Overview and material scope
We provide organisational education about digital wellness—facilitated sessions, structured programs, and
downloadable guides. None of that activity constitutes healthcare, telemedicine, or psychological treatment.
Consequently we do not build clinical records, issue diagnoses, or infer special categories of data about health
through this website. If you voluntarily disclose sensitive information in a message, we will limit internal
circulation to what is needed to respond safely and may redirect you to qualified professionals.
Finnish law implements the General Data Protection Regulation (EU) 2016/679 together with complementary national
statutes. Where this policy uses GDPR article references, they apply to natural persons in the EU/EEA and, where
the GDPR applies extraterritorially because of targeting, to other residents benefiting from similar protections.
Reading this page does not create a contract. A separate order form, statement of work, or checkout flow—when
available—defines commercial terms.
Data controller and representative contact
The controller responsible for processing described here is Forestmobility, with its principal contact point at
Pasilan asema-aukio 1, Mall of Tripla, 00520 Helsinki, Finland. The most reliable way to reach us with data
protection enquiries is email: online@forestmobility.world. You may also call +358 9 868 9240 for operational
questions; complex rights requests may still be confirmed in writing so we can verify identity proportionately.
When we act strictly as a processor on behalf of your employer—such as delivering workshops under their direction
and using their systems—the employer typically remains controller for employee data. In such cases we will point
you to their privacy team unless contractually agreed otherwise.
Categories of personal data
Depending on how you interact with us, we may process:
- Identity & professional context: name, job title, employer, country or city of work, and languages used in sessions.
- Contact data: email address, telephone number, invoicing address, and optional calendar identifiers when you book a meeting.
- Communication content: text you type into forms, notes you attach, or agenda items you approve.
- Technical metadata: IP address, timestamps, user agent string, approximate region from IP geolocation, HTTP referrer, and diagnostic event IDs when debugging outages.
- Cookie identifiers: as described in our Cookie Policy, including optional analytics or marketing tags if you consent.
- Financial identifiers: payment references, last four digits of cards when shown by payment gateways, and bank details needed for refunds.
We avoid collecting government identification numbers or unnecessary copies of identity documents. If payment
regulations require verification, we will explain the narrow purpose before asking.
Purposes of processing
Service delivery
Scheduling, delivering workshops, distributing materials, and providing support tied to your engagement.
Sales & onboarding
Answering inquiries, preparing proposals, performing light creditworthiness screening where customary.
Compliance & integrity
Fraud prevention, sanctions screening lists where mandated, maintaining audit logs, handling disputes.
Product improvement
Aggregated analytics about site navigation and anonymised feedback themes—never selling raw contact lists.
Legal bases under GDPR Article 6
Contract preparation and performance: Article 6(1)(b) covers inquiry handling when you intend to buy services,
attendance lists for paid deliveries, and billing. Legitimate interests: Article 6(1)(f) supports network security,
improving documentation clarity, and light corporate analytics balanced against opt-out rights where applicable.
Legal obligation: Article 6(1)(c) applies to tax archives and responses to lawful authority requests. Consent:
Article 6(1)(a) governs optional newsletters, certain cookies, or marketing beyond soft organisational follow-up—
you may withdraw consent without affecting prior lawful processing.
Special categories
We do not aim to process Article 9 data. Workshop discussions stay at the level of workload design. If someone
shares health information unsolicited, we treat it under Article 9(2)(a) explicit consent only if they clearly
intend us to keep it; otherwise we delete or minimise as soon as practicable.
Processors and categories of recipients
Infrastructure, email transmission, calendar booking, document signing, customer ticketing, and accounting tools
may process personal data under written Article 28 agreements. A current list of material categories—without
naming every micro-service—is available on request for enterprise buyers performing due diligence.
We may disclose information to professional advisers (lawyers, auditors), acquirers in a merger with continued
notice obligations, or public authorities when legally compelled after reviewing the scope of the demand.
Retention schedules
- Marketing-qualified leads without purchase: up to twenty-four months of inactivity, then deletion or anonymisation.
- Signed contracts and related correspondence: life of the relationship plus up to ten years where Finnish accounting and tax law requires ledger retention.
- Security logs: ninety days by default; extended only for active incident response or regulatory inquiry timelines.
- Cookie consent logs: twelve months unless regulations require a different proof window.
When deletion is impossible because data sits in immutable backups, we isolate segments until rolling expiry
cycles purge them.
Technical and organisational measures
Transport encryption via TLS, disk encryption for laptops where supported, role-based access with periodic
reviews, separation of production and test environments, vendor security questionnaires for high-risk tools, and
incident response playbooks including notification timelines under Articles 33–34 GDPR when legally required.
Staff with elevated access complete confidentiality commitments. Remote work follows device guidelines; loss of
equipment triggers remote wipe commands when enrolled in mobile device management.
Data subject rights and complaints
You may request access, rectification, erasure, restriction, objection to certain legitimate-interest
processing, and portability where technically feasible. Automated decision-making with legal or similarly
significant effects does not occur in our standard workflows; if that changes, we will update this policy and
explain logic and consequences.
Exercise rights by emailing the controller address above. We may ask for reasonable verification without
over-collecting. You may complain to the Finnish Office of the Data Protection Ombudsman at tietosuoja.fi, or to
the supervisory authority of your habitual residence under Article 77 GDPR.
International transfers outside the EEA
Some subprocessors store data in the United States or other third countries. Where European adequacy decisions do
not apply, we implement Standard Contractual Clauses (2021 versions) or other Article 46 mechanisms, supplemented
by transfer impact assessments documented internally.
Minors
Services are directed to organisations. We do not market to children. If you are a parent or guardian and believe
we collected a minor’s data inadvertently, contact us immediately for deletion.
Policy evolution
Material changes appear on this page with an updated publication stamp. Where consent underpins processing, we
will obtain fresh consent if the law requires it. Continued use of the site after non-material clarifications
constitutes notice; significant reductions of your rights will not be buried in footnotes.