Effective date: 11.11.2025
1. Data Controller
Limonella
Business ID: 3560373-3
Address: Palstatie 4B20, 40520 Jyväskylä, Finland
Tel: 040 819 33 44
Email: info@mylimonella.com
Website: www.mylimonella.com
2. Purpose and Legal Basis for Processing Personal Data
We process personal data only when we have a lawful legal basis as required by the General Data Protection Regulation (GDPR). We commit to processing data lawfully, fairly, and in a transparent manner in relation to the data subject. The purpose and the legal basis of such processing must be identified from the outset and communicated to the data subject.
Our purposes and the corresponding legal bases (Article 6(1) GDPR) are:
Performance of a Contract
Purpose: Managing customer relationships, processing orders, receiving payments, delivering products, and providing fundamental customer support.
Rationale: Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation
Purpose: Fulfilling mandatory legal and regulatory obligations, such as retaining order information in accordance with the Accounting Act.
Rationale: Processing is necessary for compliance with a legal obligation to which the controller (Limonella) is subject.
Legitimate Interest
Purpose: Analyzing and improving website performance and customer experience, and potentially non-essential customer support.
Rationale: We have a legitimate interest, which must be precisely articulated, in analyzing data to improve user experience and service delivery. This basis is only valid if the processing is demonstrated to be necessary and if our legitimate interests are not overridden by the fundamental rights and freedoms of the data subject, as established by a documented balancing test.
Consent
Purpose: Sending marketing communications and direct electronic marketing (e.g., email).
Rationale: Processing is based on the data subject giving explicit consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed, and unambiguous. You may withdraw this consent at any time.
3. Processed Personal Data
The register may contain the following information:
First and last name
Address, email address, and phone number
Order and payment details
Delivery address
IP address and cookie data
Communication history
Inferences drawn from any of the above information to create a profile reflecting consumer preferences or characteristics, where such processing takes place.
4. Data Retention Period
Personal data will be retained only as long as necessary, adhering to the principle of storage limitation:
Order information is stored in accordance with the Accounting Act (6 years).
Marketing consent data is stored until the customer withdraws their consent.
5. Disclosure and Transfer of Data
Personal data will not be shared with third parties unless necessary for clearly defined purposes. We require that all entities handling data maintain confidentiality and implement appropriate security measures.
Data may be shared with the following categories of recipients:
Payment processing (e.g., Paytrail, Stripe, PayPal).
Shipping services (e.g., Posti, Matkahuolto).
Accounting or IT service providers (Data Processors) under contract. These parties process data strictly on our behalf and according to our documented instructions, and not for their own purposes. The relationship is governed by a written contract that meets the requirements of Article 28 GDPR.
International Data Transfers
Data will not be transferred outside the EU or EEA without adequate protection measures.
6. Cookies and Similar Technologies
We use cookies to improve the functionality and user experience of our website. The processing of data via non-essential cookies requires prior, explicit user consent.
Prior Consent Required: Non-essential cookies, particularly those used for advertising or non-essential analytics, are not placed or read until the user has given unambiguous, affirmative consent.
Consent Mechanism: Consent must be freely given, specific, informed, and unambiguous. Our cookie banner ensures that the option to "Reject All" non-essential processing is presented as prominently and is as accessible as the option to "Accept". We avoid using "dark patterns" or asymmetric design features that nudge users toward acceptance.
Transparency: You are provided with clear and comprehensive information regarding the purpose of all cookies and the identity of the third parties involved in placing them.
Management: You can manage or withdraw cookie settings via the site’s cookie banner or through your browser settings. You have the right to object to processing for direct marketing purposes (including cookie-based advertising) free of charge and at any time.
To revoke your consent to cookies, click here.
7. Rights of the Data Subject
You have the right to exercise control over your personal data. Requests concerning these rights will be addressed without undue delay, and in any event within one month of receipt.
You have the right to:
Access the data we hold about you.
Request Rectification of inaccurate or incomplete information.
Request Deletion of your data ("right to be forgotten").
Request Data Portability. You have the right to receive personal data concerning you, which you provided to us (if processed based on consent or contract by automated means), in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
Object to or Restrict certain data processing operations.
Withdraw your marketing consent at any time.
Be informed about the existence of Automated Decision-Making, including profiling, and, where such decisions produce legal or similarly significant effects, not to be subject to a decision based solely on automated processing.
File a Complaint with the Data Protection Ombudsman (Supervisory Authority) if you suspect misuse.
8. Data Security
Personal data is stored in secure systems and can only be accessed by authorized personnel who require it to perform their work duties.
We implement appropriate Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk:
Technical Safeguards: These include encryption of data (at rest and in transit), robust access controls limiting who can access and modify customer data, and mechanisms for logging and auditing system activity.
Organizational Safeguards: We maintain documented policies and procedures for incident response, ensuring prompt notification to the supervisory authority and affected data subjects in the event of a personal data breach, without undue delay. We regularly review and update these measures based on security risk assessments.
9. Contact Information for Privacy Matters
All privacy-related requests and inquiries regarding the processing of personal data can be sent to: info@mylimonella.com