Privacy Policy

1. Name of register:

Muumimaailma Oy’s customer register

2. Data controller:

Muumimaailma Oy (business ID 0925595-8) Kaivokatu 5, 21100 Naantali, Finland (+358) 02 511 1111 Register contact person: Administrative Director Jarkko Kuitunen,

3. Personal data processors

The data controller may use subcontractors and service providers for data processing. The data controller signs written agreements with all its subcontractors and ensures that all subcontractors follow this Privacy Policy and any instructions provided by the Data Controller.

4. The purpose and legal basis for processing personal data

The register is used to maintain the use and participation information of the data controller’s mobile app, online shop, point-of-sale system, Magic Bracelet system, and email marketing system. Personal data are processed in order to facilitate communication between the data controller and data subjects, to provide electronic services and, based on a data subject’s consent, to handle orders, enrolments, correspondence, purchases, reports, and any other activities related to customer relationships as well as to plan and develop business activities. Use and participation data as well as location data included in the register may also be used for profiling and for targeting marketing activities and customer communications to topics that would interest the data subject. Personal data are also processed for the purposes of sending newsletters, information on events, and other marketing communications. For the part of direct marketing, the processing of personal data is based on the data subject’s consent and the data controller’s legitimate interest.

5. Data subject groups, data content and data groups in the register

Mobile app

The register contains the name and contact information of the users of the Moominworld mobile app connected to the unique identifier of their mobile device. The personal data are collected from the data subjects themselves and is based on the data subject’s consent. Some data are shared with the Moominworld’s point-of-sale system and the email marketing system. These types of data include:

  • Name
  • Email address
  • Phone number
  • Marketing consent
  • Place of residence

Other types of data collected for the register:

  • Payment method details (optional)
  • Location data (optional)
  • Order data (optional)
  • Purchased services and products
  • Order date

Location data will not be transferred outside the mobile app’s management system. Location data will only be used when the application is in use. Location data are used to guide the user within Moominworld (navigation). When a customer makes an order using the mobile app, the purchase data will be transferred to Moominworld’s point-of-sale system.

Online shop

The register collects the name and contact information of the users of the online shop connected to information on their order. The personal data are collected from the data subjects themselves and is based on the data subject’s consent. Types of data collected include:

  • Name
  • Email address
  • Address
  • Language
  • Marketing consent
  • Order data
  • Purchased services and products
  • Order date

If the customer’s data can be found in the user data of the mobile app, data on purchases made at the online shop will be automatically transferred to the customer’s mobile app.

Point-of-sale system

The register collects information on purchases made by data subjects through the Moominworld’s point-of-sale system only with the data subject’s consent. Idenfication is based on the data subject’s unique identifier which the data subject receives upon registering into the Muumimaailma Oy customer register. The point-of-sale system only produces data on the data subject’s purchase history, and these data will not be automatically transferred to other systems. The point-of-sale system automatically receives data from other systems, for example, when the customer registers as a user in the mobile app. These types of data include:

  • Name
  • Customer number
  • Email address
  • Phone number

Magic Bracelet system

So-called RFID-based data are used when a customer registers an identifier with an RFID chip. These are used for activating features within the park. The features include different kinds of special effects, information boards, and other similar personalised content. When activating features, the following data are collected:

  • RFID identifier
  • Location visited
  • Use data, including date and time of visit

Email marketing system

The email marketing system is used for email communications and marketing activities between Muumimaailma Oy and its customers. The personal data are collected from the data subjects themselves and is based on the data subject’s consent. Data types collected for the email marketing system:

  • Name
  • Email address
  • Marketing consent

6. Regular data sources

Personal data stored in the register are primarily received from the users themselves. Customers can save their data through the Moominworld app and online shop. Some data are collected automatically when a customer does certain kinds of activities during their visit. These include using the app and the RFID service. In the app, personal data are stored and connected to the mobile device’s use data when the user registers the app on their device. Additionally, the register automatically collects the device’s unique identifier.

7. Regular disclosure of data

Personal data are not disclosed to third parties without the data subject’s consent with the exception of subcontractors involved in the maintenance of the data controller’s services and app. Additionally, the details of the winner of a product raffle may be disclosed to the data controller’s partner (e.g. external raffle organiser) for the purpose of delivering the prize. The data controller may also disclose data to, for example, authorities upon request in accordance with and as required by applicable laws. Personal data are not transferred outside the European Union or the European Economic Area. The technical administration and development of the platform on which the register is stored may be implemented remotely outside the EU, taking into account any legal requirements.

8. Personal data storage times

Personal data are stored for as long as the data subject uses the mobile app or has given their consent to the processing of their personal data or for as long as is required for the management of the customer relationship between the data subject and the data controller.

9. Register’s principles of protection

Data are only stored digitally. There are no physical copies of the register. Data are transferred from the mobile app to the register platform in an encrypted form. The electronic register is kept in an enviroment that is protected from unauthorised external communications. Only specific employees of the data controller or its subcontractors have the right to process and maintain the register’s data as per their job description. The data processors are bound by confidentiality. The data are protected using appropriate technical measures, and physical access to the storage location is protected with access control and other security measures. The data in the register are backed up securely so that they can be restores if the need arises. The level of protection is audited regularly with either external or internal audits.

10. Data subject’s rights

The data subject has the following rights:

  1. The data subject has the right to request access to personal data pertaining to them from the data controller as well as to request the rectification or removal of said data or to limit their processing or to prohibit processing and to transfer their data from one filing system to another.
  2. The data subject has the right to check and, if necessary, rectify their personal data stored in the register. Any requests must be made to the data controller in writing. The data subject has the right to request changes to such data pertaining to them that is incorrect in the register.
  3. To the extent that the processing of personal data is based on the data subject’s consent, the data subject has the right to cancel their consent at any time without affecting the legality of any processing of said data before the consent was cancelled.
  4. The data subject has the right to file a complaint with the authorities regarding the processing of their personal data.

The data subject always has the right to prohibit the processing of their personal data for the purposes of direct marketing or marketing research. The data subject can inform the data controller of such a prohibition when they begin using the app or a service as well as later in the Moominworld app’s settings.