This policy explains how Jointscartilage collects, uses and protects your personal data in accordance with the General Data Protection Regulation (GDPR), the Finnish Data Protection Act (1050/2018) and other applicable legislation.
Last updated:
Summary: Jointscartilage collects only the personal data necessary to operate our services. We do not sell your data. We do not use it for purposes beyond what is stated here. You have the right to access, correct or delete your information at any time.
1 Data Controller Details
The data controller responsible for the personal data collected through this website and associated services is:
Jointscartilage
Vantaanportinkatu 3
01510 Vantaa
Finland
Business ID (Y-tunnus): 2847891-2
References to "we", "us" or "our" throughout this policy refer to Jointscartilage in its capacity as data controller.
2 Personal Data We Collect
We collect personal data through the following channels and in the following categories:
2.1 Contact Form Submissions
When you submit a query through our contact form, we collect:
Full name
Email address
The contents of your message
Date and time of submission
Your GDPR consent record
2.2 Membership Registration
When you register as a member or enquire about membership, we may collect:
Full name
Email address
Telephone number (if provided)
Preferred membership tier
Emergency contact details (collected during orientation for active participants)
Correspondence records related to your membership
2.3 Website Usage Data
When you browse our website, we may automatically collect the following through cookies and server logs, subject to your consent preferences:
IP address (anonymised where possible)
Browser type and version
Device type and operating system
Pages visited and time spent
Referring website or source
This data is collected only if you consent to analytics cookies. See our Cookie Policy for full details.
2.4 Ride Participation Records
For members participating in group rides and programs, we maintain records including:
Ride attendance dates and route names
Program participation records
Coordinator notes relevant to safety or scheduling (e.g. ability level selection)
3 Purposes of Processing
We process your personal data for the following specific purposes:
Responding to enquiries: To process and respond to contact form submissions and direct communications.
Membership administration: To manage your membership registration, billing, tier changes, and related correspondence.
Ride coordination: To organise group rides, communicate schedule updates, cancellations and safety information to participating members.
Program delivery: To administer workshops, route consultations and other educational programs you have registered for.
Marketing and advertising measurement: Where you consent to marketing cookies, we may process pseudonymous usage data to measure the effectiveness of online advertising campaigns and to understand how visitors arrive at this website.
Legal and safety obligations: To maintain records required by Finnish law, to respond to regulatory requests, and to safeguard participant safety during organised activities.
Website improvement: To analyse aggregated, anonymous usage data in order to improve the functionality and content of our website — only where analytics cookies are consented to.
Communications: To send member newsletters and program announcements to those who have actively opted in to receive them.
We do not use your personal data for automated decision-making or profiling in ways that produce legal or similarly significant effects on you.
4 Legal Basis for Processing
Our processing activities are carried out on the following legal bases under Article 6 of the GDPR:
Consent (Article 6(1)(a)): Processing related to contact form submissions (where explicit consent is given), marketing communications, and analytics cookies.
Contract performance (Article 6(1)(b)): Processing necessary to fulfil your membership agreement, including ride coordination, program access and billing administration.
Legal obligation (Article 6(1)(c)): Processing required to comply with applicable Finnish law and EU regulations, including record-keeping and regulatory reporting.
Legitimate interests (Article 6(1)(f)): Processing for internal administrative purposes, basic website security and fraud prevention, where these interests are not overridden by your rights and interests.
Where we rely on consent as our legal basis, you have the right to withdraw your consent at any time without affecting the lawfulness of any processing carried out before withdrawal.
5 Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, subject to legal requirements:
Contact form data: Retained for 12 months from the date of submission, or longer if your enquiry leads to an ongoing membership or service relationship.
Membership data: Retained for the duration of your active membership and for 3 years following the termination of your membership, in accordance with Finnish commercial record-keeping obligations.
Ride participation records: Retained for 3 years following the date of the activity, primarily for safety and insurance documentation purposes.
Financial and billing records: Retained for 6 years in accordance with Finnish accounting legislation (Kirjanpitolaki 1336/1997).
Website analytics data: Retained in aggregate, anonymised form for up to 26 months. No individually identifiable analytics data is retained beyond 12 months.
Consent records: Retained for as long as the activity to which the consent relates, plus 3 additional years for compliance purposes.
When data reaches the end of its retention period, it is securely deleted or anonymised in a manner that renders individual identification impossible.
6 Data Sharing and Transfers
We do not sell, rent or trade your personal data to any third party. We may share your data only in the following limited circumstances:
6.1 Service Providers (Data Processors)
We use a small number of third-party service providers who process data on our behalf under data processing agreements. These may include:
Email delivery service providers (for transactional emails and newsletters)
Website hosting providers
Analytics service providers (where you have consented to analytics cookies)
All processors are required to handle data in accordance with GDPR and our documented instructions. We do not permit processors to use your data for their own purposes.
6.2 Legal Requirements
We may disclose personal data to competent authorities if required by Finnish law, court order, or to protect the legal rights or safety of individuals associated with our organisation.
6.3 International Transfers
Our primary operations are based within the European Economic Area (EEA). Where any processor is located outside the EEA, we ensure that adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
7 Your Rights
Under the GDPR and Finnish data protection law, you have the following rights in relation to your personal data:
Right of access (Article 15 GDPR): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
Right to rectification (Article 16 GDPR): You have the right to request correction of inaccurate or incomplete personal data.
Right to erasure (Article 17 GDPR): You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected.
Right to restriction of processing (Article 18 GDPR): You may request that processing of your data be restricted in certain circumstances, such as while a correction request is being handled.
Right to data portability (Article 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, machine-readable format.
Right to object (Article 21 GDPR): You have the right to object to processing based on legitimate interests. We will consider whether our interests override yours and inform you of the outcome.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time by contacting us or adjusting your cookie preferences.
Right not to be subject to automated decisions: We do not carry out automated decision-making with legal or similarly significant effects.
To exercise any of these rights, please contact us using the details in Section 1 or Section 12. We will respond within one calendar month of receiving a verified request. In complex cases, we may extend this by a further two months, with notification.
8 Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction or disclosure. These include:
All website traffic is served over HTTPS with TLS encryption.
Access to personal data systems is restricted to authorised personnel only, with role-based access controls.
Staff with access to personal data receive training on data protection responsibilities.
Physical documents containing personal data are stored securely and access is controlled.
Data handling practices are reviewed regularly to identify and address vulnerabilities.
Incident response procedures are in place; data breaches are reported to the Finnish Data Protection Ombudsman within 72 hours where required by Article 33 GDPR.
While we take all reasonable measures, no internet-based data transmission is entirely risk-free. We encourage you to use strong, unique passwords for any accounts and to contact us immediately if you suspect unauthorised access to your personal data.
9 Cookies
We use cookies and similar technologies on our website. Strictly necessary cookies are always active; all other categories require your explicit consent. You can manage your cookie preferences at any time through the Cookie Settings option in our cookie banner.
For full details of the cookies we use, the purposes they serve and your options, please read our Cookie Policy.
10 Minors
Our website is intended for use by individuals aged 16 and over. We do not knowingly collect personal data from individuals under the age of 16 without verifiable parental or guardian consent. If you believe a minor has submitted personal data to us without appropriate consent, please contact us and we will take prompt steps to delete the information.
Participants under the age of 18 who wish to join organised rides must have a parent or guardian provide written consent prior to participation. This requirement is communicated during the orientation process.
11 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or operational circumstances. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active members by email.
We encourage you to review this policy periodically. Continued use of our website or services after changes are published constitutes acknowledgement of the updated policy.
12 Contact and Complaints
If you have any questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how we have handled your data, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):
Website: tietosuoja.fi
Address: PO Box 800, FI-00531 Helsinki, Finland