Privacy Policy for the Processing of Personal Data

Last Updated December 1st, 2023

1. Data Controller

Name: Aerial Unlimited
Address: Sahurintie 8, 20320 Turku
Business ID: 3353014-7

2. Contact Person for Matters Concerning the Register

Name: Iiro Linden / aerialunlimited.ry@gmail.com
Address: Sahurintie 8, 20320 Turku / https://aerialunlimited.fi

3. Register Name

Association's reservation system customer register
Customer register based on the association's reservation system for billing

4. Legal Basis and Purpose of Processing Personal Data

The register contains personal data of the association's members and former members. Personal data is processed with the consent of the data subject or based on the membership relationship between the club and the member. The legal basis for processing is the legitimate interest of the data controller, particularly for the following processing purposes:

• Upkeep of membership records
• Educational information
• Photography and videography
• Electronic member communication
• Invoicing
• Customer service and implementation and development of activities
• Analysis and statistics

5. Processed Personal Data

We process the following necessary personal data or categories of personal data for the purpose of use:

• Contact information (name, address, phone number, email address)
• Possible consents and permissions
• Information related to the membership (such as billing information and information about a minor's guardian)
• Photographs and videos taken during educational activities (used for activity development and communication support)

6. Regular Data Sources

The information to be stored in the register is obtained when the person registers and otherwise voluntarily provides their information through the website's forms, email, phone, social media, and other situations where the person provides their data. The provided information is only used for purposes agreed upon with the customer, such as billing for a service. Information is updated in the register only when the customer updates it.

7. Regular Disclosures of Personal Data and Transfers

We do not sell or rent personal data of the data subject to third parties. We may disclose information to third parties in the following cases:

• Organizing education, events, camps, etc.: Necessary personal data of the registered individual is passed on to third parties to organize the event
• Authorities: We may disclose user personal data in a manner required by competent authorities or other parties under currently applicable legislation

Personal data may be transferred forward when changing the register's service provider.

Information may be published to the extent agreed upon with the individual.

8. Regular Transfers of Data and Transfers outside the EU or EEA

The association uses Google's services (Google Drive, Gmail) for maintaining the registers, so information may also be transferred outside the EU and EEA area. Google has committed to comply with the Privacy Shield agreement between the EU and the United States.

9. Data Protection Principles of the Register

Care is taken in the processing of the register, and the information processed with the help of data systems is properly protected. When register information is stored on Internet servers, the physical and digital security of their hardware is taken care of appropriately. The data controller ensures that the stored data, server access rights, and other data critical to the security of personal data are treated confidentially and only by persons whose job description includes it. All information stored in the various systems and devices is protected by passwords. Personal data is protected from external use, and the use of member data is monitored.

10. Checking and Modifying Personal Data

The data subject has the right to check what information concerning them is stored in the register. A request for inspection should be submitted primarily. A request for exercising the right can also be submitted in writing and signed to the address mentioned in the Data Controller's contact details of this privacy policy. The data subject has the right to request correction of incorrect information in writing and signed.

11. Deleting Own Data

The data subject has the right to request the data controller to delete their data from the register. The deletion of information in the membership register may affect the person's ability to participate in activities. A request for exercising the right can also be submitted in writing and signed to the address mentioned in the Data Controller's contact details of this privacy policy.

12. Changes

This privacy policy may be updated from time to time, for example, when there are changes in legislation.