4. Information Contained in the Registry

Only the data necessary for the purposes of the registry will be stored. The customer registry of OpenTupa Oy may contain the following information about customers (the term "customer" in this statement refers the person enrolling to our courses): Name Email address Customer history

5. Sources of Data and Legal Basis for Processing

The basis for processing personal data is a customer relationship, customer consent, or an agreement or other relevant connection provided by the customer. The source of the data is the information provided directly by the customer.

6. Regular Data Disclosures

OpenTupa Oy may, in some cases, transfer personal data to third parties who act as data processors. Data may be transferred to third parties for services such as marketing services and IT services.

OpenTupa Oy may also transfer or disclose personal data to its group companies or to business successors, for example, in cases of corporate restructuring, business sale, merger, demerger, bankruptcy, or liquidation.

OpenTupa Oy ensures, in all situations, that data is stored and processed appropriately and securely through contractual arrangements.

Data may also be disclosed to authorities based on applicable legislation.

7. Transfer of Data Outside the EU or the European Economic Area

We do not transfer data outside the EEA except in situations permitted by data protection laws.

8. Principles of Data Protection and Retention Period

Personal data stored in the registry is always handled confidentially, and access is limited to necessary personnel only. The registry and its data are stored on secure servers, and electronic data transfer is carried out over encrypted and protected connections when necessary.

For non-electronic data, the information is stored in locked and/or monitored facilities. Data is stored only for as long as it is needed for the purposes for which it was collected, and will be securely destroyed once the retention period has expired.

When using third-party services as described in section six, OpenTupa Oy will enter into agreements with these parties regarding the processing of personal data, ensuring that these parties comply with the obligations of the General Data Protection Regulation (GDPR), particularly regarding data security. If daycare services are provided as outsourced services or via service vouchers, document retention will follow the guidelines set by municipal authorities.

9. Rights of the Data Subjects

Right to Access

OpenTupa Oy offers you the right to access the personal data we process about you. You may contact us and request to know the personal data we process about you and the legal basis for such processing.

Right to Rectification

The data subject has the right to request the correction of incorrect, incomplete, outdated, or unnecessary information by contacting us.

Right to Erasure

The data subject may also request OpenTupa Oy to delete their personal data from our systems. OpenTupa Oy will perform the actions requested by the data subject unless we have a legitimate reason to retain the data, such as to fulfill legal obligations. Data may not be immediately removed from all backup or other similar systems.

Right to Object

You also have the right to request restrictions on the processing of your personal data if it is processed for purposes other than providing our services or fulfilling a legal obligation. You may also object to the processing of your personal data even if the processing is based on your earlier consent. Objecting to the processing of personal data may result in more limited opportunities to use our services.

Right to Restrict Processing

You may request us to restrict the processing of certain personal data. A request for data processing restriction may result in more limited opportunities to use our website and services.

Right to Data Portability

If our processing is based on your consent, you have the right to receive your personal data from us in a structured, commonly used, and machine-readable format so that you can transfer the data to another data controller.

You may exercise your rights by contancting OpenTupa by the contact form or by contacting the company director. Service users must submit requests from the email address registered in our system, and responses to requests will be sent primarily to that email address.

In addition to the rights mentioned above, you also have the right to file a complaint with the supervisory authority, particularly in the member state of your habitual residence or place of work, or where the alleged violation of data protection law occurred. In Finland, the supervisory authority is the Data Protection Ombudsman.

10. Changes to this Privacy Policy

OpenTupa Oy may occasionally make changes to this privacy policy without prior notice. However, if this privacy policy is changed and the processing is based on the data subject’s consent, we will notify all registered users via their provided email addresses or otherwise in writing.