Privacy policy
Kodan Oy | Last updated: 11 March 2026
This privacy policy explains how Kodan Oy collects, uses, and protects your personal data. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), applicable Finnish data protection legislation, and the Act on the Protection of Privacy in Working Life (759/2004).
We maintain two separate data registries, the Business Partner Registry and the Recruitment Registry, each described in detail below.
1. Data Controller
Kodan Oy
Vilhonkatu 5, 00100 Helsinki, Finland
Phone: +358 (0)44 552 5952
Privacy contact: marko.loukkola@kodan.fi
2. Business Partner Registry
This registry covers data relating to our current, past, and prospective business partners and their contact persons, as well as anyone who has interacted with our marketing activities.
2.1 Purpose and legal basis
We process business partner data for the following purposes:
Managing sales activities and customer relationships
Project coordination and communication
Sending newsletters and other email marketing communications
Organising and managing events, webinars, and workshops
Digital advertising and retargeting on digital advertising platforms
Creating and using custom audiences and lookalike audiences on advertising platforms
Analysing website behaviour and marketing performance (via cookies and tracking tools)
Maintaining and developing business partner relationships
The legal basis for processing your data depends on the specific activity:
Legitimate interest: We rely on this for managing our professional business relationships, sales activities, and B2B marketing.
Consent: Where required by applicable law, we will request your consent before processing your data.
2.2 Data collected
We may collect the following data about business partner contacts:
Full name and job title
Business email address and phone number
Company name and address
Records of prior communications (emails, calls, meetings)
Newsletter subscription status and communication preferences
Event attendance and participation information
Website interaction data (pages visited, content downloaded) collected via cookies
Advertising interaction data (e.g. ad clicks, form submissions via advertising platforms)
2.3 Sources of data
We collect data primarily through:
Direct contact with the individuals concerned
Company websites and public professional directories (e.g. LinkedIn)
Event registrations and webinar sign-ups
Newsletter subscriptions and website contact forms
Cookies and tracking technologies on our website
Digital advertising platforms when contacts interact with our ads or campaigns
2.4 Data retention
We retain business partner data according to the following principles:
Active business relationships: retained for the duration of the relationship
After a business relationship ends: retained for up to 5 years
Inactive prospects: deleted once we determine there is no longer realistic business potential; reviewed periodically
Newsletter subscribers: retained until unsubscribed; list reviewed and cleaned regularly
Event participation data: treated as general marketing data and retained accordingly
Advertising audience data: managed in line with the respective platform's data retention settings
2.5 Data processors and international transfers
We use third-party platforms and service providers to support our sales, marketing, and communication activities. These may include CRM systems, email marketing tools, digital advertising platforms, and analytics services. The specific tools we use may change over time.
Some of these providers are based outside the EU/EEA, including in the United States. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
Third-party advertising platforms may act as independent data controllers for their own purposes. We recommend reviewing the privacy policies of any platforms you interact with directly.
2.6 Newsletter and email marketing
We send a newsletter and other marketing emails to business contacts. Each email includes a clear and easy unsubscribe link. You can opt out at any time by clicking the unsubscribe link in any email or by contacting us directly.
We will not send further marketing communications to contacts who have unsubscribed. Unsubscribe requests are processed promptly, and within 10 business days at the latest.
Individual sales emails sent by Kodan personnel may also include open and click tracking for the purpose of managing and improving relationship management.
2.7 Events and webinars
When you register for or attend a Kodan event or webinar, we collect registration details such as name, email address, and company. This data is used for managing the event, communicating with participants, and for subsequent marketing activities. Event participation data is treated as general marketing data and retained accordingly.
2.8 Digital advertising
We run paid advertising campaigns on digital advertising platforms. These platforms may use data about you — such as your email address or website visit behaviour — to show you relevant Kodan advertisements. This may include:
Custom audiences: uploading contact lists to advertising platforms to reach known contacts
Lookalike audiences: platforms identifying users with similar characteristics to our contacts
Website retargeting: showing ads to people who have previously visited our website (requires cookie consent)
You can manage your advertising preferences within the settings of any platform where you see our ads.
2.9 Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects in relation to business partner data.
3. Recruitment Registry
This registry manages applications and information submitted by people interested in working at Kodan Oy.
3.1 Purpose and legal basis
We process applicant data for the purpose of evaluating job applications and conducting our recruitment process, including sourcing potential candidates for future roles.
Legal basis: Legitimate interest. Kodan Oy has a legitimate interest in processing applicant data to find and hire suitable employees and to manage a professional recruitment process. We also process data to fulfil our obligations under the Finnish Act on the Protection of Privacy in Working Life. Where explicit consent is required — for example, for extended storage of data beyond the standard retention period — we will request it separately.
3.2 Data collected
We collect the following types of data from applicants:
Full name, email address, and phone number
Educational background and work experience (CV/résumé)
Job preferences and competence profile
Interview notes and assessments
Any additional information provided voluntarily by the applicant
3.3 Data retention
Applicant data is stored for a maximum of two (2) years from the date of application, unless the applicant gives explicit consent for longer storage (for example, to be considered for future openings). Data is deleted upon request at any time.
3.4 Data processors and international transfers
Applicant data may be stored and processed using a range of tools, including cloud-based collaboration and document management platforms (such as file storage services and shared workspaces). Some of these tools may be operated by providers outside the EU/EEA. Where data is transferred outside the EU/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).
Access to applicant data across all tools is limited to employees involved in the recruitment process.
3.5 Recruitment agencies and sourcing
We may engage third-party recruitment agencies to assist in finding candidates. In such cases, the agency may receive relevant applicant data (such as CV and contact details) to the extent necessary to carry out the search. Agencies are required to handle personal data confidentially and in compliance with GDPR.
Depending on the nature of the engagement, a recruitment agency may act as a data processor on our behalf, or as an independent data controller with respect to data they collect directly from candidates. Candidates will be informed when a third-party agency is involved in their recruitment process.
When sourcing passive candidates from public sources such as LinkedIn or professional directories, we adhere to the principle that data should primarily be collected from the individual concerned. Candidates sourced in this way will be informed of the processing of their personal data at the latest upon first contact.
3.6 Access control
Access to applicant data is restricted to Kodan Oy employees directly involved in the recruitment process, and any engaged third parties as described above. Data is treated as confidential and is not shared with any other external parties.
3.7 Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects in the recruitment process. All hiring decisions are made by Kodan Oy personnel.
4. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of access — You can request a copy of the personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate or incomplete data.
Right to erasure — You can request that we delete your personal data.
Right to restriction of processing — You can ask us to limit how we use your data in certain circumstances.
Right to data portability — You can request your data in a structured, machine-readable format.
Right to object — You can object to processing based on legitimate interest, including for direct marketing purposes. If you object to marketing, we will stop immediately.
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us. You’ll find the proper contact information under the header “8. Contact”.
We will respond within 30 days. If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu): www.tietosuoja.fi.
5. Cookies
Our website uses cookies to personalise content, enable advertising features, and analyse traffic. Cookies set by third-party advertising platforms may be used for retargeting and campaign measurement. For full details and to manage your preferences, see our Cookie Policy at kodan.fi/cookies.
6. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. Access to data is restricted to authorised personnel on a need-to-know basis.
7. Changes to This Policy
We may update this privacy policy from time to time. The latest version is always available at kodan.fi/privacy. We will communicate significant changes through appropriate channels.
8. Contact
For questions about this policy or how we handle your personal data, please contact:
Kodan Oy
Marko Loukkola
Vilhonkatu 5, 00100 Helsinki, Finland
marko.loukkola@kodan.fi
+358 (0)44 552 5952