Privacy Policy
Oikio Digital Oy & Oikio Oy
Last updated: 1 January 2026
This Privacy Policy explains how the Oikio companies (together “Oikio”) process personal data as part of our digital solutions, expert services and customer service. We respect your privacy and comply with the EU General Data Protection Regulation (GDPR).
1. Controllers and joint controllership
Your personal data is processed by the following companies as joint controllers under Article 26 of the GDPR:
| Company | Business area |
|---|---|
| Oikio Digital Oy, Business ID: 1755007-6 | Digital self-service solutions: Kotisivukone, Mainontakone and Sisältökone |
| Oikio Oy, Business ID: 2754417-1 | Consulting, strategy, data and training services |
The companies use a shared customer relationship management system (CRM), the shared Oikio Studio service channel and shared technical infrastructure. The companies have agreed on their mutual responsibilities in accordance with Article 26 of the GDPR. Both companies are responsible for implementing data subject rights, and data subjects may exercise their rights towards either company.
2. Contact details and service point
We want to make it easy for you to exercise your data protection rights. You may contact either company, but we recommend using our central contact point:
• Email: dpo@oikio.fi
• Postal address: Firdonkatu 2 T 151, 00520 Helsinki
• Service channel: Oikio Studio or your customer contact person
Data Protection Officer: The Oikio companies have voluntarily appointed a Data Protection Officer, even though this is not required by law.
• Data Protection Officer: Jari Puhakka
• Email: dpo@oikio.fi
3. Corporate restructuring and business continuity
A structural change in the Oikio business took effect on 1 January 2026. The arrangement was based on the partial demerger of Fonecta Oy (Business ID 1755007-6). As a result, Oikio Digital Oy is the legal successor of the original legal entity. Oikio Digital Oy is responsible for the business, contracts and data that belonged to that Business ID before the name change, excluding the businesses transferred elsewhere in the demerger. The demerger does not affect the business of Oikio Oy, which continues to be responsible for specialised consulting, strategy, data and training services.
4. Personal data we process
We process information that is necessary for providing our services and managing customer relationships.
4.1 Identification and contact details
Name, title, company represented, email address and telephone number.
4.2 Customer and contract information
Contract information, order history, invoicing details, payment delays and debt collection information.
4.3 Service-specific content and log data
User IDs, service usage history, materials entered into Kotisivukone and Sisältökone, and Mainontakone campaign data.
4.4 Communications data
Messages in Oikio Studio, chat logs, email communications and training registrations.
4.5 Marketing data
Cookie data, marketing consents and opt-outs. More information about our cookie practices is available on our website.
5. Legal bases for processing
| Legal basis | Purpose | Examples |
|---|---|---|
| Contract, GDPR Article 6(1)(b) | Performance of a contract or steps before entering into a contract | Providing services, processing orders, invoicing |
| Legal obligation, GDPR Article 6(1)(c) | Compliance with statutory obligations | Accounting, taxation |
| Legitimate interest, GDPR Article 6(1)(f) | Legitimate interests of the controller or a third party | Customer relationship management, service development, information security |
| Consent, GDPR Article 6(1)(a) | Consent given by the data subject | Electronic direct marketing, cookies |
6. Recipients and disclosures of data
Personal data may be disclosed to the following recipient groups:
• Subcontractors and service providers, such as IT services, cloud services, payment services, accounting and debt collection. These parties process data on behalf of the controller under a data processing agreement.
• Authorities, such as tax authorities, enforcement authorities and other competent authorities, where required to comply with legal obligations.
• Internal transfers within the Oikio group, where data may be transferred between joint controllers for customer relationship management.
• Fonecta Group Oy group companies, where data may be transferred to other Fonecta Group Oy companies for the legitimate interests of the group, such as group administration and shared services.
• Advertising platforms, such as Google, Meta and other advertising platforms, for delivering Mainontakone services.
7. Transfers outside the EU/EEA
As a rule, personal data is not transferred outside the European Economic Area (EEA). We primarily process personal data on servers located in the EU/EEA.
If we exceptionally use service providers whose servers are located outside the EU/EEA, we ensure an adequate level of data protection through mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework certification or another equivalent transfer mechanism, together with supplementary safeguards where necessary. Further information on possible transfers and transfer mechanisms is available on request.
8. Data retention periods
- Customer and contract information: for the duration of the customer relationship and, as a rule, for 3 years after it ends, in case of possible legal claims.
- Accounting records: 6 years from the end of the financial year, based on a legal obligation.
- Marketing data: for the duration of the active customer relationship or until consent is withdrawn. Direct marketing opt-outs are retained indefinitely.
9. Data subject rights
You have the following rights under the GDPR:
| Right | Description |
|---|---|
| Right of access | The right to receive confirmation of processing and a copy of your data. |
| Right to rectification | The right to request correction of inaccurate data. |
| Right to erasure | The right to request deletion of data, unless there is a legal basis for retaining it. |
| Right to restriction of processing | The right to restrict processing in certain situations. |
| Right to object | The right to object to processing based on legitimate interest or to direct marketing. |
| Right to withdraw consent | The right to withdraw consent at any time. |
Right of access
An access request can be submitted using an electronic form. The form is signed with an electronic signature using online banking credentials or a mobile certificate.
Alternatively, a signed access request can be sent in writing to: Oikio Companies / Data Protection Officer, P.O. Box 6, 00521 Helsinki, Finland.
Direct marketing opt-out
You can opt out of direct marketing from both companies with one notice by clicking the “Unsubscribe” link in our emails or by sending a message to dpo@oikio.fi.
10. Artificial intelligence and automated decision-making
Oikio Digital Oy’s self-service solutions use artificial intelligence (AI), for example in content production and advertising optimisation.
Automated decision-making and profiling
We do not make automated decisions that would have significant legal effects on data subjects without human involvement. Mainontakone campaign analytics includes profiling for defining target groups, but this does not result in legal effects for individuals.
AI training
We do not use customers’ confidential data to train general AI models without an explicit agreement.
11. Information security
We protect personal data with appropriate technical and organisational measures:
- Technical safeguards: encryption of data in transit and at rest, access control, firewalls, logging and regular security updates.
- Organisational safeguards: staff data protection training, confidentiality commitments, access rights management as needed and subcontractor audits.
- Data breaches: potential data breaches are reported to authorities and, where necessary, to data subjects within the timeframe required by the GDPR.
12. .fi domain name registrar activities
Acting as a .fi domain name registrar means making registration entries in the .fi domain name register and managing that information, including updates. Entries in the .fi domain name register may only be made by an operator that has submitted a registrar notification to Traficom, i.e. a .fi domain name registrar.
As a .fi domain name registrar, Oikio Digital Oy acts as an independent controller under the GDPR for the personal data of .fi domain name users processed in its registrar activities.
Purpose of processing
As a .fi domain name registrar, Oikio Digital Oy collects and processes personal data of .fi domain name users to register .fi domain names. The registrar enters the data in the .fi domain name register of the Finnish Transport and Communications Agency Traficom and maintains the data, for example when updating the domain name user’s contact details.
Personal data is processed for managing and maintaining domain name registrations, customer relationship management, service development and statistics, invoicing and debt collection, and marketing where the customer has given consent.
Legal basis
The Act on Electronic Communications Services (917/2014) and Domain Name Regulation 68/2016 M form the legal basis under the GDPR for processing personal data of .fi domain name users for registering and managing .fi domain names and carrying out registrar activities.
The .fi domain name registrar stores data in the .fi domain name register in accordance with sections 164(2), 165, 167, 168 and 170 of the Act on Electronic Communications Services.
Personal data processed
The following personal data must be reported to the .fi domain name register and processed in registrar activities. By law, the registrar must provide the following data about the .fi domain name user and keep it up to date:
• Name
• Personal identity code or other unique identifier
• Postal address
• Telephone number
• Contact person and contact person’s telephone number for legal entities
• Email address (service address)
For legal entities, the following personal data relating to contact persons is collected in addition to basic company information:
• basic information about the data subject, such as name, postal address, email addresses, telephone numbers and occupation
• name of the user or contact person
• employer company name and Business ID
• information related to customer relationships, other relevant connections and contracts, such as purchased services with start and end dates, sales information related to the contract, authentication data related to service use, and information on the use of services and benefits
• information on direct marketing consents and opt-outs
• event and user analytics data
• invoicing and debt collection data
• business customer service contacts, support requests and work requests
• recordings of other communications related to customer service situations, such as chat
• IP address
• date of birth in domain services if a Business ID is not available
Regular sources of data
Personal data is mainly obtained from the data subject when registering a domain name or using the service. Data may also be collected and updated from registers maintained by authorities and from partners.
Retention period
Oikio retains personal data at least for the duration of the customer relationship and for a necessary period afterwards. Detailed customer relationship data is then deleted unless pending complaints or disputes require continued processing. Certain data is retained longer where necessary to comply with legal obligations, such as accounting legislation.
Recipients of personal data
Oikio Digital Oy may disclose personal data in the register within the limits permitted and required by applicable law, particularly to national and international bodies responsible for domain name administration and to authorities where legally required.
13. Meta Business Tools and joint controllership
Oikio uses Meta Business Tools to help analyse our products and reach and serve users better. These tools include the Meta pixel and Oikio’s Meta community pages on Facebook and Instagram.
Oikio and Meta Platforms Ireland Limited are joint controllers under Article 26 of the GDPR for personal data relating to users’ activities on our website and applications collected through Meta Business Tools integrations, such as website visits, content interactions and event tracking.
More information about the processing of personal data by Meta and page administrators, and about the division of responsibilities between joint controllers, is available in Meta’s Controller Addendum and the privacy policy of Meta Platforms Ireland Limited at www.facebook.com/privacy/policy.
Oikio has entered into a written joint controllership agreement with Meta Platforms Ireland Limited in accordance with Article 26 of the GDPR.
14. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the Data Protection Ombudsman if you believe that your personal data has been processed in breach of data protection law.
Office of the Data Protection Ombudsman
• Visiting address: Lintulahdenkuja 4, 00530 Helsinki
• Postal address: P.O. Box 800, 00531 Helsinki
• Email: tietosuoja@om.fi
• Website: www.tietosuoja.fi
15. Changes to this policy
We update this Privacy Policy when necessary. We will announce material changes on our website and, where necessary, notify data subjects directly. We recommend reviewing this policy regularly.
