Tietosuojaseloste
Privacy statement
Blue Hero Oy 8.8.2025
1. Registrar
Blue Hero Oy
Business ID: 2900609-4
Registry contact person:
Data Protection Officer
Jenny Law
info@littleheroes.fi
2. Purpose of Processing Personal Data
We primarily process personal data to provide daycare services to our customers. The legal basis for processing is either a contract or the preparation of a contract for the use of our services, as well as our statutory obligations. This also includes related activities such as communication, invoicing, and other necessary services.
Consent is the legal basis when processing, for example, photographs or other data that is not essential for service provision. For these other types of processing, we always collect separate consent and provide more information at the time of collection.
3. What Data Is Processed and How Long Is It Retained?
Data may also be used for marketing purposes. In such cases, the legal basis is either the right to send direct electronic marketing to our existing customers or consent in other cases.
You can read more about withdrawing consent and marketing opt-out in section 8: Rights of the Data Subject.3.
To provide our services, we may process the following data:
Name
Address
Phone number
Email address
Personal identity number
Emergency contacts
Early childhood education plans and their follow-up
For children: relevant allergies, health conditions, and medication information (if necessary)
We may also process other information provided by guardians that is necessary for the child’s care.
For marketing purposes, only contact details are processed. Marketing-related data is retained for the duration of the consent, typically 2 years.
All data is retained only as long as necessary for its intended use and is securely destroyed thereafter. Contract-related data is typically retained for 10 years after the end of the contract, and accounting records are kept for 6 years.
4. Where Does the Data Come From?
Personal data is always collected directly from the child’s guardians. We do not collect personal data from other sources.
5. Is Data Disclosed Outside the Company?
Data is not disclosed to third parties except as required by law. Blue Hero Oy uses third-party service providers for service provision, in which case these parties act as data processors on our behalf. This processing is governed by contracts that strictly prohibit them from using personal data for their own purposes.
Examples include IT services, information systems, accounting services, and other necessary support services.
Blue Hero Oy updates children’s data to the national early childhood education data repository (VARDA) as required by law (Early Childhood Education Act).
More about VARDA’s privacy policy:
https://opintopolku.fi/konfo/fi/sivu/varda-palvelun-tietosuojaseloste
6. Are Data Transferred Outside the EU or EEA?
We also use service providers based in the United States, for example for IT services (such as Microsoft). Even in such cases, processing is governed by data processing agreements that bind these providers to process personal data only on our behalf and not for their own purposes.
The primary data transfer mechanism is the EU-U.S. Data Privacy Framework, which has an adequacy decision by the European Commission.
When using service providers outside the EEA, we always require encryption, data security certifications, and other protective measures. We also aim to minimize the amount and sensitivity of data processed in such services.
7. Data Security
Personal data is always processed confidentially. Access to personal data in electronic systems is limited to our employees, and access rights are personal and based on need. Staff can only access the information required for their duties.
Non-electronic data is stored in locked and/or monitored facilities.
All suppliers are vetted at the contract stage and are required to meet appropriate data security standards.
Guardians may access certain data (e.g., communication, photos with consent). When accessing such data, it’s important that personal devices (phones, tablets, etc.) are adequately protected to prevent unauthorized access.
Information about other customers, children, or operational practices must not be shared outside the organization to maintain a secure and trustworthy environment.
8. Rights of Data Subjects
You may exercise your rights at any time by contacting the address provided at the beginning of this statement.
8.1 Right of Access
You have the right to know what personal data is being processed about you and to receive a copy upon request.
8.2 Right to Rectification
You have the right to have inaccurate, outdated, incomplete, or unnecessary data corrected by contacting us.
8.3 Right to Erasure (‘right to be forgotten’)
You can request us to delete personal data from our systems. We will comply unless we have a legal obligation to retain the data (e.g., due to statutory retention requirements). In such cases, data is destroyed only after the legally mandated period ends.
8.4 Right to Withdraw Consent and Object to Processing
You can withdraw your consent at any time without affecting the legality of prior processing.
To withdraw consent, object to processing, or opt out of marketing, contact the address at the beginning of this statement.
8.5 Right to Restrict Processing
You have the right to restrict processing, for example, if there are doubts about the accuracy or lawfulness of the processing.
8.6 Right to Data Portability
While we cannot directly transfer daycare-related data to other service providers due to system limitations, you have the right to receive the personal data you provided in a machine-readable format.
This right applies to data processed automatically based on contract or consent.
8.7 Right to Lodge a Complaint
We hope you will contact us first if you are dissatisfied with the processing of your personal data so we can resolve the matter promptly.
However, you also have the right to file a complaint with the supervisory authority:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja(at)om.fi
9. Changes to This Privacy Statement
Blue Hero Oy may update this privacy statement from time to time without prior notice.
However, if material changes are made, we will inform all affected individuals via their provided email addresses or otherwise in writing.