This privacy policy (hereinafter “Policy”) explains how Lehtovuori Group together with its group companies collects, processes and discloses personal data. The Policy applies in particular to contact persons of customers and partners, website visitors and other stakeholders.

  1. Data Controller
    The data controller under applicable data protection law is the company belonging to the Lehtovuori Group with which you have a customer relationship or otherwise interact (hereinafter “the company”). The company is responsible for ensuring that personal data is processed in accordance with this Policy and applicable data protection laws.
    Contact details of the data controller
    Lehtovuori Oy
    Business ID: 2544559-1
    Address: Hopeatie 4, 33470 Ylöjärvi
    Data Protection Officer: Patrik Hämälä
    Address: Hopeatie 4, 33470 Ylöjärvi
    Email: patrik.hamala@lehtovuori.fi
  2. Processing of personal data
    Personal data may be collected in different ways. The company processes, as needed, for example the following personal data:
    Basic and contact information: name, title, role, company, email, phone, address;
    Customer relationship and/or order data: orders, deliveries, complaints, customer service events;
    Billing and contract data: contract and invoicing data, payment-related information;
    Communication: contacts, email messages and other transaction history;
    Website usage data: cookies and analytics (section 9).
    The company does not process unnecessary data and strives to minimize the scope of processing.
  3. Purpose of processing personal data
    The company processes personal data for the following purposes:
    Managing the customer relationship and executing contracts (offers, orders, deliveries, warranty and complaint matters);
    Billing, monitoring of payments and accounting obligations;
    Communication and customer service;
    Business development and reporting (e.g. quality management, smoothness of production and supply chain);
    Marketing and communication (e.g. newsletters) to the extent permitted;
    Information security and prevention of misuse;
    Compliance with legislation and official obligations.
  4. Legal bases for processing personal data
    The company processes personal data on the following legal bases:
    Contract and preparation of a contract (e.g. offer, order, delivery);
    Legal obligation (e.g. accounting, taxation, official requests);
    Legitimate interest (e.g. B2B communication, maintaining customer relationships, information security);
    Consent (e.g. certain cookies/marketing, where required).
    If the processing is based on consent, the consent can be withdrawn at any time.
  5. Possible transfers and disclosures of personal data
    Personal data may be processed by:
    The company’s personnel to the extent required by their duties;
    Service providers (processors), such as:
    IT and cloud services (e.g. email, files, information security);
    ERP/CRM and other business systems;
    Accounting firms, auditors;
    Transport and logistics partners (for arranging deliveries);
    Marketing tools (only in permitted situations);
    Authorities, if required by law.
    Personal data may be disclosed to companies belonging to the Lehtovuori Group for managing customer relationships and carrying out sales and business operations. The company does not sell personal data to third parties.
  6. Possible transfers of personal data outside the EU or EEA
    Personal data may be transferred outside the EU or EEA. In such cases, transfers are carried out with safeguards in accordance with data protection legislation, such as standard contractual clauses approved by the European Commission.
  7. Retention periods of personal data
    The company retains personal data only as long as necessary for the purpose or to fulfill legal obligations. Typical retention periods:
    Customer and contract data: duration of the contract + 5 years;
    Billing and accounting material: the period required by the Accounting Act (usually at least 6 years from the end of the financial year);
    Marketing register: until consent is withdrawn or a marketing prohibition is given, however no more than 2 years from the last activity;
    Complaint and warranty data: duration of the warranty period + 2 years;
    Customer service and contact data: up to 2 years from handling the matter;
    Website analytics data: up to 14 months;
    User accounts (webshop): as long as the account is active, and up to 2 years from the last login.
  8. Rights of the data subject
    You have rights under data protection legislation:
    Right of access to data;
    Right to rectification of data;
    Right to erasure of data under certain conditions;
    Right to restriction of processing under certain conditions;
    Right to object to processing when based on legitimate interest (especially direct marketing);
    Right to data portability when processing is based on consent or contract and is automated;
    Right to withdraw consent (if processing is based on consent).
    Requests can be sent to the data controller mentioned in section 1. We may request additional information to verify identity.
    If you consider that the processing of your personal data is not appropriate, you have the right to contact the data protection authority. Office of the Data Protection Ombudsman: https://edpb.europa.eu/.
  9. Cookies and website tracking
    The company’s website may use cookies and similar technologies:
    Necessary cookies: functionality of the website;
    Analytics cookies: statistics and development of website usage;
    Marketing cookies: targeted communication (if used).
    The company requests consent for non-essential cookies via a cookie banner, and the user can change settings later.
  10. Sources of data
    The company receives personal data mainly:
    Directly from you (e.g. contact, order, contract);
    From your company and/or employer (B2B contact persons);
    From public sources (e.g. company contact details) within permitted limits.
  11. Automated decision-making and profiling
    The company does not make decisions concerning you based solely on automated processing (including profiling) that would have significant effects, unless separately notified.
  12. Data security
    The company protects personal data with appropriate technical and organizational measures (e.g. access control, logging, encryption, backups) and restricts access to the data to those who need to process it as part of their work.
  13. Changes to the policy
    The company may update this privacy policy. We publish the current version on our website and indicate the latest update date at the end of the policy.
  14. Contact
    You can ask about this Policy or request more detailed information about the processing of your personal data by email: info@lehtovuori.fi
    Last updated: 23.04.2026