
Privacy Policy

Updated March 28, 2026

This privacy policy explains how Sopu processes personal data when you browse the customer site, create or use a customer account, place an order, save payment details, check delivery availability, or contact us about an order.

This page is written for the current customer app as configured today, including card payments via Stripe, delivery-address checks, sign-in flows, phone verification, and order tracking.

Any additional external providers that Sopu uses should also be added to this policy before publishing.

Any text shown in red still needs your business confirmation before this page goes live.

Controller Details

The controller responsible for your personal data on this customer service is:

  • Sopu, Y-tunnus 3519999-6
  • Operating address: Kapponkatu 17, 21210 Raisio, Finland
  • Postal address: [Add postal address if different from the store address]
  • Customer service email: [Add customer-service email]
  • Customer service phone: [Add customer-service phone]
  • Privacy contact: [Add privacy / data-protection email]
  • Data Protection Officer, if appointed: [Add Data Protection Officer details if one is appointed, otherwise remove this item]

What Personal Data We Process

  • identity and contact details, such as your name, email address, phone number, and saved customer profile information
  • address details, such as delivery address, postal code, city, and address coordinates when address validation or delivery availability checks are used
  • order data, such as items ordered, modifiers, special instructions, order type, delivery notes, order totals, and order history
  • payment-related metadata, such as payment status, Stripe checkout session references, saved-card summaries, currency, totals, and other order-payment references needed to verify a paid checkout and keep accounting records; Sopu does not store your full card number or CVC
  • account and authentication data, such as session identifiers, sign-in provider information, verified-phone status, and account settings
  • technical usage data needed to run the service, such as guest cart identifiers, session cookies, browser storage values, and server logs related to requests, security, and troubleshooting

Why We Process Your Data And The Legal Bases

  • to provide the service and fulfil your orders, including delivery or pickup, customer account access, and order status updates: contract
  • to process payments, verify paid checkout sessions, prevent misuse of the service, and secure customer accounts: contract and legitimate interests
  • to comply with accounting, tax, bookkeeping, and other mandatory legal requirements related to orders and payments: legal obligation
  • to process refunds, corrections, receipt delivery, and payment-related customer service: contract and legal obligation
  • to respond to customer service requests, complaints, and refund issues: contract, legal obligation, and legitimate interests
  • to maintain, debug, and improve the reliability and security of the service: legitimate interests
  • to use non-essential cookies or similar technologies, if they are added later: consent

Where The Data Comes From

  • directly from you when you browse the service, create an account, sign in, save settings, enter a delivery address, or place an order
  • from payment and authentication providers when you use card payments, Google sign-in, magic-link sign-in, or phone verification
  • from Google Maps geocoding services when the service resolves or validates an address that you provide or confirms your delivery area

Recipients And Processors

  • payment processor: Stripe, for card payments and related payment confirmation flows
  • payment and banking participants, such as the customer's card issuer, acquiring bank, or authentication partners, where needed to complete and verify a transaction
  • authentication and identity providers: Stack Auth, Google sign-in, and phone-verification providers such as Firebase when enabled in the service
  • address and map provider: Google Maps / Google Geocoding for address resolution and delivery availability checks
  • accounting, invoicing, bookkeeping, or receipt providers used by Sopu: [Add any accounting, invoicing, bookkeeping, or receipt-delivery providers used by Sopu]
  • service providers that host, operate, support, or secure the customer service and its database infrastructure
  • other external services used by Sopu: [Add any other external services you use, for example hosting, database, email, SMS, customer support, delivery, accounting, CRM, ERP, analytics, or consent-management tools]

Payment Security And Verification

  • when you pay by card, the payment provider and related payment-service participants may process payment and authentication data to complete the transaction securely
  • card issuers or payment providers may require strong customer authentication or other verification steps before a payment can be completed
  • Sopu may compare payment-session information, order totals, and order ownership details to confirm that a paid transaction matches the order being placed

Transfers Outside The EEA

Some service providers used by Sopu may process personal data outside the European Economic Area. When that happens, Sopu will rely on lawful transfer mechanisms such as an adequacy decision, Standard Contractual Clauses, or other safeguards required by applicable data protection law.

How Long We Keep Data

  • active customer account and contact data: for as long as the account is needed, and after that only as long as required for legal, security, or dispute-handling purposes
  • order, payment, and bookkeeping records: for as long as required by accounting, tax, consumer-protection, and other legal obligations
  • guest-cart and session cookies: typically up to 30 days or until cleared earlier
  • browser session-storage items used for login flow or checkout notes: until the browser session ends or the data is cleared earlier
  • local browser data used for order continuity, such as the latest order reference: until replaced or removed by the user or the service

Your Rights

Subject to applicable law, you have the right to:

  • request access to your personal data
  • request rectification of inaccurate or incomplete data
  • request erasure where the legal conditions are met
  • request restriction of processing in certain situations
  • object to processing based on legitimate interests
  • receive portable data where the right to portability applies
  • withdraw consent at any time for processing based on consent

You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman in Finland. Information is available at tietosuoja.fi.

How To Exercise Your Rights

You can exercise your privacy rights by contacting Sopu at [Add privacy / data-protection email]. To help us process your request safely and correctly, we may need to verify your identity and ask for enough information to identify the account, order, or processing activity your request relates to.

If Sopu uses any external customer-support, CRM, consent, or ticketing tools for privacy requests, those services should also be named in this policy before publishing.

Whether Data Is Mandatory

Some information is required for Sopu to provide the service. For example, an email address, verified phone number, and the relevant order details are needed for checkout, and a delivery address is needed for delivery orders. If you do not provide the required data, Sopu may not be able to complete your order or provide account-based features.

Automated Decisions And Security

The service may automatically validate delivery-area eligibility, order totals, and payment-confirmation checks as part of normal ordering and fraud-prevention workflows. Sopu does not intend to make decisions based solely on automated processing that produce legal or similarly significant effects on you without appropriate human review.

How To Contact Us About Privacy

For privacy requests or questions, please contact Sopu at [Add privacy / data-protection email]. For order-specific customer service matters, please use [Add customer-service email] or [Add customer-service phone].

Changes To This Privacy Policy

Sopu should keep this privacy policy accurate and up to date. If the customer site starts using new processors, new external services, new marketing tools, or new categories of personal data, this privacy policy should be updated before or at the time those changes take effect.