Shoulderuewasher

Data protection

Privacy Policy

Last updated . This extended statement explains what personal data we collect through shoulderuewasher.world, why we process it, how long we keep it, and which independent remedies exist if you disagree with our practices.

Plain-language summary

We run an informational nutrition guidance studio in Helsinki. Most visitors browse anonymously until they email us or buy materials. We avoid surprise tracking: optional analytics or marketing tools activate only through the cookie preferences panel.

01 Introduction

European Union data protection law—including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Finland’s national implementing acts—requires transparency whenever organisations handle personal data. This Privacy Policy satisfies that transparency obligation for activities tied to the website shoulderuewasher.world and to offline coordination performed by the same brand.

The Policy applies whether you simply read articles, download educational nutrition worksheets, contract consulting conversations, or correspond about refunds. Where an individually negotiated agreement contradicts this document on a specific commercial point, the agreement controls for that engagement only.

Not medical advice

Personal data you share about meals or routines is processed strictly for informational coaching context. We do not use your messages to diagnose diseases or to infer special-category health outcomes beyond what you voluntarily disclose.

Visitors from online advertising

If you reached shoulderuewasher.world through paid placements shown in Finland or elsewhere in the EU/EEA, the same privacy principles apply. Landing pages identify the business, link to legal policies, and describe non-medical services only. Measurement tags on this domain respect your cookie choices; platforms that served the ad process data under their own policies.

We do not bait-and-switch travellers from ads to unrelated offers, and we do not withhold pricing, refund rules, or contact channels required for informed purchasing decisions.

02 Data controller

The controller deciding why and how personal data is processed is Shoulderuewasher. Correspondence address: Mannerheimintie 96, 00250 Helsinki, Finland. Generic inbox: online@shoulderuewasher.world. Telephone: +358 300 20200.

We have not appointed an EU representative separate from the controller because processing occurs within Finland and we do not systematically monitor individuals outside the Union beyond incidental website visits. Should processing patterns change, we will update this Policy accordingly.

03 Material scope

This Policy covers:

  • HTTP/S interactions with pages hosted on shoulderuewasher.ddd.
  • Email threads initiated through addresses published on the site.
  • Calendar scheduling tools embedded or linked from proposals we send after you express interest.
  • Invoicing, receipts, and fulfilment records connected to educational downloads or programs.

Third-party platforms that you reach via outbound links operate under their own policies; review those documents before submitting personal data elsewhere.

04 Categories of personal data

Depending on your choices, we may process:

Identity & contacts

Full name, billing address, delivery email, telephone numbers you supply on forms or invoices.

Commercial records

Purchase references, VAT identifiers where legally required, chosen payment channel category (we typically never store full card numbers because payment processors tokenise them).

Communications

Message bodies, attachments, consent timestamps, and outcome notes tied to customer-care replies.

Technical telemetry

Server logs including truncated IP addresses, user-agent strings, timestamps, HTTP status codes.

05 Potentially sensitive narratives

GDPR Article 9 protects special categories of personal data such as explicit health details. We do not ask you to upload clinical diagnostics. If you voluntarily describe allergies or dietary constraints inside free-text boxes, we treat that text as confidential coaching context and minimise duplication across internal notes.

You may request erasure of such narratives subject to statutory retention exceptions (for example unresolved payment disputes).

06 Sources of personal data

Most records originate directly from you. Occasionally we receive forwarding introductions from partner studios when you have already given consent for that introduction; we confirm legitimacy before merging details into our CRM notes.

07 Purposes and lawful bases

  1. Website integrity — legitimate interests (Art. 6(1)(f) GDPR) in securing TLS endpoints, mitigating bots, and diagnosing outages.
  2. Pre-contract discussions — steps prior to entering a contract (Art. 6(1)(b)) when you request quotations.
  3. Contract delivery — performance of contracts (Art. 6(1)(b)) when we supply PDF guides or schedule consulting blocks.
  4. Legal compliance — obligations such as Finnish Accounting Act recordkeeping (Art. 6(1)(c)).
  5. Optional measurement cookies — consent (Art. 6(1)(a)) collected via the banner documented in our Cookie Policy.

Where legitimate interests apply, we balance them against your freedoms; you may object under Article 21 GDPR where grounds relate to your particular situation.

08 Recipients and processors

We engage subprocessors bound by Article 28 GDPR agreements. Typical categories include secure hosting within the EU/EEA, transactional email delivery, calendar scheduling APIs, accounting SaaS, and—only if you consent—analytics or advertising measurement vendors.

An up-to-date overview of processor categories is available on written request; naming individual vendors may be restricted where confidentiality clauses apply, but we never sell mailing lists.

09 International transfers

If a processor stores backups outside the EEA, we implement EU Commission Standard Contractual Clauses (2021/914) or rely on adequacy decisions. Copies of transfer impact assessments may be summarised upon justified request.

10 Storage periods

  • Marketing inquiries without conversion: up to twenty-four months unless you ask sooner for deletion.
  • Contracts and invoices: aligned with Finnish bookkeeping statutes (regularly six or ten fiscal years depending on document type).
  • Cookie consent strings: until you reset preferences or withdraw consent, plus an additional grace window for audit evidence.
  • Security logs: rolling ninety-day retention unless an incident investigation requires isolation of forensic subsets.

11 Technical and organisational measures

Measures include role-based access control, encrypted transport (HTTPS), segregated production credentials, periodic credential rotation, vulnerability patching windows aligned with severity scoring, and confidentiality commitments from anyone handling raw message queues.

No cloud architecture eliminates risk entirely. Notify us without undue delay if you suspect unauthorised account usage so we can revoke sessions.

12 Data subject rights

You may contact us to exercise rights of access, rectification, erasure, restriction, objection (where applicable), and data portability for structured datasets produced automatically. Consent-based processing may be withdrawn without retroactive invalidity.

Identity verification may require answering security questions when disclosure risks harming another person’s privacy.

Supervisory authority

You may lodge a complaint with the Office of the Data Protection Ombudsman (Finland) if you believe processing infringes GDPR.

13 Automated decision-making

We do not make solely automated decisions that produce legal or similarly significant effects concerning you. Pricing adjustments always involve human review.

14 Children

Offerings target adults. If guardians discover that a minor submitted personal data without consent, email us to arrange deletion.

15 Changes

Material revisions receive an updated publication timestamp at the top of this Policy. Continued use after thirty days constitutes acknowledgement unless mandatory law requires express renewed consent.

16 Contact

Privacy-related correspondence should reference “Privacy Request” in the subject line and indicate whether you seek access, correction, deletion, or portability. We respond within one month unless complexity warrants an extension permitted under Article 12 GDPR.

For complementary technical detail about cookies, open the Cookie Policy. Commercial rules appear in the Terms of Use.