1. Data controller and representative information
The controller responsible for processing personal data is Originalexceptio.world, with its principal contact address at Asematie 4, 01300 Vantaa, Finland. You may reach our privacy contact at talk@originalexceptio.world. Please include a clear subject line such as “Privacy request” and enough detail for us to verify your identity proportionately to the request.
Why we publish this Policy. Transparency supports trust. We want you to understand what we collect, why we use it, how long we keep it, and which rights you can exercise without needing legal training.
2. Scope of this Policy
This Policy covers personal data obtained through the website, email, optional telephone contact if published, pre-order or purchase flows when available, customer support tickets, and marketing subscriptions you opt into. It does not govern third-party platforms that we may link to; their privacy notices apply when you leave our site.
If you apply for a role with us in the future, a separate employment privacy notice would apply and would be provided at the point of collection.
3. Categories of personal data
Depending on your interaction, we may process:
- Identity data: full name, title, or similar identifiers you supply.
- Contact data: email address, telephone number, shipping address, billing address.
- Transaction data: order identifiers, payment status (payment card data is handled by payment processors where checkout is available).
- Communication data: message content, attachments you choose to send, channel metadata.
- Technical data: IP address, browser type and version, time zone, device type, operating system, referral URL, on-site navigation paths, and approximate location derived from IP.
- Preference data: cookie choices, marketing preferences, language settings.
- Aggregated analytics: statistics that do not identify you directly when configured appropriately.
4. Purposes and legal bases
We process personal data only when a lawful basis under Article 6 GDPR applies. Typical mappings include:
Contract and pre-contract
Processing orders, responding to purchase-related questions, and taking steps at your request before a contract.
Legitimate interests
Securing the site, preventing fraud, improving content, measuring aggregated traffic when cookies are not required, and internal reporting, balanced against your rights.
Legal obligation
Tax, accounting, product safety, and responding to lawful requests from public authorities.
Consent
Non-essential cookies, certain marketing emails, and optional surveys where we ask explicitly.
Where we rely on legitimate interests, you may object under Article 21 GDPR and we will assess your situation. Marketing emails include an unsubscribe link when consent or soft opt-in is not the basis.
5. Retention periods
We retain personal data no longer than necessary for the purposes, unless a longer period is required by law. Indicative benchmarks:
- Marketing consents and suppression lists: until you withdraw consent or unsubscribe, plus a minimal record to honor opt-outs.
- Customer and inquiry records: commonly up to twenty-four months after the last meaningful contact unless a dispute or warranty case extends the need.
- Accounting and tax: according to Finnish bookkeeping rules, often six to ten years.
- Security logs: short rolling windows unless an incident requires preservation.
- Cookie consent records: up to twelve months or as needed to demonstrate compliance.
6. Recipients and processors
We share data with service providers that assist hosting, email delivery, analytics when enabled, payment processing, and customer relationship tools. They process data only on documented instructions and implement appropriate safeguards. We may disclose information when required by law or to protect vital interests.
In the event of a merger or asset sale, personal data may transfer subject to continued protection commitments.
7. International transfers
When data leaves the European Economic Area, we rely on mechanisms such as Standard Contractual Clauses, adequacy decisions, or other tools recognized under Chapter V GDPR, together with supplementary measures where appropriate after a transfer impact assessment.
8. Security measures
We implement technical and organizational measures proportionate to risk, including access controls, encryption in transit for connections that support it, patching, logging, backups, vendor review, and staff confidentiality expectations. No system is perfectly secure; we monitor and improve controls over time.
9. Your rights
Subject to conditions in Articles 15–22 GDPR, you may request access, rectification, erasure, restriction, data portability, and objection, and withdraw consent where processing is consent-based. You may lodge a complaint with the Finnish Office of the Data Protection Ombudsman or, if you reside elsewhere in the EU, with your local supervisory authority.
We respond without undue delay and in principle within one month, extendable in complex cases with notice. We may request verification information to prevent unauthorized disclosure.
10. Automated decision-making
We do not make decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you.
11. Children
The site is intended for adults. We do not knowingly collect data from children under sixteen without parental authority. If you believe we have such data, contact us for prompt review and deletion.
12. Changes to this Policy
We update this Policy when our practices or the law evolve. Material changes may be highlighted on the site. The refresh date at the top reflects the latest substantive revision. Continued use where legally permissible may constitute notice.
13. Contact
Privacy questions: talk@originalexceptio.world. Postal address: Originalexceptio.world, Asematie 4, 01300 Vantaa, Finland.