Privacy Policy

# Privacy Policy

**Effective Date:** 1.6.2025 
**Last Updated:** 1.6.2025

## 1. Introduction

This Privacy Policy explains how Marko Pyhäjärvi ("we," "us," or "our") collects, uses, and protects your personal information when you visit our website MarkoPyhajarvi.com or use our business services. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

**Data Controller:** Marko Pyhäjärvi  
**Business ID:** 11111405 (Buchanon Company Ltd)
**Address:** Merkurstrasse 1, 9000, Sankt Gallen, Switzerland
**Privacy Contact:** contact@markopyhajarvi.com

## 2. Information We Collect

### 2.1 Personal Information You Provide (Business Purposes Only)

**We only provide services to business customers.** When you engage our services, we collect:

**Contact Information:**
- Name and business name
- Business email address
- Business phone number
- Business mailing address

**Business Information:**
- Company details and industry
- Business website URL
- Current revenue metrics (for service delivery only)
- E-commerce platform details (when necessary for service delivery)

**Service-Related Information:**
- Project requirements and goals
- Platform access credentials (encrypted and stored securely)
- Business analytics and performance data
- Communication preferences

### 2.2 Information Automatically Collected

**Technical Information (Minimal Collection):**
- IP address (anonymized after 90 days)
- Browser type and version
- Operating system
- Device information (anonymized)
- Referring website
- Pages visited and session duration
- Date and time of visits (anonymized after 90 days)

**Website Analytics (Anonymized):**
- Website usage patterns (anonymized)
- Click-through rates (aggregated data only)
- Traffic sources (anonymized)
- Bounce rates (aggregated data only)

### 2.3 Information from Third Parties

**Limited Third-Party Data:**
- Business information from publicly available sources (company websites, LinkedIn business profiles)
- Platform data during service delivery (with your explicit authorization only)
- Referral information from business partners (with consent)

**We do not purchase personal data from data brokers or marketing lists.**

## 3. Legal Basis for Processing

We process your personal data based on the following specific legal grounds:

### 3.1 Contract Performance (Article 6(1)(b) GDPR)
- Delivering agreed AI revenue optimization services
- Processing payments and maintaining service agreements
- Providing customer support and project communication
- Implementing and monitoring business systems

### 3.2 Legitimate Interest (Article 6(1)(f) GDPR)
**Our specific legitimate interests:**
- **IT security and fraud prevention** (protecting our systems and client data)
- **Direct marketing to existing business clients** (promoting relevant services)
- **Business relationship management** (maintaining professional relationships)
- **Service improvement** (analyzing anonymized usage patterns)
- **Legal compliance** (maintaining records for tax and regulatory purposes)

**Balancing test conducted:** Our legitimate interests do not override your fundamental rights and freedoms.

### 3.3 Explicit Consent (Article 6(1)(a) GDPR)
- Newsletter subscriptions and marketing communications
- Case study participation and testimonials
- Optional cookies (non-essential)
- Marketing automation and profiling

### 3.4 Legal Obligation (Article 6(1)(c) GDPR)
- Tax and accounting records (Finnish tax law requirements)
- Anti-money laundering compliance
- Court orders and legal process compliance

## 4. How We Use Your Information

### 4.1 Service Delivery (Contract Performance)
- Provide AI revenue optimization consulting
- Conduct business audits and analysis
- Implement systems and automation
- Deliver reports and strategic recommendations
- Provide ongoing support during engagement period

### 4.2 Communication (Contract Performance + Legitimate Interest)
- Respond to business inquiries and support requests
- Send project updates and service notifications
- Provide customer service and technical support
- Schedule business meetings and consultations

### 4.3 Business Operations (Legitimate Interest + Legal Obligation)
- Process payments and maintain financial records
- Comply with Finnish tax and business regulations
- Maintain and improve our service quality
- Protect against fraud and unauthorized access
- Conduct internal business analytics (anonymized data)

### 4.4 Marketing (Consent Only)
**Only with your explicit, freely given consent:**
- Sending business newsletters and industry insights
- Sharing anonymized case studies (separate consent required)
- Promoting relevant business services
- Inviting to professional webinars and industry events

**You can withdraw marketing consent at any time without affecting other services.**

## 5. Cookies and Tracking

### 5.1 Cookie Categories

**Essential Cookies (No Consent Required):**
- Website functionality and security
- Session management and authentication
- Load balancing and performance
- CSRF protection and security

**Analytics Cookies (Consent Required):**
- Google Analytics (with IP anonymization enabled)
- Website performance monitoring
- User behavior analysis (anonymized)

**Marketing Cookies (Explicit Consent Required):**
- LinkedIn business tracking (B2B targeting only)
- Email marketing integration
- Conversion tracking for business inquiries

### 5.2 Cookie Consent Management
- **Granular consent** required for non-essential cookies
- **Easy withdrawal** via cookie settings or email
- **No pre-ticked boxes** - active consent required
- **Consent records** maintained for accountability

### 5.3 Managing Your Cookie Preferences
- Use our cookie consent banner (granular options)
- Browser settings (may affect website functionality)
- Direct opt-out links: [Google Analytics Opt-out](https://tools.google.com/dlpage/gaoptout)

## 6. Data Sharing and Disclosure

### 6.1 We Do Not Sell Personal Information
**We never sell, rent, or trade your personal information to third parties.**

### 6.2 Authorized Service Providers (Data Processors)

**Current service providers with Data Processing Agreements:**
- **Hosting:** [Specific hosting provider] (EU-based servers)
- **Email:** [Specific email service] (GDPR-compliant)
- **Analytics:** Google Analytics (with data processing addendum)
- **Payments:** [Specific payment processor] (PCI-DSS compliant)
- **CRM:** [Specific CRM provider] (EU-based or adequate protection)

**All processors must:**
- Sign comprehensive Data Processing Agreements
- Implement appropriate technical and organizational measures
- Process data only for specified purposes
- Demonstrate GDPR compliance
- Allow audits and inspections

### 6.3 Legal Disclosure (Legal Obligation)
**We may disclose information when legally required:**
- Court orders and legal subpoenas
- Tax audits and regulatory investigations
- Law enforcement requests (with proper legal basis)
- Protection of our legal rights (fraud prevention)

**We will notify you of legal requests unless legally prohibited.**

### 6.4 Business Transfers
**In case of business sale or merger:**
- 30-day advance notice to affected individuals
- Successor bound by this Privacy Policy
- Option to object or request data deletion
- Only if adequate protection guaranteed

## 7. International Data Transfers

### 7.1 Primary Data Processing
**Data primarily processed within EU/EEA** to minimize transfer risks.

### 7.2 Limited Third-Country Transfers
**When transfers outside EU/EEA are necessary:**

**United States (Limited):**
- Google Analytics (Standard Contractual Clauses + additional safeguards)
- Payment processing (if EU alternative not viable)

**Safeguards implemented:**
- Standard Contractual Clauses (2021 version)
- Transfer Impact Assessment conducted
- Additional encryption in transit and at rest
- Regular review of adequacy and risks

### 7.3 Transfer Cessation
**We will cease transfers if adequate protection cannot be guaranteed.**

## 8. Data Security

### 8.1 Technical Safeguards
- **Encryption:** AES-256 for data at rest, TLS 1.3 for data in transit
- **Access controls:** Multi-factor authentication, role-based access
- **Network security:** Firewalls, intrusion detection, VPN access
- **Regular updates:** Security patches applied within 48 hours
- **Backup security:** Encrypted backups with tested restore procedures

### 8.2 Organizational Safeguards
- **Need-to-know access:** Strict data access controls
- **Employee training:** Annual data protection training mandatory
- **Regular audits:** Quarterly security assessments
- **Incident procedures:** 24-hour breach response team
- **Vendor management:** Due diligence on all data processors

### 8.3 Data Breach Response
**In case of personal data breach:**
- **Authority notification:** Within 72 hours to Finnish Data Protection Authority
- **Individual notification:** Within 72 hours if high risk to rights and freedoms
- **Immediate containment:** Source identification and breach containment
- **Full investigation:** Root cause analysis and remediation plan
- **Breach register:** Detailed incident documentation maintained

**We cannot guarantee absolute security but implement industry best practices.**

## 9. Data Retention

### 9.1 Retention Periods (Minimized)

**Active Business Clients:**
- Service delivery data: Duration of engagement only
- Financial records: 6 years (Finnish Accounting Act requirement)
- Communication records: 3 years after engagement end

**Prospects and Inquiries:**
- Initial inquiry data: 12 months unless consent for marketing
- Marketing consent data: Until consent withdrawn
- Website analytics: 14 months (reduced from Google default)

**Former Clients:**
- Essential business records: 6 years (legal requirement only)
- Other personal data: Deleted within 30 days of engagement end
- Anonymized insights: Retained indefinitely (not personal data)

### 9.2 Automated Deletion
- **Automated systems** delete data when retention periods expire
- **Secure deletion** with cryptographic wiping
- **Backup purging** within 90 days of deletion
- **Deletion certificates** available upon request

### 9.3 Early Deletion Requests
**You can request early deletion except where we have legal obligations to retain data.**

## 10. Your Rights Under GDPR

### 10.1 Individual Rights

**Right of Access (Article 15):**
- Request copies of your personal data
- Information about processing purposes and legal basis
- Details of data sharing and retention periods

**Right to Rectification (Article 16):**
- Correct inaccurate personal data
- Complete incomplete data records

**Right to Erasure (Article 17):**
- Request deletion of your personal data
- Exceptions: legal obligations and legitimate interests

**Right to Restrict Processing (Article 18):**
- Limit processing during accuracy disputes
- Suspend processing for unlawful purposes

**Right to Data Portability (Article 20):**
- Receive your data in structured, machine-readable format
- Transmit data to another controller

**Right to Object (Article 21):**
- Object to processing based on legitimate interests
- Absolute right to object to direct marketing

**Right to Withdraw Consent (Article 7):**
- Withdraw consent at any time for consent-based processing
- Does not affect prior lawful processing

### 10.2 Exercising Your Rights

**How to submit requests:**
- **Email:** contact@markopyhajarvi.com
- **Subject line:** "GDPR Rights Request - [Your Name]"
- **Include:** Specific request, your name, and identification

**Response timeline:**
- **Standard:** Within 1 month of receipt
- **Complex requests:** Up to 3 months (with explanation)
- **Free of charge** for reasonable requests

**Identity verification required for security purposes.**

### 10.3 Right to Lodge a Complaint

**Finnish Data Protection Authority:**
- Website: tietosuoja.fi
- Email: tietosuoja@om.fi
- Address: PO Box 800, 00531 Helsinki

**Your local EU Data Protection Authority if you reside in another EU member state.**

## 11. Automated Decision-Making and Profiling

### 11.1 Limited Automated Processing
**We use automated processing for:**
- **Website analytics** (identifying popular content)
- **Email marketing** (engagement scoring)
- **Fraud detection** (security purposes)

### 11.2 AI Services Disclosure
**Our AI revenue optimization services:**
- Use automated analysis of business data
- Produce recommendations requiring human review
- **No automated decisions** with legal or significant effects
- **Human oversight** always maintained in final recommendations

### 11.3 Your Rights
- **Right to human intervention** in any automated process
- **Right to challenge** automated recommendations
- **Right to request manual review** of AI analysis

## 12. Special Categories and Children's Data

### 12.1 No Special Category Data
**We do not intentionally collect:**
- Health data, biometric data, or genetic information
- Religious, philosophical, or political beliefs
- Trade union membership or sexual orientation
- Criminal conviction data

**If accidentally received, we will delete immediately.**

### 12.2 Children's Privacy
- **Services not directed at individuals under 16**
- **Business-to-business services only**
- **Immediate deletion** if child data discovered
- **Parental notification** if applicable

## 13. Privacy by Design

### 13.1 Data Minimization
- **Collect only necessary data** for specified purposes
- **Regular data audits** to identify unnecessary data
- **Automated deletion** when data no longer needed
- **Anonymization** where possible for analytics

### 13.2 Transparency
- **Clear, plain language** in all privacy communications
- **Prominent privacy notices** at data collection points
- **Regular policy updates** to reflect current practices
- **Accessible contact methods** for privacy inquiries

### 13.3 Accountability
- **Comprehensive records** of processing activities
- **Regular compliance audits** and assessments
- **Staff training** on data protection obligations
- **Data Protection Impact Assessments** for high-risk processing

## 14. Updates to This Privacy Policy

### 14.1 Policy Changes
**We may update this policy to reflect:**
- Changes in data processing practices
- Legal or regulatory requirements
- New technologies or services
- Feedback from data protection authorities

### 14.2 Notification Process
**For material changes:**
- **Email notification** to active clients (30 days advance notice)
- **Website banner** notification for 60 days
- **Updated "Last Updated" date** at top of policy
- **Consent re-collection** if required for new purposes

**Continued use after notice period constitutes acceptance of minor changes.**
**Material changes require active consent for consent-based processing.**

## 15. Contact Information

### 15.1 Data Controller Contact
**Marko Pyhäjärvi**  
Email: contact@markopyhajarvi.com  
Business Address: Merkurstrasse 1, 9000, Sankt Gallen, Switzerland
Business ID: 11111405 (Buchanon Company Ltd)

**Privacy-related questions:**
**Privacy-related questions:**
- General privacy: contact@markopyhajarvi.com
- GDPR rights requests: contact@markopyhajarvi.com
- Data breaches: contact@markopyhajarvi.com
- DPO contact: contact@markopyhajarvi.com (if applicable)

**Response commitment: Within 5 business days for privacy inquiries.**

## 16. Effective Date and Scope

This Privacy Policy is effective as of the date listed above and applies to:
- All personal data collected after the effective date
- Existing data processed under previous policies (with appropriate transition)
- All interactions with our website and services
- Both EU and non-EU residents (GDPR standards applied globally)

**Language:** This English version is the authoritative version. Translations provided for convenience only.

---

**Last reviewed by legal counsel:** 1.6.2025
**Next scheduled review:** 1.6.2026