Privacy

Johku Privacy Policy

Johku is an Internet technology created for the new era of digital commerce, whereby a company, entity or other entity with a business identifier (hereinafter " Merchant ") sells its products and services and, in turn, an individual customer, company or entity (hereinafter " User ") buys the products and services sold by the Merchant. Johku is developed and operated by Aptual Commerce Oy (ID:2735384-2, hereinafter "Johku" or " We").

This document describes in more detail the principles and rights of the data subject and the Merchant that Johku applies to the processing of personal data. The new EU Data Protection Regulation is one of the most significant international legal changes in the field of data protection, which aims to increase transparency and manageability of the processing of personal data from the individual's perspective. In our development work, we aim to fully comply with the provisions of the Regulation and to go even further.

By using the Johku-based shop and by purchasing from Merchants, you accept the terms of this Privacy Policy as your own. Similarly, by using Johku to sell products and services, the Merchant accepts the terms of the Privacy Policy as applying to him/her.

Where the privacy documentation was last modified on 5.12.2023

Processing of personal data in Johku

1 Merchants and others interested in Johku

1.1 Collection of data, creation of registers and the data controller

1.2 What data we process, why and for how long

1.3 Specific situations for data processing

1.3.1 Google Calendar and Johku

1.4 Data retention period

1.5 Disclosure and transfer of data

1.6 Safety, security and risks

1.7 Rights of the data subject

2 All users who buy from Johku based shops

2.1 Data collection, creation of registers and data controllers

2.2 What data we process, why and for how long

2.2.1 My Johku service makes the processing of personal data transparent

2.2.2 We act on the user's terms

2.3 Data retention period

2.4 Disclosure and transfer of data

2.5 Safety, security and risks

2.6 Rights of the data subject

3 Subcontractors and partners (processing of personal data)

Amazon Web Services, Inc.

Google Inc.

Crisp IM SAS.

Freshworks Inc.

LINK Mobility Poland Sp. z o.o. (SMSAPI)

Mighty Software, Inc.

Typeform S.L.

UAB Omnisend

Zapier, Inc.

Contact

For questions related to our privacy policy, registers and or processing of personal data, please contact:

Sami Hänninen
sami@johku.com
tel. 358 40 721 7717

Aptual Commerce Oy / Johku (ID:2735384-2)
Niittymäentie 13, 46110 Tuohikotti, FINLAND
puh. 358 40 721 7717
support@johku.com

1 Merchants and others interested in Johku

1.1 Collection of data, creation of registers and the data controller

When dealing with Johku as a Merchant or other party interested in Johku technology, Johku collects anonymous tracking data from its websites about the use of its online services for its own analytics registry. If the above party subscribes, registers or otherwise contacts Johku, data about the User will be stored in marketing, merchant, customer and/or customer support registers. At the same time, the processes will ask for explicit consent for electronic marketing. In all of the above situations, the data controller is Aptual Commerce Oy ("Johku").

1.2 What data we process, why and for how long

As a matter of principle, we aim to minimise the amount of data processed in all our processes. We only collect information that is essential for establishing, analysing and developing a successful customer service process and for managing the customer/contractual relationship.

In our processes with merchants and other parties interested in Johku, we collect and process the following information: name, address, telephone number, email address, company name, business ID, billing address and other information provided to us or generated by the use of Johku. We also separately collect information about the use of our services in order to improve the user experience and to analyse the use of our services using cookies and other technical information. For example, when you visit our services, we record the following information: IP address, browser type, type of computer or other device, time and date of your visits, time spent on the website, website from which you accessed the service or other similar technical information. In addition, we store information related to the different usage situations of the Johku. You can set your web browser to reject cookies. If you choose to refuse the use of cookies, some parts of our services may not function properly. We may also use more advanced forms of electronic marketing to target our communications more precisely. However, we will not do this without appropriate, explicit and verifiable consent.

We collect and process the above information for the following purposes:

  • Merchant's personal data management (Johku users)
  • Maintenance of the Johku service
  • Johku communication and customer relationship management
  • Producing, providing, developing, improving and protecting the Johku service
  • Merchant-specific personalisation of the Johku service
  • Analysis and statistics on the use of Johku
  • Customer development, analysis, grouping and statistics
  • Prevention and detection of abuses
  • Other corresponding uses

The basis for the processing of data relating to the merchant is always the contract that is explicitly created when the merchant registers for the Johku service. Where applicable, the processing is also based on consent to enable the aforementioned purposes.

For other persons interested in Johku, the basis for the processing of data is consent, which explicitly arises, for example, when joining the Johku Ecosystem, subscribing to a newsletter or other communications.

As a rule, personal data concerning data subjects are collected from the data subjects themselves by electronic means when they interact with Johku. The data provided may be combined with data from public sources such as trade registers or social media accounts that have been made public.

1.3 Specific situations for data processing

1.3.1 Google Calendar and Johku

Users may choose to use Google Calendar to view their reservations on Johku and to limit the availability of products to be reserved.

When a user grants Johku access to their calendar, Google Calendar allows the following:

  • Johku can create calendars for selected products and/or resources.
  • Johku can create, update and destroy events in calendars created by Johku in Google Calendar from products and/or resources.
  • Johku can retrieve a list of a user's Google Calendars and, based on this, create a checklist to allow or deny access to resources.
  • Johku can read reserved dates and times from user-selected calendars to block or allow the availability of resources.

Johku uses an access token stored in Johku's settings, which is created when you connect to Google Calendar, to update your Google Calendars.

If the user allows Johku to use their Google Calendars, the user has the option to turn on the synchronisation of reservations with Google Calendar. This functionality automatically creates, updates and deletes events in the Google Calendar corresponding to the product/resource, including all subscription details.

Johku does not download or store information from a user's existing Google calendars and their events. Johku only uses and stores the names of calendars selected by the user in its database. Calendar names are only displayed to authenticated users with access to product and resource management.

1.4 Data retention period

The data will be stored for as long as the data subject and Johku have a valid contract and/or consent. Johku informs all data subjects at regular intervals and actively offers the possibility to remove their data from the register.

Data may be kept longer to the extent necessary to fulfill the terms of the contract or to comply with obligations imposed by current legislation, such as accounting obligations (6 years after the end of the financial year) and to demonstrate that they have been properly fulfilled.

1.5 Disclosure and transfer of data

The information collected by Johku in its registers is for the exclusive use of Johku.

Data may be disclosed to our partners or other merchants with the user's consent (e.g. to share a sales channel with other Johku merchants) In principle, disclosure of data may only take place for purposes that do not conflict with Johku's privacy policy.

Data may also be disclosed to buyers in the context of corporate restructuring, in case Johku sells or otherwise reorganises its business.

Data may be transferred to partners and/or subcontractors of the controller's choice (Annex: Subcontractors and partners ), who process the data on behalf of the controller, on the basis of an agreement between the parties. In such cases, the data processor is not entitled to process the transferred data on its own behalf.

The data will not be transferred outside the territory of the Member States of the European Union or the European Economic Area, unless this is necessary for the purposes of the processing of personal data or for the technical implementation of the processing. Johku maintains a list of its collaborators and subcontractors (Annex: Subcontractors and collaborators ), including the location of the operator concerned and the data protection principles applicable to the transfer.

1.6 Safety, security and risks

Access to complete data is only available to the controller's staff. All staff members have a valid confidentiality agreement.

Johku is located exclusively in a server environment managed by Aptual Commerce Oy, which is isolated from other servers. The server environment is protected by a firewall and access to remote management is strictly limited to certain persons, at the end of a secure connection. There are no other services in the same server environment. The server environment is hosted in a highly reliable and highly secured Amazon EC2 cloud (https://aws.amazon.com/ec2/), physically located in Sweden within the EU.

The server environment uses fresh, secure software versions. All browser traffic uses an encrypted HTTPS connection (Johku.com SSL rating is A , https://www.ssllabs.com/ssltest/analyze.html?d=johku.com&latest)

All data is protected against unauthorised access and against accidental or unlawful destruction, alteration, disclosure, transmission or other unlawful forms of processing.

In cases where Johku uses partners or subcontractors to process its registers (Annex: Subcontractors and partners ), Johku pays particular attention to the service provider's privacy practices and technical implementation. In addition, partners and subcontractors must comply with the requirements of the GDPR. Johku has valid agreements with all data processors it uses.

1.7 Rights of the data subject

Administrator users can check the information stored about themselves and, if necessary, make corrections directly in the Johku settings. For other registers, the merchant may at any time make a request for information about him/herself to the contact person on the main page of this section, to check, request correction and otherwise exercise his/her rights under data protection legislation.

In addition, every data subject has the right to file a complaint against the controller with a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach of the GDPR has taken place.

Under no circumstances will Johku use profiling and automated decision-making based on profiling.

Requests for information and changes to registers are free of charge.

2 All users who buy from Johku based shops

2.1 Data collection, creation of registers and data controllers

When a user orders products or services from a Johku-based store, Johku collects anonymous tracking data about the purchase process. The personal data entered during the ordering process is stored in the My Johku register and in the merchant's limited customer register. In this process, Aptual Commerce Oy acts as the data controller of the My Johku register and as the data processor for the Merchant's customer register. The merchant, in turn, acts as the controller of its own customer register.

The merchant may choose to collect more extensive tracking data from the purchase process and use its own customer register in third party systems by using third party services and/or applications connected to Johku or by transferring data as raw data outside Johku. The principles that the merchant follows in the use of data should be clearly stated in the merchant's own privacy policy.

2.2 What data we process, why and for how long

As a matter of principle, we aim to minimise the amount of data processed in all Johkun processes. We only collect information that is essential for establishing, analysing and developing a successful trading process and managing the customer/contractual relationship.

2.2.1 My Johku service makes the processing of personal data transparent

For all users who order from Johku based shop, we collect and process the following information: first and last name, address, postal code, postal town, country, telephone number, email address, order history from different Johku merchants, order source page, IP address, opt-in acceptance of terms and conditions, opt-in consent for electronic marketing. For corporate and institutional customers, the following are also collected: company name, business ID, e-invoice address, e-invoice broker ID, reference and brand. In addition to these, we also collect and process other information related to the order process.

We collect and process the above information for the following purposes:

  • Centralised management of the user's data to be registered in the course of trade and technical enabling of the data subject's rights under the GDPR (review, rectification, right to be forgotten, restriction, right to transfer from one system to another).
  • User-centric management of e-marketing authorisations and other merchant-specific services
  • Shopping with My Johku account, such as pre-loading order information to the order form on Johku stores.
  • Communication and customer relationship management related to the My Johku service
  • Producing, providing, developing, improving and protecting the My Johku service
  • User-specific and user-oriented personalisation of the Johku serviceUser-specific and user-oriented personalisation of the Johku service
  • Analysis and statistics on the use of Johku
  • Customer development, analysis, grouping and statistics
  • Prevention and detection of abuses
  • Other similar uses

2.2.2 We act on the user's terms

My Johku has been created to give users greater power to manage their own personal data related to their shopping online.

The basis for the processing of all users' data is the contract that is created when ordering products and/or services from different merchants. To the extent that data are used for electronic marketing, the basis for processing is consent.

As a rule, personal data concerning data subjects is collected from the data subjects themselves by electronic means when they interact with and through Johku.

2.3 Data retention period

The data will be stored for as long as the user and Johku have a valid mutual agreement and/or consent.

Data may be kept longer to the extent necessary to fulfil obligations imposed by applicable legislation, such as, for example, accounting and consumer responsibilities, and to demonstrate their proper fulfilment.

2.4 Disclosure and transfer of data

The information collected by My Johku is exclusively for Johku's use.

With the user's consent, data may be disclosed to merchants using Johku or Johku's partners. Johku provides the user with tools in My Johku to manage possible disclosure situations. In principle, disclosure can only take place for purposes that do not conflict with Johku's privacy policy.

Data may also be disclosed to buyers in the context of a business restructuring, if Johku sells or otherwise reorganises its business.

Data may be transferred to partners and/or subcontractors of the controller's choice, who process the data on behalf of the controller, on the basis of an agreement between the parties. In such cases, the data processor is not entitled to process the transferred data on its own behalf.

The data will not be transferred outside the territory of the Member States of the European Union or the European Economic Area, unless this is necessary for the purposes of the processing of personal data or for the technical implementation of the processing. Johku maintains a list of its partners and subcontractors, including the location of the operator concerned and the data protection principles applicable to the transfer.

2.5 Safety, security and risks

Access to complete data is only available to the controller's staff. All staff members have a valid confidentiality agreement.

Johku is located exclusively in a server environment managed by Aptual Commerce Oy, which is isolated from other servers. The server environment is protected by a firewall and access to remote management is strictly limited to certain persons, at the end of a secure connection. There are no other services in the same server environment. The server environment is hosted in a highly reliable and highly secured Amazon EC2 cloud (https://aws.amazon.com/ec2/), physically located in Sweden within the EU.

The server environment uses fresh, secure software versions. All browser traffic uses an encrypted HTTPS connection (Johku.com SSL rating is A , https://www.ssllabs.com/ssltest/analyze.html?d=johku.com&latest)

All data is protected against unauthorized access and against accidental or unlawful destruction, alteration, disclosure, transmission or other unlawful forms of processing.

In cases where Johku uses partners or subcontractors to process its registers (Annex: Subcontractors and partners ), Johku pays particular attention to the service provider's privacy practices and technical implementation. In addition, partners and subcontractors must comply with the requirements of the GDPR. Johku has valid agreements with all data processors it uses.

2.6 Rights of the data subject

Johku communicates with the user through the My Johku service whenever the user's personal data is processed. The message from the Service will always contain information about the controller carrying out the processing and a link to the My Johku Service.

In My Johku, the user can check the data stored about him/herself and, if necessary, make corrections. The Service also includes functionality that allows the user to download data in a structured format for transfer from one system to another. The My Johku service can be accessed at any time at johku.com/customer

My Johku also offers the possibility to terminate the My Johku contract and delete data from My Johku. If a user stops using My Johku and terminates his/her contract with Johku, all automated functionalities related to the management of his/her own data will cease and Johku will no longer be able to pursue the user's interests in relation to the merchant. After termination of the contract, the user must manage his/her own data (review, rectification, right to be forgotten, limitation, right to transfer from one system to another) in writing directly with the merchant holding the register.

Under no circumstances will Johku use profiling and automated decision-making based on it.

The use of the My Johku service is free of charge.

3 Subcontractors and partners (processing of personal data)

Johku strives to provide the safest and highest quality service possible to its customers. We use subcontractors and partners to provide our services. In practice, this means that our subcontractors and partners are also involved in the processing of personal data on a case-by-case basis.

All subcontractors and partners must comply with Johku's Privacy Policy and there must be a valid contract between the parties.

The following is a list of the subcontractors Johku uses to process data:

Amazon Web Services, Inc.

Purpose: Technical server platform, cloud service
Physical location: Sweden (EU)
Data transfers outside the EU or EEA: Do not transfer.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
AWS DPA, Supplementary Addendum to AWS GDPR DPA 
Registers concerned: My Johku, Johku Merchant Register

Google Inc.

Purpose: Google Workspace, fonttien käyttö, recaptcha
Physical location: Googlella on palvelinkeskuksia ympäri maailmaa:
Data Center Locations.
Data transfers outside the EU or EEA: Possible.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
Google Cloud DPA
Registers concerned: Johku Merchant Register, Johku Customer Register

Crisp IM SAS.

Purpose: merchant support
Physical location: France
Data transfers outside the EU or EEA: No.
Privacy statement:
Privacy Policy
Registers concerned: Johku Merchant Support Register, Johku Customer Register

Freshworks Inc.

Purpose: merchant support
Physical location: USA
Data transfers outside the EU or EEA: Yes.
EU Standard Contractual Clauses:
Freshworks DPA
Privacy statement:
Privacy Policy
Registers concerned: Johku Merchant Support Register

LINK Mobility Poland Sp. z o.o. (SMSAPI)

Purpose: tekstiviestipalvelut Johkun sisällä, silloin kun kauppias ottaa ne käyttöönb
Physical location: Poland (EU)
Data transfers outside the EU or EEA: Possible.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
SMSAPI General Terms and DPA
Registers concerned: My Johku

Mighty Software, Inc.

Purpose: Johku Ecosystem
Physical location: USA
Data transfers outside the EU or EEA:Yes.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
Mighty Networks EU DPA
Registers concerned: Johku Ecosystem Merchant Community

Typeform S.L.

Purpose: Johkun asiakkuuksienhallinta
Physical location: USA
Data transfers outside the EU or EEA:yes.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
Typeform DPA
Registers concerned: Johku Customer Register, Johku Ecosystem Merchant Community

UAB Omnisend

Purpose: Johku's customer relationship management and marketing
Physical location: Lithuania (EU)
Data transfers outside the EU or EEA: Possible.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
Omnisend DPA
Registers concerned: Johku Customer Register

Zapier, Inc.

Purpose: Johku's customer relationship management, Johku Ecosystem community
Physical location: USA
Data transfers outside the EU or EEA:Yes.
Privacy statement:
Privacy Policy
EU Standard Contractual Clauses:
Zapier DPA
Registers concerned: Johku Customer Register, Johku Ecosystem Merchant Community

The Future of Entrepreneurship

Johku is a fast-growing e-commerce platform in Finland. Its support for all product types, coupled with a vast array of features, makes Johku a competitive choice for numerous companies.

Ilkka Lariola, CECO

Ilkka Lariola, CECO

Johku Ecosystem and New Merchants
Sami Hänninen, CEO

Sami Hänninen, CEO

Concept Design and Development
Minna Mikkola

Minna Mikkola

Communications, Merchant Support