Controller and ways to reach us
The controller for the processing described here is Styxreonthep, with postal address Mannerheimintie 1, 00100 Helsinki, Finland, email contact@styxreonthep.world, and telephone +358 9 622 9930. A controller is the body that decides why and how personal data is processed, within the meaning of the GDPR. When you write to that address, we will answer in a reasonable period that reflects the nature of the request, and, where the law provides a one-month default with a possible extension, we will tell you if an extension is needed and the reason for it.
Under Finnish business and tax rules, a Y-tunnus (Finnish business ID) and, where applicable, a VAT number are used on official invoices and for identification. A public copy for advertising verification (for example, Google Ads) may be provided in writing on request, and business address and contact details appear on the Contact page, so the site matches your verification documents.
Sources and broad categories of data
We do not run a public database where visitors must register a profile to read general pages. The categories we are likely to process include: technical and usage metadata that servers, anti-abuse systems, and optional analytics can generate (for example, an IP address in truncated form, time stamps, a general device class, and error codes), message content and contact details you provide when you use the form or your own email client, consent records and cookie preferences stored on the device in line with the cookies policy, and a small amount of business correspondence to manage questions, follow-up, and, where a paid service exists, the records needed for accounting and the return policy. We do not ask you for sensitive categories of data through the public form, and you should not send health or other special-category text unless we have a separate secure channel and a clear legal basis, which a general contact page is not.
Why we use data and the legal bases we rely on
We use technical information to run a secure, available site, to detect and limit abuse, and to understand, on an aggregate level, which parts of the information design work for readers, where a compatible legal basis is legitimate interests balanced against your rights. We will apply reasonable minimisation, review retention, and offer objection where the law makes that right meaningful in the situation.
We use the content of a contact form on the basis of consent to the specific processing for answering your message, and, if you move toward a service with a price, on pre-contractual steps or contract as applicable. We use accounting-related records where a legal obligation requires retention in trade or tax law. We use a vendor who processes data for us in line with written instructions, as described in the “processors” part of the controller section of our internal file, which is reflected at a high level in this public document.
How long we keep data in ordinary situations
We keep a normal contact request and our reply in a way that can be revisited for a period that is up to twenty-four months from the last substantive message in a thread, unless a longer time is required for a concrete legal claim, a supervisory question, or a tax record. Security logs on infrastructure may be kept for a shorter rolling window that the provider or we choose between roughly thirty and one hundred and eighty days, then overwritten, unless a security incident still needs investigation. If we generate aggregate statistics, we aim to work with outputs that are not easily linked back to an identifiable person. If a number in an administrative table below conflicts with a mandatory rule, the law wins.
| Data group | Indicative period | Notes |
|---|---|---|
| Email or form thread | As above, from last reply | Shorter if you ask to erase and we have no contrary duty |
| Web server and error logs | Rolling window, provider dependent | May be longer if a law enforcement request is in scope |
| On-device storage for consent | Under your control | We do not have direct delete access to your browser; you can clear it |
Technical and organisational security
We use providers who apply encryption in transit for normal web traffic, access control to mailboxes and administration panels, separation of functions so that a mistake in one project does not automatically expose an unrelated one, and patching and monitoring according to a proportionate risk view. We train people who can see personal data to use it only for the task at hand, and to avoid informal copies outside approved tools. We maintain a breach assessment process so that, if a likely risk to you appears, a notification to a supervisory authority and, where the law so requires, a message to you can be made without undue delay after we learn enough to describe the case fairly.
Processing outside the European Economic Area
If a processor stores or accesses data in a country that does not have an adequacy decision from the European Commission, we look for a transfer tool the GDPR makes available, such as standard contractual clauses with a transfer impact assessment as needed, and any supplementary measure that a serious gap might require, following case law and guidance. We do not treat a transfer to the United States or another third country as automatically adequate without that layer of work when personal data is in scope, even if a provider is well known.
Your rights under the GDPR, in an overview that is not a substitute for the full articles
Where the law gives you a right to access, you can ask what we are doing with your data and, in many cases, receive a copy in a common format. A right to rectification helps you fix mistakes. A right to erasure can apply in several situations, for example if data is no longer needed for a purpose, if you validly object in a case that fits, or if you withdraw consent and there is no other ground. A right to restriction can apply while a dispute is checked. A right to portability can apply to data you provided and that we process on contract or consent with automated means, in a machine-readable way where the conditions hold. A right to object can apply to processing based on legitimate interests, and you always have a free path to object to direct marketing if we were to use that channel. You can withdraw consent for consent-based work without affecting the lawfulness of what happened before, where that is what the text of the law provides.
Supervisory authority and cross-border work
If you are in Finland and our processing falls under the remit of the Office of the Data Protection Ombudsman, you may contact that body. In other EEA countries, a local authority may be your first point of contact under practical guidance, without prejudice to jurisdiction rules. A list of national authorities and their websites is available from the European Data Protection Board network’s public information.
Automated individual decision-making
We do not design the public site to make decisions about you based solely on automated processing, including profiling, that produce legal or similarly significant effects for you, within the sense of Article 22 GDPR, and we do not use such a system on the pages this policy covers. If a future product with a different risk profile appears, a separate, concrete statement will be published before the feature is in production, or at the time the law contemplates, whichever matches the facts.
Children and vulnerable contexts
The site is not aimed at small children, and the typical reader is an adult who can enter a form. We do not knowingly try to build profiles of children from the public pages, and if we learn that we have received personal data in a way that a parent or guardian should have been involved, we will take proportionate follow-up, including deletion where the law and the facts make that the sound step.
Contact for privacy questions and requests
Use the contact details in the “controller” section, ideally with a clear subject, for example “Data protection request: access” or “Data protection request: erasure”, so routing is fast. In some cases we may need to verify identity before sending data to a mailbox, in order to protect other people from accidental disclosure, and the law can allow a reasonable fee in rare cases if a request is clearly excessive, though a simple first request in ordinary consumer conditions is not where we would expect that to arise.