and guarded facilities is encrypted to prevent unauthorised use.
Access to personal data is protected by user-specific IDs, passwords, and access rights. Users of systems containing personal data have access only to the data required for their job duties. Persons who process personal data are trained to process personal data confidentially, securely, and in accordance with applicable laws, instructions, and regulations. Persons who process personal data are bound by confidentiality obligations.
Data subject rights
The person whose personal data is processed is called the data subject. The data subject has the following rights:
Right to be informed | You have the right to receive information about the processing of your personal data. You also have the right to receive information about the recipients to whom your personal data may be disclosed. |
Right of access | You have the right to know that we are processing your data and the right to access the data. |
Right to rectification | You have the right to ask us to rectify any inaccurate personal data about you. |
Right to be forgotten | You have the right to request the deletion of your personal data. However, in certain cases this right may be limited due to mandatory legal obligations relating to data retention. |
Right to restriction of processing | You have the right to restrict the processing of your personal data. Restricting the processing means that we limit the processing of certain data and only retain it. However, restricting the processing of your personal data may adversely affect your ability to receive expected products or services. |
Right to data portability | You have the right to request that we provide you with your personal data in a systematic, commonly used and machine-readable format, which allows the transfer of the data to another data controller. |
Right to object | You have the right to object to the processing of your personal data in certain cases. We will consider whether the legal grounds for processing the personal data are sufficient to continue the processing, or whether we will stop processing your personal data. |
Rights related to automated decision-making | You have the right not to be subject to a decision based solely on automated processing that has legal or other significant effects on you. You have the right to request that decisions based on automated decision-making be reviewed by a human being. We do not make decisions based solely on automated processing of personal data that would have legal or other significant effects. |
Right to withdraw consent | Where the processing of personal data is based on your consent, you have the right to withdraw your consent unconditionally at any time. However, this does not affect the lawfulness of the processing based on the consent that took place before the withdrawal. |
Right to lodge a complaint with a supervisory authority | If you believe that the processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with your local supervisory authority. |
If you need further information or assistance in exercising your rights, or if you have any other questions regarding the processing of your personal data or this Privacy Policy, please write an email to mikael.rissanen@aurorahut.com.
We may ask you to clarify your request in writing or verify your identity before complying with the request. We may refuse to comply with the request on the grounds set out in applicable law. If the request is refused, we will inform you of the reasons.
Changes to the Privacy Policy
We reserve the right to change this Privacy Policy if there are changes in our operations.
This Privacy Policy was last updated on 24 March, 2025.