Privacy Policy

Last updated: 20.11.2025

Introduction

Oulu University, Tampere University, and VTT as joint controllers; referred to as “we” are committed to protecting your privacy and ensuring transparency in how we handle your personal data. In alignment with our institutional missions and in compliance with the General Data Protection Regulation (GDPR), we may collect and process the following types of personal data:

1. Information We Collect

We may collect and process the following types of personal data:

1.1 Information You Provide

Account Information: When you register on our website, we collect your name, email address, and other details you provide.
Comments: If you leave a post on our site, we collect the data shown in the post form, your IP address, and browser user agent string to help with spam detection.
Contact Forms: Information you provide when submitting a contact form, such as your name, email address, and message content.

1.2 Automatically Collected Information

To provide our services, we automatically collect certain information to enhance user experience, ensure security, and improve our offerings. This data collection is conducted in compliance with the GDPR, specifically under Article 6.1_(e), which permits processing when it is necessary for the purposes of public interests pursued by the data controller.

Cookies

We utilise cookies to enhance your browsing experience, analyse site traffic, and personalise content. While some cookies are essential for the website’s functionality and are exempt from consent requirements, others, particularly those used for analytics and personalisation, require your explicit consent before being placed on your device. For a detailed overview of the types of cookies we use and your options regarding cookie preferences, please refer to the “Cookies” section below.

Log Data

When you access our services, our servers automatically record information known as log data. This may include your IP address, browser type, operating system, referring URLs, pages visited, and the date and time of each request. We process this information to monitor and analyse usage patterns, detect and prevent fraudulent activities, and ensure the security and integrity of our systems. This processing is based on public interests for maintaining a secure and efficient service, as permitted under Article 6.1_(e) of the GDPR.

1.3 Media

If you upload images to the website, avoid uploading images with embedded location data (EXIF GPS). Visitors to the website can download and extract location data from images.

2. How We Use Your Data

We process and use your personal data under legal bases for the following purposes:

To provide and manage your account.
To process and respond to your inquiries or comments.
To improve our website and user experience.
To send you updates, newsletters, or promotional materials (only if you have opted in).
To comply with legal obligations and ensure the security of our website.

3. Cookies

Cookies are small text files stored on your device to enhance your browsing experience. We use the following types of cookies:

3.1 Essential Cookies

These cookies are necessary for the website to function properly, such as login sessions and security features.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist. If you log out of your account, the login cookies will be removed.

3.2 Functional Cookies

These cookies remember your preferences, such as your screen display choices, to improve your experience.

3.3 Analytics Cookies

We use third-party analytics tools to collect anonymized data about website usage, such as page views and traffic sources.

3.4 Managing Cookies

You can manage or disable cookies through our cookie banner settings. However, disabling cookies may affect the functionality of the website.

4. Embedded Content from Other Websites

Articles on this site may include embedded content (e.g., videos, images, articles). Embedded content from other websites behaves as if you visited those websites directly. These websites may:

Collect data about you.
Use cookies.
Embed additional third-party tracking.
Monitor your interaction with the embedded content, including tracking your interaction if you have an account and are logged in to that website.

We are not responsible for the privacy practices of these third-party websites.

5. Who We Share Your Data With

We do not sell or rent your personal data to third parties. However, we may share your data with:

Service Providers: Third-party services that help us operate our website, such as hosting providers, analytics tools (Google Analytics), and spam detection and other security services (Wordfence).
Legal Authorities: If required by law or to protect our legal rights.

If you request a password reset, your IP address will be included in the reset email.

6. How Long We Retain Your Data

Comments: If you leave a comment, the comment and its metadata are retained indefinitely to recognize and approve follow-up comments automatically.
User Accounts: For registered users, we store the personal information provided in their user profile. Users can see, edit, or delete their personal information at any time (except their username). Website administrators can also see and edit this information.
Cookies and Log Data: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Rectification: Request corrections to inaccurate or incomplete data.
Erasure: Request the deletion of your personal data, except where we are required to retain it for legal or security purposes.
Data Portability: Request to receive your data in a structured, commonly used, and machine-readable format.
Objection: Object to the processing of your data for specific purposes, such as direct marketing.
Withdraw Consent: Withdraw your consent for data processing at any time.
Complaint:

If you believe that the processing of your personal data infringes upon your rights under the GDPR, you have the right to lodge a complaint with the supervisory authority.

Contact Information for the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu):

Postal Address: P.O. Box 800, 00531 Helsinki, Finland
Visiting Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Email: tietosuoja@om.fi
Phone Numbers:
- Switchboard: +358 (0)29 566 6700
- Registry: +358 (0)29 566 6768
- General guidance for private persons: +358 (0)29 566 6777

For more information or to submit a complaint, please visit the official website: https://tietosuoja.fi/en/home

For other personal data requests you may exercise the rights and contact us at h2miri@oulu.fi

We will respond to all requests within one month, in accordance with GDPR Article 12.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

If you are located outside of Finland, your data may be transferred to and processed in Finland, where data protection laws may differ. By using our website, you consent to this transfer.

10. Third-Party Services

We use third-party services to enhance our website functionality. These services may collect and process your data according to their privacy policies. Examples include:

Social Media Plugins: For sharing content.
Wordfence Security: For spam detection and security purposes.

11. Legal Basis for Processing

At H2MIRI, comprising Oulu University, Tampere University, and VTT as joint controllers, we process personal data in accordance with the legal bases outlined in Article 6.1 _(a),(e) of the General Data Protection Regulation (GDPR). Each processing activity is grounded in one or more of the following lawful bases:

Consent

We process personal data based on your explicit consent for specific purposes, such as subscribing to newsletters or participating in voluntary surveys. You have the right to withdraw your consent at any time.

Legal Obligation

We process personal data to comply with legal obligations to which we are subject. This includes obligations under applicable laws and regulations that require us to retain certain records or provide information to public authorities.

Public Interest or Official Authority

As a funded procurement, we process personal data as necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in us. This includes research activities, educational services, and other functions aligned with our institutional missions.

Each processing activity is assessed to determine the appropriate legal basis, ensuring compliance with GDPR requirements.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated policy will be posted on this page with the “Last Updated” date.