Privacy Policy

The data controller responsible for your personal data is:

• Book & Stories (sole trader / toiminimi)
• Business ID (Y-tunnus): 3576053-6
• Address: Kahvipavunkuja 6, Helsinki 00990, Finland
• Email: [email protected]

We are registered in Finland and process personal data in accordance with Finnish and European data protection law.

We do not have a separate Data Protection Officer. For all data processing enquiries, please contact us using the details above.

We collect personal data in the following categories:

• Identity and contact data: first and last name, email address, phone number, and delivery address (street, city, postal code, country/region).
• Account data: if you create an account — login credentials and account settings managed through our authentication provider (Clerk).
• Order and transaction data: ordered items, order totals, payment statuses, promo codes used, and order history.
• Payment data: payments are processed directly by Stripe, Inc. We do not receive or store full card numbers, CVV codes, or other sensitive payment data. We may receive the payment method type and the last four digits of the card number for display in your account.
• Delivery data: chosen delivery method, carrier, and (where applicable) pick-up point address.
• Correspondence data: content of messages sent to us via the contact form or by email.
• Technical and behavioural data: IP address, browser type and version, device type, operating system, pages visited, date and time of access, referrer URL — collected automatically via server logs and analytics tools.
• Cookie data: see Section 7 (Cookies).
• Newsletter subscription data: email address and, optionally, name and preferred language — when subscribing to our newsletter.
• Book request data: name, email address, and details of the requested book.

We do not collect special categories of personal data (such as health data, racial or ethnic origin, religious beliefs, or political opinions) and do not knowingly process data of children under 13.

We process your personal data only when there is a legal basis to do so in accordance with Article 6 of the GDPR.

We do not sell your personal data. Data is shared only where necessary with the following categories of recipients, acting as data processors under contract or with other appropriate safeguards:

• Payment processing — Stripe, Inc. (USA): processes payment transactions. Stripe is PCI DSS Level 1 certified. Transfer to the USA is based on Standard Contractual Clauses (SCCs) approved by the European Commission. Stripe privacy policy: stripe.com/privacy.
• Delivery and logistics — delivery services (e.g. Posti, Matkahuolto, or DHL): receive your name and delivery address to fulfil the order. These carriers are based in Finland or the EU.
• Authentication services — Clerk, Inc. (USA): manages account creation and authorisation. Transfer to the USA is based on SCCs. Clerk privacy policy: clerk.com/privacy.
• Analytics: we may use privacy-focused analytics tools to analyse traffic. Data is anonymised or pseudonymised where required.
• Email delivery: a third-party provider is used to send transactional emails and newsletters. Only the email address and name are shared.
• CAPTCHA / bot protection: Cloudflare Turnstile may be used on forms. Cloudflare privacy policy: cloudflare.com/privacypolicy.
• Hosting: our website is hosted on servers in the EU/EEA.

We may also disclose personal data where required by law, court order, or at the request of a competent public authority (e.g. for tax or law enforcement purposes).

Some of our service providers (in particular Stripe and Clerk) are located in the USA. When transferring personal data outside the EU/EEA, we ensure an adequate level of protection by relying on one or more of the following mechanisms: (a) adequacy decisions by the European Commission; (b) Standard Contractual Clauses (SCCs); or (c) other approved transfer mechanisms in accordance with Chapter V of the GDPR.

You may request a copy of the relevant safeguards by contacting us using the details in Section 1.

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

When the retention period expires, data is securely deleted or anonymised.

We use cookies and similar technologies (e.g. local storage) on our website. Cookies are small text files stored by your browser on your device.

• Strictly necessary cookies: required for the website to function (e.g. session management, shopping cart, security, and remembering your cookie choices). These cannot be disabled.
• Preference cookies: remember choices such as your language selection. These are optional and can be managed through the cookie settings on this website.

We do not use Google Analytics cookies, advertising cookies, or other marketing cookies on this website.

The legal basis for strictly necessary cookies is our legitimate interest in ensuring website functionality. The legal basis for optional preference cookies is your consent (Art. 6(1)(a) GDPR and the Finnish Electronic Communications Services Act, implementing the ePrivacy Directive).

As a GDPR data subject, you have certain rights. To exercise them, please contact us at [email protected]. We will respond within one month (this may be extended by a further two months for complex requests).

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) if you believe your data is being processed unlawfully. Website: tietosuoja.fi.

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption of data in transit using TLS/SSL protocols.
• Access controls restricting data processing to authorised personnel on a least-privilege basis.
• Use of reputable third-party processors with verified security certifications (e.g. PCI DSS Level 1 for payments via Stripe).
• Regular review of data processing practices and security measures.

Our website may contain links to third-party websites. We are not responsible for their privacy policies or content. We recommend reviewing the privacy policies of any third-party sites you visit.

Our services are not intended for children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us for its prompt deletion.

We may periodically update this Privacy Policy to reflect changes in our data processing practices, legal requirements, or our business. The updated version with a revised effective date will be published on this page.

For material changes, we will take reasonable steps to notify you (e.g. by email if you are a registered customer or newsletter subscriber, or by posting a prominent notice on the website).

For any questions, comments, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

• Email: [email protected]