Privacy Policy
Updated 4 December 2025
This privacy policy explains how AT aesthetics Oy collects and processes customers’ personal data. All processing of personal data complies with applicable legislation and follows the data protection principles of the EU General Data Protection Regulation (GDPR).
DATA CONTROLLER
The data controller under the applicable data protection laws is AT aesthetics Oy. AT aesthetics Oy is responsible for ensuring that your personal data is processed in accordance with this privacy policy and relevant data protection legislation.
Contact details of the data controller:
AT aesthetics Oy
Business ID:
Metsäkulmantie 10, 33950 Pirkkala
alisatalasma.aesthetics@gmail.com
1. COLLECTION OF PERSONAL DATA
Your personal data is collected in various ways depending on the situation. I collect and process personal data that:
– you provide when contacting or dealing with me, e.g., during a customer relationship or when you request a quote or information
– is generated when you visit the website
– is obtained from partners during system use or maintenance
– is received through automatic updates
I collect and process the following categories of personal data:
– basic information such as name and contact details (email, address, phone number)
– information related to the customer relationship, payment details, invoicing information, marketing permissions and prohibitions
– customer enquiries, related correspondence, and records concerning data subject rights
– data generated when using the website, such as information collected via cookies or similar technologies (device ID and type, operating system, app settings)
– log data
2. PURPOSE AND LEGAL BASIS OF PROCESSING PERSONAL DATA
I collect and process personal data only when necessary for conducting business, managing customer relationships, and for other legitimate purposes. Your personal data is processed for the following purposes:
Customer relationship management
Personal data is processed to maintain the relationship between you or your organisation and us. The legal basis is contractual necessity.
Marketing
I may contact you about new products or to market and sell other products. I may also process your data for market research and customer surveys. The legal basis is legitimate interest or consent.
Invoicing
I process personal data to send and receive invoices. The legal basis is a legal obligation, contractual necessity, or legitimate interest.
Service development, information security, and internal reporting
Personal data is processed to ensure the security of the customer relationship and the website, to improve quality, and for development purposes. I may also compile internal reports for management. The legal basis is legitimate interest.
Compliance with legal obligations
Personal data may be processed to fulfil legal obligations, such as accounting requirements or responding to legitimate requests from authorities. The legal basis is a legal obligation.
Other purposes based on your consent
Your personal data may also be processed for other purposes when you have given your consent. The legal basis in these cases is consent.
For processing based on legitimate interest, a balancing test has been conducted to ensure the appropriateness of the processing.
3. TRANSFERS AND DISCLOSURES OF PERSONAL DATA
I may transfer or disclose personal data to third parties:
– when a partner or subcontractor processes data on my behalf. Subcontractors are used on a case-by-case basis.
– when I consider disclosure necessary to protect rights, ensure your or others’ safety, investigate misuse, or respond to an authority request
– with your consent, to the parties covered by that consent
A data processing agreement (DPA) is in place with all data processors, or data processing is defined in the main contract. I instruct data processors and ensure proper and appropriate handling of personal data.
4. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
If data processing requires transfers outside the EU or EEA, appropriate safeguards are used.
I may transfer personal data outside the EU or EEA when a partner or their subcontractor is located outside these areas. Such situations include:
– Squarespace (Squarespace’s data transfer mechanisms)
5. RETENTION OF PERSONAL DATA
Personal data is stored only as long as necessary to fulfil the purposes defined in this policy. The retention period is 10 years.
Personal data is stored for the duration of the customer relationship. It may also be retained after the end of the customer relationship to the extent permitted or required by applicable law. Data is deleted when it is no longer necessary for compliance with the law or for fulfilling the rights or obligations of either party.
6. YOUR RIGHTS AS A DATA SUBJECT
Under the GDPR, you have the right to access the personal data stored about you, request correction of inaccurate data, withdraw your consent for data processing, or request deletion of your data. You may also prohibit the use of your data for marketing purposes.
If processing is based on consent, you may withdraw your consent at any time. After this, your data will no longer be processed unless another legal basis applies.
You can exercise your rights by sending a request to alisatalasma.aesthetics@gmail.com.
If you believe your personal data has been processed improperly, you have the right to contact the Data Protection Ombudsman. Contact details can be found on the Data Protection Ombudsman’s website.
7. DATA SECURITY
Access to personal data is restricted to individuals who need it to perform their work duties.
8. CHANGES TO THIS POLICY
This policy may be updated. Please check the privacy policy for the most up-to-date information.
9. CONTACT
If you have any questions about this policy or require further details on how your personal data is processed, please contact alisatalasma.aesthetics@gmail.com.