PRIVACY POLICY
Toneco Oy
(Updated 02/02/2026)
This Privacy Policy describes how Toneco Oy (“Toneco”, “we”, “us”) processes personal data in accordance with the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Finnish data protection legislation.
This Privacy Policy applies to the processing of personal data of customers, potential customers, business partners and other stakeholders of Toneco Oy and Audio Friends Oy in connection with websites, marketing, customer relationships, products and services.
1. Data Controller
Toneco Oy
Haagan pappilantie 2 a
00320 Helsinki
Finland
Tel: +358 10 666 2230
Email: sales@toneco.com
Business ID: 0845125-2
2. Contact Person for Data Protection Matters
Toni Reunanen
Sales Director
Email: toni.reunanen@toneco.fi
3. Purposes and Legal Bases for Processing
Personal data is processed for the following purposes:
- Management and administration of customer relationships
- Provision and delivery of products and services
- Processing of orders and payments
- Customer communications
- Marketing, including direct marketing
- Website functionality and analytics
- Business development and customer surveys
- Compliance with legal obligations
Legal Bases under GDPR
Processing of personal data is based on one or more of the following legal grounds pursuant to Article 6 GDPR:
- Contract (Art. 6(1)(b)) – Processing necessary for the performance of a contract or to take steps prior to entering into a contract.
- Legal obligation (Art. 6(1)(c)) – Processing necessary to comply with statutory obligations (e.g., accounting legislation).
- Legitimate interest (Art. 6(1)(f)) – Processing based on our legitimate business interests, such as maintaining customer relationships, business development, and direct marketing to corporate representatives.
- Consent (Art. 6(1)(a)) – Processing based on the data subject’s explicit consent (e.g., SMS marketing and certain electronic direct marketing).
Where processing is based on consent, the data subject has the right to withdraw consent at any time.
4. Categories of Data Subjects
Data subjects include:
- Customers
- Potential customers
- Website visitors
- Representatives of client organizations
- Business partners and stakeholders
5. Categories of Personal Data Processed
We may process the following categories of personal data:
- Name
- Postal address
- Telephone number
- Email address
- Organization and title
- User account details
- Ordered products and services
- Payment and invoicing information
- Purchase transaction data
- Communications and customer feedback
- Technical identification data (IP address, browser data, cookies, log data)
We do not process special categories of personal data as defined in Article 9 GDPR.
6. Sources of Personal Data
Personal data is collected:
- Directly from the data subject (e.g., via contact forms, service orders, customer feedback, registrations)
- During contractual negotiations
- Through website interactions
- From publicly available sources (e.g., company registers, business directories, company websites)
7. Retention Period
Personal data is retained only as long as necessary for the purposes for which it was collected, including for satisfying legal, accounting, or reporting requirements.
- Data processed based on legitimate interest is retained for a maximum of two (2) years from the most recent interaction.
- Data processed under a contractual relationship is retained for the duration of the contract and thereafter as required by applicable accounting and statutory obligations.
- Marketing consent data is retained until consent is withdrawn.
After the retention period expires, personal data will be securely deleted or anonymized.
8. Recipients and Data Processors
Personal data is not sold or disclosed to third parties for their independent use.
We may use external service providers (data processors) for:
- IT system maintenance
- Website hosting
- Marketing tools
- Payment processing
Processing agreements in accordance with Article 28 GDPR are in place with all processors.
9. International Data Transfers
Personal data is primarily stored within the European Union or European Economic Area.
Where data is transferred outside the EU/EEA (e.g., to the United States), such transfers are safeguarded through:
- European Commission Standard Contractual Clauses (SCCs), and/or
- Other lawful transfer mechanisms in accordance with Chapter V of the GDPR.
Appropriate technical and organizational safeguards are implemented to ensure an adequate level of protection.
10. Technical and Organizational Security Measures
We implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:
- Access control and user authentication
- Role-based access restrictions
- Confidentiality obligations
- Firewalls and network security measures
- Encrypted communications where applicable
- Secure, monitored and access-controlled server facilities
Access to personal data is restricted to authorized personnel only.
11. Data Subject Rights
Under the GDPR, data subjects have the following rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (“right to be forgotten”) (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
Requests must be submitted in writing to sales@toneco.com.
Data subjects also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu).
12. Website Analytics and Cookies
Website usage is monitored anonymously through log files and cookies.
Personal data is not directly combined with anonymous traffic statistics.
Cookies are used in accordance with applicable electronic communications and data protection legislation. Non-essential cookies require prior consent.
Users may manage cookie preferences through browser settings or the website’s consent management tool.
13. SMS Marketing and Email Newsletters (Electronic Direct Marketing)
Where a data subject provides their contact details (such as phone number and/or email address) and gives explicit consent, Toneco Oy may send electronic direct marketing communications, including:
- SMS messages regarding products, services, campaigns, events and other updates; and/or
- Email newsletters and other marketing emails concerning new features, offers, services and company news.
Electronic direct marketing is based on:
- Explicit consent in accordance with Article 6(1)(a) GDPR and applicable electronic communications legislation.
Consent is:
- Voluntary
- Specific to the selected communication channel (SMS and/or email)
- Given through a clear affirmative action
The data subject:
- May withdraw consent at any time, free of charge
- May opt out of marketing emails via the unsubscribe link included in each email
- May opt out of SMS marketing by following the instructions included in the SMS message or by contacting sales@toneco.com
Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Contact details collected for marketing purposes will not be disclosed to third parties for their independent marketing purposes.
We maintain records of consent in order to demonstrate compliance with Article 7(1) GDPR.
14. Amendments to this Privacy Policy
We reserve the right to amend this Privacy Policy to reflect changes in legislation, regulatory guidance, or business practices. The latest version will always be available on our website.