Register description
Privacy policy
NINJA CUSTOMER DATABASE REGISTER DESCRIPTION
This is Ninja's register and data protection statement in accordance with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Prepared on 21.5.2018.
Data controller
No8nik Oy is the controller and is responsible for the processing of personal data. For this service, you can contact the controller in the following ways:
Ninja / No8nik Oy
Y-2957453-4
Eteläkatu 14
13100 Hämeenlinna
tel. 010-3272700 (local network charge / mobile call charge)
e-mail: asiakaspalvelu@ninja.fi
Contact person for matters concerning the register:
Ninja / No8nik Oy
NoNo8 NoNo8
13100 Hämeenlinna
Name of the register
Ninja customer register
Legal basis and purpose of the processing of personal data
The legal basis for the processing of personal data under the EU General Data Protection Regulation is 1) performance of a contract, 2) a legal obligation relating to, for example, accounting law and consumer liability, 3) consent or 4) protection of vital interests.
Personal data is used to manage and develop customer relationships, to plan and target marketing, and to improve customer service. Personal data is also processed in connection with customer contacts, customer service, customer surveys and other measures related to the management of the customer relationship.
Data content of the register
Ninja's customer register processes data in the following categories:
Basic customer information:
- First name
- Surname
- Postal address
- Mobile phone number
- E-mail address
- Additional customer information
- Marketing authorisations and bans
- Customer relationship management information and targeted marketing activities
- Subscription data
- Order tracking codes
- Membership information
- Returns and exchanges
- Changes to the information identified above
- Customer profiling
Regular data sources
Information about the customer is obtained from the customer himself when placing an order in the Ninja.fi online store and from information provided by the customer during the customer relationship. In addition, the register collects information about the customer's purchases at product category level, product returns and exchanges, and customer communications. Personal data may also be collected and updated from the registers of the controller and companies belonging to the same chain as the controller, as well as from authorities and companies providing personal data services.
Processing of data
Customer purchase data are processed for the purpose of delivering orders placed by the customer. For the purposes of compliance with the contract, the first name, surname, postal address, mobile phone number, e-mail address, additional customer information, order data and order tracking codes are required.
The company has a legal obligation to keep certain information, for example to comply with accounting law and consumer liability for errors. Such information includes first name, surname, postal address, mobile phone number, email address, additional customer information, order details and order tracking codes.
With the customer's consent, the company also collects the following information from the customer for the purposes of electronic direct marketing: first name, surname, e-mail address, order details, consent and language preference.
In order to protect vital interests, the company collects information from customers for possible product recalls: first name, surname, postal address, mobile phone number, e-mail address, order details and order tracking codes.
Data retention period
The retention periods for your personal data in Ninja's services are as follows:
- Purchase history: 10 years
- Customer service history: 10 years
- Direct marketing: data will be deleted if requested by the customer
- Accounting retention: pursuant to Section 2:10 of the Accounting Act, supporting documents containing personal data are retained for six years from the end of the calendar year in which the accounting period ends.
Your right to withdraw consent
Where the processing of your personal data is based on your consent, you may withdraw your consent at any time. For example, if you have given your consent to electronic direct marketing, the processing of your personal data is based on consent. You can withdraw your consent by notifying Ninja Customer Service or by clicking on the unsubscribe link in your email.
Other rights
You have the right to know, upon request, whether your personal data are processed by the Controller. If we process your data, you have the right to receive a copy of the data we process. If we do not process your data, you have the right to obtain confirmation of this as well.
You have the right to correct or complete your personal data that is inaccurate or incomplete for processing purposes.
You may have the right to have your personal data erased in certain circumstances referred to in the Regulation. We will delete your data at your request if the criteria set out in the legislation are met. You have the right under the Regulation to have your personal data deleted from our system if:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; or
- you have withdrawn your consent on which the processing was based and there is no other lawful basis for the processing; or
- you object on personal grounds to processing necessary for the purposes of the legitimate interests pursued by the controller or a third party, such as profiling. In this case, the controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
- the personal data have been collected from the child in connection with the provision of information society services.
You may have the right to restrict the processing of your personal data. We will restrict processing at your request in the circumstances specified by law. You can restrict the processing of your personal data if:
- you contest the accuracy of your personal data, in which case processing will be limited for a period of time during which we can verify its accuracy;
- the processing is unlawful and you object to the erasure of the personal data and instead request the restriction of its use;
- as a controller, we no longer need the personal data concerned for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims;
- you have objected on personal grounds to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in the legitimate interests of the controller or a third party and we are awaiting verification of whether the controller's legitimate grounds override yours.
Where the processing of your personal data is restricted, it may be processed, except for storage purposes, only with your consent or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
In certain circumstances, you have the right to transfer your personal data held by us to yourself or to another controller. This right applies to personal data which you have provided to us and which we process on the basis of your consent or in order to perform a contract to which you are party. It applies to data processed by automated means. Some of the information is in hard copy and the right does not apply to such documents.
You may have the right to object to the processing of your personal data. We will stop processing your personal data at your request in the situations specified by law. You may object to the processing of your personal data:
- for the purposes of the controller's or a third party's legitimate interests, such as profiling, on the basis of your personal reasons. In this case, the controller may no longer process the personal data, unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or where it is necessary for the establishment, exercise or defence of legal claims;
- at any time, where your personal data are processed for the purposes of direct marketing, including profiling where it relates to such direct marketing.
Exercise of rights
You can send us a request to exercise your rights by emailing asiakaspalvelu@ninja.fi. Alternatively, you can send a personally signed request by post to the address above.
If your personal data is included in the response, we will provide it either in encrypted electronic form or by personal registered mail, as appropriate. A registered letter can be signed for only by the person named as the addressee. This ensures that the information stays confidential and reaches the correct recipient.
Information about the recipients of personal data
As the controller, we process personal data ourselves, but we also use various service providers. The controller seeks to use the best and most reliable partners and is responsible for the performance of the service providers it chooses when processing personal data.
Ninja uses the following external services:
- Shopify
- Paytrail, Stripe
- Klaviyo
- Posti, PostNord
- Meta, TikTok
- Google, Microsoft
Personal data is considered to be transferred outside the EU and EEA in connection with the provision of IT services where the personal data is accessible by remote access (from a country outside the EU and EEA). This transfer of data has been contracted with the service provider in accordance with the standard contractual clauses adopted by the EU Commission.
Some public authorities also have a legal right of access to the data. These authorities include police, customs, border guards and tax authorities.
Information necessary for the service
In order to provide you with the benefits or services mentioned in the contract, we need to process personal data necessary for the performance of the contract. This includes your name, contact details and details of purchases.
Consent for electronic marketing is not necessary, but without consent we cannot provide electronic and usually targeted direct marketing.
If you do not consent to profiling, we will not be able to target marketing messages sent to you. You will then only receive general marketing communications, not information about the products in which we could determine your interest through profiling.
Information about automated decision making including profiling
Profiling is the processing of personal data that uses personal data to evaluate certain personal aspects of you. We profile customers in order to target marketing. However, we consider that such profiling does not have legal effects within the meaning of the Regulation or otherwise have a significant impact on the subject of the profiling.
As a data subject, you have the right to object to profiling based on the controller's legitimate interest on the basis of a specific personal ground. You may also object at any time to profiling carried out for the purposes of direct marketing.
Use of data for other purposes
We do not use data for purposes other than those stated here. If new uses subsequently arise, we will inform you of them and of the lawful basis for processing or, where appropriate, ask for your consent to the processing of your personal data for the new purposes.
Transfer of data outside the EU or EEA
Personal data will not be transferred outside the EU or EEA unless this is necessary for the technical implementation of the processing.
Principles for the protection of the register
Data for the register is collected only electronically, and Ninja's customer register is stored electronically. The customer register is protected by firewalls and other technical means. Only designated persons subject to confidentiality obligations are authorised to access and maintain the data in the register. The register will not be disclosed to third parties, except for technical management activities (e.g. management of the server or e-commerce platform).
Notice of appeal
If you believe that we are not processing your personal data in accordance with the EU General Data Protection Regulation, you may lodge a complaint with the supervisory authority in the EU Member State where you are habitually resident or employed or where you consider that a breach has occurred. In Finland, this authority is the Data Protection Ombudsman.