Privacy statement

1. Scope

This Privacy Statement explains how Pinja Group companies (“Pinja”, “we”) process personal data in connection with our business operations, including sales and marketing, customer relationship management, service delivery, support, procurement, invoicing, compliance, and security.
This statement replaces earlier register-specific notices (such as the “Contact register”).

Notes:

  • End-users of customer solutions: If you use a Pinja solution through your employer, your employer is usually the Data Controller for operational data and Pinja acts as a Data Processor under the customer agreement/DPA. Please contact your employer for privacy matters related to that solution.
  • Job applicants: Please refer to the privacy information on our career site.

2. Data Controller

The Data Controller is the relevant Pinja Group company with which you have a relationship (for example, the entity you contract with or that contacts you).
For privacy questions and requests, contact our Data Protection Officer:
Email: mail-dpo@pinja.com
Mail: Data Protection Officer, Pinja Digital Oy, Lutakonaukio 7, 40100 Jyväskylä, Finland

3. Personal Data We Process

We process personal data needed to conduct business, deliver services, and secure our systems. We do not intentionally collect special category (sensitive) personal data (such as health or biometric data). If such data is provided to us, we handle it only when necessary and with appropriate safeguards.

We typically process:

  • Professional contact data: name, business email/phone, job title, company, role.
  • Business correspondence and documentation: emails and calls, meeting notes, service/project documentation, support tickets, feedback, and related communications.
  • Technical and security data: IP address, device/browser data, logs, authentication events, traffic and performance metrics.
  • Marketing and website usage data: cookie identifiers, page interactions, newsletter engagement, marketing preferences.
  • Financial and transaction data: invoices, payment-related details, contract/order history.
  • Compliance and regulatory data: audit trails, statutory reporting data, legally required records.

4. Sources of Personal Data

We receive personal data:

  • Directly from you (e.g., when you contact us, sign a contract, subscribe to communications, or use our services).
  • From your employer or organization (e.g., as part of a customer relationship).
  • From public sources (e.g., company websites, professional networks, event listings), where permitted.
  • Automatically via technical logs and cookies when you visit our websites or use our services.

5. Purposes and Legal Bases

We process personal data for the purposes below, using the legal bases in the GDPR.

When processing is based on legitimate interest, we have assessed that our interests in conducting and securing our business and improving our services do not override your fundamental rights and freedoms. You may object to such processing as described in Section 10.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. We may use basic segmentation for marketing (for example, by industry or interaction history), and you may object to such processing at any time.

  • B2B sales and marketing: Identify potential clients and communicate relevant information (e.g. newsletters, insights, invitations). Legal basis: Legitimate interest and/or Consent (where required for certain marketing cookies or direct marketing).
  • Service delivery and account management: Provide services, manage projects/subscriptions, handle invoicing, and maintain customer relationships. Legal basis: Contract and Legitimate interest.
  • Support and maintenance: Resolve incidents and service requests and communicate service status. Legal basis: Contract (and in some cases Legitimate interest).
  • Service improvement and internal operations: Improve service quality, prevent recurring issues, train staff, and develop offerings. Legal basis: Legitimate interest.
  • Security and incident prevention: Secure our systems and detect/prevent misuse, cyberattacks, and disruptions. Legal basis: Legitimate interest (and where applicable Contract).
  • Procurement and financial management: Manage suppliers, process payments, and handle accounting. Legal basis: Legal obligation and Legitimate interest.
  • Sustainability and corporate responsibility: Track and report sustainability-related operational data (e.g., procurement-related reporting). Legal basis: Legitimate interest (and where required, Legal obligation).
  • Compliance and regulatory obligations: Meet legal requirements (e.g., taxation, accounting rules, data protection obligations) and respond to lawful requests. Legal basis: Legal obligation.
  • Internal governance, auditing and quality assurance: Conduct audits and ensure compliance with internal policies and obligations. Legal basis: Legitimate interest and/or Legal obligation.
  • Consent and preference management: Record and manage marketing preferences, cookie choices, and opt-outs. Legal basis: Consent and Legal obligation.

6. Requirement to Provide Personal Data

Some personal data is required to enter into and manage a contract and to provide services (for example, contact and invoicing details). If you do not provide required data, we may not be able to provide services or respond to requests. Marketing and cookie consents are voluntary.

7. Recipients and Disclosures

Personal data is processed only by Pinja personnel and trusted service providers where needed for business operations. We do not sell personal data.

We may share personal data with:

  • IT infrastructure and security providers
  • Business and service tools (e.g., CRM, marketing automation, documentation, support ticketing, communications tools)
  • Subcontractors involved in service delivery
  • Marketing and sales partners supporting lead generation, campaigns or events
  • Auditors, consultants, and advisors
  • Authorities and courts when required by law

Where a recipient acts as our processor, we require appropriate contractual safeguards (including data processing agreements).

8. International Transfers

We primarily process personal data in the EU/EEA. Some of our service providers may process data outside the EU/EEA (for example, in the United States). In such cases, we rely on recognized transfer safeguards, such as the EU-US Data Privacy Framework (DPF) and/or EU Standard Contractual Clauses (SCCs), and additional safeguards where required.

9. Retention

We retain personal data only for as long as necessary for the purposes described above and/or as required by law. In general:

  • Contract and relationship data: for the duration of the relationship and afterwards as needed for claims handling and legal obligations
  • Accounting and financial records: retained as required by applicable accounting and tax laws
  • Marketing data: retained until you unsubscribe or after a reasonable period of inactivity, unless we have another lawful reason to retain it
  • Security logs: retained for a limited period unless required for investigation or compliance

10. Data Subject Rights and Requests

Depending on the processing and legal basis, you have the right to request access to, rectification (correction) of, deletion of, restriction of, and portability of your personal data where applicable (e.g., where processing is based on consent or contract and carried out by automated means). You also have the right to object to processing based on legitimate interest (including direct marketing) and to withdraw consent at any time where processing is based on consent.

We may ask you to verify your identity. We respond to privacy requests without undue delay and aim to respond within one month. If the request is complex, the deadline may be extended by up to two additional months as permitted by law, and we will inform you accordingly. Requests related to direct marketing and consent withdrawals are implemented as soon as reasonably possible.

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence (e.g., the Office of the Data Protection Ombudsman in Finland).

11. Cookies and Similar Technologies

We use cookies and similar technologies on our public website for essential site functionality, analytics and performance, and marketing and communication effectiveness.

Where required by law, we use consent-based cookies (such as analytics/marketing cookies) only after you have given consent via our cookie banner/settings.

You can change your cookie preferences at any time via the “Cookie Settings” link in the website footer or through your browser settings. Embedded third-party content (such as videos or social media) may set its own cookies.