Privacy Policy
Smida Oy · Effective from 27 April 2026 · Version 1.0
1. Data controller
Smida Oy
Business ID: 3620206-9
Albertinkatu 44
00180 Helsinki
Finland
Email: contact@smidapartners.com
Website: smidapartners.com
For questions regarding data protection, please contact us at the email address above.
2. Overview
This privacy policy describes what personal data we process regarding client company contact persons, contact form submissions, and website visitors, and on what legal basis.
3. Personal data processed by register
We process personal data in three registers, described below.
Register 1: Client, prospect, and marketing register
We process contact information of existing and potential client companies for client relationship management, service delivery, sales, and marketing purposes.
Data processed
- Name and title / role (e.g., CEO, CFO)
- Work email address and phone number
- Employer company and business ID
- Contract and billing information (for clients, e.g., service tier, contract period)
- Client relationship data (e.g., service usage history)
- For prospects: publicly available data or data collected through contact (e.g., LinkedIn profile, company website contact details)
Purpose and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Performance of service agreement and active client relationship management | Performance of contract (6(1)(b)) |
| B2B sales, new client acquisition, and marketing communications | Legitimate interest (6(1)(f)) |
| Legal obligations (e.g., accounting record retention) | Legal obligation (6(1)(c)) |
Retention period
Clients: Contact information is retained for the duration of the active client relationship. Contract and billing data is retained for 6 years after the end of the financial year, as required by Finnish accounting law.
Prospects: Data is retained for 5 years from last contact, unless the individual requests earlier deletion.
Register 2: Contact form register
When a person contacts us through our website contact form or email, we store the information necessary to handle the inquiry.
Data processed
- Name and email address
- Message content
- Company (if provided)
- Contact history (previous messages on the same matter)
Purpose and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Handling and responding to inquiries | Legitimate interest (6(1)(f)) |
| Service quality monitoring and improvement | Legitimate interest (6(1)(f)) |
Retention period
Contact form submissions are retained for up to 2 years from the date of inquiry.
Register 3: Website visitor register
We collect technical data about website usage to ensure the site functions properly and to improve our services.
Data processed
- IP address and device type
- Browser and operating system
- Pages visited and visit duration
- Traffic source (referrer)
Purpose and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Website functionality and security | Legitimate interest (6(1)(f)) |
| Visitor analytics and service improvement | Consent (6(1)(a)) — via cookies |
Retention period
Technical usage data is retained for a maximum of 12 months.
4. Data sources
We primarily receive personal data directly from the data subject: through the contact form, contract process, or direct contact. During prospecting, we may collect publicly available professional contact information from sources such as LinkedIn or company websites.
5. Data recipients and international transfers
We do not sell or disclose personal data to third parties for commercial purposes. Data processing may be outsourced to external service providers (e.g., email and cloud services), who process data on behalf of Smida under a GDPR Article 28 data processing agreement. A current list of sub-processors is available upon request at contact@smidapartners.com.
Personal data may be transferred outside the EU/EEA within the limits permitted by law, using European Commission standard contractual clauses or other approved transfer mechanisms. Our server infrastructure is located within the EU/EEA.
Data may also be disclosed to authorities when required by law.
6. Data security
Smida uses appropriate physical, technical, and administrative safeguards to protect personal data from unauthorized access, modification, and loss. These include:
- Encryption of network connections (TLS) and traffic filtering
- Controlled access rights management and monitoring
- Strong authentication for servers and systems
- Staff guidance on data protection and confidentiality commitments
- Risk management in service design, implementation, and maintenance
- Data breach notification to the supervisory authority within 72 hours as required by GDPR
7. Your rights
You have the following rights under GDPR regarding your personal data:
Withdrawing consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw your consent at any time without consequence. This does not affect the lawfulness of processing prior to withdrawal.
Submitting requests: Rights requests can be sent to contact@smidapartners.com. We will respond within the 30-day period required by GDPR.
Right to complain: If you believe your personal data has been processed unlawfully, you have the right to file a complaint with the Data Protection Ombudsman: www.tietosuoja.fi
8. Changes to this privacy policy
We reserve the right to update this privacy policy as our business or applicable legislation changes. We will notify our clients of significant changes via email or on our website before they take effect. The effective date is always shown at the top of this page.