Privacy Policy


1. The use and processing of personal data. 
2. Sensitive data: Indiegrapes Oy does not process any sensitive personal data relating to its customers. 
3. Data disclosure and transfer. 
4. Data security. 
5. Access to information and exercising your rights. 
6. Data retention. 
7. Use of cookies. 
8. Amendments to this privacy policy. 
9. Controller and contact details.


Indiegrapes Oy (Indiegrapes) is committed to protecting your privacy and processing your personal data transparently and in accordance with current legislation and best practices. This privacy policy covers the processing of personal data that Indiegrapes undertakes in order to enable commerce, provide customer service, collect customer feedback, and organise customer events. It applies to the personal details of consumers, corporate customers, and registered users of the website.

This privacy policy details exactly how Indiegrapes is committed to collecting, processing and protecting your personal data during and after your customer relationship with us.

Below you will find more detailed definitions of the concepts we have used in this privacy policy.

“Personal data” 
Personal data means all the identified and identifiable data relating to a person. For example, name, social security number, location data, network identification information, and address details.

“Processing personal data”   
Processing personal data means all of the information processing operations that are targeted at personal data, either automatic or manual. Examples of processing personal data include collecting, saving, storing, editing, altering, removing or deleting data.

“Data subject”                    
The identified or identifiable natural person whose data is being processed. For example, a customer or employee.

A natural person, legal person, authority, agency or other body that, either together or with another party, defines the purposes and methods for processing personal data.

1. The use and processing of personal data

Personal data may be processed on the basis of your personal consent, an agreement you make with Indiegrapes, our statutory obligations, or a legitimate interest associated with our operations. We collect and process personal data only to the extent that is required for you to use services of Indiegrapes for the following purposes:

Contractual obligations

  • Processing complaints and product returns
  • Communicating with customers with regard to orders
  • Handling purchase ban agreements
  • Organising customer events

Data subject’s consent

  • Sending the newsletter to a subscriber

Legitimate interest*

  • Registering and creating customer accounts for the online shop or mobile app
  • Processing customer surveys and feedback, including answering customer queries, solving problems, correcting errors, and investigating disturbances and threats
  • Measuring customer satisfaction and enhancing our customer experience to develop customer service staff’s competence and guarantee high-quality service
  • Quality control and assurance for Indiegrapes products
  • Developing the online shop and mobile app
  • Analysing use of the online shop
  • Processing the contact details of the contact person for a purchase ban agreement
  • Analysing and keeping statistics on customer service events
  • Processing court-ordered distraint measures

Personal data is primarily collected directly from you. For example, when you place an order in our online shop, seek the assistance of sales staff in our stores, or contact our customer service centre. When you shop in our online shop, we can verify your identity and age using strong electronic identification.  We can check with Suomen Asiakastieto Oy to verify the signatory rights of corporate customer representatives.

The reason why we are processing personal data will define what information we collect at any given time and for what purpose. We will only process the following personal details about you on the legal grounds specified below:

  • Order information: name, telephone number and email address; order date, delivery address and delivery time; content of the order, payment method, gift recipient (if applicable), and any message relating to the order
  • Data processed when handing over orders: handover date, type of ID shown, and a record that ID has been shown
  • Data relating to online shop registration: name, telephone number and email address; reviews, lists, notes, reminders and stores; newsletter subscription (yes/no); chat conversations and order history. For corporate customers, we also collect: company name and business ID, license to dispense alcohol, and the names and roles of other users related to the corporate account.
  • Data relating to returns and complaints: Name, order number, products returned, reason for complaint, and date of return.
  • Data relating to customer service, quality assurance and service development: date of contact, content of the conversation, description of the issue (if applicable), technical details and IP address of the device used
  • Data relating to organising customer events: name, telephone number and email address; event location (municipality)
  • Analysing use of the online shop: browsing history in the online shop, purchase history, location data.
  • Data relating to sending newsletters: email address, newsletter subscription (yes/no)
  • Data relating to purchase ban agreement: customer’s name, postal and email address, telephone number, customer’s photograph provided by the customer of taken from the store’s surveillance camera, purchase ban details, name and contact information of the contact person or the legal guardian.

* “Legitimate interest” refers to data processing that forms an essential aspect of the controller’s business and that the customer can reasonably assume to be part of the controller’s operations. The controller often has to process personal data in order to carry out business-related tasks. In this context, the processing of personal data cannot necessarily be justified on the basis of a statutory obligation or contractual grounds. However, the processing of personal data can be justified on the basis of ‘legitimate interest’. Before personal data is processed on the basis of legitimate interest, the controller must always ensure that conducting business in accordance with this legitimate interest will not seriously violate the data subject’s rights and freedoms.

2. Sensitive data

Certain categories of personal data are classified as “sensitive personal data”. Sensitive personal data will reveal personal characteristics such as race or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic or biometric data, or information about a natural person’s health, sexual behaviour or sexual orientation.

Indiegrapes does not process any sensitive personal data relating to its customers.

3. Data disclosure and transfer

Indiegrapes is committed to protecting the confidentiality of your personal data, and we will only disclose your data to specific partners when necessary, for example, in order to process payments and deliver orders.

When processing the data we have collected, we also use subcontractors and service providers to assist us in areas such as technical system maintenance and customer service. These partners have the right to process your personal data only to the extent that is necessary in order to provide the services in question. This means that they cannot use your data for their own purposes. Our contractual terms and conditions require our partners to comply with data processing legislation and ensure adequate data security.

Your personal data will not be disclosed to any parties outside the European Union and European Economic Area.

4. Data security

Indiegrapes has implemented appropriate technical and organisational data security mechanisms to prevent the deletion and misuse of your personal data, as well as any other similar unlawful access to data. These mechanisms include firewalls, encryption and machine room security.

The processing of your personal data is also restricted by access control and the management of user rights. Your personal data will only be processed by employees that have the right and need to do so in order to carry out their job.

5. Access to information and exercising your rights

You have the right to check what data we have collected about you and to say how we may use that data. You can decide whether you wish to receive email communications from us. In certain circumstances, you have the right to have your data removed or request your data to be transferred to another controller. In this section, we will detail your rights under current legislation and how to exercise them:

  • Right to withdraw consent

When your personal data is being processed on the basis of personal consent from you, you have the right to withdraw this consent at any time, For example, you may at any time end your subscription to our newsletter by withdrawing your consent.

  • Right to check and correct data

You have the right to check what data we have collected about you, or to receive assurance that no data about you is being held in our filing system. If there are any errors, inaccuracies or other deficiencies in your data, you can request us to correct or add information.

  • Restricting or objecting to data processing

If your data is incorrect in some respect (for example, it is outdated), you have the right to request a temporary restriction on the processing of your data until we have verified its accuracy. Whenever the processing of your personal data is based on the controller’s legitimate interest, you have the right to object to the processing of your personal data. We will then no longer be able to process your personal data, unless we can present a justifiable reason why this processing is so important and why it can be considered weighty enough to supersede your rights. We will also be allowed to continue processing your data if we need it to prepare, present or defend a legal claim.

  • Right to have data removed (Right to be forgotten)

In certain circumstances, you have the right to be forgotten. In that case, we will remove all the data we have collected about you, unless this data is still required for the purposes it was originally collected for (such as to investigate a misdemeanour). Unless there are other justifiable grounds for processing your data, we will also remove your data if you object to the processing of your personal data, or if the processing of your personal data is based on your personal consent and you withdraw this consent. However, please note that we may have statutory legal obligations to retain your personal data for a certain period of time.

  • Right to transfer data from one system to another

You may request your personal data to be transferred, in which case we will send your personal data to you in machine-readable format, so you can either retain it yourself or transfer it to another controller. If it is technically possible, we will also transfer your data directly to another controller at your request. This is only possible in situations in which we are processing your personal data on the basis of your personal consent or contractual grounds, and only covers data that you have provided us with yourself.

  • Right to appeal

In addition to the aforementioned rights, you also have the right to appeal to the supervisory authorities with regard to the processing of your personal data.

How can I submit a request to check personal data?

You can submit a request to check your personal data by emailing us at Before disclosing personal details, we will need to verify your identity, so that we do not disclose your data to the wrong person.

6. Data retention

We will retain your personal data for the period required in order to carry out the purpose for processing your data, for as long as we are required to do so by law, or until you request us to remove your data.

We will only retain your data for as long as required in order to carry out the purposes specified in Section 1, and always within the current boundaries of the law.

After this, your data will either be deleted or made unidentifiable, by irreversibly converting it into a format in which individual persons can no longer be identified.

The retention period is determined by the duration of your customer relationship or while any action relating to misdemeanours is still pending. A customer’s personal data will be stored until the customer requests its removal from the register, unless legislation prevents the removal of such data.

You can edit cookie settings here:


A cookie is a tiny text file that your browser stores on your computer. Cookies contain a unique identifier, and we use them to identify and count visitors to our website. Cookies can be used for measurement and research purposes, for example, to develop websites or to determine how and how much a service is used.

The Service is implemented using strictly necessary, functional, analytical, and marketing cookies to enable the functionality of the Service and the measuring of Service usage.

Some of the cookies used by Indiegrapes’s e-services are so-called necessary cookies. These cookies are necessary for the service to function properly, as they perform tasks such as transferring products to your shopping basket or enable discussion in the chat function.

By analytics cookies we mean measurement techniques, such as Google Analytics. The measurement is used to calculate the number of visitors and to identify possible compatibility and usage issues, as well as development targets. Cookies are also used to identify the customer groups which use the Service and aim the communications of the Service accordingly. Individual customers are not identified when categorising customer groups.

Marketing cookies mean cookies, which are directed to help us to target Indiegrapes’s services, and to communicate in a more personal manner. For example, we are able to create categorised audiences and send them targeted communications, such as additional information regarding existing and upcoming services of Indiegrapes. Marketing cookies are not used to market individual alcohol brands. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media plugins

Indiegrapes’s websites also have so-called social media plugins to third party websites (e.g. Facebook’s and Twitter’s Share buttons). These social plugins are uploaded on these third-party service providers’ servers. Social media service providers process data as controllers and as joint controllers with Indiegrapes when applicable.

The platform providers collect via social media plugins information regarding users’ visited sites.

Data relating to a data subject is disclosed only when data subject actively shares material through social media plugins, e.g. Share button.

Cookie management

You can manage your cookie settings by clicking “Change settings” in the cookie banner. Later on, you can access preferences in the website’s Cookie Settings.

Cookie removal

You can disable use of cookies in browser settings. Google Analytics cookies can be deleted here. If you wish to disable to cookies from marketing networks, who share information between different networks, you can do it here.

If you wish, you can delete afterwards cookies which you have accepted. You will find instructions how to delete cookies by clicking the link nex to the right browser.

Please notice, that if you use multiple browsers, the cookies must be deleted from each browser separately.