Privacy and personal data policy

Privacy text

Categories of data and sources

We may process identification and contact data you type into the contact form (name, email address, free-text message, and a timestamp of submission), connection data that infrastructure creates automatically (for example the IP address used at the time of the request, user-agent string, and language preference header), and cookie-related consent records on your device as described in the cookie policy. We do not seek special categories of data through the public form. Please avoid including sensitive information unless you have a specific reason to do so and a lawful basis in your own right.

Purposes and legal bases (GDPR Article 6)

Answering enquiries

Responding to your request is usually based on the steps you take before a contract, or on legitimate interest in running a small studio with reliable communication, balanced against your rights. Where you have ticked the consent box on the form, an additional consent basis applies in parallel for that submission.

Improving the site and security

We may review aggregated statistics or log excerpts to fix errors and understand misuse attempts. The basis is typically legitimate interest in a secure, sustainable online presence; where analytics is optional, we add consent for the scope covered by the cookie tool.

Complying with the law

If we are obliged to retain a record for tax, accounting, or a lawful demand from a competent authority, processing may be legal obligation in that narrow instance.

Retention periods

General email threads about a question or a commercial offer are kept for a practical period, usually up to twenty-four months from the last substantive message, unless a longer period is set out in a written agreement, required by an accounting or consumer rule, or you ask us to delete earlier where the law allows. Backups that incidentally still contain a copy of an older message are overwritten on a rolling schedule that does not exceed a typical twelve to eighteen month horizon for the platforms we use, subject to the provider’s technical design.

Security of processing

We use transport layer security for the public site where supported by hosting, we limit account access to people who need it, and we instruct anyone handling inboxes to avoid forwarding personal data to personal email accounts. Vendors with access to the same data are bound by terms that require confidentiality, assistance with data subject questions, and appropriate safeguards. No online service can guarantee absolute security; you should also protect your own devices.

International transfers

Where a processor is established outside the EEA, we use approved transfer tools such as the European Commission’s standard contractual clauses, the provider’s binding corporate rules where certified, or an adequacy decision of the European Commission, and we look for practical supplementary measures when risk warrants them. A copy of the relevant summary is available in procurement files and can be described at a high level on request; we are not always able to publish every commercial annex in public.

Automated decision-making

We do not use fully automated systems on this public site to make decisions with legal or similarly significant effects for you, within the sense of the GDPR. Optional analytics may use aggregated or pseudonymous metrics that do not target you as an individual in an automated way.

Advertising, measurement, and lead forms

When we use paid online advertising, conversion or measurement tools load only in line with the choices you make in the cookie tool (for example where you allow a marketing or analytics category). We do not sell your personal data. Information you send through the contact form is used to answer that request and for related, expected follow-up, in line with the purposes stated in this policy.

Your rights

Subject to conditions in the law, you may request access to the personal data we hold, rectification of errors, erasure, restriction of certain processing, portability of data you provided in a structured, machine-readable form where the processing is based on contract or consent and carried out by automated means, and objection to processing on legitimate-interest grounds, including to analysis that we are not obliged to continue. You can withdraw consent for optional tools with future effect through the same cookie settings or your browser, without affecting the lawfulness of prior processing. You can lodge a complaint with a regulator.

Exercising rights and response times

Write to the email address above with enough detail to identify the request, and, where necessary, a proof of identity that is no more intrusive than needed. We aim to answer within a month, extendable in complex cases with an explanation, as the GDPR allows. If you consider our answer incomplete, you can escalate to the Finnish supervisory authority or another EEA body that has competence for you, without prejudice to seeking a judicial remedy.

Children’s data

Our content is for adults. We do not knowingly run profiling directed at children through this site. If you believe a minor has sent personal data inappropriately, contact us and we will take reasonable steps in line with erasure and security duties.