Privacy Policy

Updated: 18.09.2025
Data Controller: Töölön Osakeyhtiötalo Oy (marketing name: Töölön Osakeyhtiötoimisto)
Business ID: 3435876-4
Address: Torivoudintie 12 D 17, 00640 Helsinki, Finland
Data protection contact: toolo@osakeyhtiotoimisto.fi, +358 44 248 8709

This Privacy Policy describes how we process personal data on our website and in our business processes in accordance with the EU General Data Protection Regulation (GDPR) and applicable national legislation. The policy is deliberately comprehensive and detailed to make our obligations and your rights fully transparent.

1. Data Subjects

We process personal data of the following categories of individuals:

  • Website visitors (including cookie and tracking preferences, analytics and marketing events)

  • Contact form submitters and leads

  • Customers and their representatives

  • Newsletter subscribers

2. Categories of Data Processed

The scope of data processed depends on your relationship with us and the services you use.
Typically, we process:

  • Contact details: name, email, phone, company name, business ID, address.

  • Transactional data: content of messages and forms, attachments, communication history related to customer relationship, contract and order information.

  • Marketing and communication data: newsletter subscription and opt-out details, consents and objections, campaign and audience data.

  • Technical and usage data: IP address, device type, browser, language, screen size, operating system, page views, session duration, clicks, traffic source, UTM parameters, referrers, cookie and consent IDs (IAB TCF consent string), and similar event data.

  • Log and security data: system logs, error and incident data, information related to misuse prevention.

Note: We do not normally process special categories of personal data (GDPR Art. 9).

3. Sources of Data

  • Directly from you (forms, email, phone, contractual documents)

  • From our website and integrated analytics/advertising tools

  • From public registers and authorities when necessary (e.g. company verification)

4. Purposes and Legal Bases

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Customer relationship management and contracts | quotes, assignments, invoicing | Contract (GDPR 6(1)(b)) and legal obligation (accounting) |
| Communication and customer service | inquiries, feedback | Legitimate interest (6(1)(f)) or contract |
| Direct electronic marketing | newsletters, campaigns | Consent (6(1)(a)); for B2B customers also legitimate interest where allowed by law |
| Analytics and service development | GA4 measurement, conversion tracking | Consent for non-essential cookies |
| Targeted advertising | Google Ads audiences, remarketing | Consent |
| Security and misuse prevention | logs, load balancing, abuse detection | Legitimate interest and legal obligation |

We do not make automated decisions producing legal effects concerning you; however, we use analytics and targeting to improve services and optimize advertising.

5. Recipients and Transfers

We use trusted service providers who process data under our instructions (processors) or as independent controllers:

  • Platform and hosting: Squarespace (website)

  • Tag management: Google Tag Manager (GTM) – does not permanently store data, only passes on consent and event data

  • Analytics: Google Analytics 4 (GA4)

  • Advertising: Google Ads (including conversions and audiences)

  • Email marketing / newsletter platform: separate provider (if used)

International transfers. Data may be transferred outside the EU/EEA, particularly to the United States through the services above. Such transfers rely on:

(i) the EU–US Data Privacy Framework (if the provider is certified),
(ii) the European Commission’s Standard Contractual Clauses (SCCs), and/or
(iii) additional safeguards such as pseudonymisation and encryption.

We strive to ensure an adequate level of protection in all cases.

6. Retention Periods

We retain personal data only as long as necessary for the purposes described or as required by law:

  • Contacts and leads: generally 24 months from last interaction.

  • Customer and contract/invoicing data: 6–10 years as required by accounting law.

  • Analytics event data (GA4): up to 14 months; aggregate reports without personal data may persist longer.

  • Marketing lists and remarketing audiences (Google Ads): up to 540 days or until consent is withdrawn.

  • Consent and CMP/TCF logs: typically 36 months to demonstrate consent management.

  • Server and security logs: typically 12 months, unless longer retention is necessary for investigations.

7. Safeguards

We apply technical and organizational measures such as encrypted connections (HTTPS/TLS), access control and logging, data minimization, backups, and staff instructions. We choose subcontractors with appropriate security practices.

8. Your Rights

Under GDPR you have (as applicable):

  • right of access and to obtain a copy of your data

  • right to rectification and completion

  • right to erasure ("right to be forgotten")

  • right to restrict processing

  • right to data portability

  • right to object when processing is based on legitimate interest

  • right to withdraw consent at any time (does not affect processing carried out before withdrawal)

Requests: toolo@osakeyhtiotoimisto.fi. We will respond without undue delay.

9. Right to Lodge a Complaint

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman in Finland or the supervisory authority of your EU place of residence.

10. Children’s Data

Our services are not directed to children under 16 and we do not knowingly collect children’s personal data.

11. Changes to this Policy

We update this policy when our practices or regulations change. Significant changes will be announced on our website.


Cookie Policy

Updated: 18.09.2025

We use cookies and similar technologies to deliver services, improve user experience, perform analytics, and target advertising. We comply with the IAB Europe TCF v2.2 framework and use Cookie Yes as our consent management platform (CMP) to collect and transmit consents to the advertising ecosystem.

1. How Consent Works

  • On first visit, a cookie banner is shown with options “Accept all”, “Reject all”, and “Customize settings”.

  • Non-essential cookies (analytics, marketing, functional) are set only with your consent.

  • You can change your consent at any time via the “Cookie settings” link (re-opens the banner) or by clearing cookies in your browser.

  • The CMP stores a TCF consent string that services (e.g. Google) read. Tags are fired via Google Tag Manager based on consent signals (Consent Mode).

2. Categories of Cookies

  • Strictly necessary cookies – basic site functions (session ID, security, load balancing). Always active.

  • Functional cookies – remembering settings, enhanced features (only with consent).

  • Analytics cookies – Google Analytics 4: traffic measurement, error analysis, service development (only with consent).

  • Marketing cookies – Google Ads: conversion tracking, remarketing, audiences (only with consent).

3. Third Parties

Third-party services may set their own cookies or read the consent string via GTM (e.g. YouTube embeds, Hotjar, LinkedIn Ads). The up-to-date list is displayed in the Cookie Yes banner and cookie settings, which take precedence over this policy.

4. Retention of Cookies and Event Data

  • Necessary: session or short-term, duration of service.

  • Analytics (GA4): event-level data up to 14 months; aggregate reports may persist without personal data.

  • Marketing (Google Ads): audiences and conversions up to 540 days.

  • Consent logs (CMP/TCF): typically 36 months.

5. Cookie Management

You can change your preferences at any time via the “Cookie settings” link. You can also block cookies in your browser settings. Blocking may affect site functionality.

6. Profiling and Personalization

With your consent, we use cookies and identifiers (such as the TCF string) for targeted advertising and measurement. We do not make automated decisions producing legal effects; profiling is limited to marketing and communications.

7. International Transfers

Through third-party cookies and services, data may be transferred outside the EU/EEA. Transfers are made under the Data Privacy Framework, SCCs, and, where necessary, additional safeguards.

8. Changes

We update this Cookie Policy when our practices or regulations change. Significant changes will be announced on the banner or website.


Contact for privacy and cookies inquiries:
Please send requests to toolo@osakeyhtiotoimisto.fi. We respond without undue delay.

Paloheinäntie 20
00670 Helsinki

Phone: 044 248 8709
E-mail: toolo@osakeyhtiotoimisto.fi
Business ID: 3435876-4
