Tietosuojaseloste / Privacy Notice

Effective date: [17/11/2025]

1.    Controller and contact point

Oy Steve the Clerk Ltd (“Steve the Clerk”, “we”)

Business ID: 2828251–3

Address: Jykintie 10, 35400 Längelmäki
Email for data protection matters: dataprotection@stevetheclerk.com
(You may send all requests concerning your rights to this address.)

2.     Who is this notice intended for

This notice concerns the processing of personal data of visitors to our website (stevetheclerk.com and any possible subdomains). It does not cover separate customer or job applicant processes.

3.     Personal data processed and sources of data

We process only the data necessary for the specified purpose:

  • Form data: Name, email address, and the content of your message when you contact us via the website.
  • Usage and device data: IP address, cookie identifiers, technical details of the browser and device, time of visit, and session events.
  • Marketing and advertising data (based on your consent): Website behaviour, conversion events, interests, and identifiers related to ad impressions across various platforms.
  • B2B company-level identification: Information about the visitor’s company (e.g., company name, industry) obtained from public sources linked to the IP address. Individual persons are not identified without consent.

4. Purposes and legal basis for processing

Responding to contact requests and initiating customer relationships

We process the data submitted through the contact form in order to respond to your enquiry and assess potential opportunities for collaboration.

  • Legal basis: legitimate interest (enabling communication) and/or pre-contractual measures.
  • Retention: up to 12 months from the last contact, unless the relationship continues.

Website operation, security, and development

We process usage and log data to provide the service, monitor performance, and prevent misuse; we apply privacy by design/default principles.

  • Legal basis: legitimate interest.
  • Retention: log and technical event data typically for 12 months.

Analytics and advertising measurement

We utilise cookies and similar technologies (such as Google Analytics, Google Ads, Microsoft UET, and conversion tracking) to understand website usage and measure the effectiveness of advertising.

  • Legal basis: consent (non-essential cookies).
  • Retention: cookie/identifier-specific, typically 1–13 months depending on settings.

Targeted digital advertising

Meta (Facebook/Instagram), LinkedIn, and Microsoft Ads process identifiers and behavioural data to target campaigns; we only set pixels with your consent.

Legal basis: consent (profiling/behavioural targeting) or, in certain B2B cases, legitimate interest based on LIA assessments.

You can object to or withdraw your consent at any time.

B2B company-level visitor identification

Leadfeeder identifies company visits based on IP address; individual identification is not carried out without consent.

Legal basis: legitimate interest; processing is limited to company-level data.

Note: We do not make decisions that have legal effects solely on the basis of automated processing (no automated decision-making as defined in Article 22).

Profiling is limited to advertising targeting within the scope of your consent.

5.     Recipients and Processors

We use trusted service providers who have data processing agreements (in accordance with Article 28 of the GDPR) and who implement adequate safeguards:

  • Meta Platforms (Facebook/Instagram advertising), LinkedIn, Microsoft Ads, Google Ads – campaign targeting and measurement.
  • Leadfeeder/Dealfront – company-level visitor identification to support B2B sales.
  • WordPress + form tools – receiving and forwarding contact requests.
  • Pipedrive (CRM) – handling contacts in the B2B sales process (if the contact leads to further actions).

We only disclose information to authorities if required by law.

6. International Transfers

Some of our service providers may be located outside the EU/EEA area. In such cases, we use the EU Standard Contractual Clauses (SCCs) and, if necessary, additional safeguards; we assess the risks related to the transfers (TIA). We communicate these transfers transparently and request your consent when required.

7.     Retention Periods (Principles)

We retain personal data only for as long as necessary for the stated purposes or to fulfil statutory obligations:

  • Form data: ≤ 12 months from the last contact, unless the customer relationship continues.
  • Technical logs and information security: typically ≤ 12 months.
  • Advertising/analytics: cookie and platform-specific periods (usually 1–13 months, e.g. Google Ads, Meta, Microsoft Ads).

Principles and deletion procedures are documented (ROPA, deletion processes).

8. Cookies and Consent Management

We use a Consent Management Platform (CMP), which allows you to:

  • give or withdraw your consent for non-essential cookies,
  • view category-specific descriptions and retention periods,
  • manage your targeted advertising settings (Meta/LinkedIn/Microsoft Ads/Google Ads pixels).

Essential cookies are used for the functionality of the service.

9. Rights of the Data Subject

You have the right to review your information, request correction or deletion, request restriction of processing, object to processing based on legitimate interest (including profiling/marketing), and withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You may also request the transfer of your data in a machine-readable format when the processing is based on consent or a contract. Please send your request to dataprotection@stevetheclerk.com.

You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman (Lintulahdenkuja 4, 00530 Helsinki, tietosuoja@om.fi, tietosuoja.fi).

10. Data Security

We protect data using appropriate technical and organisational measures (access control and the principle of least privilege, encryption, log monitoring, backups, vulnerability management). We have a data breach management procedure: we assess incidents, make the necessary notifications to the supervisory authority without undue delay and no later than within 72 hours, and inform affected individuals when required by regulation. Staff receive regular training.

11. Children’s Data

This website is not intended for individuals under 18 years of age, and we do not knowingly collect personal data from children.

12. Links and Third-Party Websites

Our website may contain links to external services. We are not responsible for the privacy practices of third parties; please review their privacy statements.

13. Changes to This Statement

We may update this statement. The latest version is always available on this page. We will notify you of significant changes on the website before they take effect and update the effective date accordingly.