Privacy

This page explains, in plain language, what data we collect about you, what we use it for, and what rights you have. No more lawyer-speak than absolutely necessary.

Data controller

Valco Oy (Business ID 2919697-5)
Kirvestie 9a
33710 Tampere, Finland

For data protection matters, Henri Heikkinen is your guy. Drop a message to info@valco.fi. Same address if you suspect a data breach.

You can view and delete the data we've stored here: https://www.valco.fi/pages/gdpr-sivu

1. What data we collect

When you browse our pages, we collect anonymous statistical data on how the site is used.

When you place an order or create a customer account, we need your name, email address, phone number, and delivery address. Without them, the package won't find its way to you.

If you sign up for the newsletter, we store your email address for that purpose.

We don't handle your payment card details ourselves. They go straight through the payment provider you choose. How they're handled is explained in the payment provider's own service.

2. What the data is used for and on what basis

We use your data for the following purposes:

  • Delivering orders and customer service – the basis is the contract with you
  • Sending the newsletter – the basis is the consent you've given, which you can withdraw at any time
  • Marketing of our own similar products to existing customers – the basis is legitimate interest (soft opt-in).
  • Store analytics and fraud prevention – the basis is our legitimate interest in running and developing the store
  • Ad targeting – the basis is your consent, given via the cookie banner
  • Bookkeeping and other statutory obligations – the basis is the law

3. How long the data is kept

We keep data only as long as it's needed. In practice:

  • Order and customer data stays in our online store for the duration of the customer relationship. Bookkeeping-related data we keep for six years after the end of the financial year, because the Accounting Act requires it.
  • Newsletter subscriber data stays until you unsubscribe.
  • Data collected via cookies stays for the lifespan of the cookie, from a single session up to about two years.

When you request that your data be deleted, we'll delete it within 30 days of the request arriving and your identity being verified, unless the law forces us to keep something longer, like bookkeeping records.

4. Who the data is disclosed to

We don't sell or rent your data to anyone. We do, however, use trusted services to run the store, and they process your data on our behalf only to the extent necessary:

  • Shopify – the e-commerce platform where order and customer data lives
  • Google and YouTube – visitor analytics and ad targeting
  • Facebook and Instagram (Meta) – visitor tracking and ad targeting
  • TikTok – visitor tracking and ad targeting
  • Stape – server-side event tracking that passes order and event data on to the ad platforms above
  • Mailchimp – email and text message marketing
  • Amazon Web Services (AWS SES) – the technical sending of emails
  • Simple Affiliate – affiliate marketing tracking
  • Judge.me – collecting and displaying product reviews
  • Posti – package delivery
  • Payment provider – handling the payment transaction
  • Credit provider – if you choose invoice or instalment as your payment method

These services' data processing is based on their own terms, shared across all their customers, which also include the contractual terms covering the processing of personal data.

5. Transferring data outside the EU

Some of the services we use process data outside the EU. For US-based services (such as Google, Meta, Amazon, and Mailchimp), transfers are protected by the EU-US Data Privacy Framework. For other services operating outside the EU, we use the European Commission's Standard Contractual Clauses. So your data doesn't travel around unprotected.

6. AI

We use AI tools to develop the store. They only get pseudonymised purchase data, with the name, contact details, and other direct identifiers removed.

7. Email marketing and communications

We only send newsletters and other marketing messages if you've subscribed to our communications. There are two exceptions:

  1. Notifications related to your order (e.g. order confirmation, delivery, returns, and warranty), which are essential to carrying out the sale. The legal basis is the performance of a contract (General Data Protection Regulation, Article 6(1)(b)).
  2. Marketing of our own similar products as an existing customer. If you've bought from us, we may send you marketing about similar products. The legal basis is legitimate interest (GDPR, Article 6(1)(f)) and the so-called soft opt-in under the Act on Electronic Communications Services. You can opt out of this marketing at any time via the link at the end of every message.

For sending messages, we use the Mailchimp service provider and Amazon Web Services' (AWS SES) email service. Messages are sent from Amazon's service within the EU region (Stockholm, eu-north-1). Amazon and Mailchimp are US-based operators, and transfers are protected by the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses (SCC).

Subscriber data (your email address and the status of your consent) and information on whether you opened a message or clicked its links are processed in Mailchimp and in a system administered by Valco itself. We don't pass this open and click data on to Amazon. We use the data to target and develop our communications. If a message doesn't get through (e.g. the address isn't valid) or you mark it as spam, we automatically stop sending to that address.

We keep subscriber data until you unsubscribe.

8. Protecting the data

Your data is stored, appropriately protected, on Shopify's servers, and access to it is limited to those who need it for their work. You can find more about Shopify's data protection here.

9. Cookies

The site has essential cookies that, for instance, keep your shopping cart together. Without them the store doesn't work, so they can't be switched off.

We also use non-essential cookies for analytics and ad targeting (Google, Facebook, and TikTok). We install these only if you give permission via the cookie banner that opens on the page. The same permission also covers server-side event tracking. You can change or withdraw your choice at any time from the banner or your browser settings. A large share of the tracking data is in fact collected by Google, Facebook, and TikTok into their own systems.

You'll find the services' own terms here:

Google: https://policies.google.com/privacy?hl=fi

Facebook: https://www.facebook.com/privacy/policy

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/fi

10. Your rights

You have the right to:

  • find out what data we hold about you, and get a copy of it
  • correct inaccurate or incomplete data
  • request the deletion of your data
  • restrict or object to processing in certain situations
  • transfer your data to another service
  • withdraw any consent you've given at any time

Send requests to info@valco.fi. Include something we can use to identify you, and tell us which right you want to exercise.

If you feel we're not handling things the way we should, you can file a complaint with the Office of the Data Protection Ombudsman (tietosuoja.fi).

11. Changes to this statement

We may update this statement now and then. We'll announce any significant changes on our site. This statement was last updated on 30 May 2026.

12. Gaps or questions

If you spot any significant gaps in this pile of legally mandated bureaucratic manure, drop a message to info@valco.fi and we'll fix it.