Satori Koulutuspalvelut

Privacy policy

This notice meets the EU General Data Protection Regulation (GDPR, 2016/679) and the Finnish Data Protection Act (1050/2018). It explains how personal data is handled on the satorikoulutuspalvelut.fi site and in the work of Satori Koulutuspalvelut.

Updated 14 May 2026. If the Finnish and English versions of this notice ever differ in interpretation, the Finnish version prevails.

1. Controller and contact details

Satori Koulutuspalvelut
Business ID 2941105-7
Helsinki, Finland

Data protection matters are handled by Teemu Hyyryläinen.
Email: teemu@satorikoulutuspalvelut.fi
Phone: +358 50 596 7167

Satori Koulutuspalvelut has not appointed a separate data protection officer, as the operation is small in scale. For any data protection question, contact Teemu directly using the details above.

2. Purposes and legal bases

Personal data is processed for the following purposes:

  • Providing and running training services. Course registrations, invoicing, delivering training materials, passing certification details to Scrum Alliance. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and a legal obligation (the Finnish Accounting Act).
  • Responding to enquiries. Replying to messages sent through the contact form and any follow-up discussion. Legal basis: steps prior to a contract (GDPR Art. 6(1)(b)), or legitimate interest (Art. 6(1)(f)) where the enquiry does not yet lead to a contract.
  • Sending the newsletter. Emailing the training letter to subscribers. Legal basis: consent (GDPR Art. 6(1)(a)). Consent can be withdrawn at any time.
  • Improving the site and services. Traffic analytics, improving the user experience, tailoring content. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) for anonymised data; consent (GDPR Art. 6(1)(a)) for identifying data (see cookies).
  • Marketing and ad optimisation. Conversion tracking and remarketing for Google Ads campaigns. Legal basis: consent (GDPR Art. 6(1)(a)).
  • Meeting legal obligations. Keeping accounting records and reporting to authorities where required. Legal basis: legal obligation (GDPR Art. 6(1)(c)).

3. Categories of personal data

3.1 Contact form data

When you send a message through the contact form, the following data is processed:

  • Name, email address, the topic you selected, message content
  • Company name (optional)
  • The page open when you sent the message (the path you came from)
  • A cryptographic hash of your IP address (to prevent abuse)
  • Browser type (shortened)
  • Timestamp and the GDPR consent you gave

3.2 Newsletter subscriber data

  • Email address
  • Subscription source (e.g. blog, footer, form)
  • A hash of your IP address
  • Subscription time and language preference (FI/EN)

3.3 Course registration data

Course registrations run through Eventilla (Eventilla Oy, Finland), which is a separate controller for the participant registration step. Eventilla passes Satori the participant’s name, email, any dietary requirements and invoicing details so the course can be run. Read Eventilla’s own privacy policy at eventilla.com/tietosuojaseloste.

3.4 Certification data

To issue a Scrum Alliance certification, the participant’s name and email address are transferred to Scrum Alliance (Scrum Alliance Inc., USA). This is part of delivering the service — without the transfer, the certificate cannot be issued.

3.5 Site usage data

  • Browser type and version, operating system, screen resolution
  • Time spent on a page, navigation paths, elements clicked
  • Geographic location (city level) derived from the IP address
  • With your consent, more detailed visitor identifiers (see cookies)

4. Where the data comes from

Mostly from you directly: through the form, by email, by phone, or when you register for a course. Site usage data is recorded automatically from your browser through cookies and similar technologies — how precisely depends on the consent you give.

5. Disclosures and processors

Personal data is disclosed to third parties only to the extent the service requires. The processors in use:

Processor | Purpose | Location
--- | --- | ---
Vercel Inc. | Site hosting + Vercel Analytics (anonymous) | USA, EU (CDN)
Supabase Inc. | Database (contact messages, newsletter subscribers) | Ireland, EU
Resend | Email delivery (contact notifications, newsletter) | USA
Eventilla Oy | Course registrations and payments | Finland
Scrum Alliance, Inc. | Recipient of certification data | USA
Google LLC | Google Analytics 4, Google Ads (with the user’s consent) | USA, EU (servers)
Accounting firm | Bookkeeping and processing of invoicing data | Finland

A data processing agreement (DPA) required by the GDPR is in place with each processor, or the processor has published an equivalent term publicly.

6. Transfers outside the EU/EEA

Some processors (Vercel, Resend, Google, Scrum Alliance, and some Supabase operations) are located in the United States. These transfers rely on:

  • The EU–US Data Privacy Framework where the processor is certified (Vercel, Google).
  • EU Standard Contractual Clauses (2021/914) for other processors, complemented by technical and organisational safeguards where needed.

Further detail on the transfers and their safeguards is available on request directly from the controller, using the contact details above.

7. Retention periods

  • Contact messages: 12 months from the enquiry, unless a longer-term client relationship arises from it. Deleted earlier on request.
  • Newsletter subscribers: for as long as the subscription is active. You can unsubscribe at any time; after that, the data is deleted within 30 days — kept for this period so that the effects of automated bot subscriptions can be prevented.
  • Course registrations and participant data: for the duration of the course and certification. After that, invoicing data is kept for the 6 years required by the Accounting Act, counted from the end of the financial year.
  • Analytics data: Vercel Analytics, 30 days; Google Analytics 4 (with consent), 14 months; aggregate data, indefinitely.
  • Marketing identifiers: Google Ads cookies are valid for a maximum of 13 months.
  • Accounting vouchers and invoices: the 6 years required by the Accounting Act (1336/1997) from the turn of the year following the end of the financial year.

8. Cookies and tracking technologies

The site uses cookies and other browser-based identifiers. Cookies are grouped into categories by purpose. Only strictly necessary cookies are loaded without your consent — everything else only after you have given consent through the cookie banner. You can change your consent at any time on the cookie policy page.

9. Your rights

Under the GDPR you have the following rights regarding your own personal data:

  • Access (Art. 15): you can request a copy of the data held about you.
  • Rectification (Art. 16): you can ask for inaccurate data to be corrected.
  • Erasure (Art. 17): you can ask for data to be deleted when there is no longer a basis for processing it (e.g. after unsubscribing from the newsletter). Data covered by statutory retention obligations (accounting) is kept for the period the law requires.
  • Restriction (Art. 18): you can ask for processing to be restricted, for example while you have contested the accuracy of the data.
  • Portability (Art. 20): you can receive the data held about you in a machine-readable format and ask for it to be transferred to another controller.
  • Objection (Art. 21): you can object to processing based on legitimate interest (e.g. anonymised analytics).
  • Withdrawing consent: you can withdraw consent at any time — for example cookie consent through the cookie banner, or the newsletter subscription via the link at the bottom of every letter.
  • The right not to be subject to automated decision-making (Art. 22): Satori Koulutuspalvelut does not make automated decisions with legal effects based on your personal data.

To exercise your rights, send a message to teemu@satorikoulutuspalvelut.fi. Requests are handled within one month. Your identity is verified before any data is disclosed.

10. Security

Appropriate technical and organisational measures are in place to protect personal data:

  • TLS encryption (HTTPS) for traffic between the site and the servers.
  • The database can only be reached from the server with a service key; access from a browser or the public network is blocked by Row Level Security.
  • IP addresses are processed in hashed form to prevent abuse — the raw IP address is not stored.
  • Regular updates and security audits.
  • Personal data is processed only to the extent the service requires, and only the people who handle it have access.

11. Changes to this notice

This privacy notice may be updated as the law changes, as processing practices develop, or as the services change. Changes take effect when the updated notice is published on the site. Material changes are announced in advance on the site’s home page, or by email to the data subjects a change materially affects.

12. Right to lodge a complaint with the supervisory authority

If you believe your personal data has been handled contrary to data protection law, you can lodge a complaint with the Office of the Finnish Data Protection Ombudsman:

Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki, Finland
P.O. Box 800, 00531 Helsinki
Phone (switchboard): +358 29 566 6700
Email: tietosuoja@om.fi
Website: tietosuoja.fi/en

We’d still encourage you to contact us first, so we can look into and put right any concerns directly.