Skip to Content

GDPR & DPP

General Data Protection Regulation and Data Protection Policy

Effective Date: 11.02.2026

Website: https://acnova.eu

Definitions

General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Data Protection Policy (DPP) — The Company’s data protection policy.

The following abbreviations are used throughout this document: GDPR — General Data Protection Regulation DPP — Data Protection Policy

1 Data Controller

Company: Acnova Oy

Business ID: 2155334-1

Registered Address: Sulantie 14 G, 04300 Tuusula, Finland

Email for data protection requests: privacy@acnova.eu

Website: https://acnova.eu

Acnova Oy acts as the Data Controller in accordance with the GDPR and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).

2 Scope

This GDPR & DPP applies to all data subjects interacting with the website https://acnova.eu, including:

  • website users
  • B2C customers
  • B2B clients
  • private label partners
  • distributors
  • prospective clients
  • subscribers to marketing communications

Processing is carried out through:

  • the website
  • the Odoo 19 Enterprise ERP/CRM system
  • Acnova Oy’s own server located in Finland (Hetzner)
  • email communication
  • payment systems

Email marketing is carried out exclusively through Odoo. At the time of publication of this Policy, Cloudflare is not used. Server logs are not transferred outside the European Union.

3 Categories of Personal Data Collected

3.1 Registration Data

  • first and last name
  • company name
  • company registration number
  • VAT number
  • username and password

3.2 Contact Data

  • email address
  • telephone number
  • delivery address
  • billing address

3.3 Payment Data Payment information is processed via Stripe. Acnova Oy does not store bank card details.

3.4 Order Data

  • order history
  • order contents
  • amounts
  • order statuses
  • delivery information

3.5 Technical Data

  • IP address
  • browser type
  • device information
  • server logs
  • cookies

3.6 Marketing Data

  • newsletter subscription
  • website behaviour
  • interaction history

3.7 Cookie Data

  • analytical cookies
  • technical cookies of Odoo
  • Meta Pixel may be used subject to obtaining prior consent from the user through the cookie management system

4 Legal Basis for Processing

Personal data is processed on the following legal grounds:

4.1 Performance of a Contract — Article 6(1)(b) GDPR

4.2 Legal Obligation — Article 6(1)(c) GDPR

4.3 Legitimate Interest — Article 6(1)(f) GDPR

4.4 Consent of the Data Subject — Article 6(1)(a) GDPR

Legitimate interest includes the protection of the business against fraud, abuse, and unlawful actions, as well as the protection of trade secrets and confidential information.

5 Data Retention Periods

5.1 Accounting Data Retained for 6–10 years in accordance with Finnish legislation.

5.2 Order Data Retained for at least 6 years.

5.3 B2B Accounts Deleted after 36 months of inactivity.

5.4 Marketing Data Retained until consent is withdrawn.

5.5 Security Logs and Technical Logs HTTP logs and network request logs are retained for up to 90 days. System audit logs (including data modifications and administrative actions) are retained for up to 12 months. The retention period may be extended in the event of security incident investigations, disputes, or compliance with legal obligations.

5.6 Cookie Data Retained in accordance with the settings of the specific cookie.

The Company reserves the right to extend data retention periods where necessary to protect legitimate interests, resolve disputes, or comply with legal obligations.

6 Third Parties — Data Processors

6.1 Odoo ERP and CRM system version Odoo 19 Enterprise. Hosted on Acnova Oy’s own server in Finland.

6.2 Stripe Payment service provider.

6.3 Google Analytics Website analytics service.

6.4 Meta Meta Pixel may be used subject to obtaining prior consent from the user through the cookie management system.

6.5 Logistics Partners PostNord is currently used for the delivery of goods. Personal data is transferred solely to the extent necessary for the performance of delivery.

7 International Data Transfers

Acnova Oy’s server is located in Finland. Personal data is not transferred outside the European Union, except where international services are used that operate under Standard Contractual Clauses or adequacy decisions of the European Commission.

8 Rights of the Data Subject and Protection Against Abuse

The data subject has the right:

  • to access their personal data
  • to request rectification
  • to request erasure
  • to request restriction of processing
  • to data portability
  • to withdraw consent
  • to lodge a complaint with the supervisory authority in Finland

Identity Verification

Prior to fulfilling a request, Acnova Oy has the right to request verification of the applicant’s identity. The Company has the right to refuse disclosure of information where reliable identification of the applicant is not possible.

Manifestly Unfounded or Excessive Requests

In accordance with Article 12(5) GDPR, the Company has the right to:

  • refuse to act on a request if it is manifestly unfounded or excessive;
  • charge a reasonable administrative fee for repetitive or excessive requests.

Excessive requests may include, in particular:

  • repeated identical requests without objective grounds;
  • requests intended to cause harm to the Company;
  • requests showing signs of abuse of rights;
  • mass automated requests.

The Company reserves the right to document and retain information regarding abuse of data subject rights in order to protect its legitimate interests.

9 Automated Decision-Making

Acnova Oy does not engage in automated decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects their rights and freedoms within the meaning of Article 22 GDPR.

All decisions relating to:

  • order processing
  • pricing
  • approval of B2B or private label requests
  • conclusion of contracts

are made with human involvement.

If automated decision-making mechanisms are implemented, this Policy will be updated, and data subjects will be provided with information regarding the logic, significance, and envisaged consequences of such processing in accordance with Article 22 GDPR.

10 Confidentiality of Commercial Information

Access to personal data does not extend to:

  • trade secrets
  • confidential information relating to private label projects
  • technological processes
  • internal correspondence
  • internal reports and analytics

The disclosure of personal data shall not infringe the rights and freedoms of other persons or disclose protected trade secrets. Data shall be provided only to the extent that does not infringe the rights and freedoms of third parties.

11 Security Measures

Acnova Oy implements the following security measures:

  • SSL encryption
  • server location in Finland
  • role-based access control in Odoo 19 Enterprise
  • activity logging
  • data backups
  • employee access control
  • limitation of administrative privileges
  • regular software updates

12 Data Breach Procedure

In the event of a personal data breach:

  • the supervisory authority is notified within 72 hours
  • data subjects are notified where required
  • the incident is documented
  • measures are taken to mitigate the consequences

13 Contact Information

Acnova Oy

privacy@acnova.eu

https://acnova.eu