
Privacy Policy

Privacy Notice and Data Protection Statement

We are committed to handling personal data transparently. We process your personal data in accordance with legal requirements and only collect information necessary for each specific purpose.

This privacy notice complies with the EU General Data Protection Regulation (GDPR). It was originally issued on April 13, 2018, and most recently updated on May 26, 2026.

1. Data Controller

Supermind Oy

Business ID: 2766008-4

c/o Werstas,

Tykistökatu 4,

20520 Turku,

Finland

2. Contact Person Responsible for the Register

Petri Lindholm

Phone: +358 400 420 583

Email: petri.lindholm@supermind.com

3. Name of the Register

The registers maintained by Supermind Oy include: the customer register, marketing register, stakeholder register, and web service user register.

4. Legal Basis and Purpose of Processing

The legal basis for processing personal data under the EU General Data Protection Regulation is:

  • Consent of the individual, and/or

  • Performance of a contract to which the data subject is a party, and/or

  • Legitimate interest of the data controller (e.g., an existing customer or business relationship).

The purpose of processing personal data is to communicate with customers, maintain customer relationships, and conduct marketing activities. Website visitor behaviour is also tracked in aggregate for analytics purposes using Google Analytics.

5. Content of the Register

The web service user register records the pages visited by users on Supermind.com. Visitor data is collected via Google Analytics (Data Processing Terms).

The customer and stakeholder registers may include: name, position, company/organization, contact details (phone number, email address, business address), website URLs, IP addresses, and social media profiles and accounts.

We maintain data using the following services (links to their GDPR guidelines in parentheses):

Data is retained for as long as necessary for the purposes described in this policy, or as required by applicable law. Retention periods are reviewed regularly.

6. Regular Sources of Data

Data recorded in the customer and stakeholder registers is obtained directly from the individual through web forms, email, phone, social media channels, contracts, customer meetings, or other situations where the individual voluntarily provides their information.

7. Regular Disclosures and Transfers Outside the EU/EEA

Data is not disclosed to third parties except as agreed with the customer or as required by law. Some of the third-party services listed in Section 5 (including Mailchimp and Pipedrive) may transfer personal data outside the EU/EEA. Where such transfers occur, they are governed by appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework, in accordance with the GDPR requirements for international data transfers.

8. Principles for Securing the Register

We handle personal data with care and implement appropriate technical and organisational security measures. When storing data on internet servers, both physical and digital security are ensured. Access to data, server rights, and other sensitive information are strictly controlled and limited to employees whose duties require it.

 

9. Rights of the Data Subject

Under the EU General Data Protection Regulation, individuals have the following rights regarding their personal data:

  • Right of access – the right to review what personal data is held about them

  • Right to rectification – the right to request correction or addition of inaccurate or incomplete data

  • Right to erasure – the right to request deletion of their personal data ("right to be forgotten")

  • Right to restriction of processing – the right to request that processing be limited in certain circumstances

  • Right to object – the right to object to processing based on legitimate interests, including for direct marketing purposes

Requests must be submitted in writing to the data controller. Proof of identity may be required. The data controller will respond within the timeframe stipulated by the GDPR, typically within one month.
