Privacy policy

4dBarn Privacy Policy, updated 12.4.2022.

This is 4dBarn Oy’s Privacy Policy. It is written in accordance with the EU General Data Protection Regulation (GDPR) and informs data subjects about the processing of their personal data. Last updated 12 April 2022.


1. Registry managed by

4dBarn Oy

Isokatu 16 B 11
90100 Oulu, Finland


2. Contact person in matters related to the registry

Virpi Huotari - CEO.

E-mail: virpi.huotari(at)4dbarn.com

Phone number: +358 400 786933

3. List of Data subject groups

Groups of registers containing personal data of data subjects:

  • Customer register
  • Marketing register
  • Website visitors


4. Criteria and purpose of processing personal data 

Customer register

The legal basis for processing personal data is the legitimate interest of the controller or the agreement between the parties. Personal data is used for customer communications and other customer relationship management, management, development, analysis, measurement, service provision and personalisation, and business development and planning. 


Consent may be requested from the customer to disclose and process personal data in the provision of external services.


Marketing register

The legal basis for processing personal data is having obtained consent for marketing to individuals and the legitimate interest of the controller in the event there is contact between companies and other organisations. 


Website visitors

Website visitor data is processed based on the legitimate interest of the data controller, e.g., ensuring data security and collecting statistics about visitors to the site.


Consent may be required for the use of non-essential cookies.


5. Types of data collected in the register and data retention policy


Customer register

  • The person’s name
  • Contact information (address, e-mail address, and phone number)
  • The name of the company, company size and other information describing the company’s operations
  • Company contact and billing information 
  • Customer relationship management information such as contracts, products and services purchased, and other necessary information
  • Information about the services used by the customer and their changes
  • Consent and prohibited uses 
  • Social media service identifiers, to the extent that their use in communication has been approved
  • The network connection IP address
  • Any other information collected with the customer’s consent


The information is retained for as long as it is needed to implement the customer’s agreement/contract or develop customer service.  Some personal information, such as contact information, is retained for possible further cooperation. In addition, some personal information is retained for archival purposes in accordance with the requirements of the Accounting Act (e.g. billing information, contact person details, contact information, services purchased, correspondence related to a transaction, and other possible accounting material certifying the transactions).


Marketing register

  • The person’s name
  • Contact information (address, e-mail address, and phone number)
  • The name of the company, company size and other information describing the company’s operations
  • Business contact details
  • Consent and prohibited uses 
  • Information that promotes marketing and sales, such as marketing actions targeted at the data subject
  • Social media service identifiers, to the extent that their use in marketing has been approved
  • The network connection IP address
  • Any other information collected with consent


The data will be kept for as long as it is needed for marketing purposes, or until the person withdraws his or her consent or prohibits the use of his or her data for direct marketing. The company’s or other organisation’s contact person’s contact details will also be removed from the register if they are found to have left that role.


Website visitors

  • IP address
  • Essential cookies
  • Non-essential cookies and the consent on which their use is based


The data is kept for as long as it is needed to keep the website secure. The purpose and retention policy of cookies is described in more detail in connection with the cookie notification on the website.

6. Lawful data sources

Customer register and marketing register

The data stored in the register is obtained from the customer, e.g. messages sent via web forms, e-mail, telephone, social media, instant messaging services, marketing services, events, training, contracts, affiliates, customer meetings, and other situations in which a customer discloses information.


The contact details of companies and other organisations may also be collected from publicly available sources such as websites, directory services, and other companies.


Website visitors

Data is automatically collected when you visit the website and in instances where the website visitor consents to the use of non-essential cookies.

7. Lawful disclosure and transfer of data outside the EU or the EEA

The data will not be disclosed for any purpose other than the original purpose of processing personal data mentioned in this document. 


The data may be published to the extent agreed with the customer individually.


The data may be disclosed to our subcontractors with whom the controller has an agreement to process personal data. In this situation, our subcontractor uses the data in the role of the personal data processor on behalf of the controller. Our subcontractors keep data confidential and within the scope of the cooperation agreement and will not disclose it to third parties. We use subcontractors to finalise plans and carry out marketing activities.


The controller may transfer data with the data subjects' consent outside the EU or the EEA and through boilerplate contract clauses and additional safeguards approved by the European Commission.


Personal data processors we use:


General Information

  • Website and e-commerce maintenance and development services (including Shopify and its subprocessors)
  • E-mail and cloud providers (e.g. Google)
  • Security and network service providers
  • Cooperation and project management platforms (e.g. Slack and Trello)
  • Social media services and instant messaging services to the extent that consent has been obtained for their use in communication (e.g. Facebook, Instagram, LinkedIn, Twitter, YouTube, TikTok, WhatsApp, and Line)
  • Accounting and other billing and bookkeeping services
  • Third parties’ visitor tracking and marketing services: subject to consent to non-essential cookies


Customer register 

  • Learning platforms (LearnWorlds and its subprocessors)
  • Remote work applications (Microsoft Teams)
  • Subcontractors (e.g. Arkkitehtitoimisto Jouni Pitkäranta Oy)


Marketing register

  • Marketing and e-mail newsletter services (e.g. Hubspot and its subprocessors)
  • Advertising platforms (e.g. Google, Meta)


8. Registry security principles

Securely processing your personal data is important to us. Your data is mainly stored in an electronic system. Access to the system requires a username and password. Firewalls and other technical means also protect the system. The controller shall ensure that the data stored, the access rights to the servers, and other information critical to the security of personal data, are all kept confidential and only known to the employees to whose job description it belongs. Paper documents such as signed contracts are kept in locked facilities. The aim is to minimise data collection and retention time.


9. Right to access data and right to correct data

Every person in the register has the right to access their data stored in the register and to correct any incorrect data or complete incomplete data. If a person wishes to access or correct their stored personal data, they must send a written request to the registrar at virpi.huotari(at)4dbarn.com. If necessary, the controller may ask the applicant to prove his or her identity. The controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).

10. Other rights related to the processing of personal data

The data subject has the right to request the erasure of his or her personal data from the register (“the right to be forgotten”) if the processing is no longer necessary or the data have been processed with consent, and the data subject withdraws his or her consent. However, the controller may have statutory or other rights not to erase the data requested. 


Data subjects also have other rights under the EU General Data Protection Regulation. Requests should be made in writing and sent to the registrar at virpi.huotari(at)4dbarn.com. If necessary, the controller may ask the applicant to prove his or her identity. The controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).


The data subject may appeal our decision to the Finnish Data Protection Supervisor and demand that we limit the processing of the disputed data until the matter is resolved. 


The data subject has the right to lodge a complaint with the Data Protection Officer if he or she feels that we are in breach of the applicable data protection legislation regarding the processing of personal data.

Data Protection Officer contact details: https://tietosuoja.fi/yhteystiedot