Privacy Policy

Ceepos Web Shop – Privacy Policy

1. Controller

Name (Business ID): Kajaanin Ammattikorkeakoulu Oy (2553600-4)
Address: PL 52, 871010 Kajaani
Telephone number: (08) 618991
E-mail address:

2. Contact person in matters relating to the data file

Name: Jaana Karjalainen
Address: PL 52 (Ketunpolku 1), 87101 Kajaani
Telephone number: +358 44 715 7014
E-mail address:

Name: Satu Härkönen
Address: PL 52 (Ketunpolku 1), 87101 Kajaani
Telephone number: +358 44 7101 406
E-mail address:

3. Name of the data file

Ceepos Web Shop

4. Purpose of processing personal data

Personal data is collected for purposes such as order delivery, proper allocation of payments, identification
of the customer and/or a person specified by the customer, verification of the customer’s service history
and rights, reporting and marketing.

Data is collected about the users of the software in order to determine access rights and monitor the use.
The software creates log data including personal data in order to determine software usage history and
solve any problems.

5. Data content of the file

The personal data that can be stored in the registers includes:

General customer register: customer number, first name, last name, address, city/town, telephone
number, e-mail address, order history, username and direct marketing permission.
Order register: contact information, products ordered.
Customer cards/identifiers: card number and PIN.
Registrations: registered person’s name, contact information, health status (allergies and other limitations),
parent/guardian’s details.
Mailing lists: e-mail address.

Personal data will be kept in the registers until manually removed. Order information will be kept until
manually or automatically removed. The electronic receipt history will be kept until manually removed, but
for a minimum of six years.

6. Regular sources of data

External systems, integrated into the web shop, which transmit payment transactions through interfaces.
The primary sources of data are the web shop’s customers, placing orders and registrations and making
online payments.

7. Regular disclosure of data

Personal data will not be disclosed to third parties. Personal data may be transferred to the controller’s
other systems, such as the point-of-sale system, accounting, invoicing and access control. Depending on the
payment service provider, some of the customer’s contact information is conveyed to the payment system
upon payment of the order to facilitate solving problems and returning payments.

8. Transfer of data outside the EU or EEA

Personal data will not be transferred outside the EU or EEA.

9. Protection of the data file

Maintenance of the software is protected by usernames and passwords as well as user-group-specific
access rights. The data in the database is protected by usernames and passwords, and processing the data
has been limited to the web shop system only. The data stored on the drives has been protected by
operating-system-level access rights. All data communications between the system provider’s systems and
the web shop and payment service provider are SSL-protected.

Maintenance access to the server is only allowed for server and system providers. The software supplier
has full access to viewing and removing all the data collected.

10. Approval for processing personal data

Making purchases and payments in the web shop is regarded as an approval for processing personal data,
and no separate approval is required from the consumer in order to use the system. When the personal
data comes from an external system, approval for its processing is provided outside the web shop system.

11. Right of access by the data subject

The data subject has the right to access their personal data stored in the data file and receive copies of it.
The access request must be made electronically or in writing and addressed to the contact person for the
data file.

12. Right to demand the correction of data

The data subject has the right to demand the correction of inaccurate data concerning them in the personal
data file. Requests must be made electronically or in writing to the contact person for the data file.

13. Other rights relating to the processing of personal data

The data subject has the right to forbid the controller to process data concerning them for direct
advertising, remote sales and other direct marketing as well as market and opinion research.