Privacy Policy
Aafe Oy, the provider of this website and the Unnalapland service (referred to as “we” or “us”), provides family travel support services in Finnish Lapland. We respect your privacy and are committed to protecting the personal information you share with us. This Privacy Policy explains what information we collect, how we use and safeguard it, the legal bases for processing, how long we retain data, and your rights regarding your personal data. We adhere to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), to ensure your information is handled lawfully and transparently. By using our services or website, you agree to the practices described in this Privacy Policy.
Personal Data We Collect:
We collect personal data necessary to arrange and provide our services. This may include:
Contact Information: Name, email address, phone number, and home or accommodation address. This allows us to identify and communicate with you regarding bookings and inquiries.
Booking Details: Information related to your service booking, such as dates and times of service requested, location, and the specific services or activities requested.
Child Information: For families using our childcare services, we collect children’s first names (or nicknames), ages, and any relevant details you provide about their needs. This can include health or dietary information (e.g. illnesses, allergies, medications) that is necessary for safe care. We only request such details from a parent or legal guardian and do not collect information directly from children.
Preferences and Special Requests: Any preferences you communicate to us, for example, your children’s routines, activity preferences, language requirements, or other instructions for the caregiver. This helps us tailor the service to your family’s needs.
Payment and Transaction Data: To process payments for bookings, we may collect data such as invoice details or transaction IDs. Credit card and payment details are handled through our secure third-party payment processor; we do not store your full card numbers or bank account information on our systems.
Website Usage Data: If you use our website (for example, to make inquiries or bookings), we may collect technical data like your IP address, browser type, and browsing activity via cookies or similar technologies. This helps with site functionality and analytics, as described in the Cookies section below. Any online identifiers we collect are generally not used to identify you by name, but to ensure our website works properly and to improve user experience.
How We Use Your Data:
We use the collected personal data to provide and improve our services, always in alignment with the purposes for which you provided it. The main uses of your data include:
Service Delivery: We process your personal and booking information to schedule and provide the services you request. For example, we use your contact and address details to send a babysitter to the correct location and your booking details to ensure the service is delivered as agreed. Information about your children (such as age or allergies) is used strictly to care for them safely and appropriately, and not for any other purposes.
Communication: We use your contact information (email or phone) to communicate with you about your bookings and our services. This includes sending booking confirmations, updates or changes to your reservation, responding to your inquiries, and providing customer support before, during, and after your service.
Personalization and Experience: Details like your children’s interests or your service preferences help us tailor our services to your family. For instance, knowing a child’s age or favorite activities allows our staff to bring appropriate toys or plan suitable activities. Health and allergy information enables us to take necessary precautions (such as avoiding certain foods or activities) to ensure your child’s well-being.
Payments and Administration: We process payment and billing information to charge for services and manage invoices/receipts. This includes confirming that payments are received and addressing any billing questions. We keep transaction records for accounting, auditing, and tax compliance.
Legal Compliance: Personal data may be used to fulfill our legal obligations. For example, we retain invoice records for mandated accounting periods and may use personal information to comply with local laws or regulations (such as childcare regulations or tax laws). If necessary, we might also process data to respond to lawful requests by public authorities or to meet law enforcement requirements.
Improvement and Marketing (Opt-in): We may analyze booking history and feedback to improve our services and develop new offerings. With your consent, we might also use your contact information to send you occasional updates, newsletters or offers about our services. Any such marketing communication will be limited and you can opt out at any time. (If you are an existing customer, we may rely on our legitimate interest to inform you of similar services, but you will always have the option to unsubscribe or object to further marketing.) We do not use children’s personal details for marketing or promotional purposes.
We will not use your personal data in ways that are incompatible with the purposes above without informing you and obtaining any necessary consent. In particular, information about children is only used to deliver the services you’ve requested and to ensure their safety, and is not used for any other purposes. If we plan to process your data for a new purpose not covered in this policy, we will provide you with a new notice and, if required, ask for your consent.
Legal Basis for Processing:
Our company is based in Finland and thus operates under the EU GDPR and other applicable data protection laws. This means we must have a valid legal basis for collecting and using your personal data. Depending on the context, we rely on one or more of the following legal bases:
Performance of a Contract: Most data we collect is processed because it is necessary to fulfill our contract with you. When you book our services, a contract is formed, and we must use your data (e.g. contact and booking details) to deliver the service you have requested. Without this information, we cannot provide the agreed childcare or family services.
Consent: In certain cases, we rely on your consent. For example, we will ask for your consent to process any sensitive information (such as a child’s health details) that you volunteer to us for care purposes. Likewise, we will obtain consent before sending you marketing emails or newsletters (unless you are an existing customer and applicable law permits us to contact you with an opt-out option). You have the right to withdraw consent at any time, which will not affect the lawfulness of processing already carried out.
Legal Obligation: We process some data because we are legally required to do so. For instance, Finnish laws may obligate us to keep certain transaction records for accounting and tax purposes, or to collect specific information when providing childcare services. In such cases, we only process the data to the minimum extent necessary to comply with our legal obligations.
Legitimate Interests: We may process your data as necessary for our legitimate business interests, provided such processing does not override your rights and freedoms. For example, it can be our legitimate interest to improve our services through client feedback, or to send service-related announcements to customers. If we rely on this basis, we will ensure our interests are balanced against your privacy rights. You have the right to object to processing based on legitimate interests as described in the Your Rights section.
We will always clearly indicate the applicable legal basis when required. Generally, your contact and booking data are processed on a contractual necessity basis (to provide the service), any health or children’s data on the basis of your explicit consent or vital interests (safety of the child), communications either on a contract basis (service messages) or legitimate interest/consent (marketing), and record-keeping on legal obligation grounds. If you have any questions about the legal basis for a specific processing activity, please contact us.
Cookies and Website Usage
When you visit our website, small text files called cookies are placed on your device to make the site function properly and to enhance your experience. For example, we use cookies to analyze how users navigate our site. Cookies help us understand which pages are useful to visitors and allow the website to operate smoothly and securely.
Types of cookies we may use include:
Essential Cookies: These are necessary for the website to function. The site cannot operate properly without these cookies.
Analytics and Performance Cookies: These cookies collect anonymous statistics about site usage, such as number of visitors, which pages are visited, and any errors encountered. We use this information to improve our website’s design and functionality. For example, we may use Google Analytics or similar tools that set their own cookies to help analyze website traffic and usage patterns.
Functional Cookies: These remember choices you make to personalize your experience.
Advertising/Marketing Cookies: (If applicable) We do not currently host third-party ads on our site, but if we ever use re-marketing or social media pixels (for example, a Facebook Pixel or Google Ads cookie), it would be to show you relevant promotions on other platforms based on your interaction with our site. Any such cookies would only be used with your consent via our cookie banner.
When you first visit our website, you will be given the option to accept or reject non-essential cookies in accordance with applicable law. You can also control or delete cookies at any time through your browser settings. Please note that disabling cookies may affect certain features of our website; for example, if you block essential cookies, the booking functionality may not work properly.
For more details on our use of cookies, contact us with any questions. By continuing to use our website without disabling cookies, you agree to our use of them as described in this section.
Data Sharing and Disclosure:
We treat your personal data with care and do not sell or rent it to third parties for marketing or any other purposes. However, in order to run our business and provide services, we sometimes need to share information with trusted third parties. We only share personal data with the following categories of recipients, and only as necessary:
Service Providers and Partners: We share relevant data with third-party service providers who perform functions on our behalf. This includes, for example, our payment processors. If you book our services through a partner (such as a hotel or travel agency), we may exchange necessary details with that partner to coordinate the service. All such parties are obligated to handle your data securely and only for the purposes of providing their services to us.
Assigned Caregivers: If you book a Babysitter or a Nanny through us, we will share the necessary information with the assigned caregiver so they can perform the service. For instance, the caregiver will receive your first name, the address of the service location, phone number (for coordination), and relevant details about your children’s care needs.
Business Administration and Tools: We use standard business tools to operate (such as email services, scheduling software, customer relationship management systems, and accounting software). Personal data might be stored or processed in these systems in the course of our operations. For example, your contact details and booking history may reside in our secure customer management database, and your email address may be in our email system if we correspond with you. We ensure any external tools we use are reputable and compliant with data protection requirements.
Legal and Safety Reasons: We may disclose personal information if required to do so by law or lawful request (for example, in response to a court order or a request from law enforcement or child protection authorities). We might also share data when necessary to establish, exercise, or defend our legal rights. For instance, if there is a dispute or a legal claim related to our services, we may preserve and provide relevant data as needed to handle the matter. Additionally, if disclosing information is in your vital interest or someone else’s (for example, providing a child’s medical information to a doctor in an emergency), we may do so.
In all cases, we only share the minimum information required for the task at hand, and we review our third-party partners to ensure they also protect your data. We never share personal data with third parties for their own marketing uses without your explicit consent. Furthermore, our service providers are not permitted to use your data for any purpose other than to perform services for us, in line with this Privacy Policy. For example, if we share browsing analytics with a service provider, it is solely to improve our website and not for their independent use.
If we ever need to transfer personal data for any new reason beyond the above, we will inform you and obtain consent if required. Your privacy is paramount, and we strive to keep your information confidential within our trusted circle of service fulfillment.
International Data Transfers
Our company and primary data systems are located in Finland (within the European Union). We prefer to store and process personal data within the EU/European Economic Area (EEA) whenever feasible. However, some of our external service providers or partners might be located outside of the EU/EEA, or may store data on servers in other countries. For example, if we use a cloud-based email service or payment gateway that operates from the United States or another country, or if we communicate with you while you are abroad, your data might be transferred internationally.
When we transfer or allow access to personal data outside the EU/EEA, we take steps to ensure adequate protection of your information. Such steps include:
EU Standard Contractual Clauses: We include the European Commission’s Standard Contractual Clauses (SCCs) in our contracts with service providers whenever required. These are legal clauses that obligate the recipient outside the EU to protect your data to EU standards. In practice, this means your data should receive the same level of protection as it would under GDPR, even in a country that does not have an EU adequacy decision.
Adequacy Decisions: If data is transferred to a country that the European Commission has determined provides an adequate level of data protection, we may rely on that decision. This includes countries officially recognized to have strong data protection laws comparable to the EU.
You can rest assured that any international transfer of your data is done in compliance with data protection law. If you have questions, please contact us.
Data Retention:
We keep your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable law. This means:
Operational Retention: For most customer data, we retain information for as long as you have an active relationship with us (for example, you have ongoing or future bookings) and for a reasonable period afterward. This allows us to provide continuous service to returning clients and to maintain records of past services.
Legal and Accounting Retention: Even after our direct business relationship with you has ended, we may need to keep certain data on file to comply with legal obligations. For example, financial and transaction records (invoices, payment records, receipts) are generally kept for the period required by Finnish accounting and tax laws, which is typically three years after the end of the financial year for supporting documents. This retained data may include your name, contact details, and details of services provided as they appear on invoices. We do not keep personal data longer than necessary, but we also must not delete records that laws require us to keep for a set time.
Child Information: Sensitive information about children (such as health or allergy details) is only retained for as long as needed to provide the service or comply with legal requirements. Generally, we will delete or anonymize particular care-related details about your children once they are no longer relevant (for instance, after the service is completed and any legal retention period or potential need for the information has passed). Basic identifying details (like a child’s first name and age at time of service) might be kept in our internal service records for reference if you use our services again, but you can request their removal.
Marketing Data: If you have consented to receive marketing communications, we will retain your contact information for that purpose until you unsubscribe or ask us to delete it. If you opt out or if we no longer run a newsletter, we will remove or anonymize your contact details from the marketing list.
Website Data: Usage data (analytics logs, etc.) is typically collected in an anonymous form and may be retained for internal analysis. Any identifiable web server logs or security logs are usually retained only for a short period (a few weeks or months) unless they are needed for investigation of security incidents.
Once the applicable retention period expires or the purpose for processing your data has been achieved, we will either securely delete or anonymize your personal data. For example, if you simply inquire about our services but do not proceed with a booking, we may purge your contact details after a reasonable period unless you ask to remain on a mailing list. In all cases, we regularly review the data we hold and erase or anonymize information that is no longer needed. We also take care to fully delete data from all backup systems and archives when required.
Data Security Measures:
We take the security of your personal data very seriously. Given the sensitive nature of childcare services, we implement robust technical and organizational measures to protect information against unauthorized access, alteration, disclosure, or destruction.
Our security practices include:
Secure Infrastructure: Personal data is stored on secure servers with up-to-date security measures. We use reputable hosting providers and cloud services.
Access Controls: Only authorized personnel and contractors who need to know the information to perform their duties have access to personal data. Each caregiver or staff member is given access only to the specific data necessary for their assignment. For example, a babysitter will have access to the information about their assigned client (like the family name, address, child’s needs) but not to other clients’ data.
Staff Training and Policies: We ensure that our team members are trained in data protection best practices and understand the importance of confidentiality. We have procedures in place to handle personal data safely, both in digital form and (if ever printed) in physical form.
Technical Safeguards: Security updates and patches are applied regularly to all software and devices. Our website and any online booking platform are kept updated and are monitored for vulnerabilities.
Data Minimization and Pseudonymization: We follow the principle of collecting only what we need. In our systems, we try to minimize the use of directly identifiable data when not necessary. For example, internal notes might refer to first names rather than full identities where feasible. In some cases, we pseudonymize data (replace identifying details with codes) for analysis purposes so individuals are not easily identified.
While we strive to protect your information with high standards, please note that no method of transmission over the internet or electronic storage is 100% secure. However, we continuously update and enforce our security protocols to reduce risks. If you have any concerns about the security of your data, feel free to contact us.
Your Rights:
As our client or as a user of our services, you have certain data protection rights. We are committed to upholding these rights and helping you exercise them. Your key rights include the following:
Right to Access: You have the right to access the personal data we hold about you. This means you can request a copy of the information we have in our records concerning you or your child. We will provide this information, usually in electronic form, subject to some verification of your identity (to protect privacy).
Right to Rectification: If any of your personal data is incorrect or incomplete, you have the right to have it corrected. For example, if you change your phone number or notice we have misspelled your name, you can ask us to update the data. We strive to keep our records accurate and will promptly make corrections upon request.
Right to Erasure: Also known as the “right to be forgotten,” this allows you to request that we delete your personal data when it is no longer needed for the purposes it was collected. Please note that we cannot delete data that we are required to keep by law or that is necessary for establishing or defending legal claims, but we will inform you if such a situation arises.
Right to Restrict Processing: You have the right to ask us to limit or suspend the processing of your data in certain circumstances. For example, if you contest the accuracy of your data, you can request that we restrict processing while we verify and correct the information. Similarly, if you have objected to processing (see below) and we are considering that request, you can ask that we hold off on other processing during that period. When processing is restricted, we will still store your data but not use it until the restriction is lifted.
Right to Object: You have the right to object to certain types of processing of your data. Most notably, you can object to processing that we undertake based on legitimate interests or to direct marketing. If we are sending you promotional emails under a legitimate interest basis, you can opt out at any time and we will stop. If you object to processing based on other legitimate interests, we will evaluate your request and will cease processing unless we have compelling legitimate grounds to continue (or if it’s needed for legal claims).
Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. For example, you can withdraw consent for us to hold your child’s health information or to receive newsletters. Once you withdraw consent, we will stop the processing that was based on consent. (Note: withdrawing consent does not affect the lawfulness of processing done before the withdrawal.)
Right to Not Be Subject to Automated Decisions: We do not use your data for automated decision-making or profiling that would have legal or significant effects on you. However, you have the right to not be subject to a decision based solely on automated processing (including profiling) if such a decision would significantly affect you. This is unlikely to apply to our services, as all important decisions (like caregiver assignments) involve human consideration.
We will do our best to honor any requests you make concerning your rights. To exercise any of these rights, please contact us. We may need to verify your identity to ensure that we do not disclose data to an unauthorized person. There is generally no fee for exercising your rights; however, if a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act (we will explain the reason in such cases).
Additionally, you have the right to lodge a complaint with a data protection supervisory authority if you believe that we have infringed your privacy rights. For example, if you are in Finland, you can contact the Finnish Data Protection Ombudsman. We would appreciate the chance to address your concerns directly first, and we commit to resolving any issues to your satisfaction whenever possible.
Contact Us:
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help and will respond as promptly as possible. You can reach us in the following ways:
Email: privacy@[Company].com
Phone: You may call us at +358 44 998 0 899 during our business hours for urgent matters regarding personal data. (Please note that for certain requests, we may ask you to also submit your request in writing for verification and record-keeping purposes.)