REGISTRY AND PRIVACY POLICY

Drophop Oy

Date of creation: February 6, 2025

Last updated: July 28, 2025

1. Data Controller and Contact Information

Drophop Oy

Business ID: 3456096-2

Address: Niemenkatu 73, 15140 Lahti, Finland

Email: info(at)dropsugarhabit.com

Phone: +35850-5734222

2. Contact Person for Register Matters

Teija Vörlin

Project Manager

Phone: +358505734222

Email: teija.vorlin(at)dropsweets.com

3. Name of the Register

Drophop Oy Customer Register

This Privacy Policy and Register Description covers all Drophop Oy operations involving the processing of customer data, including online store and Drop Sugar Habit mobile application customer relationships.

4. Purpose and Legal Basis for Processing Personal Data

Drophop Oy considers customer privacy extremely important. At Drophop Oy, the processing of customer data is governed by national data protection legislation and the EU General Data Protection Regulation (GDPR). We are committed to data protection and protecting the privacy of Drophop Oy service users, and to complying with legislation concerning the processing of personal data and data protection.

Drophop Oy primarily acts as the data controller for all personal data it processes related to customer relationship management, marketing, and service development. We are responsible for complying with data protection legislation and data protection principles in all personal data processing.

The purposes of personal data processing are:

  • Customer Relationship Management and Maintenance: This includes processing online store orders, deliveries, invoicing, customer service, communication, and handling potential complaints and feedback. The legal basis is a contract (e.g., purchase from the online store, Drop Sugar Habit service terms of use) or a legitimate interest (customer service, customer relationship development).
  • Providing Drop Sugar Habit Mobile Application Functionality: Personal data is processed to enable the core functionalities of the mobile application (e.g., user settings, product usage data, in-app communication, progress tracking). The legal basis is a contract (Drop Sugar Habit mobile application terms of use).
  • Product and Service Development: Collected data is utilized for developing Drophop Oy's products and services, if the data subject has given their consent. This includes measures to improve the functionality of the mobile application and online store, develop new features, and optimize the user experience. The legal basis is a legitimate interest.
  • Marketing and Communication: Data may be used for marketing communications, such as sending newsletters and targeting offers (e.g., via email, push notifications in the mobile application), if the data subject has given their consent or if there is another legitimate interest (e.g., direct marketing aimed at existing customers).
  • Fulfilling Legal Obligations: We process data to fulfill legal obligations, such as requirements related to accounting (Accounting Act 1339/1997) and taxation. The legal basis is a legal obligation.
  • Information Security and Prevention of Misuse: We process data to ensure the security of our services, prevent misuse and fraud, and protect our assets and the interests of our users. The legal basis is a legitimate interest.

5. Categories of Personal Data Processed

We collect and process the following categories of personal data:

  • Basic Information: Name/nickname, gender, language, age, email address, phone number, address details.
  • Customer Relationship Information (Online Store): Customer number, purchase history, orders, delivery information, invoicing details, payment history, customer feedback, complaints.
  • Mobile Application User Data: User ID, encrypted password, user profile data (e.g., created goals, progress tracking), device identifiers, payment details, app version, and data entered by the data subject themselves into the Drop Sugar Habit service.
  • Online Store and Mobile Application Usage Data: IP address, browser type, operating system, time and duration of visit to the website/app, visited pages/screens, clicks and actions, log data, and data collected by cookies and similar technologies. (Users can manage their cookie settings via the cookie banner on the website.)
  • Consents and Choices: Information about consents given by the data subject (e.g., marketing permissions) and other choices made (e.g., push notification settings).
  • Information related to Identification and Verification Tools in Payment Transactions: Authentications in payment transactions.
  • Information related to Data Processing: Date of saving, data source, and log data.

Cookie Policy:

Our websites, online store, and mobile application use cookies and similar technologies to enhance user experience, collect information about service usage, and target marketing. We use cookies and similar technologies for the following purposes:

  • Essential Cookies: These cookies are strictly necessary for the operation of the websites, online store, and application. Essential cookies enable, for example, shopping cart functionality and login. Without these cookies, the services will not function properly.
  • Functional and Preference Cookies: These cookies help improve the user experience by remembering choices made, such as language settings or username.
  • Analytics Cookies: We use these cookies to collect information about how our website and application are used. For example, we receive information about visitor numbers and potential error situations. This information helps us to develop and optimize our services.
  • Marketing and Targeting Cookies: These cookies are used to collect information about your interests, among other things, so that we can offer you more relevant content.

You can manage your cookie settings through the website's cookie banner or your browser settings. For the mobile application, you can manage cookies through your device or app settings. Please note that blocking cookies may affect the functionality of our services.

6. Regular Sources of Data

Personal data is primarily collected from:

  • The Data Subject Themselves:
    • Through ordering products in the online store, creating a customer account, or contacting customer service.
    • Through mobile application registration, user profile creation, app usage, or in-app communication.
    • Through other personal contacts (phone, email, chat).
  • Usage of Drophop Oy's Services:
    • Website, online store, and mobile application analytics systems, log data, cookies, and similar technologies.
  • Public Sources: If necessary, e.g., from the trade register or other public registers.

7. Regular Disclosures of Data and Transfers Outside the EU/EEA

We do not regularly disclose personal data to external parties without the data subject's consent, unless it is necessary for providing the service, fulfilling a legal obligation, or based on legitimate interests mentioned in this policy.

Data may be disclosed or transferred to the following parties:

  • Service Providers: We use reliable third-party service providers who process personal data on our behalf. These service providers include:
    • Payment service providers (online store and application payment transactions).
    • Delivery service companies (product deliveries).
    • IT system and service providers (cloud services, website and mobile application hosting, email services, analytics tools, CRM systems).
    • Marketing and communication partners (newsletter delivery service, advertising platforms).
  • Authorities: If required by law (e.g., police, tax authorities).

Data Transfers Outside the EU/EEA:

When we use external service providers whose servers or offices are located outside the EU/EEA (e.g., in the United States), personal data may be transferred outside the EU/EEA. In such cases, we ensure an adequate level of data protection by using standard contractual clauses approved by the European Commission or other applicable transfer mechanisms that comply with GDPR.

8. Retention Period for Personal Data

We retain personal data only for as long as necessary to fulfill the purposes defined in this policy or to comply with legal obligations.

Retention periods are typically determined as follows:

  • Customer Relationship Data: Retained for the duration of the customer relationship. Retained as long as the person is an active recipient of marketing or until they withdraw their consent. After this, the data will be anonymized.
  • Accounting Material: Retained for the period required by the Accounting Act (1339/1997).
  • Marketing Register Data: Retained as long as the person is an active recipient of marketing or until they withdraw their consent.
  • Mobile Application and Online Store Usage Data (analytics, log data): Retained as long as the person is an active user or until they withdraw their consent. After this, the data will be anonymized.
  • Contract-based Data: Retained for the duration of the contract and, if necessary, thereafter to fulfill potential legal claims or obligations.
  • Research Data: Retained for the duration of the customer relationship. Retained as long as the person is an active user or until they withdraw their consent. After this, the data will be anonymized.

When the data retention period expires, the data will be securely deleted or anonymized in a way that they can no longer be linked to an individual.

9. Principles of Register Protection

Drophop Oy develops and maintains staff understanding of data protection as part of new employee onboarding and by providing training opportunities. We ensure the security of personal data and strive to prevent unauthorized access to data and unlawful processing of data. The purpose of register protection measures is to ensure the confidentiality of Drophop Oy's services, the availability of data, and the realization of data subjects' rights. Drophop Oy complies with the diligence and protection obligations set by law and good data management practices when processing personal data.

Drophop Oy processes all personal data digitally. The register is located on the password-protected server of the software provider used by Drophop Oy.

  • Access Control: Access to personal data is restricted only to personnel who need to process the data for their work duties. Drophop Oy's management decides on granting access rights to Drophop Oy's employees and partners (e.g., online store personnel). Employees have access to personal register data to the extent required by their work duties. Each user has personal usernames and passwords.
  • Data Traffic and System Security: Digitally processed data can only be accessed with a personal username and password. Data traffic between systems (e.g., between the online store and payment service, between the mobile application and the server) is protected by appropriate encryption technologies.
  • Data Backup: Data is regularly backed up and recoverable.
  • Information Security Guidelines and Training: The Data Protection Officer is responsible for staff training on appropriate data processing, data security, and data protection. We regularly update employee guidelines and self-monitoring plans.
  • Partner Agreements: When using external service providers, we ensure through agreements that they comply with an adequate level of data protection and process data only according to our instructions.

10. Data Subject Rights

Every data subject has the right to exercise the following rights regarding personal data processed by Drophop Oy. If you wish to exercise any of the rights mentioned below, please contact the contact person mentioned in section 2 of this policy. We aim to respond to requests without undue delay, within one month at the latest. A request for access can be made once a year free of charge.

  • Right of Access (Right to Inspection): The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and if so, the right to access their data and the information contained in this Privacy Policy. The request for access must be submitted to Drophop Oy electronically scanned and signed. The identity of the requesting customer will be reliably verified.
  • Right to Rectification or Completion of Data: Drophop Oy has an obligation to rectify or complete inaccurate or incomplete personal data concerning the data subject in Drophop Oy's customer register without undue delay, either on its own initiative or at the data subject's request. The request for rectification should be made by contacting the Data Protection Officer. The request must be specified and justified.
  • Right to Erasure ("Right to be Forgotten"): The data subject has the right to request the erasure of their personal data in certain situations, for example, if the data is no longer necessary for the original purpose, the data subject withdraws their consent, and there is no other legal basis for processing. Please note that in some situations, we may not be able to erase all data due to legal requirements (e.g., accounting law).
  • Right to Object: The data subject has the right to object to the processing of their personal data in certain situations, such as when processing is based on a legitimate interest or direct marketing. The customer has the right to prohibit the data controller from processing data concerning them for direct advertising, distance selling, other direct marketing, market and opinion research, or other research.

Right to Withdraw Consent:

The processing of personal data is based on the data subject's consent, and the data subject has the right to withdraw their consent at any time. You can manage settings through the website or your browser settings. For the mobile application, you can manage consent through your device or app settings.

11. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with a competent supervisory authority if they consider that their personal data has been processed in violation of applicable data protection legislation. A complaint can be made specifically to the supervisory authority of the Member State of the data subject's habitual residence or place of work or where the alleged infringement occurred.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

More information: www.tietosuoja.fi

12. Changes to the Privacy Policy

Drophop Oy reserves the right to change this Privacy Policy as needed and as legislation evolves. We will notify of changes on our website or in the mobile application or by other applicable means. We recommend reviewing the content of the policy regularly.