Koskinen Family Business Oy (“Koskinen & Co”) collects, controls, and processes personal data according to this privacy policy and applicable legislation, including the EU General Data Protection Regulation (GDPR).
Our work requires that we collect, control, and process some personal data about you. We are committed to respecting and protecting your privacy.
Our services are not directed at individuals under age 16, and we do not knowingly collect personal data from children.
We may use the personal data we collect: (a) to create or maintain customer relationships; (b) to offer services, products or other legitimate interests; (c) to provide services, products or other legitimate interests; (d) to develop services, products or other legitimate interests; (e) to fulfil contract requirements; (f) to take steps to create contracts; (g) to fulfil legal obligations; or (h) to pursue legitimate interests that do not override your privacy rights.
We may collect the following categories of personal data: (a) contact details (name, email, phone number); (b) company details (company name, job title); (c) communication details (chat transcripts, email correspondence, text messaging, meeting memos); (d) usage details (website and service usage); (e) relationship details (information shared while using services); and (f) other legitimate personal data necessary for the purposes described in this privacy policy.
Personal data may be collected: (a) from publicly available sources (web, social media); (b) from direct communication or service usage; (c) from sources accessed to fulfil contract requirements; (d) from shared partners, service providers, and third parties; or (e) from representatives.
There is always a legal basis for collecting and processing your data. Legal bases include: (a) freely given consent; (b) contract performance; or (c) legitimate interest fulfilment.
Legitimate interests include maintaining customer relationships, providing and improving services, ensuring network and information security, and marketing to existing and prospective customers. These interests cannot override fundamental rights requiring data protection.
If processing is based on consent, you may withdraw it anytime by contacting matias@koskinen.co. Withdrawal does not affect the lawfulness of processing before withdrawal.
Personal data is accessible, controlled, and processed by Koskinen & Co employees.
Some data processing is outsourced to third parties with appropriate security measures ensuring privacy protection and legal compliance.
Data may be processed by third-party service providers, including cloud services, communication tools, and AI-assisted tools. A current list of sub-processors is maintained at www.koskinen.co/legal/sub-processors or is available upon request.
All sub-processors have appropriate data processing agreements and adequate GDPR-compliant protections.
Data is not transferred elsewhere unless contract performance, legal obligations, or public authority demands require it.
We use AI tools and services in the course of providing our consulting services. These tools are used for tasks such as analysis, research, drafting, content generation, software development, and building search and retrieval systems for client data.
Your data is not used for training AI models (modifying model weights or parameters). AI tools may be used for indexing, vector embeddings, and retrieval-augmented generation (RAG) solely for service delivery. These techniques do not modify the AI model and all data remains within secured infrastructure.
AI service providers may temporarily retain data for operational and safety purposes in accordance with their own data processing terms. Such retention does not constitute AI training.
A current list of AI service providers is maintained at www.koskinen.co/legal/sub-processors. Further details on AI-assisted processing are described in our Data Processing Agreement at www.koskinen.co/legal/dpa.
Personal data retention periods: (a) Customer relationship data: duration of business relationship plus six years for accounting and legal compliance; (b) Communication records: duration of business relationship plus five years for contractual reference; (c) Website usage data: up to twenty-four months; (d) Marketing data: until consent withdrawal or processing objection; (e) AI processing data (vector embeddings, search indexes, cached AI-generated responses): duration of the engagement plus a reasonable transition period not exceeding ninety (90) days, after which all such data is deleted.
After these periods, data is securely deleted or anonymised.
Data may be transferred outside the EU or EEA by third parties. Data processing likely involves international transfers.
For international data transfers to countries not covered by an adequacy decision of the European Commission, we rely on the European Commission’s Standard Contractual Clauses and ensure adequate protections complying with GDPR requirements.
We have ensured that third parties maintain data servers within the EU or EEA, or employ appropriate security measures for compliant international transfers.
Data is protected with appropriate security measures. Computers accessing data are encrypted. Access to data processing services uses strong passwords and, where applicable, two-factor authentication. VPN connections are used wherever possible.
We use AI tools to assist with our work, but all decisions that affect you are made by humans. AI tools may generate drafts, analyses, or recommendations, but these are always reviewed by a person before any action is taken. We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you without human involvement.
Cookies improve user experience and display relevant content. Cookies are small data files that are stored on your device.
Cookie types used: (a) Necessary cookies: required for website functionality; (b) Analytics cookies: understand visitor interactions; (c) Marketing cookies: track visitors across websites for relevant advertisements.
Users may opt out of non-essential cookies upon first website access or through browser settings. Disabling certain cookies may affect website functionality.
Under GDPR, you have the following rights: (a) Right of access: know whether data is collected and obtain copies; (b) Right to rectification: correct inaccurate, expired, or incomplete data; (c) Right to restrict processing: limit what data is processed, duration, and methods; (d) Right to data portability: receive data in structured, commonly used, machine-readable format; (e) Right to erasure: request erasure unless processing is necessary for legal obligations or contract performance; (f) Right to object: object to processing unless compelling legitimate grounds exist; (g) Right to withdraw consent: withdraw consent anytime without affecting prior lawfulness; (h) Right to lodge a complaint: lodge complaints with the Office of the Data Protection Ombudsman (tietosuoja.fi).
These rights may be exercised by contacting the organization.
This privacy policy may be updated if our work or legislation changes. Changes take effect upon publication.
If a change causes the legal basis for data collection, control, and processing to lapse, we will ensure that a legal basis is restored. Otherwise, data is deleted in accordance with applicable privacy laws.
Koskinen Family Business Oy
Email: matias@koskinen.co
Phone: +358 40 845 7632