General information

Starstuff Oy (later”company”, or “we”) respects your privacy and is dedicated to protecting the privacy of persons using our products and services. This privacy policy describes how the company processes personal data; what kinds of personal data the company collects, for which purposes the data is used and to which parties the data can be disclosed. This privacy policy applies to the use of our website and platform, and the services related to those.

Personal data refers to any information relating to a natural person (“data subject”) that can identify him/her directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). The company complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (data protection legislation). 

Controller

Controller: Starstuff Oy

Address: c/o Maria01, Lapinlahdenkatu 16, 00180 HELSINKI

Email: hello (at) starstuff.space

Purposes and legal basis for processing personal data

Personal data will be processed for the following purposes: 

• Registration to use our services and user account management based on contract or its preparation.

• Delivery of services based on contract or its preparation.

• Invoicing (including debt collection) based on contract or its preparation.

• Customer service, feedback and related communications  based on company's legitimate interest.

• Management and administration of our relationship with our business partners based on company's legitimate interest.

• Provision of information and materials related to our services, for example by newsletters and direct marketing based on company's legitimate interest or data subject’s consent.

• Identifying potential customers who are using our services for the purposes of targeting relevant marketing to such persons based on company's legitimate interest.

• Registrations for our events based on company's legitimate interest.

• Market and customer analysis and surveys based on company's legitimate interest.

• Business planning and product development based on company's legitimate interest.

• Monitoring the use of our website and service to improve the functionality and user experience and to present the content of our website and service in a manner ideal for the visitor’s device based on consent.

• Providing marketing on our website and service using cookies based on consent. 

• Enabling social media services such as videos and sharing buttons based on consent. 

• Fulfilment of statutory obligations, such as obligations under tax and accounting legislation based on statutory obligation.

• Ensuring security of our services and preventing abuses based on statutory obligation or legitimate interest.

• Establishing, exercising, or defending against legal claims based on statutory obligation, or our legitimate interest.

For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest with the data subjects right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.

Automated decision making and profiling 

Profiling refers to the automatic processing of personal data in which some of your personal characteristics are evaluated using personal data. We profile customers, for example, for marketing and service development purposes. However, we consider that such profiling does not have the legal effects referred to in the data protection regulation or any other significant effects on the object of the profiling.

Based on their purchase data and other customer data, the customer is profiled into a customer group that has certain characteristics or is considered to be interested in certain types of products or services.

Various calculation models are used to create profiles, which can be based on either simple rules or more complex calculation models. The calculation models are based, for example, on the products or services you use and purchase or on your geographic location. Information can also be collected through surveys and statistics. With the help of the collected data, we aim to optimize the benefits of our service for customers.

The company does not make automated decisions.

Personal data of Minors

Our service is intended for users over 13 years old, and we do not process personal data of younger people. If you believe that we might have any data about a child under the age of 13, please contact us at help(at)starstuff.space.

What personal data is collected, stored and processed? 

The company collects only such personal data from the data subject that is relevant and necessary for the purposes described in this privacy policy.

The following personal data from the data subjects will be processed:

• Name and e-mail address from registered Google users

• Information related to service accounts such as nickname, username and password.

• Consents and objections related to direct marketing.

• Other information necessary for maintaining the business partner relationship, such as billing information, feedback, other message history and marketing preferences.

• Information about the use of our services, including data collected through profiling.

• Electronic identification and behavior data such as 

• User’s IP address and log data

• creator ID

• virtual space IDs

• item IDs

• creator’s email

• time stamp of creating spaces/items 

• images that users have uploaded and created 

• event data about actions performed by users, e.g. walking, talking, creating space.

Data sources

The personal data is mainly collected directly from the data subjects themselves, for example, in connection with using our services or contacting us.

In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context.

Personal data may be updated and supplemented by collecting data from social media providers, such as Meta and Google.

Retention of personal data

Personal data collected in connection with our services shall be retained as long as need for the purposes defined in this privacy policy and as required by the law, unless such data is replaced through regular updates or otherwise. The periods vary greatly from one type of processing to another.

We retain your personal data for the duration of your active use of the service. When you are inactive for two years, we delete or anonymize your data. For accounting purposes, we store the necessary data for the current year and six years after that.

Detailed retention times can be provided upon requests.

We evaluate the necessity and accuracy of the personal data on a regular basis and endeavor to ensure that the incorrect and unnecessary personal data are corrected or deleted.

Who has access to the personal data?

For the purposes stated in this privacy policy, the personal data may be disclosed, when necessary, to authorities, and to other third parties, such as third-party service providers (such as our IT vendors and marketing agencies conducting marketing on our behalf etc.). In such case, the personal data will only be disclosed for purposes defined above. For analytics we use e.g. the following service providers: Amplitude, Hotjar ja Google Analytics. We use Stripe as a payment service provider.

List of other processors and other recipients can be provided upon a request.

In addition, the company may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements. 

The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety of the products and services.

Is data transferred outside the European Union or the European Economic Area?

The servers and data related to our services are mainly hosted within the European Union (EU). In case personal data is exceptionally transferred outside EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as standard data protection clauses adopted or otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.

Following service providers can transfer data outside the EU/EEA: 

• Amplitude (EU-U.S. Data Privacy Framework)

• Hotjar’s subprocessors (EU-U.S. Data Privacy Framework)

• Google LLC (EU-U.S. Data Privacy Framework)

• Stripe, Inc. (EU-U.S. Data Privacy Framework)

How is the data protected?

Securing the integrity and confidentiality of personal data is important to us. We have taken adequate technical and organizational measures in order to keep personal data safe and to secure it against unauthorized access, loss, misuse or alteration by third parties. Nevertheless, considering the cyber threats in modern day online environment, we cannot give full guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data or absolute security of the personal data during its transmission or storage on our systems.

Rights of data subjects

The data subject has a number of rights under applicable data protection laws. 

Right of access and right of inspection

The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.

The data subject has the right to inspect and view data concerning him or her and, upon a request, the right to obtain the data in a written or electric form. This applies to information that the data subject has provided to the company insofar the processing is based on a contract/consent.

Exercising this right is generally free of charge.

Right to rectification and right to erasure

The data subject has the right to require us to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing.

However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy policy and may also be required to be retained by applicable laws.

Right to data portability

The data subject has the right to receive the personal data that he or she has provided to us in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller. This right applies when the processing of the personal data is based on consent or a contract.

Right to restriction of processing

The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his/ her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, the company will limit the access to such data. 

Right to object to processing

The data subject has the right to object to the processing of data where we are relying on its legitimate interests as the legal ground for processing. For example, the data subject may object to his/her personal data being used for marketing purposes.

Right to withdraw consent

In cases where the processing is based on the data subjects’ consent, he/she has the right to withdraw his/her consent to such processing at any time.

Exercising rights

Requests regarding the rights of data subjects shall be made in written or in electronic form, and the request shall be addressed to the controller mentioned on this privacy policy.

If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. The company may refuse a request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services.

The data subject may exercise the aforementioned rights by sending a written request to help (at) starstuff.space.

If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current legislation. 

However, we request that the matter be dealt with the company in the first instance. 

The relevant authority in Finland is the Data Protection Ombudsman (www.tietosuoja.fi). 

Changes to the privacy policy

Starstuff may make changes to this privacy policy at any time by giving a notice on the website and/or by other applicable means. The data subjects are highly recommended to review the privacy policy on our website every now and then. If the data subject objects to any of the changes to this privacy policy, the data subject should cease using the services, where applicable, and he/she can request that we remove the personal data, unless applicable laws require us to retain such personal data. Unless stated otherwise, the then-current privacy policy applies to all personal data we process at the time. 

This privacy policy has been published on 13.9.2024, version 1.0