Privacy Policy - Lean Habit

Effective from: 4.12.2025
Applies to the site: leanhabit.fi ("Site")

1. Data Controller


Lean Habit Ltd.

Business ID: 3358237-7
Location: Kokontie 1 A 1, 04320 Tuusula
Email: info@leanhabit.fi
Phone: 044 296 2382

Data Protection Contact: Elina Sotaniemi, elina@leanhabit.fi

2. For what purposes and on what grounds do we process data


The purposes of processing and legal bases (GDPR):

  • Site operation and data security (logs, load, error monitoring) – legitimate interest.

  • Contacts and meetings (forms, email, calendar booking) – contract / pre-contractual actions.

  • Customer relationship management and sales (leads, offer details, project communication) – legitimate interest.

  • Marketing and communication (news, invitations, B2B contacts) – consent / legitimate interest.

  • Visitor statistics and development (GA4) – consent.

  • Legal obligations (e.g., accounting) – legal obligation.

3. What information do we process

  • Basic information: name, organization, position, email, phone.

  • Communication information: content of the contact, meetings, information related to offers/orders, consents, and refusals.

  • Technical information: IP address (anonymized in GA4), device/browser information, cookies, page views, and events.

4. Where the information is obtained

  • From yourself (forms, email, meetings).

  • Technical data generated from the use of the site with your consent (see section 5).

  • Reasonable B2B sources (e.g. publicly available contact information of companies).

5. Cookies, Analytics and Google Services

The site uses cookies and similar technologies. You can manage your consent in the cookie banner and change your preferences at any time (link: Cookie Settings).

Cookie Categories

  • Necessary: Basic functions of the site, security, and remembering your consent.

    • Provider: Framer (The site is built with Framer; it uses technical/session cookies and CDN caching. These are not used for marketing tracking.)

  • Analytics (optional): Google Analytics 4 compiles aggregate data for the development of the site. We use Consent Mode v2 and IP Anonymization; storage lasts 2-14 months depending on GA settings.

  • Embeds (optional): e.g. YouTube/Vimeo may set their own cookies when you play content.

  • Google Search Console: does not set cookies for visitors; it is used to monitor the site's discoverability.

You can also disable cookies from your browser settings; note that this may affect the functionality of the site.

6. Recipients and Processors

We use trusted service providers who process data according to our instructions:

  • Website/hosting: Framer (+ its infrastructure, such as CDN).

  • Analytics: Google Ireland Ltd (GA4).

  • Email/office applications: Google Workspace.

  • Scheduling / meetings: Calendly.

  • CRM and lead processing: Pipedrive.

    We enter into data processing agreements (DPA) with processors.

7. Transfers outside the EU/EEA area

Data may be transferred outside the EU/EEA area (e.g., Google). In such cases, we use the European Commission's standard contractual clauses (SCC) and other safeguards required by the GDPR.

8. Retention Periods

  • Leads and contacts: generally 24 months from the last contact, unless the customer relationship continues.

  • Customer and contract materials: 6–10 years (accounting law, etc.).

  • Logs/security data: 6–12 months.

  • GA4 data: 2–14 months (depending on GA settings).

    When the retention basis ends, the data will be deleted or anonymized.

9. Security

We use secure connections (TLS), access control, and backups. We restrict access rights according to tasks and train our staff. We oversee our partners through contracts.

10. Profiling and Automated Decisions

We do not make automated decisions or profiling that would have legal effects on you.

11. Rights of the Data Subject

You have the right to:

  • access your personal data and request a copy of it,

  • request rectification, erasure, and restriction of processing,

  • object to processing (including direct marketing),

  • withdraw consent at any time (e.g. analytics cookies),

  • transfer data from one system to another to the extent that the right applies.

Requests: info@leanhabit.fi. We will respond without undue delay.

You have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman – Ratapihantie 9, 00520 Helsinki, tel. 029 566 6700, www.tietosuoja.fi.

12. Third Party Services

The site may contain links and embeds to third parties. They are governed by the respective privacy policies and cookie policies of those services.

13. Changes to this statement

We continuously develop our services and may update this statement. The current version is always available on the Site; we will give separate notice of significant changes.

Contact for data protection related inquiries: info@leanhabit.fi

Updated: 4.12.2025