Privacy policy

Version 2.0 · Effective date 15 July 2026

1. Who we are

Framme Group Oy Ab, business ID 2382074-9, Pieni Roobertinkatu 9, 00130 Helsinki, Finland ("Framme", "we") is the data controller for the processing described in this notice. Privacy contact: Jani Modig, privacy@framme.com.

2. Roles: Data controller and processor

We are the controller — and this notice applies — for: framme.com visitors; registered users of free (Solo) accounts and their purchases; representatives of our business customers (contract administration, billing, support, marketing); and delivery recipient data for orders placed under the Framme Shop Terms.

We are the processor for personal data that our subscription customers (Professional and Enterprise plans) process through their own branded shops — including their recipients' data for their campaigns. That processing is governed by the customer's own privacy notice and our data processing terms (Standard Contractual Clauses attached to the Framme Shop Service Agreement), not by this notice. If you received a gift through a company's Framme-powered shop, that company is the controller of your data; contact them first, and we will assist them in responding.

3. What data we process and why

PurposeDataLegal basis (GDPR Art. 6)
Providing the Service and user accountsName, email, phone, employer organisation, account preferences, credentialsContract (6(1)(b))
Orders, production and deliveryOrder and quote history, billing address, delivery recipient name/address/phone/email, order communicationsContract (6(1)(b)); for recipient data: legitimate interest (6(1)(f)) in fulfilling our customer's order
PaymentsPayment method details processed by our payment service provider; we do not store full card numbersContract (6(1)(b)); legal obligation (6(1)(c)) for accounting
Invoicing, accounting, taxBilling data, transaction recordsLegal obligation (6(1)(c))
Customer support and feedbackCommunication historyContract / legitimate interest
Marketing to business contacts, newslettersName, email, organisation, marketing permissions and restrictionsLegitimate interest (6(1)(f)) for existing customers; consent (6(1)(a)) otherwise; you can opt out at any time
Service development and analyticsAggregated or pseudonymised usage dataLegitimate interest (6(1)(f))
Security, abuse prevention, legal claimsLogs, access recordsLegitimate interest (6(1)(f))

4. Where data comes from

From you (forms, email, phone, meetings, orders); from your employer when it designates you as a contact; from our customers when they provide delivery recipient details; and from public or commercial registers (e.g. credit information and company registers) for business verification.

5. Who we share data with

We use service providers (processors) for hosting, payment processing, transactional email, parcel tracking, third-party logistics, production and branding, and business software. Carriers and customs authorities receive recipient data as independent controllers to perform delivery. We do not sell personal data and do not share it for third-party marketing.

Current sub-processor categories and processing locations:

CategoryServiceLocation
Cloud hostingApplication hosting and storageEU (Frankfurt, Germany)
Transactional emailOrder and account emailsEU (Ireland)
Payment processingCard payments at checkoutEU (Ireland)
Parcel trackingDelivery trackingHong Kong / global — transfers under EU Standard Contractual Clauses
CarriersDelivery of productsGlobal, per destination
Third-party logistics (warehousing)Storage and fulfilmentFinland, Canada, United States, Chile, Australia
Production and branding partnersManufacturing and branding of productsEU and per product

6. International transfers

We store primary application data in the EU (AWS eu-central-1, Frankfurt; transactional email via AWS SES eu-west-1, Ireland). Deliveries and warehousing outside the EU (e.g. Canada, US, Chile, Australia) require transferring recipient and logistics data to those destinations; such transfers rely on European Commission Standard Contractual Clauses, adequacy decisions, or the necessity of the transfer for performing the contract (GDPR Art. 49(1)(b)–(c)).

7. How long we keep data

Account data: for the life of the account and up to 24 months after closure. Order, invoicing and accounting data: as required by the Finnish Accounting Act (generally 6–10 years). Delivery recipient data: for the fulfilment, claims and carrier-claim periods, then deleted or anonymised. Marketing data: until you opt out or the data is no longer needed.

8. Cookies

You've probably come across this question on other sites before landing here. Cookies, according to our wise CTO Ahmad, are small text files stored on your device when you visit websites. They remember what you do while visiting a site, so the next time you're there, you don't have to repeat annoying things like entering a password again.

When you first visit framme.com, a banner asks for your choice. Essential cookies run without consent because the site literally doesn't work without them (logins, carts, security). Everything else — analytics that help us understand traffic — runs only if you click accept. The same applies to our live chat: its cookies are set only if you accept Support & Chat cookies. Rejecting is exactly one click, same as accepting, and you can change your mind anytime via Cookie settings in the footer. You can also clear or block cookies in your browser settings, though the site may sulk a little without the essential ones.

CookieTypePurposeDurationParty
session_idEssentialLogin session, securitySessionFramme
silktideCookieChoice_* (local storage)EssentialRemembers your cookie choicePersistent (local storage)Framme
__stripe_mid, __stripe_sidEssentialSecure payments and fraud prevention at checkout1 year / 30 minutesStripe
_ga, _ga_*Analytics (consent)Traffic measurement2 yearsGoogle
[chat cookie name(s)]Support & Chat (consent)Live chat session[duration]Chatlio

9. How we protect data

Encryption in transit and at rest, least-privilege access control, logging and monitoring, and contractual safeguards with all processors. Detailed technical measures are described in our customer-facing security documentation provided under NDA.

10. Your rights

You have the right to access your data; to rectify inaccurate data; to erasure ("right to be forgotten"); to restrict or object to processing (including direct marketing, at any time); and to data portability. Requests: privacy@framme.com — we may need to verify your identity, and we respond within one month (GDPR deadline). You also have the right to lodge a complaint with a data protection supervisory authority.

11. Changes

We update this notice when our processing changes; the current version is always at framme.com/privacy and material changes are notified to registered users.