Riimuki
Riimuki
Our Story

Our mission

To make beautiful art part of everyday life.

Learn more about Riimuki

Get updates on new collections, limited pieces, and the stories that shape them.

General information

  • Privacy Policy
  • Cookies Policy
  • Return and Refund Policy
  • Delivery Policy
  • Terms & Legal Notice (Impressum)
  • GDPR compliance

Get help

  • FAQs
  • Contact us

Country & language

© 2025 Riimuki. All rights reserved.

GDPR Policy

Effective Date: August 9, 2025

1. Introduction

This GDPR Policy explains how Riimuki aims to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR). It outlines the personal data we may process, the legal bases we rely on, the safeguards we apply, and your rights.

2. Data Controller

  • Riimuki (Finland) is the data controller for personal data processed via this website and related services.
  • Email: hello@riimuki.com
  • Postal: PO 17, Oulu, Finland 90101

3. Personal Data We Process

We aim to process only what is necessary to operate and improve our services:

  • Contact details: name, email address.
  • Order & delivery details: delivery address, country, phone (where required for carriers).
  • Payment details: processed securely by Stripe; we do not store full card numbers.
  • Communications: messages you send us, including support and pre-order interest.
  • Analytics & usage data: collected with your consent via PostHog’s EU service (eu.posthog.com).

4. Legal Bases for Processing

Under GDPR, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): to process orders, arrange delivery, and provide customer support.
  • Consent (Art. 6(1)(a)): for analytics and marketing emails. You can withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)): to improve our services and maintain site security in a privacy-respecting way.
  • Legal obligation (Art. 6(1)(c)): to meet accounting, tax, and consumer protection requirements.

5. Processors We Use

We use carefully selected providers who act on our instructions. Our current main processors include:

  • AWS (Amazon Web Services) – hosting and infrastructure in eu-central-1 (Frankfurt).
  • AWS SES – transactional and opt-in marketing emails, hosted in the EU.
  • Vercel – hosting and content delivery. Operates a global edge network (including EU), with possible transfers of request data (e.g., IP addresses) to the United States. Transfers are protected by Standard Contractual Clauses (SCCs).
  • Stripe – secure payment processing. Stripe primarily processes data in the EU for EU customers but may transfer some personal data to the United States for operational purposes. Transfers are protected by SCCs and Stripe’s participation in the EU–US Data Privacy Framework.
  • PostHog – analytics and performance measurement via their EU service (eu.posthog.com).
  • Logistics/delivery partners – for shipping and tracking (final partner will be confirmed before launch).

6. International Data Transfers

Our backend and core services are hosted in the European Economic Area (EEA). Where necessary, certain providers may transfer personal data outside the EEA to countries such as the United States. Where this occurs, we rely on safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law:

  • Order records: retained as required by law or operational necessity.
  • Support communications: retained for a reasonable period to manage requests.
  • Marketing data: retained until you unsubscribe or withdraw consent.
  • Analytics data: retained according to PostHog’s configuration and data minimisation settings.

8. Your GDPR Rights

You have the right to:

  • Access, correct, or delete your personal data.
  • Restrict or object to certain processing.
  • Withdraw consent at any time for consent-based processing.
  • Request a copy of your data (data portability).
  • Lodge a complaint with your supervisory authority.

9. Security

We apply technical and organisational measures to protect your data, including encryption in transit and secure infrastructure. No system is entirely risk-free, but we act promptly if an incident occurs.

10. Other Policies

For related information, please see:

  • Privacy Policy
  • Cookie Policy
  • Terms & Conditions
  • Delivery Policy
  • Returns & Refunds Policy

11. Updates to This Policy

We may update this GDPR Policy from time to time. Changes will be posted here with an updated effective date.

12. Contact

Questions or requests about your personal data: