Privacy Policy

This document is a machine translation of the original Finnish version available at www.kiho.fi/tietosuojaseloste. In case of discrepancies, the Finnish version shall prevail.

As the controller processing personal data, the controller is Kiho Oy.

Business ID FI31480756

Address: Puutarhakatu 11, C2-T3
70300 Kuopio
tel. 010 411 7740, email tuki@kiho.fi

Legal Bases and Purpose of Processing Personal Data

We process the personal data of data subjects on the following grounds in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”):

  • with the explicit consent given by the data subject;
  • based on the consent obtained from the data subject by a customer using our services or another lawful basis the customer has for processing;
  • for the performance of a contract to which the data subject is a party (for example, a commission contract or an employment contract);
  • for compliance with the controller’s legal obligations (for example, to fulfill Kiho Oy’s employer obligations); and based on legitimate interest, to provide services to our customers.

Registers Formed from Personal Data and Categories of Personal Data

Through the collection of personal data, we form the personal data registers described below. For each register, we have described its intended purpose and provided examples of the types of personal data it contains.

  • Customer Register consists of personal data needed for identifying customers and for managing and developing the customer relationship. Such data includes, for example, the data subject’s name, address, phone number, job title, and other contact details, as well as information related to customer identification.
  • Marketing Register consists of personal data collected, for example, from potential and existing customers, former employees, and participants in events we organize, to whom we market our services and inform about our operations. Such data includes, for example, name, address, phone number, job title, and corresponding contact details.
  • Website Register consists of personal data collected from visitors to our website, which we collect and process to ensure website functionality and for website development. Such personal data includes, for example, cookies, information about the browser used, time spent on the website, and the route through which the visitor arrived at our site.
  • Recruitment Register consists of personal data of potential and recruited employees, which we collect and process to make recruitment decisions. Such data includes, for example, the contact details of job applicants and personal data provided in their applications.
  • Employee Register consists of personal data of our current employees, which we collect and process to fulfill employer obligations. Such data includes, for example, employee contact details.

Cookies and analytics

We use cookies and similar technologies on our website to ensure the proper functioning of the service, to improve user experience, and to develop our marketing and communications.

Cookies collect information such as website usage, visit duration, pages viewed and actions taken on the site. This data is used to develop the service and to better target marketing activities.

Tools in use

Google Analytics
We use Google Analytics to collect statistical information about the use of our website (e.g. number of visitors, page views and visit duration). The data is used to improve the functionality and content of the website.

HubSpot
We use HubSpot for marketing automation, customer communication and for processing contact forms and inquiries. HubSpot may collect information about user activity on the website, such as page visits and form submissions.

Microsoft Clarity
We use Microsoft Clarity to analyze how visitors use our website (for example mouse movements and clicks). This information is used to improve the usability and performance of the website.

Meta Pixel (Facebook Pixel)
We use Meta Pixel to measure the effectiveness of our marketing campaigns and to target advertising on Meta platforms (Facebook and Instagram). Meta Pixel may collect information about user actions on the website, such as page visits and form submissions.

Consent related to cookies

You can accept or reject cookies via the cookie banner. You can also change or withdraw your consent at any time in the cookie settings.

Blocking or deleting cookies may affect the functionality and usability of certain parts of the website.

For more information on the processing of personal data, please see this privacy policy.

Processing of Personal Data and Categories of Processing

Through the processing of personal data collected and provided by customers for service provision, we form the following categories of data processing.

  • Service Information Maintenance Register consists of location data produced by tracking devices used in connection with our services. Location data may constitute personal data if the customer, based on their own data, can associate the location information with an individual data subject.

Recipients of Personal Data

We may transfer, and in some cases do transfer, the personal data of data subjects to our contractual partners who process the data subjects’ personal data on our behalf under a personal data processing agreement between us and the data processor.

We may disclose or transfer personal data of data subjects to competent authorities or other parties as required by applicable legislation and the demands presented by such authorities.

However, our starting point is that we do not disclose the personal data of data subjects to third parties unless there is a justified reason for doing so as described above or as required by law.

We do not disclose personal data obtained from customers to anyone other than the subcontractors necessary for providing the services or to authorities who have the right to access the data by law, unless requested by the customer.

Transfer of Personal Data Abroad

We aim not to transfer the personal data of data subjects outside the EU or EEA.
If we must transfer such data outside the EU or EEA, we ensure an adequate level of data protection by applying safeguards required by data protection legislation (e.g., the EU Commission’s standard contractual clauses).

We use third-party tools on our website whose service providers may also be located outside the EU or the European Economic Area. Such service providers include, for example, Google Analytics. In such cases, we ensure an adequate level of data protection for personal data.

Retention of Personal Data

We retain the personal data of data subjects for as long as necessary for each purpose described above, for our operations, and as required by applicable law.

The retention period of personal data is determined by the purpose for which the data is processed. Personal data related to customer relationships is retained for as long as required by applicable legislation. Retention periods vary greatly. We delete personal data when we no longer need it or have no legal basis for processing it.

We retain location data received from customers for the duration of the customer relationship and thereafter for the time necessary to secure the responsibilities and obligations arising from the relationship.

Protection of Personal Data

We protect the personal data of data subjects from unauthorized access and unlawful processing through organizational and technical measures, such as passwords, access restrictions, and internal operating instructions. We also use appropriate firewalls to protect personal data.

Rights of the Data Subject

Right of Access
 The data subject has the right, under data protection legislation, to inspect what personal data concerning them has been stored in the registers or to confirm that no such data exists.

Right to Rectification
 If there are errors in the stored personal data, the data subject may submit a request to the controller to correct the error.

Right to Erasure
 The data subject has the right to request the deletion of their personal data from the register if there is no legal basis for processing the data.

Right to Restrict Processing
 The data subject may request the restriction of processing of personal data on grounds provided by law.

Right to Object
 The data subject has the right to prohibit the controller from processing their personal data for direct marketing, distance selling, other direct marketing, and market or opinion research.

Right to Data Portability
 Insofar as the data subject has provided the controller with data processed on the basis of consent, the data subject has the right to receive such data in a generally machine-readable format and the right to transfer that data to another controller.

Right to Withdraw Consent
 If personal data processing is based on the data subject’s consent, the data subject has the right to withdraw that consent at any time. Processing carried out before withdrawal remains lawful despite the withdrawal.

Right to Lodge a Complaint with a Supervisory Authority
 The data subject has the right to lodge a complaint with the competent supervisory authority if they believe that the controller has not complied with applicable data protection regulations.
The national supervisory authority is the Office of the Data Protection Ombudsman (www.tietosuoja.fi).

Other Information

The processing of personal data may in part be a statutory duty of the controller and in part a contractual requirement. For example, processing is a statutory duty when it relates to fulfilling our employer obligations.

We do not engage in automated decision-making or profiling.

Source of Personal Data

We receive personal data from the data subject themselves when the data subject uses our services and provides personal data to us based on their consent.
We may also collect and update personal data from our partners’ registers and from authorities and companies providing personal data services, such as subcontractors who provide services to us.

Additionally, we receive location data from our customers in connection with providing our services.

Additional Information

If a data subject has any questions regarding our data protection practices or wishes to exercise their rights, we ask them to contact us at tuki@kiho.fi.

We may update this privacy notice by announcing it on our website or otherwise electronically.

The privacy notice / record of processing activities was last updated on 30 January 2026.