Privacy Policy

The online store Sigil & Sign on the website www.sigilandsign.fi processes personal data provided by the customer, which fulfill and confirm the terms of use, the processing of electronic orders and deliveries, and the necessary communication of information within the time required by law.

Registrar

Sigil & Sign

Business ID: 3471205-7

Katriinaperintie 2 C 12

03100 Nummela

For questions regarding the register, please contact us by email at info@sigilandsign.fi

Processing of personal data

Personal data is processed for purposes related to the management, administration and development of customer relationships, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for purposes necessary to resolve potential complaints and other claims.

In addition, personal data is processed for customer-oriented communications, such as information and news purposes, and marketing, as part of which personal data is also processed for purposes related to direct marketing and electronic direct marketing.

The customer has the right to prohibit direct marketing targeted at him.

The controller processes the data itself and utilizes subcontractors acting on behalf of and on behalf of the controller in the processing of personal data.

Legal basis for processing

The legal basis for processing personal data is the following grounds under the EU General Data Protection Regulation (hereinafter also "GDPR"):

the data subject has given consent to the processing of his or her personal data for one or more specific purposes (GDPR Art. 6 1.a);

the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6 1.b);

the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6 1.f).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which results from the data subject being a customer of the controller, and where the processing is carried out for purposes which the data subject could reasonably have expected at the time the personal data were collected and in the context of that relationship.

Data content of the register (personal data groups processed)

The register contains the following personal data, in principle, on all registered persons:

the person's basic information and contact information: first name, last name, address, telephone number, e-mail address

information related to the person's company or other organization and the person's position or job title in the company or organization in question;

the person's direct marketing permissions and prohibitions.

Regular data sources

Personal data is collected from the registered person himself.

Personal data is also collected and updated within the limits of applicable legislation from generally available sources that are related to the implementation of the customer relationship between the controller and the registered person and with which the controller carries out its obligations related to maintaining customer relationships.

Retention period of personal data

The data collected in the register will only be stored for as long as and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.

The need to retain personal data will be assessed at least every five years and in any case the data concerning the data subject will be deleted from the register after the customer relationship of the data subject with the controller has ended and the obligations and measures related to the customer relationship have been completed. For example, accounting documents will be stored for five years after the end of the financial year.

The controller will regularly assess the necessity of retaining data in accordance with its internal code of conduct. In addition, the controller will take all reasonable steps to ensure that personal data that are inaccurate, incorrect or outdated in relation to the purposes of the processing are deleted or rectified without delay.

Recipients and processors of personal data

Third parties processing the customer's personal data are subcontractors of the controller. The services of these subcontractors are necessary for the implementation of the agreement on the acquisition and processing of electronic orders in the contract between the Controller and the Customer.

The Controller's subcontractors are:

• Webnode AG (online shopping system);
• Posti (shipping company);
• Paytrail (payment service);

Security of personal data

The controller undertakes to implement all technical and organisational precautions necessary to protect personal data. Databases and systems can only be accessed with separately issued personal user names and passwords. The controller has limited access rights and authorisations to information systems and other storage platforms so that only persons necessary for their lawful processing can view and process the data. In addition, the use of databases and systems is recorded in the logs of the controller's IT system.

The controller's employees and other persons are obliged to observe confidentiality and to keep confidential the information they receive in connection with the processing of personal data.

Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where such personal data are being processed, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or are to be disclosed; (iv) where possible, the planned storage period for the personal data or, where that is not possible, the criteria for determining such period; (v) the right to obtain from the controller rectification or erasure of personal data concerning him or her, restriction of processing or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where personal data are not collected from the data subject, all available information on the origin of the data (GDPR Art. 15). The basic information described (i)-(vii) is provided to the data subject in this form;

the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);

the right to obtain from the controller the rectification of inaccurate or incorrect personal data concerning the data subject without undue delay and the right to have incomplete personal data completed, including by providing additional information, taking into account the purposes for which the data were processed (GDPR Art. 16);

the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other legitimate ground for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no compelling reasons for the processing or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been processed unlawfully; or (v) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or national law (GDPR Art. 17);

the right to obtain from the controller restriction of processing where (i) the data subject contests the accuracy of the personal data, in which case the processing shall be restricted for a period of time during which the controller may verify their accuracy; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation, pending verification whether the legitimate grounds of the controller override those of the data subject (GDPR Art. 18);

the right to receive the personal data concerning him or her, which the data subject has provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent within the meaning of the Regulation and the processing is carried out by automated means (GDPR Art. 20);

the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the EU General Data Protection Regulation (GDPR Art. 77).

Requests for the exercise of the data subject's rights shall be addressed to the contact person of the controller specified in point 1.

Web analytics

The services below collect anonymized information about website visits without personal data:

Google Analytics (homepage analytics);

Targeted marketing

Based on your visit to the website, we may make targeted advertising in the following services

- Instagram, Facebook

Final provisions

1. By placing an order on the website www.sigilandsign.fi, the Customer declares that they are aware of all personal data protection conditions and fully accepts them;

2. The Customer accepts these rules by checking the checkbox in the order form;

3. The Data Controller may update these Rules at any time. A new, updated version must be published on this website.

These rules enter into force on 03.09.2025