1. Who we are
Framme Group Oy Ab, business ID 2382074-9, Pieni Roobertinkatu 9, 00130 Helsinki, Finland ("Framme", "we") is the data controller for the processing described in this notice. Privacy contact: Jani Modig, privacy@framme.com.
2. Roles: Data controller and processor
We are the controller — and this notice applies — for: framme.com visitors; registered users of free (Solo) accounts and their purchases; representatives of our business customers (contract administration, billing, support, marketing); and delivery recipient data for orders placed under the Framme Shop Terms.
We are the processor for personal data that our subscription customers (Professional and Enterprise plans) process through their own branded shops — including their recipients' data for their campaigns. That processing is governed by the customer's own privacy notice and our data processing terms (Standard Contractual Clauses attached to the Framme Shop Service Agreement), not by this notice. If you received a gift through a company's Framme-powered shop, that company is the controller of your data; contact them first, and we will assist them in responding.
3. What data we process and why
| Purpose | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the Service and user accounts | Name, email, phone, employer organisation, account preferences, credentials | Contract (6(1)(b)) |
| Orders, production and delivery | Order and quote history, billing address, delivery recipient name/address/phone/email, order communications | Contract (6(1)(b)); for recipient data: legitimate interest (6(1)(f)) in fulfilling our customer's order |
| Payments | Payment method details processed by our payment service provider; we do not store full card numbers | Contract (6(1)(b)); legal obligation (6(1)(c)) for accounting |
| Invoicing, accounting, tax | Billing data, transaction records | Legal obligation (6(1)(c)) |
| Customer support and feedback | Communication history | Contract / legitimate interest |
| Marketing to business contacts, newsletters | Name, email, organisation, marketing permissions and restrictions | Legitimate interest (6(1)(f)) for existing customers; consent (6(1)(a)) otherwise; you can opt out at any time |
| Service development and analytics | Aggregated or pseudonymised usage data | Legitimate interest (6(1)(f)) |
| Security, abuse prevention, legal claims | Logs, access records | Legitimate interest (6(1)(f)) |
4. Where data comes from
From you (forms, email, phone, meetings, orders); from your employer when it designates you as a contact; from our customers when they provide delivery recipient details; and from public or commercial registers (e.g. credit information and company registers) for business verification.
5. Who we share data with
We use service providers (processors) for hosting, payment processing, transactional email, parcel tracking, third-party logistics, production and branding, and business software. Carriers and customs authorities receive recipient data as independent controllers to perform delivery. We do not sell personal data and do not share it for third-party marketing.
Current sub-processor categories and processing locations:
| Category | Service | Location |
|---|---|---|
| Cloud hosting | Application hosting and storage | EU (Frankfurt, Germany) |
| Transactional email | Order and account emails | EU (Ireland) |
| Payment processing | Card payments at checkout | EU (Ireland) |
| Parcel tracking | Delivery tracking | Hong Kong / global — transfers under EU Standard Contractual Clauses |
| Carriers | Delivery of products | Global, per destination |
| Third-party logistics (warehousing) | Storage and fulfilment | Finland, Canada, United States, Chile, Australia |
| Production and branding partners | Manufacturing and branding of products | EU and per product |
6. International transfers
We store primary application data in the EU (AWS eu-central-1, Frankfurt; transactional email via AWS SES eu-west-1, Ireland). Deliveries and warehousing outside the EU (e.g. Canada, US, Chile, Australia) require transferring recipient and logistics data to those destinations; such transfers rely on European Commission Standard Contractual Clauses, adequacy decisions, or the necessity of the transfer for performing the contract (GDPR Art. 49(1)(b)–(c)).
7. How long we keep data
Account data: for the life of the account and up to 24 months after closure. Order, invoicing and accounting data: as required by the Finnish Accounting Act (generally 6–10 years). Delivery recipient data: for the fulfilment, claims and carrier-claim periods, then deleted or anonymised. Marketing data: until you opt out or the data is no longer needed.
8. Cookies
You've probably come across this question on other sites before landing here. Cookies, according to our wise CTO Ahmad, are small text files stored on your device when you visit websites. They remember what you do while visiting a site, so the next time you're there, you don't have to repeat annoying things like entering a password again.
When you first visit framme.com, a banner asks for your choice. Essential cookies run without consent because the site literally doesn't work without them (logins, carts, security). Everything else — analytics that help us understand traffic — runs only if you click accept. The same applies to our live chat: its cookies are set only if you accept Support & Chat cookies. Rejecting is exactly one click, same as accepting, and you can change your mind anytime via Cookie settings in the footer. You can also clear or block cookies in your browser settings, though the site may sulk a little without the essential ones.
| Cookie | Type | Purpose | Duration | Party |
|---|---|---|---|---|
| session_id | Essential | Login session, security | Session | Framme |
| silktideCookieChoice_* (local storage) | Essential | Remembers your cookie choice | Persistent (local storage) | Framme |
| __stripe_mid, __stripe_sid | Essential | Secure payments and fraud prevention at checkout | 1 year / 30 minutes | Stripe |
| _ga, _ga_* | Analytics (consent) | Traffic measurement | 2 years | |
| [chat cookie name(s)] | Support & Chat (consent) | Live chat session | [duration] | Chatlio |
9. How we protect data
Encryption in transit and at rest, least-privilege access control, logging and monitoring, and contractual safeguards with all processors. Detailed technical measures are described in our customer-facing security documentation provided under NDA.
10. Your rights
You have the right to access your data; to rectify inaccurate data; to erasure ("right to be forgotten"); to restrict or object to processing (including direct marketing, at any time); and to data portability. Requests: privacy@framme.com — we may need to verify your identity, and we respond within one month (GDPR deadline). You also have the right to lodge a complaint with a data protection supervisory authority.
11. Changes
We update this notice when our processing changes; the current version is always at framme.com/privacy and material changes are notified to registered users.