Privacy Notice

In this privacy policy, we inform you exclusively about the customer register of Hosalehto Oy’s Johku shop and the principles of processing its data.

We may change our privacy practices and this privacy policy from time to time. We therefore recommend that you review our privacy practices regularly.

1. Data Controller

2. Person in Charge of Register Matters and/or Contact Person

3. Name of the Register

The customer register of Hosalehto Oy’s online store.

4. Legal Basis and Purpose of Processing Personal Data / Intended Use of the Register

The legal basis for processing personal data in accordance with the EU General Data Protection Regulation (GDPR) is the contract that arises when a customer orders products and/or services from Hosalehto Oy’s online store.

The purpose of the register is to enable online trade through Hosalehto Oy’s online store, such as transmitting order information, billing details, payment confirmation data, and order processing data between Hosalehto Oy and the customer. In addition, data is collected to enable customer service contacts, maintain the customer relationship, and for electronic marketing communications when the customer has given their consent.

Hosalehto Oy does not in any way store orders placed for other merchants' products or information related to them in its customer register.

The data is not used for automated decision-making. The data may be used for profiling.

5. Data Content of the Register

  • First name and last name

  • Address

  • City / Town

  • Country

  • Phone number

  • Email address

  • Personal identity code (private billing customers)

  • Order source page

For companies, the following additional information is registered:

  • Company name

  • Business ID (Y-tunnus)

  • Electronic invoicing address (Verkkolaskuosoite)

  • Intermediary code (Välittäjätunnus)

  • Reference

  • Customer reference / Mark

In addition, the "additional information" field in the process provides the customer with the opportunity to freely provide other information they deem necessary.

Data Retention Period

The data is retained for as long as the user and Hosalehto Oy have a valid mutual agreement and/or consent.

Data may be retained longer to the extent necessary to fulfill obligations set by applicable legislation, such as responsibilities regarding accounting and consumer trade, and to demonstrate their proper implementation.

6. Regular Sources of Information

The data is collected using electronic forms of the Johku online service. Customers enter the information personally when ordering from Hosalehto Oy’s Johku online store.

7. Regular Disclosures of Data and Transfer of Data Outside the EU or the European Economic Area (EEA)

Personal data is not disclosed to third parties and remains under the control of the data controller. The data may be technically processed outside the EU or the European Economic Area.

8. Principles of Register Protection

Due diligence is observed in the processing of the register, and data processed using information systems is appropriately protected. When personal data is stored on servers connected to the Internet, the physical and digital security of the hardware is taken care of appropriately. The data controller ensures that stored data, as well as server access rights and other information critical to the security of personal data, are treated confidentially and only handled by employees whose job description requires it.

Electronically Stored Data

The register is located in the Johku service, and Aptual Commerce Oy acts as the data processor. Full register data can only be accessed by the data controller and the technical maintenance personnel of Aptual Commerce Oy. More broadly on the privacy principles of the Johku service: johku.fi/fi/tietosuoja

Manual Material

As a rule, we avoid printing the data in the register into manual material. If, in some situations, manual material is printed from the register, the material is kept in a locked space and only the data controller has the right to use the material.

9. Right of Access and Implementation of the Right of Access

Every person in the register has the right to check their personal data stored in the register and correct any incorrect or incomplete information. This right is automated by the Johku system used by Hosalehto Oy in the following way:

In connection with the merchant's confirmation messages, Johku provides information through the Oma Johku service regarding the processing of the user's personal data. The messages contain a link to the Oma Johku service.

In Oma Johku, the user can check the data stored about them and make corrections if necessary. The service also includes functionality that allows the user to download the data in a structured format for transferring data from one system to another. The Oma Johku service can be accessed at any time at johku.com/customer.

Oma Johku also offers the possibility to terminate the Oma Johku agreement and delete data from Oma Johku. If the user stops using Oma Johku and terminates their agreement with Johku, all automatic functionalities related to managing their own data will cease. After the termination of the agreement, the user must manage their own data (access, rectification, right to be forgotten, restriction, right to data portability) in writing directly with Hosalehto Oy. Hosalehto Oy may, if necessary, ask the requester to prove their identity. Hosalehto Oy will respond to the written request within the time stipulated in the EU Data Protection Regulation (generally within one month).

The use of the Oma Johku service is free of charge.

10. Other Rights Related to the Processing of Personal Data

A person in the register has the right to request the erasure of personal data concerning them from the register ("the right to be forgotten"). Likewise, data subjects have other rights in accordance with the EU General Data Protection Regulation, such as restricting the processing of personal data in certain situations.

It should be noted, however, that the data stored in Hosalehto Oy’s customer register is always generated when a customer purchases products and/or services. In this case, Hosalehto Oy is also bound by the obligations set by accounting and tax legislation regarding the retention of material.

Requests must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller will respond to the customer within the time stipulated in the EU Data Protection Regulation (generally within one month).

11. Cookies

This site uses cookies. The site sends a small file to the browser, which is stored on the computer's hard drive. Both (temporary) session cookies, which close when you close your Internet browser, and persistent cookies, which are stored on the computer's hard drive, are used. The purpose of the cookie is to improve the user experience on the site. If you are a registered user, the cookie also manages logging in and access to pages intended only for registered users.

Cookies can be used to track and view the user's interests and thereby influence the usability of the service. Internet browsers generally accept cookies automatically. If necessary, the use of cookies can be disabled in the browser settings, in which case some of the functionalities will be removed.

Advertising cookies can be used to help optimize the advertising experience for the user of the service. Some third-party providers, including Google, may also use cookies or web beacons (1-pixel image files) to improve the advertising experience.

The information collected using cookies and web beacons does not contain the user's personal data. Online activities cannot be linked to a specific person through them.

Prepared on: June 2, 2026