Register and Privacy Statement 

This is the Register and Privacy Statement of Sanaraja Oy. It complies with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Drafted 6 June 2023. Updated on 16 July 2025. 

1. Data controller 

Sanaraja Oy (Business ID: 3356097-9) 

Mustanlahdenkatu 20 B 132, 33210 Tampere, FINLAND 

info@sanaraja.fi 

2. Contact person for the register and privacy statement 

Leenu Miikki, leenu@sanaraja.fi 

Sanaraja Oy, Mustanlahdenkatu 20 B 132, 33210 Tampere, FINLAND 

3. Legal basis and the purpose of processing personal data 

The legal basis for processing personal data is the data controller’s legitimate interest (in this case, a client relationship) which complies with the Personal Data Act (523/1999, 8 §). The basis for processing personal data is a contractual relation, consent, compliance with statutory obligations or the data controller’s legitimate interest in situations required by the client relationship. 

The purpose of processing personal data is to invoice assignments, maintain and develop a client relationship, provide and develop services, as well as statistical monitoring. 

Data is not used for automated decision-making or profiling. 

4. Data content of the register 

Data stored in the register includes: the name of the client or company, contact details (phone number, email address, postal address, business ID), client feedback information supplied by the client, and the information related to the client’s order, invoicing and delivery. 

The client’s data is stored as long as needed for invoicing the order, unless storing the information longer is required by authorities, or permitted under the law. After the client or commission relationship has ended, the required data is stored up to 5 years.

5. Regular data sources 

The data stored in the register is collected from the clients themselves when they make an offer request or enter a Contract of Service with Sanaraja Oy. Data of corporate clients are also collected from their own platforms. 

6. Regular disclosure of information and transfer of data outside the EU or the EEA 

Sanaraja Oy can disclose the personal data it has collected to the accounting firm tending to the company’s financial administration to meet the accounting obligation, as well as to the authorities in statutory cases. The client’s personal data is not disclosed to any other third parties. Some service providers, such as Google and Microsoft, may offer their services outside of EU and ETA region. However, all our service providers comply with the GDPR.

7. Principles of protecting the register 

The client’s personal data is stored confidentially, and its processing is limited. Only the employees who require the personal data to carry out their assigned tasks are authorised to process the data. Sanaraja Oy adheres to the Personal Data Act and other applicable statutes related to personal data protection that are in effect in Finland. 

Sanaraja Oy endeavours to protect the personal data from accidental, unlawful or unauthorised loss, access to data, disclosure, processing, altering or destruction. 

The client’s personal data is stored securely in locations that can only be accessed by the data controller. Electronic data is protected by means of passwords and usernames (e.g. a password-protected cloud platform or email).

8. Right of inspection and right to rectification 

The client or corporation is in control of all their personal data disclosed to Sanaraja Oy. The client has a right to inspect, what data related to themselves, or the corporation are stored in the register and demand the rectification of any inaccurate data or supplementing of incomplete data. The request for inspection must be submitted to the email address disclosed in Section 2: Contact person for the register and privacy statement. If necessary, the controller may ask the person submitting the request to provide proof of their identity. The controller must respond to the client within a period of time specified in the GDPR (as a rule, within one month).

9. Other rights pertaining to the processing of personal data 

The client is, in certain situations, entitled to request that their or the corporation’s personal data be erased from the register (“right to be forgotten”) and limit and deny the processing of their personal data. The request must be submitted in writing to the data controller. If necessary, the controller may ask the person submitting the request to provide proof of their identity. The controller must respond to the client within a period of time specified in the GDPR (as a rule, within one month). 

However, we kindly ask you to note that the disclosure and consent to process data may be a prerequisite to use our services in certain situations. Sanaraja Oy reserves the right to discontinue the service or deny access to services, if the person or corporate in the register does not disclose the information necessary for the service or demands the data to be erased.