Privacy Policy
Updated 15 July 2026
1. Data controller
Alō Helsinki Oy
Pengerkatu 11 A, 00530 Helsinki, Finland
Business ID: 3573670-4
mika@alohelsinki.fi
For any data protection matters, you may contact us at the email address above.
2. Name of the processing
User register of the Alōkas portal and website visitor analytics.
3. Purposes and legal bases of processing
We process personal data for the following purposes:
- Providing event services and managing contracts (legal basis: contract)
- Sending quotations and invoices (legal basis: contract)
- Managing the customer relationship and communications (legal basis: legitimate interest; the interest being the maintenance and management of the customer relationship)
- Managing subcontractor and supplier relationships and handling procurement and purchase invoices (legal basis: contract, legitimate interest and legal obligation)
- Website visitor analytics and usage statistics (legal basis: legitimate interest; the interest being to ensure the functionality and security of the web service and to compile statistics on and develop its use)
- Retaining the contact details of suppliers' and subcontractors' contact persons for possible future contact and cooperation (legal basis: consent)
- User and access management of the Alōkas portal, including management of credentials and logins (legal basis: contract and legitimate interest; the interest being the security of the service and the proper management of credentials)
Providing certain data is a partial precondition for entering into a contract: providing contact and invoicing details is necessary so that we can conclude the contract and deliver the service. Without this data we cannot deliver the service.
We do not carry out automated decision-making or profiling based on personal data.
4. Personal data processed
| Data category | Data | Source |
|---|---|---|
| Contact details | Name, email, phone | Customer |
| Company details | Company name, Business ID | Customer / Finnish Patent and Registration Office (PRH) |
| Invoicing details | Address, e-invoicing details, reference | Customer / Tieke (e-invoicing address registry) |
| Event details | Event name, date, background information | Customer / staff |
| Contract details | Contract terms, time of acceptance, IP address | System |
| Login details | Email, encrypted password, session identifier, most recent login time | System |
| Subcontractor and supplier details | Contact person's name, email, phone, company name and Business ID, contract and invoicing details | Subcontractor |
| Visitor analytics data | Anonymised IP address, browser and device type, operating system, referring website, pages viewed, time and duration of visit, approximate location (country and city) | System (Matomo) |
5. Retention period
Customer data is retained for the duration of the customer relationship and thereafter for the period required by the Accounting Act (6 years from the end of the financial year). A customer may request the erasure of their data, in which case the data is erased within the limits permitted by law.
Subcontractor and supplier data is retained for the duration of the contractual relationship and thereafter for the period required by the Accounting Act (6 years from the end of the financial year).
The contact details of suppliers' and subcontractors' contact persons may additionally be retained, based on the data subject's consent, for one year for possible future contact and cooperation. Consent is requested from the supplier after the first instance of cooperation by means of a separate message. Consent may be withdrawn at any time, after which the data is erased unless there is another lawful basis for retaining it.
For the Alōkas portal, the system stores each user's most recent login time. This is a single value that is updated on each login, with the previous value being overwritten. The data is erased when the user account is deleted.
Website visitor analytics data is retained at the level of an individual visit for a maximum of 14 months, after which it is erased or aggregated into non-identifying statistical form. Aggregated statistics may be retained for longer.
6. Disclosures and transfers of data
Personal data is not disclosed to third parties for marketing purposes. Data may be disclosed:
- To our accountant and financial administration system (Netvisor) for invoicing, payment processing and accounting. The accountant and the system provider act as processors of personal data on our behalf and only in accordance with our instructions.
- To authorities in order to fulfil statutory obligations.
- To subcontractors participating in the delivery of an event who use the same Alōkas portal, to the extent necessary for delivering the event.
- To the cloud services we use, Google Workspace and Slack, which act as processors of personal data (see International transfers below).
Subcontractors process the data only in accordance with our assignment and only to the extent necessary to deliver the service. Subcontractors are bound by an obligation of confidentiality.
Website visitor analytics is implemented using the open-source Matomo software, which we host ourselves on our own server within the EU/EEA. Visitor data is not disclosed to third parties and is not used for advertising.
International transfers. We use Google Workspace and Slack as working tools, in which personal data may be processed. The parent companies of these service providers (Google LLC and Slack/Salesforce) may process data also in the United States, and to that extent personal data may be transferred outside the EU/EEA. Such transfers are based on the European Commission's EU–US Data Privacy Framework adequacy decision, under which both service providers are certified, and additionally on the Standard Contractual Clauses (SCCs) approved by the European Commission. Otherwise, personal data is not transferred outside the EU/EEA.
7. Data security
Data is protected by appropriate technical and organisational measures. Passwords are stored in encrypted form (bcrypt). Connections are protected with SSL/TLS encryption. Access to the data is restricted to authorised persons only. The website visitor analytics server is also located within the EU/EEA, and access to visitor data is restricted to authorised persons only.
8. Cookies and visitor analytics
The Alōkas portal uses a strictly necessary session cookie to maintain the login session. The cookie is valid for the duration of the browser session.
For website visitor analytics we use our self-hosted Matomo analytics, which is implemented without cookies. Visitors are not identified by cookies and are not tracked across different websites, the IP address is anonymised, and tracking respects the browser's Do Not Track setting. We do not use tracking or advertising cookies, nor third-party analytics services.
9. Rights of the data subject
You have the right to:
- Access the data stored about you
- Rectify inaccurate data
- Request erasure of your data by email
- Restrict the processing of your data in the situations provided by law
- Download your own data in a machine-readable format
- Object to processing based on legitimate interest, such as visitor analytics
- Withdraw your consent at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal
- Lodge a complaint with the supervisory authority (Office of the Data Protection Ombudsman, tietosuoja.fi)
You can prevent website visitor analytics by enabling your browser's Do Not Track setting or by using the opt-out function on our website.
The opt-out function stores a small cookie in your browser to remember your choice. Some browsers automatically delete this cookie if the site is not visited regularly, so please check your choice again if necessary.
You are not opted out — your visits are recorded anonymously.
mika@alohelsinki.fi