Privacy statement and monitoring

Old Tea Shop is under the supervision of the Finnish Food Safety Authority. Monitoring reports are published on the website As for organic, the tea trade is monitored by the Food Agency's organic department with annual inspections.

Privacy statement

Generalof the data protection regulationaccording to the data protection and Registry statement on the protection of natural persons in the processing of personal data and on the free movement of this data.

The registrant is Old Tea Shop, i.e. 1269 Mikko Nygren Oy, corporate identity number 2638680-2,
Vilhonkatu 4, 00100 Helsinki

The registration is processed in the Shopify system in Canada and the United States. Shopifyis responsible for system implementation, data security, registry maintenance and data backup. All information in the register is stored and processed in the same register (i.e. in one database).

The name of the register is Old Tea Shop's customer, order, invoicing and marketing information register.

Principles regarding the processing of personal data

Old Tea Shop complies with the following requirements regarding personal data:

a) Personal data must be processed in accordance with the law, appropriately and transparently from the point of view of the data subject ("lawfulness, reasonableness and transparency");

b) they must be collected for a specific, specific and lawful purpose and must not be subsequently processed in a manner incompatible with these purposes; subsequent processing for archival purposes in the public interest or for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes in accordance with Article 89(1) ("relevance of purpose of use");

c) personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which it is processed ("data minimization");

d) personal data must be accurate and, if necessary, updated; must take all possible reasonable measures to ensure that personal data that are inaccurate and incorrect in relation to the purposes of the processing are deleted or corrected without delay ("accuracy");

e) they must be kept in a form from which the data subject can be identified only for as long as is necessary to fulfill the purposes of data processing; personal data can be stored for longer periods if the personal data is processed only for archival purposes in the public interest or for scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1, provided that the appropriate technical and organizational measures required by this regulation have been implemented to protect the rights and freedoms of the data subject ("storage restriction');

f) they must be processed in a way that ensures the appropriate security of personal data, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures ("integrity and confidentiality").

The customer has the right to find out if his personal data has been stored in the system, the right to correct it, and the right and conditions to have it deleted. The data is stored until the customer requests its deletion. The storage is done for e.g. web analytics (statistical reasons) and e.g. to make it easier to place a new order (customer interest).

Purpose of the register

The purpose of the register is customer contact, maintenance and development of customer and business relationships, and use for reporting and statistical purposes. Old Tea Shop uses this and other information generated during the customer relationship to plan the product and service offer and to target the offer.

Personal data is used within the framework permitted and required by the Personal Data Act. The register will not be handed over to outside parties.

The e-mail address of those who subscribed to the newsletter is used to send the newsletter. The information of those who fill out the contact form is used to respond to the contact.

Information contained in the register

The customer register consists of several separate registers compiled according to the main purpose of use. Together, these customer data form the data sets stored about the customer as follows:

- The customer's contact information and the information that enables ordering: first and last name, street address, zip code, post office, country, language, phone number, email address.
- Customer group information, discount category and other customer-specific additional information.
- Billing address and other billing information
- Possible consent to send direct marketing.
- Information about customer orders, deliveries and returns.
- Identifiers required to log into the service.
- IP address information or other identifier
- Other textual information related to the customer, such as the purpose of the contact request or a wish for the delivery time of the order

The registrant's personal data will be destroyed at the user's request.

Information will not be passed on, except when required by official actions. Due to data processing, some of the data may be located at the company's subcontractors.

Regular sources of information

The register's contact and customer information is obtained from notifications made by the customer to the controller when and during the creation of the customer relationship. A customer relationship is created when a customer registers for the service, places an order, orders direct marketing or makes a purchase. The customer relationship can also be started at the customer's request, e.g. based on a telephone conversation.

For electronic direct marketing (e-mail and text message marketing), the customer's consent is separately requested in accordance with the Personal Data Act. Information on creditworthiness at the time of the customer's order is obtained from the source of Checkout Finland Oy (business ID 2196606-6), DFC Nordic Oy (business ID 1998514-5).

Anonymous web analytics

We can use the following tools and services to collect anonymous information about web browsing:
Google Analytics:
Google Remarketing:
Facebook Pixel:
Microsoft Bing Adds:

Legal basis for processing personal data

There must be a legal basis for the processing of personal data. We process personal data on the basis of someone's consent (e.g. subscribing to a newsletter), a contract (e.g. placing an order), a legal obligation of the data controller (e.g. products that require a legal permission to possess or use), protection of vital interests (e.g. training or a course that is required of participants personal health information), the legitimate interest of the controller or a third party (e.g. web analytics).


Our website uses cookies, which allow us to develop our website for you. The purpose of cookies is to improve and speed up the shopping experience. Cookies can also be used to offer better offers and more personalized product recommendations to the customer. A cookie is a small text file that the web server stores on the user's hard drive. Some of the site's content may require accepting cookies in order to function. The user's web browser probably accepts cookies with ready-made default settings, but the user can also prevent the use of cookies from the browser settings or by deleting cookies from the browser after using the service. More information about browser-specific usage can be found in the browser manufacturer's instructions.

Registry protection

Access to the register requires special access rights. The right of use is limited only to information necessary for the person's job duties and requires the use of personal usernames. The customer register and the information system equipment that processes it are located in closed computer rooms. Hardware and software updates are handled regularly and appropriately, and possible threats are responded to immediately. In case of disturbances, the information is regularly verified by copying. The system is protected by a firewall against outside communications.

Employees handling customer register data are bound by the duty of confidentiality. Information is shared or disclosed to outsiders only due to a statutory reporting obligation, such as the customer's own request or an authority's statutory request.