Privacy Policy
Noventia Oy, a member of the Citrus Group, is committed to complying with applicable data protection legislation and to respecting the privacy of its customers, partners, and subcontractors. The cornerstones of our business are trust, security, and transparency. We process personal data within the limits permitted by the EU General Data Protection Regulation (2016/679, GDPR) and the Finnish Data Protection Act (1050/2018).
This privacy policy (“Policy”) clearly and transparently describes how we collect and process personal data. Our goal is to ensure that processing is carried out lawfully, with respect for the rights of data subjects and the protection of their privacy. This Policy applies to the processing of personal data in the following situations:
- Individuals representing Noventia Oy’s customers, potential customers, partners, or service providers
- Individuals in a contractual relationship with Noventia Oy
- Individuals who visit our website or contact us.
1 Data Controller and Contact Information
Noventia Oy
Maistraatinportti 1, 00240 Helsinki
Business ID: 2105415-5
Contact person for data protection matters:
Data Protection Officer – tietosuoja@citrus.fi
For all matters and questions concerning data protection and the processing of personal data, please contact the Data Protection Officer by email.
2 Legal Basis and Purpose of Processing Personal Data
The processing of personal data is based on one or more of the following legal grounds:
- A contract between us and the data subject or their organization
- Legal obligations imposed on the company
- The data subject’s consent
- The controller’s legitimate interest
In cases where processing is based on legitimate interest, we have carried out a balancing test and assessed that the interests or fundamental rights and freedoms of the individual do not override our legitimate interest.
Personal data are processed for the following purposes:
- Acquiring and maintaining customer relationships
- Managing client relations
- Developing our operations and services
- Improving the customer experience
- Providing better customer service
- Producing additional services
- Preventing misuse and fraud
- Sales and marketing, including targeted marketing actions
- Analytics and statistical purposes
- Website development
- Processing of job applications and conducting recruitment processes
3 Regular Sources and Types of Personal Data Processed
Personal data can be collected in several ways, but primarily we collect them directly from the individual or from the company with which a service or assignment contract has been concluded.
The processing purposes covered by this Policy require that we collect and process the following personal data:
- First and last name
- Email address
- Phone number
- Role or position in the organization
- Feedback provided
- IP address and cookie data
- Website activity, time of visit, and page usage
- Job application data such as education, previous work experience, and other recruitment-related data, including interview notes and suitability assessments
4 Retention Period of Personal Data
We retain personal data only as long as necessary to fulfil the purposes of processing and as required by applicable legislation. When data are no longer needed for these purposes or required by law, they are deleted.
Cookie consent is automatically stored in the browser for 12 months, after which consent is requested again unless the user deletes or clears cookies earlier. If our cookie policy changes, we will request visitors to renew their consent. In such cases, the consent status will default to “necessary cookies only” until the user explicitly accepts or rejects other cookies.
5 Disclosure and Transfer of Personal Data
Noventia Oy, as part of the Citrus Group, may share personal data within the group. Other group companies may process personal data on our behalf for internal administrative purposes such as reporting or operational efficiency. This processing is based on our legitimate interest.
We may also disclose personal data to trusted service providers and subcontractors who support our operations. These partners operate under contractual agreements that comply with the GDPR and other applicable data protection laws.
We may disclose personal data to authorities if required by law — for example, to prevent or investigate fraud or other illegal activities. Data may also be disclosed under a valid court order. In the event of a business sale or other corporate restructuring, data may be transferred to the buyer or another party involved in the transaction.
Noventia Oy ensures that all transfers and processing of personal data comply with data protection and information security practices in accordance with the GDPR. Service providers and their subcontractors may transfer personal data outside the EU or EEA. In such cases, we always follow applicable legislation and implement required safeguards, such as the European Commission’s Standard Contractual Clauses (SCC).
6 Principles of Data Security
The confidentiality of personal data is of utmost importance to us. We have implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction, or unauthorized access.
We use, among others, the following data security measures:
- Access control: Access to personal data registers is restricted to designated employees who require it for their work tasks.
- Technical protection: Devices and systems are protected with personal user IDs, regularly changed passwords, firewalls, and other security technologies.
- Employee awareness: All employees handling personal data are trained and instructed in proper data management and are bound by confidentiality obligations.
- Backups: Electronic data are regularly backed up.
- Physical protection: Paper records are stored in locked facilities.
- Secure disposal: Materials containing personal data are securely destroyed.
7 Rights of the Data Subject
The data subject has the right to access their personal data that we process and to obtain a copy of it. If the data are inaccurate or incomplete, they have the right to request correction. The correction request must be sufficiently detailed to enable us to make the necessary amendments.
The data subject also has the right to request the deletion of their personal data when processing is no longer necessary for its intended purpose or has been unlawful. If processing is based on consent, the individual may withdraw their consent at any time. Furthermore, the data subject may have the right to receive their data in a structured, commonly used, and machine-readable format and to transmit those data to another controller. In certain cases, the data subject also has the right to object to or restrict processing.
For all questions and requests regarding personal data or the exercise of these rights, please contact the email address listed in section 1.
The data subject also has the right to lodge a complaint with a supervisory authority. In Finland, this authority is the Data Protection Ombudsman (Tietosuojavaltuutettu), whose contact details are available at tietosuoja.fi.
8 Cookies
A cookie is a small text file that a website stores on a user’s computer or mobile device during a visit. With cookies, we collect general log data and more detailed information about how the site is used and how visitors behave. This helps us improve the functionality and services of our website. The data collected are processed so that individual users cannot be directly identified.
If a cookie contains personal data, such as an IP address, or if an identifier can otherwise be linked to a specific person, we process such data as personal data in accordance with applicable data protection legislation.
Users can control the use of cookies by changing their browser settings. For example, they can block all cookies or configure the browser to delete cookies when closing the window. However, blocking cookies may reduce the usability of certain website features.
9 Changes to the Privacy Policy
We continuously monitor changes in data protection legislation and strive to develop our business operations. Therefore, we reserve the right to modify or update this privacy policy as needed.
This privacy policy was last updated on November 17th 2025.