This privacy policy describes how we, Purmo Group Oy Ab, as the legally responsible data controller collect and process personal data about our customers, for our marketing, and on our website.

In case you have any questions or wish to exercise your rights in respect of your personal data, you may contact us at: [email protected]

The personal data we collect and process

Customer information. If you are our customer, or the representative of one of our customers, we may col-lect the following data about you: your name, title, position, contact details, customer type, geographic locale, preferred language, and, if you represent an organisational customer, the organisation you represent. Additionally, we will keep records of your contacts and correspondence with us (e.g., email correspondence and feedback you give us, notes of your meetings with us, etc.). We may also collect information about whether you have consented to us publishing information about you on our website and the relevant de-scription.

We generally receive this customer information directly from you, but we may also receive some information from the organisation you represent (e.g., your employer may have provided us your name and contact details as the contact person for orders your employer has made). In some cases, we may also receive information from publicly available sources (e.g., we may check your phone number from your company’s website or a directory service). Finally, we may receive information about you from other members of our group of companies (if you, e.g., first contacted another entity in our group).

In case you do not provide us the required customer information, we may be not able to enter into an agreement with you or the organisation you represent.

Other marketing information. We may also collect certain other marketing-rated information about you, irre-spective of whether you are our customer or not. This may include your name, contact details, organisation-al affiliation, information about whether you subscribe to any of our newsletters or have asked us to send you content (e.g., whitepapers or the like), or have consented or objected to direct electronic marketing or another specific interest, information about whether you have opened our electronic mailings, pages on our website you have visited, geographic locale, preferred language, as well as records of your contacts and correspondence with us (e.g., email correspondence and feedback you give us).

We generally receive much of this other marketing information directly from you, e.g., when you contact us to ask for information about our products or when you subscribe to our newsletters. We may also receive information from social media platforms when you engage with our content or accounts on those platforms (e.g., like a post by us or post a public or private message to us). We may also receive information about you from other members of our group of companies (if you, e.g., first contacted another entity in our group). Finally, we may also acquire such other marketing information from public sources (such as your company’s website) or from business information service providers.

Website usage data. We also collect certain website analytics information about how our website is used, which pages are popular, how visitors arrive at our website, how much time they spend on the page, their geographic locale, their browser settings, and similar data. This website usage data is generally anonymous, and we do not seek to identify specific visitors (except when they, e.g., sign up to a newsletter or contact us; see other marketing data above), but the data may in principle may identifiable at the time of collection by means of, e.g., your IP address. Please see below for more information on how we use website analyt-ics.

Purpose and lawful basis for collecting and processing your personal data

We collect and process your customer information primarily to perform our obligations under the relevant agreement between us and you and/or to, at your request, take preparatory steps for entering into the agreement. If you are not our direct customer but instead a representative of our customer, we process your customer data for the purposes of our legitimate interest to perform our obligations under our agreement with the customer you represent and to take preparatory steps for entering into the agreement.

We may also in some cases collect and process your customer information to comply with legal obligations applicable to us. This is the case for, e.g., such accounting materials and receipts that we by law are re-quired to retain. This might also be the case for customer feedback concerning potential safety issues that we might also in some cases need to retain by law.

Additionally, we may process your customer information for the purposes of our legitimate interest to de-velop our products and services. This means, e.g., collecting, and analysing, feedback you give us about our products or services. This may also mean reviewing and analysing, e.g., purchase patterns and interest-ing in our products to determine how to best develop our offerings.

We also collect and process your customer information and other marketing information for the purposes of our legitimate interesting in marketing our services. This might mean identifying products or services you might be interested in based on your contacts with us, or engagement with our social media accounts, and then contacting you about relevant products or services or inviting you to relevant events (but see below for electronic direct marketing). This might also mean identifying popular products or trends based on such information.

We collect and process the website usage data for the purposes of our legitimate interest in tracking how our website is used, what content is popular, and to identify popular products or product trends. We also use such website usage data to ensure the safe, secure, and fast operation of our websites as well as to show you content that is relevant to other pages or content you have viewed.

In some cases, however, we may instead ask for your consent to process your customer information, other marketing information, and website usage data. This is the case where applicable law requires consent for direct electronic marketing to you (relevant requirements vary locally) and where we use cookies to collect data. Please see below for more information concerning our use of website analytics and cookies. When we rely on your consent, we will separately inform you of this and ask for your consent.

We do not use your personal data for automated decision making.

Disclosures and transfers of your personal data; international transfers of data

In general, we do not give your above information to third parties. There are, however, a few exceptions to this.

  • Organisational customers. If you represent an organisational customer, we may provide that organi-sational customer your customer information. This can include informing the organisational custom-er of who made a particular purchase or order, asked for a change, or made other arrangements in connection to the order. This may be necessary, e.g., for billing-related purposes or for other ad-ministrative purposes.
  • Our group companies. We may also disclose your personal data to other companies in the same corporate group as we. These group companies will process the data for the same terms and for the same purposes as set out in this policy.
  • Public disclosures. If you have consented to us mentioning you are our reseller, e.g., on our web-site, we may also publicly disclose the relevant information about you in that context.

Finally, we may also provide your data to service providers acting on our behalf (as so-called data proces-sors). Such service providers include customary IT services providers and companies who provide us, e.g., marketing related services. We may also use, e.g., survey companies to collect feedback about our prod-ucts or services. We may also use providers that may assist us in collecting results from paid marketing campaigns on, e.g., social media platforms.

As of the current date, we use at least the following service providers:

  • Sendinblue. We use a company called Sendinblue to send newsletters and electronic mailings on our behalf. For more information about Sendinblue, please see
  • NapoleonCat. We use a service called NapoleonCat to collect and respond to social media en-gagement in a coordinated manner. The service does not enable to collection of more personal data than is ordinarily collected via the relevant social media platform, but it presents us with a central-ised dashboard of our social media profiles and user engagement with them. For more information about how NapoleonCat processes personal data, please visit (but note that not all sections of the policy will be relevant to you as a visitor to our social media profiles).
  • Profacts. We occasionally use a company called Profacts BV to conduct customer surveys. For more information about how Profacts collects personal data, please visit
  • Google Analytics. We also use Google Analytics, provided by Google LLC, to collect some of the website usage data. We have enabled service’s anonymization function. Please see below for more information about how we use cookies on our website, as Google Analytics may set cookies in your browser. For more information about Google Analytics and how the service uses information that potentially could be connected to you, please also visit
  • CloudFlare. We use the service Cloudflare CDN (Content Distribution Network) of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA to provide website content distribution services. Cloudflare offers worldwide performance for our website through its content distribution network (CDN) and additional security against DDoS attacks. All data passed to or from our website pass through Cloudflare’s CDN. Normally, CloudFlare’s data centre closest to the user is used for this. While CloudFlare also operates data centres outside the EU/EEA, according to CloudFlare, the cached data is normally deleted within 4 hours, but at the latest within three days. For more infor-mation about Cloudflare CDN and Cloudflare’s privacy policy, please visit

Some of these service providers may in part also operate outside the European Union and European Eco-nomic Area (the “EU/EEA”), in jurisdictions where local law may not in itself offer a level of data protection that is equivalent to the level offered by law in the EU/EEA. Where we use a service provider that processes personal data outside the EU/EEA, we have generally entered into an agreement with the party in accord-ance with EU Commission’s model contract clauses that ensure safe data processing in third countries as well. In some limited cases, the international transfer of the data may also be a necessary part of perform-ing our contractual obligations towards the end customer, in which case use of the model clauses is not required. We also ensure the safe and lawful data processing abroad by other means as well. If necessary, we can give you more detailed information on international data transfers.


We also use cookies on our websites. Cookies are small texts files saved to your device via your web browser. Cookies may be technically essential for the functionality of the website and its features, but they can also be used for analytics purposes that are non-essential.

Technically essential cookies include session cookies and other cookies that enable, for example, logging into our online services, complying with language settings, reviewing the contents of the shopping cart and other similar technical functionalities (where available).

In addition, we use other cookies relating to web analytics (see above for information on the third-party ser-vice providers we use for this) to collect web usage data. For non-essential cookies, we will ask for your consent to the use of cookies. You may withdraw your consent at any time, but this does not affect the lawfulness of measures already taken.

If you want, you may also control how cookies are placed on your device using your web browser’s set-tings.

Retention periods

We will process and store your personal data only for the period necessary to achieve the purpose of stor-age or as required or permitted under applicable laws.

More specifically, we may retain data about you as follows:

  • Customer information. If no more specific retention period is provided for below, we generally retain your customer information at least for the duration of the relevant agreement(s) with us and thereaf-ter for two years.
    • Accounting data. We may retain accounting records, invoices, receipts, and the like for the duration required under applicable laws. In Finland, this means that we will retain such in-formation 6 or 10 years, depending on the nature of the data.
  • Other marketing data. If no more specific retention period is provided for below, we generally retain other marketing data for two years from your last contact with us.
    • Newsletter subscriptions. Information on you being sent a certain newsletter or marketing communications will be stored for as long as your subscription is active. You may opt out of this kind of direct marketing at any time. If you have opted out of direct marketing, we may store the data relating to your objection or withdrawal even after this to ensure that you do not mistakenly get added back to any marketing lists.
    • Social media data. Were you engage with us on a social media platform, the data may be available on the platform as provided for in the relevant platform’s policies (if you, e.g., post a public message to our profile that message may remain visible to all visitors to our profile for the duration normally applicable in that social media service).
  • Website usage data. We generally do not seek to retain website usage data in an identifiable form. We do, however, retain such analytics data in general for a period of 38 months.
  • Materials related to legal claims. Should we have reason to suspect that a legal claim may arise in relation between us and you (or the organisation you represent), we may retain relevant data for a longer period than mentioned above, as long as it necessary for the defence, prosecution or evi-dentiary issues in connection to the legal claim.

When the mentioned storage period ends, your personal data will either be deleted or anonymised in such a way that it is no longer possible to identify you as an individual based on the data.

Your rights

Under European Union data protection law, you have at least the following rights in respect of your personal data that we collect or process:

  • Right of access. You have the right to review the data we have collected on you. We can deny such request only on grounds provided for in applicable law. Exercising this right is generally free of charge.
  • Right to request rectification, erasure or restriction of processing. You have the right to request that we rectify erroneous data about you. In some cases, you also have the right to request that we de-lete the data about you that we have. In some cases, you may also request that we temporarily cease processing your personal data until other related request by you has been dealt with.
  • Right to data portability. Where we process your data based on your consent or for the perfor-mance of a contract with you, you also have the right to request that we provide you the data in structured, commonly used and machine-readable format or, in some cases, to have the data transmitted directly to another controller. This right does not apply where we collect or process the data for our legitimate interests (as explained above).
  • Right to object. Where we collect and process personal data about you on the basis of our legiti-mate interests (as explained above), you may also object to such processing on the basis of grounds relating to your particular situation. If you object, we may only continue to process the data if we can demonstrate that there are overriding compelling legitimate grounds for the processing.
  • Right to object to direct marketing. Nevertheless, you always have the right to object to direct mar-keting. If you object, we will no longer send you such marketing. Where we send marketing based on your consent, you may also withdraw your consent at any time.
  • Right to withdraw consent. Where we collect and process personal data about you based on your consent, you may withdraw your consent at any time. Withdrawing your consent does not, however, affect the legality of any data processing measures already undertaken prior to that time.
  • Right to lodge a complaint with a supervisory authority: You are entitled to lodge a complaint with the competent supervisory authority if you are of the opinion that we have not complied with our ob-ligations as a data controller.