1 DATA CONTROLLER Name: Cityjorma Oy (Business ID: 3227849-6) Address: V.E. Törmäsentie 10 A 4 99870 Inari, FINLAND Telephone: +358 50 4946 993 Email address: info@northernpolar.com

2 DATA PROTECTION OFFICER Name: Samu Hurskainen Address: V.E. Törmäsentie 10 A 4 99870 Inari, FINLAND Telephone: +358 50 4946 993 Email address: info@northernpolar.com.

3 NAME OF REGISTER Customer-, partnership and marketing register.

4 PURPOSE OF PROCESSING PERSONAL DATA The grounds for processing personal data are based on a contractual customer or partner relationship, or explicit consent of the customer. The main purpose for the register is to manage personal data required for cooperation between Cityjorma Oy. and its customers and partners and to ensure smoothness of customer service and purchased services and goods.

Personal data are handled for the following purposes:

  • Program- and accommodation service purchases and their implementation and verification
  • Program- and accommodation services purchased through web shop, their implementation and verification
  • Business planning and product development
  • Marketing communication, newsletters, targeted advertising and other advertising
  • Improvement of website user experience
  • Market research and other researches and analysis

As the data controller, Cityjorma Oy ensures that the data subject’s benefits and rights are carefully assessed. Personal data is collected according to this privacy policy, and they are not handled, changed, or moved differently than as mentioned in this privacy policy.

5 CONTENT OF REGISTER The register may include the following details:

  • Contact details including name, phone number, email address, accommodation name and address in travel destination
  • Nationality
  • Ages of children
  • Possible allergies and special diets that substantially affect the implementation of the service
  • Medical information that substantially affects the implementation of the service
  • Credit card details when accommodating in accommodation facilities of partners of Cityjorma Oy
  • Information of the services and goods a customer has purchased and their delivery and invoicing
  • Data subject’s inquiries, comments or other reactions online
  • Material sent by the data subject (for example a photo)
  • Customer feedback, permits, agreements and prohibitions
  • Business ID, contact person’s position in the company and invoicing details (corporate customer)

Cityjorma Oy requests adults to inform of their underage children’s ages to ensure safe and smooth customer service. Additionally, customers are requested to inform of possible allergies, special diets, and medical information when they can substantially affect the ordered service’s safety and smoothness.

Technically collected information of online use can include IP address and location details, usage and timing, device details, OS type and software version, browser type and language settings, interactions across different service channels, and external sites from which users have arrived and where they navigate to from Cityjorma Oy’s platform. The company may also collect service usage information with cookies.

6 REGULAR DESTINATIONS OF DISCLOSED DATA Personal data is disclosed to suppliers and partners of Cityjorma Oy. only when the owner of personal data (data subject) is participating in a purchased or offered service which is organized partially or wholly by a supplier or partner. In isolated cases, data may be disclosed upon the data subject’s request or if required by competent authorities based on existing legislation.

7 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS The data are not transferred to third countries or international organizations. In rare cases, Cityjorma Oy. discloses data to third parties or international organizations if authorized by the data subject, and after a joint assessment with the Finnish Data Protection Authority on the risk and security measures of the recipient’s location.

8 PRINCIPLES OF SECURING REGISTER Cityjorma Oy diligently safeguards personal data throughout its life cycle using appropriate means. The company only collects and processes data essential for its operations.

Digital access is limited using personal usernames and passwords, tailored according to employee roles. Documents are securely stored, access is restricted, and staff are bound by confidentiality. System suppliers handle data in secure server environments, and data is disposed of per security guidelines.

9 RIGHT TO ACCESS Data subjects have the right to know the personal data stored about them. After a detailed request, they have the right to access this information. Requests should be sent in writing to the Data Protection Officer (refer to section 2).

10 RIGHT TO RECTIFICATION AND ERASURE Cityjorma Oy has the authority to correct inaccurate data. They also periodically ensure data remains relevant and up-to-date. A data subject can demand the removal of their data unless prohibited by law or if data retention is mandated by authorities or other legal obligations.

11 OTHER RIGHTS PERTAINING TO PERSONAL DATA PROCESSING Data subjects can request restrictions on their personal data processing. They can also obtain and transfer their data in a structured, machine-readable format to another data controller. Moreover, they have rights against data processing, automated decision-making, and profiling.

12 ERASURE OF DATA AND TIME OF STORAGE Data remains in the register for at least a year post contractual obligations unless otherwise stipulated or mandated by law. Data can also be removed upon request unless there’s a legal or authoritative requirement for retention.

13 CHANGES TO PRIVACY POLICY Cityjorma Oy may update this privacy policy. The most recent version is always accessible on their website.

Last updated 20th September 2023.