Privacy Policy
This privacy policy explains how the Ansiokas online store processes your personal data when you purchase downloadable PDF guides from the store. The policy describes what data we collect, for what purposes and on what basis it is used, how long the data is retained, and what rights you have regarding your own data. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Finnish data protection legislation.
Data Controller
The data controller is:
Ansiokas
For questions and requests relating to data protection, you can contact us by email at ansiokastuki@gmail.com.
What Data We Collect
We collect only the data needed to deliver your order and to fulfil our statutory obligations:
- Email address: for delivering download links and for communication related to your order.
- Order details: the products purchased, the order total, and the buyer's country.
- Payment transaction details: payments are processed by Stripe, from which we receive confirmation of the payment and the payment transaction's identifying details. We never see or store your card details at any stage.
- Consent to immediate delivery: we record on the order that, before payment, you gave your consent to the digital content being delivered immediately after payment and confirmed that you understand that you lose your 14-day right of withdrawal.
- Reader list (newsletter): if you subscribe to our reader list, we store your email address, your chosen language, and the time the subscription was confirmed. Subscriptions use double opt-in: you join the list only after confirming via the link sent to your email. The list is separate from purchase data, and buying a guide does not add you to it.
- IP address: during checkout, downloads, order lookup and reader-list signup we briefly process the request's IP address to prevent abuse (rate limiting). The basis is legitimate interest. We do not link the IP address to your order data and do not use it for tracking.
The online store has no user accounts, so you do not need to register or create a password.
What Data We Do Not Collect
- We do not use marketing or tracking cookies.
- We do not carry out profiling or automated decision-making.
- We do not send marketing messages without your explicit consent: our only mailing list is the reader list you subscribe to yourself, and every message includes a one-click unsubscribe link.
- We do not sell or disclose your data for advertising or any other commercial use.
Purposes and Legal Bases of Processing
We process personal data for the following purposes and on the following legal bases under the GDPR:
- Performance of a contract: your email address and order details are used to deliver the guides you purchased, to send download links, and to handle customer support related to your order (for example, providing a new download link).
- Legal obligation: order and payment transaction data is retained as required by the Finnish Accounting Act for bookkeeping and taxation purposes. The record of your consent to immediate delivery is also retained so that we can demonstrate that the requirements of the Finnish Consumer Protection Act have been met.
- Legitimate interest: data may be used to prevent and investigate misuse, such as payment fraud or misuse of download links.
- Consent: the reader list email address is used for sending the newsletter only on the basis of the consent you have given. You can withdraw your consent at any time via the link included in every message or by contacting support, in which case the address is removed from the list.
Data Retention Periods
- Order and payment data: retained in accordance with the requirements of the Accounting Act, as a rule for six years from the end of the financial year during which the purchase was made.
- Email address associated with an order: retained as part of the order data for the same period, because it forms part of the accounting records and is needed to handle any customer support requests.
- Support emails: messages you send to support are retained only for as long as handling the matter requires.
- Reader list: your email address is kept on the list until you unsubscribe, after which it is removed. Unconfirmed subscriptions are deleted as part of regular clean-ups.
When the retention period ends, the data is deleted or anonymised.
Data Processors
We use the following service providers to operate the store. They process personal data on our behalf under contract:
- Stripe: payment processing and calculation of value added tax based on the buyer's country.
- Resend: sending order confirmations and download links by email.
- Neon: the database in which order data is stored.
- Vercel: the technical platform (hosting) of the online store.
- Cloudflare R2: storage and downloading of the purchased PDF files.
- Upstash: rate limiting to prevent abuse; briefly processes the IP address.
All processors have committed to processing data only in accordance with our instructions and in compliance with data protection legislation.
Data Transfers Outside the EU/EEA
Some of the service providers we use may process data outside the EU/EEA, for example in the United States. For such transfers we use the safeguards required by the GDPR: transfers are based on the standard contractual clauses approved by the European Commission or on the EU-US Data Privacy Framework, where the service provider is certified under it.
Rights of the Data Subject
Under the GDPR, you have the following rights:
- Right of access: you can request a copy of the personal data stored about you.
- Right to rectification: you can request that inaccurate or incomplete data be corrected, for example an incorrectly recorded email address.
- Right to erasure: you can request that your data be deleted. Please note that we cannot delete data that we are legally required to retain (for example, order data that forms part of the accounting records) before the statutory retention period has ended.
- Right to restriction of processing: in certain situations, you can request that the processing of your data be restricted.
- Right to data portability: you can request that the data you have provided yourself, and which is processed on the basis of a contract, be delivered in a machine-readable format to you or to another service provider.
- Right to object: you can object to processing based on legitimate interest on grounds relating to your particular situation.
You can exercise your rights by sending a request to ansiokastuki@gmail.com. We respond to requests without undue delay, and at the latest within one month.
If you consider that the processing of your personal data is not lawful, you have the right to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).
Cookies
The online store uses only cookies and similar technologies that are strictly necessary for its operation, for example those required for the technical functioning of the order and payment process. We do not use tracking, analytics, or advertising cookies, and we do not share your browsing data with third parties for marketing purposes. Because only strictly necessary cookies are used, separate cookie consent is not required.
Data Security
We protect personal data with appropriate technical and organisational measures. Data transmissions are encrypted, access to the data is limited to those who need it for their work, and the processing of payment data is handled entirely by Stripe in its security-certified environment.
Changes to This Policy
We may update this policy, for example when legislation changes or when the service providers we use change. The current version is always available on the store's website. We aim to communicate any material changes clearly.
If you have questions about the processing of your personal data, please contact: ansiokastuki@gmail.com.