Privacy Policy

Privacy Statement for hurtta.com Webshop (Consumers)

Last updated: 31.10.2023

Protecting your privacy is very important to Best Friend Group Oy (”Company”). This notice sets out the basis on which personal data of website visitors and users (“Data Subjects”) is collected and processed in connection with the Company’s website and webshop (“Website”). Personal data means all information on the basis of which an individual person can be identified.

This document relates to the processing of the personal data of consumers visiting the Website.

  1. Data controller and processors

The data controller for personal data collected and processed on the Website is Best Friend Group Oy (business ID 1073893-0). The person responsible for personal data processing is Anni Hartikainen. Any questions or requests with regards to data protection can be sent to gdpr@nordicpetcare.com.

The following third parties act as data processors relating to the website on the basis of written data processing agreements:

  • Software as a service platform provider Amazon Web Services
  • Webshop platform provider Shopify Inc. as well as its sub-processors
  • Maintenance and development partner Woolman Oy
  • Systems integration provider Solteq Oyj
  • Analytics service provider Matomo and Google Analytics 4
  • Newsletter service provider Klaviyo, Inc.
  • Logistics service provider nShift Group AS as well as its sub-processors
  • Other companies of the Nordic Pet Care Group A/S group of companies, which have access to the personal data processed on the Website for handling sales processes and providing customer support in their own areas

Furthermore, the Company uses various payment providers (PayPal, Shopify Payments, Paytrail, Klarna) in order to purchase goods on the Website. These payment providers provide information about their own data processing practices in privacy notices on their own websites.


  1. Categories of personal data and the basis for processing said data

Personal data is processed on the Website pursuant to the EU General Data Protection Regulation (“GDPR”) as well as applicable national data protection legislation. Personal data is only processed for the purposes mentioned below, and there is always a legal basis for processing, based on the applicable legislation. It is necessary to provide personal data in order to use the webshop on the Website.

The Company collects and processes the following categories of personal data:

Category of personal data

Purpose of processing

Legal basis

Removal of personal data

Name, email address when registering

Registering for the website (not required, but helps when making purchases)

Performance of contract (GDPR Article 6(1)(b))

Within 3 months of the account becoming inactive

Providing newsletters to registered users

Legitimate interests of Company (GDPR Article 6(1)(f))

Name, email address when ordering a product

Purchasing goods – communications regarding orders

Performance of contract (GDPR Article 6(1)(b))

Within 3 months of the Data Subject no longer being an active customer

Notes made by Company’s employees in relation to orders, including any possible personal data

Documenting information regarding the purchase or return of goods

Performance of contract (GDPR Article 6(1)(b))

Name, email address, phone number, postal address

Fulfilling orders or handling returns

Performance of contract (GDPR Article 6(1)(b))

Individual Shopify customer identity number of each Data Subject

Identifying the purchases of individual Data Subjects in order to handle orders and returns

Performance of contract (GDPR Article 6(1)(b))

Data collected by the Matomot service (including IP address, products looked at by Data Subject)

Analysing the behaviour of Data Subjects in order to develop the service and goods offering of the Company

Legitimate interests of Company (GDPR Article 6(1)(f))

90 days after end of web session

Data Subject’s IP address

Logging in order to detect and fix errors, preventing malicious behaviour/DDoS attacks

Legitimate interests of Company Oy (GDPR Article 6(1)(f))

3 months after end of web session

 

  1. Use of non-personal data

In addition to the personal data mentioned above, the Company also processes data that does not identify individual users, and therefore does not fall within the scope of data protection legislation. The company, e.g., uses cookies, the use of which is described here. The Company also uses Matomo. However, Matomo is used in such a way that a part of the IP address of visitors is masked so that they cannot be used to identify individual users, and therefore this does not amount to the processing of personal data.


  1. Data security

Personal Data will be protected by reasonable security safeguards against accidental loss, unauthorized processing, the destruction of, or use or modification of, or unauthorized disclosure of the personal data. The Company employs appropriate technical and organizational security measures in order to protect the personal data. The safeguards the Company employs, such as limiting its personnel’s and subcontractors’ access to personal data and encryption of data, are proportionate to the likelihood and severity of any potential harms or threats, the sensitivity of the personal data, and the context in which it is held as well as development of security technologies.


  1. Rights of Data Subjects

Under the General Data Protection Regulation (”GDPR”), the Data Subject has the following rights with regards to Personal Data, as more closely specified in Articles 15-21 of the GDPR:

  1. Right of access: the Data Subject has the right to request confirmation of whether his or her personal data is processed in connection with the website, and access to that personal data.
  2. Right of rectification: the Data Subject has the right to request the data controller to rectify any inaccurate or incomplete personal data concerning her or him held by or processed in connection with the website.
  3. Right of erasure: the Data Subject has the right to request that personal data concerning her or him is erased where it is no longer necessary for the purpose for which it was collected or processed, where she or he objects to the processing and there are no overriding legitimate grounds for processing, where her or his personal data is being unlawfully processed, or where personal data must be erased in order to comply with relevant legislation.
  4. Right of restriction: the Data Subject has the right to request restriction of processing of her or his personal data where the accuracy of the personal data is contested, where processing is unlawful or where the personal data is no longer needed by the data controller but she or he legitimately opposes the erasure of the personal data, or where she or he objects to the processing and it has not yet been verified whether legitimate grounds exist for the processing.
  5. Right to object: the Data Subject has the right to object to the processing of her or his personal data where the processing is based on the legitimate interests of the data controller or third parties as specified in Section 2.
  6. The Data Subject has the right the right to contact the competent data protection authority and file a complaint regarding the processing of her or his personal data. With regards to Finland, the competent data protection authority is the Data Protection Ombudsman (tietosuoja.fi). Best Friend Group Oy is part of the Nordic Pet Care Group A/S group of companies. The domicile of the group’s parent company is Denmark, where the competent data protection authority is the Datatilsynet (dt@datatilsynet.dk).

 

  1. Transfers outside the EU/EEC

Personal Data relating to the website is only transferred or processed outside the EU/EEC pursuant to sufficient safeguards under Article 49 of the EU General Data Protection Regulation, such as an adequacy decision by the European Commission, or subject to standard contractual clauses approved by the European Commission. Data subjects have the right to receive a description of the data transferred subject to standard contractual clauses, as well as the measures undertaken to mitigate personal data risks in connection with the use of the standard contractual clauses.


  1. Changes to the Privacy Notice

This Privacy Notice may be amended from time to time by posting an updated version to the website, after which the updated version shall apply. In the event there are substantial changes to the Privacy Notice, the Company may notify Data Subjects by other means, for example via email.

-- End of document --