This privacy policy describes what personal data Venrego (sole trader / "the company") collects, how the data is processed, for what purposes the data is used, and to which parties the data may be disclosed. This privacy policy also provides information about the obligations the company follows when processing personal data.
The company pays special attention to data protection and complies with the EU General Data Protection Regulation (2016/679) ("GDPR") and other applicable data protection legislation and good data processing practices in all processing of personal data.
This privacy policy applies to all services provided by the company. In addition to customer personal data, this privacy policy also applies to the processing of potential customers' personal data. Furthermore, the privacy policy applies to the processing of personal data of the company's business customers, partners, service providers, and subcontractors' representatives.
Personal data refers to all information relating to a natural person ("data subject") by which they can be directly or indirectly identified as defined in the GDPR. Information that cannot directly or indirectly identify a data subject is not personal data.
Data controller: Venrego (sole trader)
Business ID: 3610730-1
Address: Helsinki, Finland
Email: contact@venrego.com
Contact person: Kirill Zuravlev
Personal data is processed for the following purposes, among others:
The legal basis for processing data subjects' personal data is the contractual relationship between the company and the data subject, based on the ordering or provision of a product or service offered by the company. The processing of personal data is also based on legal obligations such as accounting obligations. Processing for customer relationship management and marketing is based on the company's legitimate interest.
Electronic direct marketing and subscribing to the company's newsletters is based on the data subject's consent or the company's legitimate interest. The data subject has the right to withdraw their consent at any time (see data subject rights below).
The company only collects personal data about data subjects that is relevant and necessary for the purposes described in this privacy policy. The following data about data subjects is processed:
4.1. Contact information: name, address, phone number, email address
4.2. Identification data (only if absolutely necessary): personal identity code and date of birth
4.3. Customer relationship data: account number, billing and payment information, and other data that identifies the customer relationship
4.4. Customer transaction and contract data: information about the contract between the company and the data subject or between the company and the organization represented by the data subject, sales contracts, customer feedback, and contacts, complaints, and other transaction data between the data subject and the company
4.5. Consents given by the data subject: data concerning the data subject's consent to electronic direct marketing, withdrawal of consent, and prohibitions given by the data subject
4.6. Behavioral data and technical identification data: monitoring of the data subject's online behavior and the company's services, for example through cookies or similar technical identifiers. Data collected may include the user's IP address, pages visited, browser type, web address, session time, and duration.
Providing the data mentioned in sections 4.1–4.4 above is necessary for fulfilling the obligations based on the contract and legislation between the company and the data subject, as well as for providing the company's services. Providing the data mentioned in section 4.5 is voluntary.
Personal data is primarily collected from the data subjects themselves, for example when making a quote, entering into a contract, or during the customer relationship. The data subject may also have provided the company with data, for example by subscribing to an electronic newsletter, through social media services, or on the company's website.
The company may use external service providers in marketing who process data subjects' contact information for marketing purposes.
Personal data may also be collected from an organization on whose behalf the data subject acts. In addition, data may be collected and updated from registers maintained by third parties in situations permitted by legislation.
The company's subcontractors, contractors, and partners provide the company with data subjects' personal data in situations required by legislation and contractual obligations.
The company uses various services for website visitor tracking, including Google Analytics, which use browser cookies and other identifiers. More information about these can be found in each service's own privacy policies.
The company retains personal data for as long as necessary to fulfill the purposes defined in this privacy policy, unless legislation requires retaining personal data for a longer period (for example, responsibilities and obligations related to special legislation, accounting obligations, or reporting obligations), or unless the company needs the data for preparing, presenting, or defending against a legal claim or resolving a similar dispute.
The retention period and retention criteria vary by personal data category depending on the purpose of use of a particular personal data category.
Personal data is processed for the duration of the customer and contractual relationship and for a necessary period after the end of the customer and contractual relationship. Data concerning potential customers is primarily retained for 1 year.
Regarding organizations, the retention of the organization's representative's personal data is linked to how long the data subject in question acts as the organization's representative toward the company.
When personal data is no longer needed as defined above, the data is deleted within a reasonable time.
The company may outsource the processing of personal data to service providers or subcontractors in accordance with this privacy policy. The company ensures through sufficient contractual obligations that personal data is processed appropriately.
Personal data may be disclosed to authorities in situations required and authorized by legislation.
The company does not disclose data subjects' personal data for direct marketing.
If the company is involved in a business transaction or other corporate arrangement, it may be required to disclose data subjects' personal data to third parties.
Disclosure of data to a third party is primarily done through electronic data transfer connections, but data may also be disclosed in other ways such as by phone or mail.
Data is not transferred outside the European Union or European Economic Area.
If data is transferred outside the European Union or European Economic Area, the company ensures an adequate level of protection for personal data by, among other things, agreeing on matters related to the processing of personal data as required by data protection legislation, such as using standard contractual clauses approved by the European Commission.
The company processes personal data in a manner that aims to ensure appropriate security and data protection of personal data in all situations, including protection against unauthorized processing and accidental loss, destruction, or damage.
Appropriate technical and organizational safeguards are used in the processing of personal data to ensure this, including the use of firewalls, encryption techniques, secure facilities, appropriate access control and access management, and staff training.
Contracts and other documents kept as originals are stored in locked premises with access restricted only to authorized parties. Paper printouts are destroyed securely.
All parties processing personal data have a duty of confidentiality regarding matters related to the processing of data subjects' personal data, based on the Employment Contracts Act and the confidentiality terms of contracts.
The company may outsource the processing of personal data to service providers in accordance with this privacy policy, in which case the company ensures through sufficient contractual obligations that personal data is processed appropriately and lawfully.
Data subjects have the rights guaranteed by data protection legislation.
The data subject has the right to obtain confirmation of whether their personal data is being processed. The data subject has the right to review and see data concerning themselves and, upon request, the right to receive the data in writing or electronic form.
The data subject has the right to request the correction of inaccurate or imprecise data. In addition, the data subject has the right under applicable data protection legislation to request the deletion of their data. The company also proactively deletes, corrects, and supplements personal data that it discovers to be inaccurate, unnecessary, incomplete, or outdated in relation to the purpose of processing.
The data subject has the right under applicable data protection legislation to request the transfer of their data to another data controller.
In addition, the data subject has the right to request the restriction of processing of personal data in accordance with the conditions defined by data protection legislation. Furthermore, in situations where personal data suspected to be inaccurate cannot be corrected or deleted, or there is uncertainty about a deletion request, the company restricts access to the data.
The data subject has the right to object to the use of data for certain types of processing. The data subject has the right to prohibit the disclosure and processing of their data for direct marketing purposes.
Requests concerning data subject rights are made in person or in writing or electronically and addressed to the contact person of this privacy policy. Identity is verified before providing data. A verification request is responded to within a reasonable time and, where possible, within one month of the submission of the request and verification of identity.
If the data subject's request cannot be granted, the refusal is communicated to the data subject in writing. The company may refuse a request, such as deletion of data, due to a legal obligation or the company's legal right, such as a service-related obligation or claim.
Consent for electronic direct marketing can be withdrawn or a direct marketing prohibition can be given by contacting the company's contact persons. In addition, the data subject can unsubscribe from the company's mailing list at any time by clicking the "Unsubscribe" link in the email.
The data subject has the right to lodge a complaint with a data protection authority if the data subject considers that their personal data has been processed in violation of applicable legislation.
Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: P.O. Box 800, 00521 Helsinki
Email: tietosuoja@om.fi
Switchboard: 029 56 66700
The company continuously develops its services and may therefore need to change and update this privacy policy. Changes may also be based on changes in legislation. We recommend reviewing the content of the privacy policy regularly. Changes are communicated on the company's website, and significant changes are communicated to data subjects by email.
Privacy policy published on April 7, 2026