This is the privacy statement and data register of Hostaan Ltd in accordance with the EU General Data Protection Regulation (GDPR). The statement was originally prepared on August 7, 2019, and last updated on November 26, 2025.

 

Privacy Statement and Data Register

 

1. Data Controller

Hostaan Ltd

Snellmaninkatu 36-38

FI-70100 Kuopio, Finland

 

2. Contact Person Responsible for the Register and Data Protecion Officer

Juha Kouvalainen

+358 (0)17 5800 500

support@hostaan.com

 

3. Name of the Register

Hostaan Ltd Customer, Marketing and Web Service User Register

 

4. Legal Basis and Purpose of Personal Data Processing

The legal bases for processing personal data under the EU General Data Protection Regulation are:

• Contractual agreement in which the data subject is a party
• Legitimate interest of the data controller arising from the customer relationshop or use of our service

We collect, store, and process personal data only for predefined purposes, which include:

• Maintaining services and managing customers
• Customer support and billing
• Communicating weith customers and stakeholders
• Marketing for our own purposes

 

5. Contents of the Register

The register may contain the following information: name, position, organization, organization identifier, billing and contact information (address, phone number, email), personal identification number (when required for domain registration), usernames and IP addresses, details of ordered services and changes, payment history, data on other users of the service, technical logs of all service usage, and other information necessary for managing the customer relationship.

 

IP addresses of website visitors and cookies necessary for service functionality are processed on the basis of legitimate interest, for purposes such as information security and statistical analysis of visitors, in cases where they may be considered personal data. Consent will be requested separately for third-party cookies when necessary..

 

6. Regular Data Sources

Information provided directly by the customer, including preferences and opt-outs

Information generated during the course of the customer relationship

Information collected during service usage

 

7. Processing of Personal Data and Disclosure to Third Parties

Personal data is handled only by our company personnel, always confidentially and only to the extent necessary for their job duties. Disclosure to partners occurs only for purposes supporting the operation of the register.

 

Personal data may be disclosed to our subprocessors only when necessary for providing the service. A detailed list of subprocessors is available in our Data Processing Agreement (DPA). Examples of such subprocessors include service providers for technical support, domain registration, and billing. Personal data is not otherwise transferred outside the EU/EEA.

 

We may also be required to disclose information to authorities or courts to investigate crimes or misuse.

 

8. Principles of Data Protection and Retention Period

Data is processed carefully, and information handled via IT systems is properly secured. Manually processed records are stored in premises with restricted access. Data stored on Internet servers is protected both physically and digitally. The data controller ensures that stored information, server access rights, and other critical data are handled confidentially and only by authorized personnel.

 

After the customer relationship ends, personal data is retained only as long as necessary to support the register’s purpose and as required by law (e.g., accounting legislation for invoice records).

 

9. Right of Access and Right to Rectification or Deletion

Every individual in the register has the right to access their personal data, request correction of inaccurate information, supplement incomplete information, or request deletion of data concerning them (“right to be forgotten”). Requests for access, correction, or deletion must be submitted in writing to the data controller. The data controller may require proof of identity and will respond within the timeframe required by the GDPR (generally within one month).