Skip to content
Sotto Pizzeria
Suomeksi
← Back to home

Privacy Policy

How we process personal data and respect your rights.

Last updated 4 May 2026

This privacy policy explains how Sotto Pizzeria processes personal data and how you can exercise your rights as a data subject. We comply with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

Data controller

Sotto Pizzeria Oy

Business ID: 3158814-2

Domicile: Helsinki, Finland

Email for data requests: info@sotto.fi (subject line: ”Data protection request”).

What data we collect

We collect personal data when you contact us, use the site or submit an inquiry:

  • Contact details: name, email, phone number
  • Group inquiry details: group size, date, location, selected packages, allergies, possible delivery address
  • Job application details: name, contact information, CV, motivation, experience
  • Business contact details (franchise inquiries): company, desired location, background
  • Technical data: IP address, browser type, site usage via cookies
  • Newsletter subscription details: email address and consent

Purposes and legal bases

We process your personal data for the following purposes:

  • Customer service and responding to inquiries — legitimate interest (GDPR Art. 6(1)(f))
  • Processing inquiries and contracts — pre-contractual / contract performance (Art. 6(1)(b))
  • Processing job applications — pre-contractual and legitimate interest
  • Site improvement and analytics — legitimate interest (essential cookies) or consent (analytics and marketing cookies, Art. 6(1)(a))
  • Marketing communications (newsletter, targeted ads) — consent (Art. 6(1)(a))
  • Compliance with legal obligations such as accounting — legal obligation (Art. 6(1)(c))

Retention periods

We retain data only as long as necessary:

  • Contact messages and feedback: 24 months
  • Inquiries and confirmed orders: 24 months (accounting records 6 years as required by law)
  • Job applications: 6 months from the hiring decision, unless retained longer with the applicant's consent
  • Newsletter subscription data: until you unsubscribe
  • Analytics data: according to provider settings (typically 14 months for Google Analytics 4)

Data recipients and processors

We use trusted service providers (data processors). Transfers are based on data processing agreements (DPA) and, where applicable, EU Standard Contractual Clauses (SCC) or the EU–US Data Privacy Framework (DPF):

  • Wolt Oy (Business ID 2646674-9) — online store order processing, payments and delivery. Wolt acts as an independent controller for its own order records.
  • Microsoft Corporation (M365) — email communication and storage (EU servers)
  • Mailchimp / The Rocket Science Group LLC (Intuit) — newsletter delivery, USA (DPF-certified)
  • Sanity.io — content management and storage (EU servers)
  • Vercel Inc. — site hosting, USA (DPF-certified)
  • Google Ireland Limited — Google Analytics 4 and Google Tag Manager
  • Microsoft Corporation — Clarity user analytics (heatmaps), USA (DPF-certified)
  • Anthropic PBC — Sotto chat assistant, USA (DPF-certified)
  • Meta Platforms Ireland Limited / TikTok Technology Limited — targeted advertising (only with user consent)

Transfers outside the EU

Some of our processors are located outside the EU/EEA, primarily in the United States. Such transfers are protected by the EU–US Data Privacy Framework certification or EU Standard Contractual Clauses, together with appropriate safeguards.

Automated decision-making and profiling

We do not make automated decisions with significant legal effects on you. We do not engage in profiling beyond ad targeting, for which we ask separate consent via the cookie banner.

Your rights

As a data subject you have the following rights:

  • Request access to your personal data
  • Request rectification or completion of incorrect data
  • Request erasure of your data (”right to be forgotten”)
  • Restrict processing in certain situations
  • Object to processing based on legitimate interest
  • Receive your data in a portable format (data portability)
  • Withdraw your consent at any time (affects only future processing)

To exercise these rights, send a message to info@sotto.fi with the subject line ”Data protection request”. We aim to respond within one month.

Right to lodge a complaint

If you believe that we process your personal data unlawfully, you have the right to file a complaint with the Office of the Data Protection Ombudsman (tietosuoja.fi).

Changes to this policy

We may update this policy when needed. The updated version is published on this page.

Last updated: 4 May 2026

Order now