Buutti Oy (2828574-9)
Teknologiantie 2, 90590 Oulu, Finland

Legal basis and purpose of processing personal data

This statement describes the privacy policy with which we comply when processing the personal data of our customers, job applicants, training applicants, individuals participating in our events, and the users of our website.
The justification for the personal data processing may be based on the following:
– a person’s consent
– an agreement to which the data subject is party
– the controller’s legal obligation
– the controller’s legitimate interest
The following contains a more detailed description of why personal data is saved in a given case, and how it is processed and stored.
As the controller, we are responsible for implementing the protection of your privacy and the secure storage of your data. You are responsible for familiarizing yourself with this privacy policy. If you have any questions whatsoever in relation to your privacy or the processing of your data, please get in touch with us. Our contact details:
Buutti Oy (business ID 2828574-9)
Contact person: Mikko Koistinen
Teknologiantie 2, 90590 Oulu, Finland
Tel. +358 40 066 3463

Website users

We process data generated during the use of our website to ensure its functionality. We obtain your data when you use our website. We save your IP address and the browsing data concerning the website. We delete the data of website users within two (2) years of a user’s visit to our pages.
Your data is also processed by our service provider Google Analytics and Google (infrastructure). The disclosure of data to third parties is discussed in the “Disclosure of data” section.

We use cookies, and our service providers also use cookies. You can block the use of cookies at any time. We discuss cookies in more detail below.

Job applicants, training applicants and individuals participating in our events

We obtain your contact details (name, address, phone number, and email address) when you apply for a job or training with us or sign up for one of our events. You may also be identifiable from the photos we take at our events.
In the processing of job or training applications and in communication related to recruitment, we process, in addition to your contact details, documents related to the search for a job (applications, CVs, portfolios) and the data they contain, information on the progress and outcome of a recruitment, and our employees’ assessments of your suitability for a job or training.
Your data may also be processed by people working in our recruitment, sales, and HR administration. Furthermore, your data, such as your CV, may be presented to our customers, prior to which we will separately ask for your permission to do so.
We store the data of job applicants, training applicants or individuals participating in an event for two (2) years from the submission of the application or the updating of any data, after which the data is deleted automatically. We discuss your rights in terms of your data below.
Your data is also processed by our service providers Greenhouse and RecRight (recruitment systems), as well as Google (infrastructure).

Individuals in the employment of customers and potential customers

We process your contact details (name, address, phone number, and email address) and other data concerning you (including the name of your employer/the organization you represent, your job title or role) to help us manage customer services and the customer relationship, customer communications and marketing, and in the development and planning of our business. We also process data on orders. The agreement concerning the customer account in question may have an effect on how we collect and process your data.
We obtain the data primarily from materials available in the public domain (like LinkedIn, your company’s web pages, Duunitori) or when you become our customer, when we meet you at a trade fair, or in the event that you contact us.
We use your data for keeping in touch and targeting our marketing, in relation to which we also use data on any permission for or opting out of direct marketing.
Your data is also processed by our service providers Pipedrive (sales management system), LeadFeeder (analysis tool for visits to our website), Active Campaign (email marketing tool), and Google (infrastructure).

We store your customer data for as long as the relevant agreement is valid and for a period of five (5) years from the termination of the customer relationship, after which the data is deleted. We keep any data stored for marketing purposes for two (2) years from the last time we contacted you, after which the data is deleted. We discuss your rights in terms of your data below.

Your rights

Your rights in terms of your data are listed below. If you wish to exercise your rights, please send us an email about it to:

Right to access and rectification

You have the right to check the personal data on you that we process. If you discover any inaccuracies or incompleteness in your data, you have the right to request us to rectify or supplement the data.

Right to object

You have the right to object to the processing of your data at any time. If you object to the processing of your data, we suspend the processing of your data until such time as we have investigated whether such a compelling legitimate interest or legitimate grounds as referred to in the General Data Protection Regulation (GDPR) exist which override your right to object. Nor will the processing of personal data be ceased if such processing is necessary for the establishment, exercise, or defense of a legal claim.

Direct marketing opt-out

You have the right, at any time, not to accept the use of your data for direct marketing. We never sell or otherwise disclose your personal data to third parties so that they can target direct marketing at you. We buy online marketing from Facebook and Google, among others. However, these companies never receive data from us based on which you could be identified, and the marketing involved is not direct marketing; rather, it is based on cookies. See the section on cookies for further information.

Right to erasure

If you feel that the processing of some data on you is unnecessary for our tasks, you have the right to request us to erase the data in question. We will process your request, after which we will either erase your data or inform you of the legitimate grounds based on which the data cannot be erased. If you disagree with our decision, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman (you can find instructions on how to lodge a complaint at You also have the right to request us to limit the processing of the contested data for as long as the matter is resolved.

Right to lodge a complaint

You have the right to lodge a complaint with the Office of the Data Protection Ombudsman if you feel that we infringe the valid data protection legislation when processing your personal data (you can find instructions on how to lodge a complaint at

Disclosure of data

There are some other parties processing your personal data in addition to us. We have ensured that all the parties processing your personal data comply with the data protection legislation. We may disclose your personal data to a third party, such as our service provider, in the following cases:
– When you have given your consent for the disclosure of your data.
– When the service provider processes your personal data on our behalf and according to our instructions.
– When there is a legitimate interest for the disclosure of the data, such as when we are organizing an event with a third party. In such cases, you are always informed of the disclosure of your data.
– In changes involving our business operations, such as when we are part of a corporate transaction, merger or the disposal of a business or part thereof.
– To the extent required or permitted by the law.
– When we deem the disclosure of the data to be necessary for the enforcement or protection of our rights, the protection of your security and the security of others, the investigation of misuse, or to respond to a request by the authorities.

Our service providers may transfer the data outside the EU/the EEA. Our service providers in the United States have joined what is referred to as the Privacy Shield program between the EU and the United States. The program aims to ensure the secure processing of European data in the United States. The European Commission has stated that service providers with certification from the program guarantee a level of information security and data protection in line with the high European standards. You can find a list of certified service providers at

Principles of protecting the register

The secure processing of your data is important to us. We protect the internet connection (HTTPS), employ a firewall, and encrypt data. We also protect your data by ensuring that it cannot be viewed by anyone other than those for whom it is necessary to do so because of their job. Access to your data requires a personal user ID and password, at both the hardware and software levels. Our personnel undertake to protect your personal data by signing non-disclosure agreements.

We protect all data transfers with encryption methods. Your data is stored on secure servers which are strongly protected against both technological and physical break-ins, and against natural disasters. The information system is protected by firewalls and other technological means. The data is backed up at regular intervals.

We use cookies on our website. When you visit our website, we send a cookie to your data terminal. Cookies are small, passive text files which do not harm your data terminal or files. The cookies ensure the security, efficiency, and user-friendliness of the service. Among other things, cookies help us identify frequent visitors, facilitate the login of visitors, and prepare aggregate data on the visitors. This feedback allows us to improve our products and services on a continuous basis and provide our customers with individualized services, for example.
We never obtain data from which you would be directly identifiable. Cookies allow us to collect the following kind of information:
– A user’s IP address
– The hour
– The pages used
– Browser type
– The URL from which a user enters the page in question
– The server from which the user enters the page in question
– The domain name from which the user enters a page
You can disable the use of cookies if you wish to do so. If you decide to do so, please note that our website may not be displayed to you correctly or that its use may become more difficult.
Internet browsers usually accept cookies automatically. If you wish to do so, you can nevertheless modify your browser settings, and at any time, 1) block the installation of new cookies and 2) remove any cookies already installed on your computer.
Further information on targeted advertising based on browser use is available on the website Your Online Choices.