top of page

shop of good's privacy policy 


Shop of Good Oy (the”Company”)

Business ID: 3298064-8

Address: Tehtankatu 11b 21, 00140 Helsinki, Finland

Contact info:


This Privacy Policy outlines how we collect, use, and protect personal data of data subject’s and what practices are followed when processing the data subjects’ personal data.

In compliance with arts. 13 and 14 of European Regulation 2016/679 (“GDPR”) we hereby inform you that the Company, in its capacity as Controller, electronically processes its data subject’s data to respond to the data subject’s request to send the newsletter and relative registration on the mailing list concerning direct marketing, newsletters or regarding the Controller’s events and initiatives, in full compliance with the principles of lawfulness, fairness and with legal provisions.

The Company processes personal data only for the purposes described in this policy and where we have a legal basis for doing so. Please note that by subscribing the data subject consents to the processing of their personal data and agrees that the Company collects the personal data in its registers.

Processing of Personal Data


  • Managing customer relationships;

  • Managing investor relationships;

  • Direct marketing such as sending newsletters;

  • Targeting and personalizing marketing content;

  • Analytics and market research;

  • Investor communications;

  • Compliance with legal obligations;

  • Claims and legal procedures;

The legal basis for the data processing for direct marketing purposes is consent or legitimate interest. We may rely on our legitimate interests as the legal basis for processing your personal data for direct marketing purposes if we have a genuine and legitimate interest in promoting our products or services, and if we believe that our marketing materials would be of interest to you. We will ensure that your rights and interests are not overridden by our legitimate interests. Personal data can be processed and used for the marketing purposes of the Company and its partners in accordance with the GDPR. Based on the subscription, the Company has the right to process the data subject’s data.



The Company processes some or all of the following personal data of the data subject:

  • Name;

  • Address;

  • Primary country of residence;

  • Company / employer (if any);

  • Phone number; and

  • E-mail address.

The register only contains information provided by the data subject when subscribing to our newsletters, registering for our mailing lists or events on our website or in other connection.


The Company may disclose the data subject's data, within the limits allowed by the GDPR, also to a third party or another data controller, if this has been separately agreed with the data subject. These third parties are, for example, the authorized service providers and partners and subcontractors that the Company uses.

Information can be transferred to the Company's own direct marketing registers, unless the data subject has prohibited it. The Company takes measures to ensure adequate protection of the data subject’s personal data regardless of the processing location.

The Company can hand over information stored in the register to third parties such as service providers. In these situations, the Company has made appropriate agreements with the third parties and thus ensured the appropriate processing of personal data.

The Company may be obliged to hand over data subject’s data if this is required by applicable law or regulation or a request from a judicial or administrative authority.

The Company uses certain service providers and tools on our website, whose service providers may be located (or have access to the personal data from) outside the EU or the European Economic Area (EEA). In these cases, we take care of the necessary protective measures as required by the applicable legislation.

Personal data will only be transferred to countries that the European Commission has assessed in its decision as providing an adequate level of data protection. More information:

When the service provider operates in a country that does not belong to the aforementioned countries, separate contractual clauses approved by the European Commission apply, which contractually protect personal data at the same level as within the EEA area. We will also implement necessary technical, organisational, or contractual supplementary measures to ensure that personal data has the same protection as in EU/EEA. More information:.  

Storage Period

Please note that, in compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 of the GDPR, the data subject’s personal data shall be stored for as long as it is necessary to achieve the purposes for which it was collected, unless a longer retention period is required by law. The length of time we retain your personal data will depend on the purposes for which it was collected, the nature of the data, and any legal or regulatory obligations that apply to us. For direct marketing purposes, we will retain your personal data for as long as you remain subscribed to our mailing list or until you opt-out of receiving our marketing materials. If you unsubscribe from our mailing list or opt-out of receiving our marketing materials, we will securely and permanently delete or anonymize your personal data within a reasonable timeframe. However, we may retain a record of your opt-out request to ensure that we do not contact you for marketing purposes in the future.

Purpose of the Register

The register is used for

  • Marketing and sales of services and products of the Company;

  • Customer management and communication, analysis and development of the customer relationship, investor relations, and for statistical purposes.

Protection of the Register

The Company's register is only stored electronically. The Company uses administrative, organizational, technical and physical measures (including encryption and firewalls) to protect the data it collects and processes. All information security breaches are reported as soon as possible as required by the applicable legislation to the relevant authorities and, if required by the data protection legislation. The register is used only by those persons whose job description includes the use of the register. Each person handling the register has a personal username and password for the system. Access rights to the register are granted and monitored by the Company's data protection officer.

Rights of the Data Subject

Right to Access

The registered data subject has the right to check the information about the data subject, stored in the register. The inspection request is free of charge once a year and must be made in writing, signed and delivered to the Company's data protection officer.

Right to Rectify

If the data subject’s information contains errors or is incomplete, the data subject has the right to demand that the incorrect information be corrected or that the incomplete information be supplemented.

Right to Delete

The registered data subject also has the right to demand the deletion of personal information subject to the retention obligation in terms of official supervision. The data subject’s data will be deleted if there is no longer a legal basis for the processing.

Right to Transfer

The registered data subject has the right to receive the information the data subject has provided in a machine-readable format and to transfer the information to another system when the processing is based on consent or an agreement and the processing is done automatically.

Right to Object

The Company can process the data subject's personal data based on the subscription. The registered data subject has the right to object to the processing of the data subject’s personal data.

Right to Restrict

If, for example, the registered data subject disputes the correctness of the data subject’s personal data or if the processing is illegal, the data subject can limit the processing of the data subject’s personal data, in which case the Company will not, as a rule, process the data subject's data other than by storing the information.

The registered data subject has the right to prohibit the use of the data subject’s data for direct marketing by notifying the Company's data protection officer.

Right to File a Complaint

The registered data subject has the right to file a complaint with the data protection ombudsman (national supervisory authority) if the data subject considers that the Company does not act in accordance with the GDPR when processing the data subject's personal data.

Changes to Data Protection

The Company reserves the rights to possible changes regarding data protection measures and this statement.

Automatic Decision Making

The Company does not use the data subject's data for automatic decision-making such as profiling.

Using Data for other Purposes

The Company does not use the data subject's data for purposes other than those stated in this statement. The Company informs the data subject of the new purposes of use and the basis for their processing. If necessary, The Company will ask the data subject for consent to the processing of personal data for new purposes.


The Company's website uses cookies.

Data Protection Officer

Lynsey Burns, the Company's Data Protection Officer, provides more information on the processing of personal data by the Company and the use of the Customer's rights based on the GDPR. You can contact us by email:

bottom of page