0

Privacy Policy

Privacy Policy

In this privacy policy, we explain how Viinilehti Oy (“Controller”) in cooperation with CoreGo Oy (“Processor” or “CoreGo”) processes the personal data of their customers and users of their online services (“Data Subject”) and how the processing of personal data can be influenced. The Controller and the Processor comply with applicable data protection legislation in their operations.

Controller

Viinilehti Oy (Business ID: 0837553-6)

Processor

CoreGo Oy (Business ID: 2683401-1)
Messuaukio 1
00520 Helsinki

Personal Data Collected

The Controller and CoreGo process personal data only to the extent necessary for the purposes described in this privacy policy. The types and scope of personal data collected vary depending on the relationship between the Controller and the Data Subject, given consents, and the privacy settings of the Data Subject’s browser.

Customer and Participant Data

Data is collected from the Data Subject when making purchases or reservations through the online service, registering for an event, signing up for the online service, or joining, for example, a marketing list. The following categories of personal data are collected as necessary; some may be optional:

  • Basic information, such as name

  • Contact details, such as postal address, email address, phone number

  • Detailed personal information, such as date of birth, gender, municipality of residence, occupation

  • Event participation details, such as participant groups, background information, or choices related to the event

  • Customer card information, such as membership or loyalty card identifiers and validity

  • Identification information, such as encrypted username and password or other identifiers

  • Any other information provided by the Data Subject

In some cases, the data may be provided by an authorized person on behalf of the Data Subject, for example, a group contact person.

Order Data

Order data is collected when the Data Subject makes purchases, reservations, or registrations via the online service, email, phone, or in person. Order data includes:

  • Source of the order, e.g., method of order

  • Preferred payment and delivery method and payment details

  • Order contents, products, and any modifications or cancellations

  • Additional order processing information, such as invoicing or processing history

Event Attendance Data

Data related to event attendance may be collected when the Data Subject visits the event or afterwards. Examples include:

  • Attendance times, such as entry and exit times

  • Movement-related data, such as ticket check points or visits to service points

  • Customer service development data, such as feedback provided during the event

Online Service Usage Data

Data is collected when the Data Subject uses the Controller’s online service provided by CoreGo. Examples include:

  • Device or application information, such as browser version, device type, screen size, and IP address

  • Online service usage data, such as page visits, time spent in the service, and navigation within the service

Online service users can be identified, for example, via social login integrations or identifiers in emails.

Purposes of Data Processing and Legal Basis

The Controller uses collected personal data for necessary measures to manage the customer relationship, such as organizing events appropriately and safely, delivering ordered products or services, and providing customer support. Data may also be used for customer communications and maintaining the customer relationship. Data processing is based on the contract between the Data Subject and the Controller for providing products or services (e.g., ticket or accessory orders) and on the legitimate interest of the Controller to manage measures related to the customer or employee relationship (e.g., event registration).

The Controller may use collected data for marketing and commercial purposes if the Data Subject has given consent. Processing for commercial purposes relies on the Data Subject’s consent, particularly for electronic direct marketing.

The Controller may use collected data to improve products and services and enhance service offerings, for example, via personalized recommendations. This processing is based on the Controller’s legitimate interest in benefiting the Data Subject.

Sharing and Disclosure of Personal Data

CoreGo acts as a Processor on behalf of the Controller and does not disclose data to third parties unless instructed in writing. Exceptions include some online service usage data that users can block via cookie settings.

The Controller may use other third-party services to process personal data, ensuring lawful processing through agreements and written instructions.

Data may also be disclosed to third parties if required by law or necessary to protect the rights or safety of the Controller, CoreGo, or the Data Subject.

Transfers Outside the EU/EEA

Personal data is generally not transferred outside the EU/EEA. If such transfers occur exceptionally, they comply with this privacy policy and applicable law.

Use of Cookies

Cookies are used to enhance the online service experience and facilitate usage tracking. Cookies store short text information in the user’s browser for later use.

Location Data

Precise location data is generally not collected. IP addresses may be logged and approximated to a municipality. Event-specific location data may also be collected, e.g., at ticket checkpoints.

Data Retention

Personal data is retained as long as necessary for the intended purpose. Legal obligations may require longer retention.

  • Online service usage data is retained for about 12 months

  • Basic and contact data, consents, detailed personal data, and participation/order information are retained for 36 months from the last interaction

  • Detailed event-related participant and registration data are retained for 36 months after the event

  • Order data is retained 36 months after the event or order date; canceled order data is retained similarly

  • Payment information is retained according to legal requirements

Data Subject Rights

Data Subjects have the right to access, correct, or delete their personal data, and to transfer their data to another Controller. They may also object to marketing communications and the processing of personal data for marketing purposes. Requests should be submitted to the Controller using the contact details provided.

Data Security

The Controller and CoreGo ensure secure handling of personal data through physical and technical measures to protect against loss, destruction, misuse, or unauthorized access. Measures include access control, employee training, and ensuring subcontractors comply with instructions, contracts, and law.