Privacy Policy
We openly describe how we process your personal data securely and in accordance with GDPR.
Data Controller
Company: Willit Oy
Business ID: 3570240-8 / FI35702408
Address: Löytökyläntie 311, 91310 Arkala
Willit Oy provides an online marketplace service, in connection with which we process personal data for purposes such as providing and developing the service.
All personal data is stored within the EU or EEA, primarily in Finland.
What Data We Collect
Data You Provide
We collect the following data in connection with using the service:
- Identification and contact details (e.g., name, email address).
- User settings and communication preferences.
- Orders, listings, and payment transaction references.
- Customer service contacts.
Automatically Collected Data
We collect limited technical data to ensure the service works properly:
- Pageview and visitor statistics in aggregated form.
- Search terms and phrases to develop the service.
- Error and performance data.
Data is processed in such a way that an individual user cannot be identified without additional information.
Purposes and Legal Bases for Processing Personal Data
We process personal data for the following purposes:
Providing the service
User account management, order processing, and customer service.
Legal basis: Performance of a contract
Service communications
Sending service-related notifications and messages.
Legal basis: Contract
Service development and security
Bug fixing and usage analysis.
Legal basis: Legitimate interest
Fraud prevention and security
Preventing fraud, abuse, and data security breaches.
Legal basis: Legitimate interest
Recommendations and personalization
Recommending relevant content and items to the user. Recommendations may be based on usage data and may involve profiling. You can object to this processing at any time.
Legal basis: Legitimate interest
Marketing
Communications and sending marketing messages. You can withdraw your consent or opt out of marketing at any time.
Legal basis: Consent or legitimate interest where applicable
Legal claims and dispute resolution
Handling complaints, asserting and defending legal claims.
Legal basis: Legitimate interest
Statutory obligations
Accounting, taxation, other statutory obligations, and regulatory requirements.
Legal basis: Legal obligation
Data Protection
We use appropriate technical and organizational safeguards to protect personal data. Data is stored in secure systems within the EU/EEA and access rights are limited to personnel who need them. Data transfers are encrypted.
Data Retention Periods
We retain personal data only as long as necessary to fulfill the purposes of use:
- User account: as long as the account is active. After closure, data is deleted or anonymized within 12 months.
- Accounting and contract data: 6–10 years as required by law.
- Usage data: anonymized or deleted within approximately 18 months.
Disclosures and Processors of Personal Data
We use external service providers to process personal data, such as:
- Cloud and hosting services.
- Payment service providers (e.g., Visma Payments Oy).
- Customer service and communication systems.
These parties process personal data only according to our instructions.
If personal data is transferred outside the EU/EEA, we ensure the transfer takes place in accordance with the GDPR, for example based on a European Commission adequacy decision or Standard Contractual Clauses.
Cookies
We only use strictly necessary cookies:
- Session cookie for login.
- Cookie related to security.
We do not use analytics or tracking cookies or external tracking scripts.
Automated Decision-Making
We do not make decisions about you that are based solely on automated processing and would have significant legal effects.
Minors
The service is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors.
Rights of the Data Subject
You have the right to exercise the rights provided under the GDPR in relation to your personal data. However, the scope of these rights may vary depending on the basis of processing and the situation.
You have the right to:
- Be informed whether we process personal data concerning you, and access this data.
- Request the rectification of incorrect or incomplete data.
- Request the deletion of data when there is no longer a basis for its processing.
- Request restriction of processing in certain situations.
- Transfer the data you have provided in a structured and commonly used format to another controller.
- Object to the processing of personal data when processing is based on legitimate interest.
- Prohibit the use of personal data for direct marketing at any time.
- Withdraw the consent you have given, if processing is based on consent.
- File a complaint with the data protection authority if you believe processing violates the GDPR.
Please note that exercising these rights may require verification of your identity, and in certain cases we may not be able to fulfill your request if there is a statutory or other justified reason for processing.
Data Breaches
We report data breaches to the supervisory authority and, where necessary, to data subjects in accordance with data protection legislation, within the 72-hour deadline required by the GDPR.
Contact
If you have questions about data protection or wish to exercise your rights, please contact us:
We respond to requests within 30 days.