Privacy policy
This privacy policy has been prepared in accordance with the EU General Data Protection Regulation (GDPR), the Data Protection Act (1050/2018), the Personal Data Act (Sections 10 and 24), and the Act on the Protection of Privacy in Working Life (759/2004).
At Grinvest, we value privacy and strive to provide everyone with a safe and pleasant user and service experience. At the same time, we seek to understand the needs to create engaging content and serve our customers as effectively as possible. By collecting and utilizing data from multiple sources, we can improve both user experience and the quality of our services.
Please note that this privacy notice applies only to data processing carried out by Grinvest. It does not cover data processing carried out by third parties, and Grinvest is not responsible for the data processing activities of third parties.
Last updated: 22 October 2025
1. Data controller
Grinvest Oy (“Grinvest” or “we”)
Business ID: 3263672-4
Okeroistentie 1
15800 Lahti, Finland
2. Contact person responsible for the register
Kimmo Palo
grinvest@grinvest.fi
+358 45 673 5484
3. Purpose and legal basis of processing personal data
The primary basis for processing personal data is the customer relationship, assignment, or the consent given by the customer for processing personal data.
Grinvest processes personal data to fulfill its contractual obligations towards customers and to comply with legal requirements. In addition, we process personal data to develop our business operations and may collect technical data from website visitors in connection with site visits.
Personal data may be processed by Grinvest for the following purposes:
- Providing, delivering, producing, and designing Grinvest’s services and products
- Managing and maintaining the customer relationship between Grinvest and the customer, as well as implementing, developing, and monitoring customer service, communications, and marketing
- Conducting customer feedback and opinion surveys, collecting, monitoring, and analyzing customer satisfaction data
- Managing orders, invoicing, communications, transactions, recruitment, and reporting, and developing Grinvest’s business operations
- Using technical information to analyze website functionality and develop services
4. Data content of the register
We collect from individual customers, job applicants, employees, and partners the personal data necessary for providing our services. We may also collect technical data from visitors to our website during visits.
We may collect and process, for example, the following personal data:
- First and last name
- Contact details (address, phone number, and email address)
- Gender
- Date of birth
- Language skills
- Customer number
- Feedback and evaluations given by customers
We may also collect the following technical information related to website use:
- Duration and time of website visits
- Actions taken on the site
- Information describing browsing behavior
- IP address, operating system, and Internet Service Provider
5. Regular sources of data
We collect personal data only during the provision of services and website use, directly from the customer or user.
Data stored in the register is obtained from our customers. Sources include, for example, messages sent through web forms, email, telephone, social media services, contracts, customer meetings, and other occasions where individuals provide their information.
6. Cookies
We automatically collect information about how Grinvest’s websites are used. We may collect behavioral data in our digital services using cookies and similar technologies (e.g., web beacons, pixels, and tags).
A cookie is a small file stored on the user’s device containing an anonymous numeric identifier that enables us to identify and count different browsers visiting our site. Cookies and similar technologies do not harm the user’s device or files, cannot spread viruses, and cannot access data stored on your hard drive.
We use cookies and similar technologies to improve our services. We may combine behavioral data collected through cookies or similar techniques with personally identifiable information, such as name and email address, but typically the data is anonymized or pseudonymized.
We use, among others, Google Analytics to measure website usage. Data stored in cookies used by Google’s tools (e.g., pseudonymized IP addresses) may be transmitted to and stored on Google’s servers around the world. Therefore, such data may be processed on servers located outside the user’s country of residence.
More information about Google Analytics’ privacy practices:
https://support.google.com/analytics/topic/2919631?hl=fi&ref_topic=1008008
You can opt out of Google Analytics data collection by installing a browser add-on:
https://tools.google.com/dlpage/gaoptout
7. Disclosure of data
We share personal data only within the Grinvest organization and only to the extent necessary for providing and developing our services.
We do not disclose personal data to third parties outside Grinvest unless one of the following applies:
- Purpose of this privacy notice: Where third parties need access to personal data to perform services, Grinvest has implemented appropriate contractual and organizational safeguards to ensure personal data is processed only for the purposes stated in this privacy notice and in accordance with applicable laws.
- Authorities: We may disclose personal data to competent authorities as required by applicable laws (e.g., tax, police, enforcement, or supervisory authorities).
- Corporate transactions: In the event of a sale, merger, or other restructuring of our business, personal data may be disclosed to buyers and their advisors. In such cases, we ensure confidentiality and notify customers before the transfer or change of privacy policy.
- Consent: We may disclose personal data to third parties if you have given your consent.
- Debt collection and legal claims: We may disclose personal data if necessary to enforce a contract, collect debts, investigate potential violations, or prepare, present, or defend legal claims.
- Advertising: Anonymous information related to website use may be shared with advertisers, business partners, and other third parties.
8. Transfer of data outside the EU or EFTA
Grinvest does not transfer or disclose personal data outside the EU or EFTA.
9. Principles of data protection
We handle all register data with care, and information processed using IT systems is appropriately protected. When register data is stored on Internet servers, both physical and digital security of the equipment is ensured. Electronic data is stored on secure servers managed by us and our service providers. Access to electronic data is password-protected, and any manual data is stored in locked premises accessible only to authorized personnel.
10. Data retention period
Grinvest does not retain personal data longer than required by law or longer than necessary for providing services. The retention period depends on the nature and purpose of the data. Thus, the retention period may vary depending on the type of data and purpose of processing.
11. Rights of the data subject
Data subjects have the right to inspect their personal data recorded in the register, request correction of inaccurate data, and otherwise exercise the rights guaranteed by law. Processing of personal data is based on the consent given by the data subject. Under Articles 18 and 21 of the GDPR, data subjects have the right to restrict or object to the processing of their data or to request its deletion from the register.
A data subject who wishes to inspect, correct, or delete their data must submit a written request to the data controller, signed by hand or otherwise verified. Identity is confirmed with an official ID or by another secure method before releasing data. The right of access may be denied based on legal grounds. Exercising the right of access is free of charge once per year.
Customers may give or withdraw consent for direct marketing under Section 26 of the Act on the Protection of Privacy in Electronic Communications or prohibit the use of their data for direct marketing under Section 30 of the Personal Data Act. The right to object does not apply to customer communications, service-related advertising, or messages related to the customer relationship.
Right of Access:
The data subject may inspect the personal data stored about them.
Right to Rectification:
The data subject may request correction of inaccurate or incomplete information.
Right to Object:
The data subject may object to processing if they believe their data has been processed unlawfully.
Right to Prohibit Direct Marketing:
The data subject has the right to prohibit the use of their data for direct marketing purposes.
Right to Erasure (“Right to be Forgotten”):
The data subject has the right to request the deletion of their personal data from the register. Data subjects also have other rights under the GDPR, such as the right to restrict processing in certain situations.
Requests must be submitted in writing to the data controller, who may require proof of identity. The data controller will respond within the timeframe set by the GDPR (generally within one month).
12. Automated decision-making
The register is not used for automated decision-making or profiling (as referred to in Article 22 of the GDPR).
Any data breaches involving personal data will be reported to both the data subjects and relevant authorities in accordance with applicable regulations.
13. Updating the privacy notice
We continuously develop our services and may update this privacy notice. Changes may also result from legislative amendments. The latest version is always available on our website.
14. Contact
If you have any questions regarding our privacy practices, please contact: grinvest@grinvest.fi.