Privacy Policy

Last updated: April 2025

1. Data controller

The data controller for personal data processed through Satomaa is:

Muhammad Imran (Satomaa)

Finland

imran.conttact@gmail.com

2. What data we collect and why

Consumers (buyers)

Data | Why
Name, email address | To create your order, send a confirmation email, and send a pickup reminder
Phone number | Optional. Shared with the producer so they can contact you about your order
Order history | To display your past orders in your account and to allow producers to fulfil your order correctly
Payment data | We do not process or store any payment data. Payments are made directly between you and the producer (via MobilePay or at pickup). Satomaa never sees card numbers, bank details, or payment credentials

Producers (sellers)

Data | Why
Name, email address | Account login and identification
Profile photo, bio, farm/business name | Displayed publicly on your producer profile and event pages to build consumer trust
Phone, website, Instagram | Optional. Displayed on your event page if you choose to share them
Certifications (e.g. organic, local) | Displayed as trust badges on your profile and events
Pickup address and instructions | Shown to consumers who have placed an order for your event
Product listings and sales data | To run your events and show you order summaries

3. Legal basis for processing

We process your personal data on the following legal grounds under GDPR Article 6:

  • Contract performance — processing name, email, and order data to fulfil your order or run your producer account.
  • Legitimate interest — operating a secure and functional marketplace, preventing fraud, and sending transactional emails (order confirmation, pickup reminder) that users reasonably expect.
  • Legal obligation — retaining accounting records as required by Finnish bookkeeping law (Kirjanpitolaki 1336/1997).
  • Consent — any optional marketing emails. You can withdraw consent at any time by emailing us.

4. How long we keep your data

Data category | Retention
Account and profile data | Until you delete your account, then up to 12 months
Order records | 6 years from the end of the financial year, as required by Finnish bookkeeping law
Email communication logs | Up to 12 months

5. Who we share your data with

We do not sell personal data. We share data only with the following service providers who process it on our behalf under GDPR-compliant data processing agreements:

Supabase

Database and user authentication · EU (AWS eu-west-1)

Resend

Transactional email (order confirmations, reminders) · EU data residency available

Vercel

Web hosting and infrastructure · EU region

Between producers and consumers: When you place an order, your name, email, and optionally phone number are shared with the producer so they can fulfil your order. By ordering you consent to this sharing.

6. Cookies and tracking

Satomaa uses only the minimum cookies necessary to run the service:

  • Session cookie — keeps you logged in while you use the site. Deleted when you log out or close your browser.
  • CSRF protection cookie — protects against cross-site request forgery attacks. No personal data.

We do not use advertising cookies, tracking pixels, or third-party analytics scripts. We do not track you across other websites.

7. Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — if processing is based on consent (e.g. marketing), you can withdraw at any time.

To exercise any of these rights, email imran.conttact@gmail.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Data security

All data is transmitted over TLS-encrypted connections. Your data is stored in the EU. Access to personal data is restricted to authorised personnel only. We use industry-standard security practices and require our service providers to do the same.

9. Complaints

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman:

Tietosuojavaltuutetun toimisto

Ratapihantie 9, 00520 Helsinki

tietosuoja.fi

10. Changes to this policy

We may update this policy from time to time. We will notify registered users by email of any significant changes before they take effect. The “last updated” date at the top of this page always reflects the current version.