In this policy, we, Purmo Group Plc, describe how we, as a statutory data processor, collect and process personal data in a lawful and secure manner. 

If you have any questions on this topic or if you wish to exercise your right to review what information has been collected about you, you can contact us at [email protected].

Data processing

Customer information 
If you are a customer or represent a customer, we may collect the following information about you: your name, title, contact information, customer type, geographic location and language of your choice. If you represent a corporate or organisational client, we may also collect information about the organisation you represent. In addition to this information, we will keep information about your communications with us (e.g. email correspondence, feedback you send, meeting notes). We may also store information about whether you have consented to the publication of information about you on our website and any further description of your wishes in this regard.

In most cases, we will receive the information described above directly from you, but we may also receive information from the organisation you represent (for example, if your employer has sent us your name and contact details when you act as a contact person in relation to an order placed by your employer). In certain cases, we may also receive information from public sources (for example, if we check your telephone number on your employer's public website or numbering service). We may also receive information about you from other companies in our group (for example, if you were initially contacted by another company in our group and were referred to us from there).

If we do not receive the customer information we need from you, we may not be able to establish a customer relationship with you or the organisation you represent.

Other marketing information
Whether or not you are one of our customers, we may collect information about you for marketing purposes. Such information may include your name, contact details, information about the organisation you represent, the status of your newsletter subscription, your content request (for example, if you have asked us to send you articles or similar content), your consent or opt-out of receiving electronic direct marketing material or other communications related to a particular subject, information about your opening of electronic communications from us, information about your visits to our website, your geographic location, your language preference, and your history of contact with us (for example, email conversations or feedback you have provided).

In most cases, we will receive marketing information such as that described above directly from you, for example when you contact us to inquire about our products or when you subscribe to our newsletters. We may also receive information through social media platforms when you respond to our content or accounts on our platforms (for example, by liking a post or sending us a public or private message). We may also receive information through other companies in our group (for example, if you have previously interacted with another company in our group). We may also receive marketing information from public sources (for example, your company's website) or from business service providers.

Website usage data

We also collect certain website analytics information about how our websites are used, which pages are popular, how visitors arrive at our site, how much time they spend on each page, their geographic location, which web browser they use, and other such data. Such website usage data is generally anonymous and we do not seek to identify our website visitors (except, for example, when they subscribe to our newsletter or otherwise provide us with marketing information themselves in the ways described in the previous paragraph). It is still possible, in principle, that website usage data can be identified at the time of collection, for example, based on your IP address. Below we explain in more detail how we use our website analytics.

Purpose and legal basis for the collection and processing of your personal data

We collect and process your data primarily to fulfil our obligations to you and/or to prepare a contract with you at your request. If you are not our direct customer, but a representative of our customer, we process your customer data in order to fulfil our obligations towards the customer you represent or to take the necessary steps to prepare for cooperation.

In certain cases, we collect and process your data to respond to legal requirements imposed on us. These include, for example, documents and receipts relating to accounting, and customer feedback relating to security issues, which we are required by law to retain in certain cases.

We may also process your data to improve our products and services. This includes, for example, analysing your customer feedback on our products and services. We may also collect and analyse information about, for example, your interest in certain of our products or your purchasing behaviour in order to improve our offerings.

We also collect and process your data for our own purposes in connection with the marketing of our products and services. This may include, for example, identifying products or services of interest to you based on your interactions with us or your responses on our social media channels, and subsequent communications from us telling you about relevant products or services or inviting you to events (read more about direct marketing by email below). Identifying popular products or trends based on the information described above is also one of the purposes of collecting and processing such data.

We collect and process website usage data because we are interested in how our website is used, what content is popular and what trends are associated with popular products. We also use website usage data to ensure the safe, secure and fast operation of our website and to provide you with content that is relevant to other pages or content you have encountered in the past.

We are required by law to ask for your consent for electronic direct marketing (requirements may vary from region to region) and for situations where we use cookies to collect your information. Below we explain more about our use of web analytics and cookies. In situations where we need your separate consent, we will inform you of this and ask for your permission.

We will not use your personal data for automated decision-making.

Disclosures and transfers of your personal data; international data transfers

In general, we will not disclose your data mentioned above to third parties. However, there are a few exceptions.

  • Organizational customers. If you represent an organisational customer, it is possible that we may pass your customer information to that organisation. For example, we may tell an organisational customer who placed a particular order, requested a change or made other arrangements related to the order. This may be necessary, for example, for billing or other administrative purposes.
  • Our group companies. We may disclose your personal information to other companies within our group. These group companies will process your data under the same conditions and for the same purposes as set out in this Privacy Policy.
  • Public transfers. If you have given us your consent that we may, for example, mention you as our reseller on our website, we may use your data publicly in this context.

In addition, we may provide your information to service providers acting on our behalf. Such service providers may include, for example, ordinary IT service providers and companies that provide us with services such as marketing. For example, we may also use survey companies to collect feedback on our products and services. We may also use service providers to help us collect results from our paid marketing campaigns, for example on social media platforms.

We currently use the services of at least the following providers:

  • Brevo. We use a company called Brevo to send newsletters and electronic messages on our behalf. For more information about Brevo, please visit
  • NapoleonCat. We use a service called NapoleonCat to manage and respond to encounters on social media platforms in a coordinated way. This service does not allow for the collection of more extensive personal data than typically flows through these social media platforms, but it does provide us with a consolidated view of our social media profiles and customer encounters through them. For more information about how NapoleonCat processes personal information, please visit http://napoleoncat/privacy (please note, however, that not all parts of this statement apply to you as a visitor to our social media channels).
  • Profacts. A company called Profacts BV sometimes helps us to conduct customer surveys. For more information about Profacts' privacy policy, please visit
  • Google Analytics. We also use Google Analytics, a service provided by Google LLC, to collect certain information relating to website usage data. We use the anonymisation feature of Google Analytics. In the next section of this notice you can read more about how we use cookies on our website, as Google Analytics may place cookies on your web browser. For more information about Google Analytics and how it may use information about you, please visit
  • CloudFlare. We use CloudFlare CDN (Content Distribution Network), a service provided by CloudFlare, Inc., 101 Townsend St, San Francisco, CA 94107, USA, to distribute content on our websites. CloudFlare enables global access to our website through its Content Distribution Network (CDN) and provides additional protection against DDoS attacks. All data entering or leaving our website travels over CloudFlare's CDN network. This is normally done using the nearest CloudFlare data centre available to the user. Although CloudFlare also maintains data centres outside the EU/EEA, the company states that cached data will normally be deleted within four (4) hours, but not more than three (3) days. You can find more information about CloudFlare CDN and CloudFlare's data processing at

Some of these service providers may also partly operate outside the European Union and the European Economic Area (EEA) in regions where local legislation does not itself provide an EU/EEA model for data processing. In most cases where we use a service provider that processes data outside the EU/EEA, we have entered into an agreement with that service provider based on the clauses of the EU Commission's model contract, which guarantees secure data processing in third countries as well. In certain limited cases, international data transfers may be necessary to fulfil our agreed obligations towards the end-customer, in which case the use of the Model Clauses is not necessary. We also ensure the safe and lawful processing of data abroad in other ways. Where possible, we can provide you with more detailed information on international data transfers.

We also use cookies on our website. Cookies are small text files that your web browser stores on the device you are using. Cookies may be technically necessary for the functionality of the website and its features, but they may also be used for non-essential analytical purposes.

Technically necessary cookies include session cookies and other cookies that enable, for example, your login to our online services, language preferences, checking the contents of your shopping cart and other similar technical functionalities (where applicable).

In addition to these, we use other cookies related to website analytics and the use of web behaviour data (see above for a list of third party services we use for this purpose). For non-essential cookies, we ask for your consent to use cookies. You can withdraw your consent at any time, but this does not affect the legality of the measures already taken.

If you wish, you can control how cookies are set on your device through your web browser.

Data retention periods

We will process and retain your personal information only for as long as it is necessary to achieve the purpose for which the information was collected or as required by applicable law.

More specifically, we may retain information about you as follows:

  • Customer information. Unless a more specific retention period is stated below, we will generally retain your customer data for at least the duration of the relevant agreements between us and you and for two years after their expiry.
    • Accounting information. We will retain your records, invoices, receipts and similar documents for the period required by the applicable laws. In Finland, for example, this means that we keep accounting information for six (6) or ten (10) years, depending on the nature of the information.
  • Unless a more specific retention period is stated below, we will retain general marketing data for two years from the date of your last contact with us.
    • Newsletter subscriptions. Information about your newsletter subscriptions or other marketing communications to you will be retained for as long as your subscription is active. You have the option to opt-out of such direct marketing at any time. If you have indicated your wish not to receive direct marketing, we may retain data relating to your opt-out even after this time to ensure that you are not inadvertently added back to marketing lists.
    • Social media data. When you interact with us in one way or another via social media platforms, the associated data will be available to us in accordance with the specific terms of each platform (for example, if you send a message on a channel that is visible to all visitors to our profile in accordance with the specific policies of that social media channel).
    • Website usage data. We do not generally store website usage data in an identifiable form, but we do retain general analytics data for 38 months.
    • Materials relating to legal claims. If we have reason to believe that a legal claim may develop between us and you (or the organisation you represent), we may retain the data we hold for longer than the period set out above - for as long as is necessary for our legal action, such as prosecution, defence or evidence.

At the end of that retention period, your personal data will either be completely deleted or modified so that it no longer makes it possible to identify you as an individual.

Your rights

Under European Union data protection law, you have at least the following rights in relation to the personal data we collect and process about you:

  • Right of access. You have the right to see what information we have collected about you. We may only refuse your request on the grounds set out in law. There is generally no charge for exercising this right.
  • Right to request amendment, deletion and restriction. You have the right to ask us to correct inaccurate information about you. In certain cases, you also have the right to request that we delete information we hold about you. You may also be able to request that we temporarily stop processing information about you until any other request you have made in relation to the matter has been dealt with.
  • The right to data portability. Where we process data relating to you with your consent or in connection with our joint agreement, you have the right to require us to provide that data to you in a structured, commonly used and machine-readable format or, as the case may be, to transfer that data directly to another data controller. This right does not apply in situations where we collect and process data for our own purposes (see above for more details).
  • In situations where we collect and process data relating to you for our own purposes (see above for more details), you have the right to object to the processing based on your specific situation. If you object, we are only allowed to process the data if we can provide a legally valid, overriding reason for continuing to process it.
  • The right to opt-out of direct marketing. You always have the right to opt-out of direct marketing. If you opt-out, we will no longer send you marketing messages. If you have previously consented to marketing, you can withdraw your consent at any time.
  • Right to withdraw consent. In situations where we collect and process information about you based on your consent, you have the right to withdraw your consent at any time. However, withdrawal of consent does not affect the lawfulness of any processing operations that have already taken place.
  • The right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with the supervisory authority concerned if you consider that we have failed to comply with our obligations as a data processor.