ROSES24.FI PRIVACY POLICY
1. General
This Privacy Policy (the “Policy”) describes how we process the personal data of customers and visitors of the ROSES24.FI website and the ROSES24.FI online store.
This Policy has been prepared in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and applicable Finnish data protection legislation.
Our aim is to protect the privacy and personal data of our customers and to ensure transparent processing in compliance with all applicable requirements.
2. Data controller
The data controller for the personal data processed in the ROSES24.FI online store and in the physical store is:
ROSES24SUOMI OY
Business ID: 3400085-4
Address: Atlantinkatu 14, 00180 Helsinki, Finland
Phone: +358 942 727 622
E-mail: [email protected]
ROSES24SUOMI OY transfers personal data necessary for processing payments to its authorised payment partners, including Montonio Finance UAB, Revolut Bank UAB, PayPal (Europe) S.à r.l. et Cie, S.C.A., and, where applicable, other payment service providers used from time to time (together, the “Payment Service Providers”).
3. Categories of personal data processed
We process various categories of personal data that you provide to us directly or that arise in connection with your use of the ROSES24.FI services, including in particular:
Identification and contact details:
first and last name
phone number
e-mail address
delivery and/or billing address
Account data:
information provided when registering a user account (e.g. username or name, password)
password is stored in encrypted form
Payment data:
bank or payment card details (in connection with online payments via Payment Service Providers)
other details necessary for processing payments and refunds (e.g. transaction identifiers)
Purchase data:
order and purchase history in the ROSES24.FI service (order dates, products or services purchased, amounts, payment method)
purchase data related to the ROSES24.FI loyalty programme (points earned and used, loyalty status, loyalty transaction history), if you participate in the loyalty programme
Customer service data:
information you provide when contacting our customer service (questions about products and services, complaints, feedback)
data on communication with customer service (e.g. content of messages, outcome of the case)
call recordings, if you have given your consent to the recording of calls
Website usage data:
technical information about the use of the website (IP address, cookies and other online identifiers, browser and device type and version, pages visited, actions taken on the site)
Audio and video surveillance data:
video and audio recordings captured by the CCTV system in our physical store at Atlantinkatu 14, 00180 Helsinki, Finland
All of the above data is treated as confidential and processed solely for the purposes described in this Policy.
4. Purposes and legal bases of processing
We collect and process personal data for clearly defined and legitimate purposes. The main purposes and corresponding legal bases under the GDPR are as follows:
Processing and fulfilling orders
receiving and processing orders
arranging the delivery of products
issuing invoices and receiving payments
notifying you about the status of your order
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Customer service
responding to enquiries and contacts
resolving issues related to products and services
handling returns, complaints and claims using your contact and order data
Legal basis: performance of a contract and, in certain cases, our legitimate interest to provide high-quality customer service (Article 6(1)(f) GDPR).
Personalisation and improvement of services
analysing your purchase history and interactions with us (e.g. which products you have ordered in the past)
providing product recommendations and personalised offers
improving the quality of our services and product range
When you contact us by phone, we may identify you by your phone number (see section 6) and take your order history into account.
Legal basis: our legitimate interest to develop our services and offer relevant products to our customers (Article 6(1)(f) GDPR).
Recording telephone calls for quality control
recording calls with your prior consent
monitoring and improving the quality of customer service and training staff
documenting the content of orders and agreements (e.g. confirmation of order details or delivery address) for resolving disputes
Legal basis: your explicit consent (Article 6(1)(a) GDPR).
Deliveries and logistics
processing delivery addresses and contact details
transferring necessary data to courier and logistics partners in order to deliver your order
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Processing of payments and refunds
transferring payment data (amount, currency, payment instrument, transaction identifiers) to Payment Service Providers
using bank account details to issue refunds in case of cancellations or returns
Legal basis: performance of a contract; compliance with legal obligations for accounting and taxation (Article 6(1)(c) GDPR).
Loyalty programme management
using purchase data for the ROSES24.FI loyalty programme
accruing and redeeming points and other benefits
determining and changing your loyalty status and providing programme-related advantages
Legal basis: performance of the contract (loyalty programme terms) (Article 6(1)(b) GDPR) and our legitimate interest to maintain and strengthen customer relationships (Article 6(1)(f) GDPR).
Marketing communications
sending marketing and information messages (news, campaigns, special offers, loyalty-related messages) to your e-mail address and/or phone number
Legal basis: your consent to direct marketing (Article 6(1)(a) GDPR) or, in certain cases, our legitimate interest to inform existing customers about similar products and services, provided that you can always object to such processing (Article 6(1)(f) GDPR).
Website operation and security
ensuring the technical functionality of the online store
storing your preferences (e.g. shopping cart contents, language settings)
preventing fraud and misuse and ensuring IT security
Legal basis: our legitimate interest to ensure the functionality, security and user-friendliness of the website (Article 6(1)(f) GDPR). For non-essential cookies, the legal basis is your consent.
Video surveillance in the store (security)
preventing crime, damage and incidents
protecting customers, employees and property
documenting incidents or disputes related to customer service situations
Legal basis: our legitimate interest to protect property, life and health and to fulfil our safety obligations (Article 6(1)(f) GDPR).
Compliance with legal obligations
retaining data for accounting and tax purposes
disclosing data to public authorities where required by law
Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR).
Protection of our legitimate interests
processing personal data in order to establish, exercise or defend legal claims (e.g. debt collection, legal proceedings)
Legal basis: our legitimate interest (Article 6(1)(f) GDPR).
We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, except for limited marketing and personalisation activities that do not have a significant impact on your rights and freedoms.
5. Recording of telephone calls
To ensure the quality of our customer service and to train our staff, your calls to ROSES24.FI (e.g. to our customer service) may be recorded.
At the beginning of the call, we will always inform you that the call may be recorded and ask for your consent. Calls are recorded only if you consent.
Purposes of call recording:
monitoring the quality of our customer service and staff performance
training and coaching of employees
documenting the content of agreements and orders (e.g. confirmation of an order or delivery address) for resolving possible disputes
Recordings are not used for other purposes and are not disclosed to third parties, except where explicitly required by law (e.g. an official request from law enforcement authorities).
Legal basis: your consent (Article 6(1)(a) GDPR).
If you do not want your call to be recorded, you can:
end the call; or
use another contact channel (e.g. e-mail).
Retention period:
call recordings are retained for no longer than 1 year from the date of the call
after this period, recordings are automatically deleted unless a longer retention period is necessary, for example, for the handling of a complaint or legal proceedings
Access to recordings:
only specifically authorised ROSES24.FI employees (e.g. quality managers or designated supervisors) may access recordings
such employees are bound by confidentiality obligations
recordings may be disclosed to third parties only in cases required by law (e.g. to the police upon an official request).
6. Automatic caller identification
To improve the speed and convenience of our services, we use automatic caller identification.
If you call us from a phone number that has been used in previous orders or that is linked to your customer profile, our system may:
automatically recognise your phone number
associate the number with your account and/or order history
Purpose:
to speed up identification and reduce the number of clarifying questions
to provide more personalised support based on your previous orders and contacts
Legal basis: our legitimate interest to enhance customer service efficiency and satisfaction (Article 6(1)(f) GDPR).
Automatic caller identification does not restrict your rights. If you do not wish your calls to be processed in this way, you can:
use another contact channel (e.g. e-mail); or
ask the agent to ignore your previous history and identify you by other means.
7. Cookies and website technical data
The ROSES24.FI website uses cookies and similar technologies to ensure its functionality and usability and to carry out statistical analysis.
Cookies are small text files stored on your device that allow the website to:
recognise you when you return
remember your choices and preferences (e.g. language, shopping cart contents)
Strictly necessary (functional) cookies:
are required for the basic functions of the online store (login, cart, language selection)
are processed on the basis of our legitimate interest to provide you with the online service you have requested
disabling these cookies may cause the website to malfunction
Analytical and preference cookies:
collect anonymised or pseudonymised statistics about the use of the website (e.g. pages visited, clicks, time spent)
help us improve the structure and content of the website
may require your consent under applicable law; you can withdraw your consent at any time via your browser settings or the cookie settings on our website
Marketing cookies:
may be used to display targeted advertising and offers based on your interests
at the time of adoption of this Policy, we do not use third-party marketing cookies without your knowledge and/or consent
if such technologies are introduced in the future, we will obtain your prior consent
When you visit the ROSES24.FI website, we may also collect the following technical information:
IP address and other network identifiers
date and time of your visit
information about your browser and operating system
the URL of the requested page and the referring page, if any
This information may be stored in server log files for a limited period of time (typically no longer than 1 year) and is used for ensuring security, diagnosing technical problems and investigating possible misuse or attacks (e.g. hacking attempts).
Legal basis: our legitimate interest to protect the integrity of the website and prevent misuse (Article 6(1)(f) GDPR).
8. Video surveillance in the store
Our physical store ROSES24.FI, located at Atlantinkatu 14, 00180 Helsinki, Finland, is under continuous video surveillance, which may also include audio recording.
Cameras are placed visibly and areas under surveillance are marked with appropriate signs.
Purposes of video surveillance:
protecting company property
preventing theft, damage and other unlawful acts
ensuring the safety of customers and staff
documenting circumstances of potential incidents and disputes related to customer service
Data processed:
video images (appearance and movements of persons within the camera field of view)
audio (voice, conversations and background sounds), where audio recording is enabled
This data is personal data because it may allow individuals to be identified directly or indirectly.
Processing of surveillance data:
the data controller is ROSES24SUOMI OY (ROSES24.FI)
only specifically authorised employees (e.g. management or security-responsible staff) have access to recordings
these employees are bound by confidentiality obligations
Legal basis: our legitimate interest to ensure safety, prevent damage and protect our rights in case of incidents (Article 6(1)(f) GDPR). When recordings are provided to authorities, the legal basis may also be compliance with legal obligations.
Retention period:
standard surveillance recordings (including audio) are retained for no longer than 7 days and then automatically deleted or overwritten
if an incident occurs (e.g. theft, accident, dispute), the relevant part of the recording may be extracted and retained for as long as necessary to investigate and handle the case or related legal claims
Use of recordings:
recordings are used solely for security and incident investigation purposes
they are not used for marketing or for monitoring employees’ working time
we do not use facial recognition or other biometric identification based on the recordings
recordings may be disclosed to competent authorities (e.g. police) in accordance with applicable law.
9. Disclosure of personal data to third parties
We respect the confidentiality of your data and do not disclose it to third parties except where:
it is necessary for providing our services;
it is required by law; or
you have expressly consented to it.
Personal data may be disclosed to the following categories of recipients:
Courier and logistics service providers
selected courier, postal and logistics companies that receive the data necessary for delivering your order (name, address, phone number, and, where needed, e-mail address)
these partners receive only the data required to perform the delivery
Payment Service Providers
payment processing partners, such as Montonio Finance UAB, Revolut Bank UAB, PayPal (Europe) S.à r.l. et Cie, S.C.A., and other payment service providers we may use
they receive the information necessary to process the payment (e.g. amount, currency, order number, name, contact details, technical transaction data)
payment details are processed in the secure environments of these providers; we do not store full card details (e.g. card number, CVC/CVV code)
Banks and financial institutions
if you choose credit or instalment payment options, we may transfer the necessary personal and financial data to the respective bank or financial institution
such institutions act as independent controllers and process personal data according to their own privacy policies
IT and hosting service providers
external providers responsible for hosting, maintaining and developing our website and underlying systems, and for data backup
access to personal data is limited to what is necessary for providing the respective service
these providers are bound by data processing agreements in accordance with the GDPR
Communication and marketing service providers
e-mail, SMS and CRM systems and marketing automation platforms that we use for sending messages, including loyalty programme communications (information about points, status and personalised offers)
such providers process your contact data (e-mail, phone number, name) only according to our instructions and are not allowed to use the data for their own purposes
Accounting and auditing firms
external accountants and auditors to whom we provide information required for bookkeeping and fulfilling our tax obligations
they are bound by legal confidentiality and data protection obligations
Legal advisers and debt collection agencies
in the event of a dispute or unpaid debt, we may transfer relevant data (contract documents, order details, contact details, payment information) to our legal advisers or debt collection agencies
this is done solely to protect our legal rights and interests
Public authorities and supervisory authorities
personal data may be disclosed to competent authorities (e.g. police, tax authorities, data protection authority) where required or permitted by law
in each case, we carefully assess the legality of the request and disclose only the minimum necessary data
Transfers of personal data outside the EU/EEA (to “third countries”) take place only if an adequate level of data protection is ensured in accordance with the GDPR (e.g. European Commission adequacy decision, standard contractual clauses, or other appropriate safeguards).
10. Retention periods
We retain personal data only for as long as necessary to fulfil the purposes described above or as required by law. Retention periods depend on the data category and the purposes of processing.
For example:
Account data
retained as long as your user account remains active
when the account is deleted, data is deleted or anonymised, except where retention is required by law (e.g. order data for accounting) or necessary for protecting our legal interests (e.g. unresolved disputes)
Purchase data without an account
if you make purchases without registering an account, order and purchase data are typically retained for up to 3 years from the date of purchase
this is necessary for handling repeat enquiries, returns, warranty issues and business analysis
if you participate in the loyalty programme without a full account, purchase data relating to your participation may be retained for the duration of your participation and thereafter for the periods required by law (e.g. for accounting and limitation periods)
Customer service communications
e-mails, chat messages and other communications are normally retained for up to 3 years from the last interaction, unless a longer period is required by law or due to an ongoing dispute
call recordings are retained for no longer than 1 year, unless a longer retention period is necessary for handling complaints or disputes
Marketing data
information about your consent to receive marketing and the marketing messages we have sent is retained until you withdraw your consent or unsubscribe
after you opt out, we may retain minimal information (e.g. your e-mail address in a suppression list) to ensure that no further marketing messages are sent
Video surveillance data
standard CCTV footage is retained for no longer than 7 days and then deleted or overwritten
if a recording is extracted due to an incident, it may be retained for as long as necessary to investigate and handle the case or related claims
Payment and accounting data
data included in accounting records (invoices, payment records, etc.) are retained for the period required under Finnish bookkeeping and tax legislation, typically up to 7 years after the end of the financial year in which the transaction occurred
Data related to disputes and incidents
personal data relevant to claims, disputes or investigations (e.g. call recordings, video footage, correspondence) is retained until the matter is fully resolved and for the applicable limitation period
Once the retention period has expired, personal data is permanently deleted or irreversibly anonymised.
11. Security of processing
We implement appropriate technical and organisational measures to protect personal data against:
unauthorised access
accidental or unlawful loss, destruction or alteration
unauthorised disclosure or other unlawful forms of processing
Such measures include, among others:
Secure data storage
personal data is primarily stored on servers located within the EU/EEA
data centres meet relevant information security standards
Encryption and secure connections
the ROSES24.FI website uses SSL/TLS encryption (https)
confidential data is transferred via secure channels to Payment Service Providers
Access control
access to personal data is limited to those employees who need it to perform their job duties (e.g. customer service, accounting, IT)
employees are bound by confidentiality obligations
access to particularly sensitive data (e.g. payment data, call recordings, CCTV footage) is strictly restricted
Internal policies and training
we maintain internal data protection and information security policies
staff receive appropriate training on data protection and confidentiality
Technical protection and monitoring
software and systems are kept up to date, and we use appropriate protection against malware and unauthorised access
where necessary, we engage external experts to audit and improve our security measures
Data processing agreements
all external service providers processing personal data on our behalf are bound by data processing agreements requiring them to protect personal data in accordance with the GDPR and our instructions
Although no method of data transmission over the Internet or method of electronic storage is completely secure, we continuously work to improve our security measures and reduce the risks of data breaches and unauthorised access.
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will act in accordance with the GDPR: we will notify the competent supervisory authority and, where required, inform you and provide recommendations on how to mitigate possible negative effects.
12. Rights of data subjects
Under the GDPR, you have several rights in relation to your personal data. ROSES24.FI respects these rights and facilitates their exercise.
In particular, you have the right to:
Right to information
obtain clear and transparent information about how we process your personal data, for which purposes, on what legal basis, to whom we disclose it, and for how long we retain it.
Right of access
obtain confirmation as to whether we process personal data concerning you
receive a copy of the personal data we hold about you (the first copy is free of charge; a reasonable fee may be charged for additional copies as permitted by law)
Right to rectification
request the correction of inaccurate or incomplete personal data
you can also correct some basic details yourself via your user account
Right to erasure (“right to be forgotten”)
request the deletion of your personal data in certain situations, for example when the data is no longer necessary for the purposes for which it was collected, when you withdraw your consent and there is no other legal basis for processing, or when processing is unlawful
we will not delete data that we are legally obliged to retain or that we need to retain for the establishment, exercise or defence of legal claims (e.g. accounting records for a legally required period)
Right to restriction of processing
request that the processing of your personal data be restricted (excluding storage), for example while we verify the accuracy of the data or assess an objection to processing
during the restriction period, we will not process the data for purposes other than storage and certain limited purposes (e.g. legal claims)
Right to data portability
where processing is based on your consent or a contract and carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and/or to transmit those data to another controller, where technically feasible
Right to object
object at any time to the processing of your personal data based on our legitimate interests (including profiling)
in such cases, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or unless the data is needed for legal claims
where personal data are processed for direct marketing purposes, you have an absolute right to object at any time; if you do so, we will stop processing your data for direct marketing (including related profiling)
Right to withdraw consent
where processing is based on your consent, you have the right to withdraw your consent at any time
withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal
Right not to be subject to automated decision-making
you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you
we do not carry out such automated decision-making without human involvement in our operations
Right to lodge a complaint with a supervisory authority
if you believe that the processing of your personal data infringes the GDPR or other applicable data protection legislation, you have the right to lodge a complaint with the competent supervisory authority (see section 15)
we nevertheless encourage you to contact us first so that we can try to resolve the issue directly.
We aim to respond to your requests without undue delay and in any case within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. In such cases, we will inform you of any extension and the reasons for the delay.
To protect your data, we may need to verify your identity before acting on your request, for example by asking you to provide additional information.
In principle, the exercise of your rights is free of charge. However, where requests are manifestly unfounded, excessive or repetitive, we may charge a reasonable fee or refuse to act on the request, as permitted by the GDPR.
13. Direct marketing and loyalty programme
We may use your contact details (e-mail address, phone number) for direct marketing and loyalty programme communications, subject to the following conditions:
you have given your explicit consent; or
you are an existing customer and applicable law allows us to send marketing messages about similar products and services, provided that you are always given the opportunity to object.
Marketing communications may include:
information about ROSES24.FI products and services
information about campaigns, discounts and special offers
personalised offers for loyalty programme members (information about points, status, additional benefits)
invitations to events and surveys
Form and frequency of messages:
most messages are sent by e-mail
in some cases, with your consent, we may also send SMS messages or call you regarding offers
we aim to keep the frequency reasonable and not to overload you with messages
Opting out of marketing:
You can opt out of receiving marketing communications at any time by:
clicking the unsubscribe link included in each marketing e-mail;
following the instructions in an SMS (e.g. replying “STOP”); or
contacting us using the contact details provided in section 14.
Opting out of marketing does not affect service messages related to your orders or our contractual obligations (such as order confirmations, delivery notifications or customer service responses).
We may use your purchase history and preferences to personalise marketing messages to a limited extent (profiling). Such profiling does not have significant legal effects on you and you can object to this processing at any time.
14. Contact details
If you have any questions about this Policy or the processing of your personal data, or if you wish to exercise your data protection rights, you can contact us at:
E-mail: [email protected]
Phone: +358 942 727 622
Postal address for written requests:
ROSES24SUOMI OY (ROSES24.FI)
Business ID: 3400085-4
Atlantinkatu 14, 00180 Helsinki, Finland
Please describe your request clearly and provide your contact details so that we can process it appropriately and respond.
15. Supervisory authority
The supervisory authority responsible for data protection in Finland is:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: www.tietosuoja.fi
E-mail: [email protected]
Phone: +358 29 566 6700
Postal address:
Tietosuojavaltuutetun toimisto
PO Box 800
00521 Helsinki, Finland
If you believe that the processing of your personal data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with this authority.
16. Changes to this Policy
We reserve the right to review and update this Policy from time to time, for example due to changes in legislation, our services, systems or business operations.
In case of significant changes (for example, if we begin to process personal data for new purposes that require consent), we will inform you separately, for example via our website and/or by e-mail.
This Policy was last updated on 9 December 2025.
Previous versions of this Policy are available upon request.
Thank you for choosing ROSES24.FI. We are committed to ensuring that your experience with us is not only convenient, but also safe in terms of the protection of your personal data.
