Privacy policy

Chia de Gracia Oy – Privacy Policy

1. Data Controller

The data controller is Chia de Gracia Oy
Business ID: 2746897-3

Contact person for data protection matters:
Tuomas Korhonen, CEO

Address:
Särkiniemenkatu 5 C 1
00210 Helsinki
Finland

Phone:
+358 40 342 4310

Email:
info@chiadegracia.fi


2. Name of the Register

Chia de Gracia Oy customer and marketing register.


3. Purpose of Processing Personal Data

Personal data is processed for the following purposes:

  • processing and delivering webshop orders
  • managing and maintaining customer relationships
  • customer service and communication
  • payment processing and invoicing
  • arranging deliveries
  • handling complaints and returns
  • developing services and the website
  • website analytics and usage monitoring
  • marketing, newsletters and customer communication
  • targeted digital advertising
  • preventing misuse and fraud
  • fulfilling legal obligations

Electronic direct marketing is sent in accordance with applicable legislation either based on an existing customer relationship or the data subject’s consent.

The data subject has the right to prohibit direct marketing at any time.


4. Legal Basis for Processing Personal Data

The processing of personal data is based on the following legal grounds under the EU General Data Protection Regulation (GDPR):

  • consent given by the data subject (GDPR Article 6(1)(a))
  • performance of a contract (GDPR Article 6(1)(b))
  • compliance with legal obligations (GDPR Article 6(1)(c))
  • legitimate interest of the data controller (GDPR Article 6(1)(f))

The legitimate interest of the data controller is based on customer relationship management, business development, customer communication, marketing, fraud prevention, and ensuring the security and functionality of online services.


5. Contents of the Register

The register may contain the following personal data:

  • name
  • address
  • phone number
  • email address
  • order information
  • delivery and billing information
  • payment-related information
  • customer service messages and communications
  • marketing permissions and restrictions
  • website usage data
  • IP address
  • cookie data and identifiers
  • browser and device technical information
  • purchase history
  • webshop behavioral data
  • newsletter subscription information

Payment card details are not stored in Chia de Gracia Oy’s systems.


6. Regular Sources of Information

Personal data is collected:

  • directly from the data subject
  • in connection with webshop orders
  • when subscribing to newsletters
  • through customer service interactions
  • through cookies and analytics tools
  • from publicly available sources within the limits permitted by applicable legislation

7. Retention Period of Personal Data

Personal data is stored only for as long as necessary to fulfill the purposes of processing or to comply with legal obligations.

Customer data is generally stored for the duration of the customer relationship and for a maximum of five years after the relationship has ended, unless legislation requires a longer retention period.

Accounting materials are retained in accordance with accounting legislation.

Data in marketing registers will be deleted within a reasonable period if the data subject withdraws consent or objects to marketing.


8. Recipients of Personal Data and Data Disclosures

Personal data may be processed and disclosed to service providers acting on behalf of the data controller and participating in the operation of the webshop, payment processing, deliveries, marketing, analytics, customer communication or IT services.

Data may be processed in connection with services such as:

  • Shopify
  • Klaviyo
  • Google Analytics
  • Meta Platforms
  • TikTok
  • Microsoft Advertising / Bing
  • payment service providers
  • logistics and transportation partners
  • accounting and IT service providers

Personal data is not sold to third parties.

Our webshop operates on the Shopify platform. Shopify processes personal data as a service provider in connection with the technical operation of the webshop. More information about Shopify’s privacy practices is available in the Shopify Privacy Policy.


9. Transfers of Data Outside the EU or EEA

Personal data may be transferred outside the European Union or the European Economic Area in connection with the technical systems of service providers.

When transferring data, applicable data protection legislation is followed and appropriate safeguards are used, such as the European Commission’s Standard Contractual Clauses (SCC).


10. Principles of Register Protection

Personal data is processed confidentially.

Information systems are protected with appropriate technical and organizational security measures, including:

  • usernames and passwords
  • restricted access rights
  • firewalls
  • encrypted connections
  • log files
  • backups

Access to personal data is limited to persons whose work duties require it.


11. Rights of the Data Subject

The data subject has the right to:

  • receive information about the processing of personal data
  • access their personal data
  • request correction of inaccurate data
  • request deletion of data
  • restrict the processing of personal data
  • object to the processing of personal data
  • transfer data from one system to another in accordance with applicable legislation
  • withdraw consent at any time
  • prohibit direct marketing
  • lodge a complaint with the data protection authority

Requests regarding these rights should be sent to the contact email address listed in section 1.


12. Cookies and Analytics

The website uses cookies and similar technologies to enable website functionality, analytics, user experience and marketing.

We use services such as:

  • Google Analytics
  • Meta Platforms Pixel
  • TikTok Pixel
  • Microsoft Advertising / Bing
  • Klaviyo
  • Shopify

Cookies may collect information such as:

  • IP address
  • browser type
  • device information
  • website usage information
  • purchasing behavior
  • time spent on the website
  • advertising performance information

Cookies are also used for targeted advertising and advertising measurement.

Users can manage cookie settings through the cookie banner and through their browser settings.

Necessary cookies are required for the website to function properly and cannot be disabled.


13. Changes to the Privacy Policy

Chia de Gracia Oy reserves the right to update this privacy policy based on changes in legislation, regulatory guidance or business operations.

The latest version of the privacy policy is always available on the website.

Updated 6 May 2026