Privacy policy


Privacy Policy

Data protection and the protection of your personal data is our top priority. We inform you below about the processing of your personal data on our website.


In the following, we refer to our entire offer, which appears under the brand name Näckrosgården , including our social media profiles (collectively referred to as "service" or "services"), irrespective of the way in which it is made accessible to you and the terminal device  you use to access it.


Your privacy is a primary objective for us when processing personal data, which we always take into account. Personal data collected when using our services is processed by us in accordance with the statutory provisions of the FinnishData Protection Act (tietosuojalaki) and the EU's General Data Protection Regulation (GDPR)(collectively referred to as "GDPR").


In the following, we inform you about the collection and processing of personal data during the general use of our services (irrespective of the actual use of our services) as well as during the use of our services and, if applicable, beyond that. In this privacy policy, you will also find some general information - for example, on your data subject rights or general additions to previously listed processing, such as the storage period.


Personal data (hereinafter referred to as "data") are processed by us only as necessary and for the purpose of providing a functional and user-friendly website, including its contents and the services offered there.


In accordance with Art. 4 No. 1. of the GDPR, "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


With the following privacy policy, we inform you in particular about the nature, scope, purpose, duration and legal basis of the processing of personal data, insofar as we decide either alone or jointly with others on the purposes and means of the processing. In addition, we inform you below about the third-party components we use for optimisation purposes and to increase the quality of use, insofar as third parties process data on their own responsibility.


Our privacy policy is structured as follows:


I. Information about us as the responsible party

II. Rights of users and data subjects and the legal basis of processing

III. Information on data processing

IV. Retention, Sharing and Security

V. Miscellaneous and closing


I. Information about us as the responsible party

The responsible provider of this website in the sense of data protection law is:


Libäck Invest Oy Ab

Equatorn 10 A 11

68600 Pietarsaari



Näckrosgården is a registered subsidiary of Raamt Ab Oy


The webshop is owned and operated by:

Libäck Invest Oy Ab

Equatorn 10 A 11

68600 Pietarsaari


Company number: 1877867-0


If you have any questions regarding our terms and conditions please contact us on tel. +358 2 3619 0900 or by email on


II. Rights of users and data subjects and the legal basis of processing

With regard to the data processing described in more detail below, users and data subjects have the right to


to confirmation as to whether data relating to them is being processed, to information about the data processed, to further information about the data processing and to copies of the data (cf. also Art. 15 GDPR);
correction or completion of incorrect or incomplete data (cf. also Art. 16 GDPR);
immediate erasure of the data concerning them (cf. also Art. 17 GDPR), or, alternatively, insofar as further processing is necessary in accordance with Art. 17 (3) GDPR, restriction of processing in accordance with Art. 18 GDPR;
to receive the data concerning them and provided by them and to transfer this data to other providers/controllers (cf. also Art. 20 GDPR);
to lodge a complaint with the supervisory authority if they are of the opinion that the data concerning them is being processed by the provider in breach of data protection provisions (cf. also Art. 77 GDPR).

In addition, the provider is obliged to inform all recipients to whom data has been disclosed by the provider of any correction or deletion of data or restriction of processing that takes place on the basis of Articles 16, 17 (1), 18 GDPR. However, this obligation does not apply if such notification is impossible or involves a disproportionate effort. Notwithstanding this, the user has a right to information about these recipients.


Likewise, according to Art. 21 GDPR, users and data subjects have the right to object to the future processing of data concerning them, insofar as the data is processed by the provider in accordance with Art. 6 (1) f) GDPR. In particular, an objection to data processing for the purpose of direct advertising is permissible.


In accordance with Art. 13 GDPR the following informs you about the legal basis of us processing your data and unless the legal basis is not specifically mentioned, the following applies:


Consent – This is where we have asked you to provide explicit permission to process your data for a particular purpose. (Art. 6 Para. 1 lit. a and Art. 7 GDPR)


Contract – This is where we process your information to fulfil a contractual arrangement we have made with you. (Art. 6 Para. 1 lit. b GDPR)


Answering your business enquiries – This is where we process your information to reply to your messages, e-mails, posts, calls, etc. (Art. 6 Para. 1 lit. b GDPR)


Legitimate Interests - This is where we rely on our interests as a reason for processing, generally this is to provide you with the best products and service in the most secure and appropriate way. (Art. 6 Para. 1 lit. f GDPR). Of course, before relying on any of those legitimate interests we balance them against your interests and make sure they are compelling enough and will not cause any unwarranted harm.


Legal Obligation – This is where we have a statutory or other legal obligation to process the information, such as for the investigation of crime. (Art. 6 Para. 1 lit. c GDPR)


III. Information on data processing

Your data processed when using our website will be deleted or blocked as soon as

the purpose of the storage no longer applies,  and
the deletion of the data does not conflict with any legal obligations to retain data.


Server data

For technical reasons, in particular to ensure a secure and stable Internet presence, data is transmitted by your Internet browser to us or to our web space provider. These so-called server log files include the type and version of your internet browser, the operating system, the website from which you accessed our website (referrer URL), the website(s) of our website that you visit, the date and time of the respective access as well as the IP address of the internet connection from which our website is used.


The data collected in this way is temporarily stored, but not together with other data about you.


This storage takes place on the legal basis of Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the improvement, stability, functionality and security of our website.


The data is deleted again after seven days at the latest, unless further storage is required for evidence purposes. Otherwise, the data is exempt from deletion in whole or in part until the final clarification of an incident.



We use so-called cookies on our website. Cookies are small text files that are stored on the storage medium of your end device, e.g. on a hard drive, and which provide us, as the party setting the cookie, with certain information. Cookies cannot execute programs or transmit viruses to your end device. For more general information on cookies, please visit All About Cookies and should you wish to learn more about the cookies we use on our website please read our Cookie Policy.


Contract processing

The data transmitted by you in order to make use of our range of goods and/or services are processed by us for the purpose of contract processing and are necessary to this extent. Conclusion and processing of the contract are not possible without the provision of your data.


The legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.


We delete the data once the contract has been fully processed, but in doing so we must observe the retention periods under tax and commercial law.


Within the scope of contract processing, we pass on your data to the transport company commissioned with the delivery of goods or to the financial service provider, insofar as the transfer is necessary for the delivery of goods or for payment purposes.


The legal basis for the transfer of data is then Art. 6 Para. 1 lit. b) GDPR.


Customer account / registration function

If you create a customer account with us via our website, we will collect and store the data you enter during registration (e.g. your name, address or e-mail address) exclusively for pre-contractual services, for the fulfilment of the contract or for the purpose of customer care (e.g. to provide you with an overview of your previous orders with us).


At the same time, we also store your IP address and the date of your registration together with the time of day. Of course, this data will not be passed on to third parties.


In the course of the further registration process, your consent to this processing is obtained and reference is made to this Privacy Policy. The data collected by us in this process will be used exclusively for the provision of the customer account.


Insofar as you consent to this processing, Art. 6 para. 1 lit. a) GDPR is the legal basis for the processing.


If the opening of the customer account also serves pre-contractual measures or the fulfilment of the contract, the legal basis for this processing is also Art. 6 (1) (b) GDPR.


In accordance with Art. 7 (3) of the GDPR, you can revoke your consent to the opening and maintenance of the customer account at any time with effect for the future. To do so, you only need to inform us of your revocation.


The data collected in this respect will be deleted as soon as processing is no longer necessary. However, we must observe retention periods under Finish tax and commercial law.


When placing an order in our online shop without setting up a customer account, all data necessary for execution and processing are requested by means of mandatory fields. Your data will only be used to process your order. The legal basis for the storage is Article 6 lit. b) GDPR.



If you register for our free newsletter, the data you requested for this purpose, i.e. your e-mail address and - optionally - your name,  will be transmitted to us. At the same time, we store the IP address of the internet connection from which you access our website as well as the date and time of your registration. During the further registration process, we will ask for your consent to send you the newsletter, describe the content in detail and refer to this privacy policy. We use the data collected exclusively for sending the newsletter - in particular, it is therefore not passed on to third parties.


The legal basis for this is Art. 6 para. 1 lit. a) GDPR.


In accordance with Art. 7 (3) GDPR, you can revoke your consent to receive the newsletter at any time with effect for the future. To do so, you simply need to inform us of your revocation or click on the unsubscribe link contained in each newsletter.


Contact requests / contact options

If you contact us via the contact form or e-mail, the data you provide will be used to process your request. The provision of the data is necessary for the processing and answering of your enquiry - without the provision of this data we cannot answer your enquiry or at best only to a limited extent.


The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR.


Your data will be deleted if your enquiry has been conclusively answered and the deletion does not conflict with any legal obligations to retain data, e.g. in the case of any subsequent contract processing.




Google Analytics

We use Google Analytics on our website. This is a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as "Google".


Google guarantees that the data protection requirements of the EU are also complied with when processing data in the USA. The Google Analytics service is used to analyse the usage behaviour of our website. The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimisation and economic operation of our website. Usage and user-related information, such as IP address, location, time or frequency of visits to our website, is transferred to a Google server in the USA and stored there. However, we use Google Analytics with the so-called anonymisation function. This function enables Google to truncate the IP address within the EU or EEA.


The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and of the usage activities there. This data may also be used to provide other services related to the use of our website and the use of the internet. Google states that it will not associate your IP address with any other data. In addition, Google keeps a record of your IP address . Google also offers a so-called deactivation add-on together with further information on this. This add-on can be installed with the usual Internet browsers and offers you further control over the data that Google collects when you call up our website. The add-on informs the JavaScript (ga.js) of Google Analytics that information about your visit to our website should not be transmitted to Google Analytics. However, this does not prevent information from being transmitted to us or to other web analytics services.


Google Adsense

This website uses Google AdSense, an advertising integration service provided by Google Inc. ("Google"). Google AdSense uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. Google AdSense also uses so-called web beacons (invisible graphics). Through these web beacons, information such as visitor traffic on these pages can be analysed.


The information generated by cookies and web beacons about the use of this website (including your IP address) and delivery of advertising formats will be transmitted to and stored by Google on servers in the United States. This information may be passed on by Google to contractual partners of Google. However, Google will not merge your IP address with other data stored by you.


You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.



We use the online marketing services of the provider Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany, on the basis of the analysis, optimisation and economic operation of our online offer.


Criteo's services allow us to display advertisements for and on our website in a more targeted manner in order to present users only with ads that potentially match their interests. If, for example, a user is shown ads for products in which he or she has shown interest on other web sites, this is referred to as "remarketing". For these purposes, when our website and other websites on which Criteo is active are called up, Criteo executes a code directly and so-called (re)marketing tags (invisible graphics or code, also referred to as "web beacons") are integrated into the web site. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file records which web sites the user has visited, which content the user is interested in and which offers the user has clicked on, as well as technical information on the browser and operating system, referring web sites, time of visit and other information on the use of the online offer. Criteo may also combine the aforementioned information with information from other sources. If the user subsequently visits other web sites, he or she can be shown ads tailored to his or her interests.


The processing of user data is pseudonymous, i.e. no clear user data (such as names) is processed and IP addresses of users are shortened. Processing only takes place on the basis of an online identifier, a technical ID. Any IDs communicated to Criteo (e.g. of a customer support system) or e-mail addresses are thus encrypted as so-called hash values and stored as a series of characters that do not allow identification.



We have integrated components of the company AddThis on this website. AddThis is a so-called bookmarking provider. The service enables a simplified bookmarking of internet pages via buttons. By moving the mouse over the AddThis component or by clicking on it, a list of bookmarking and sharing services is displayed. AddThis is used on more than 15 million websites and the buttons are displayed more than 20 billion times a year, according to the operating company.


The operating company of AddThis is AddThis, Inc. 1595 Spring Hill Road, Suite 300, Vienna, VA 22182, USA.


Each time you call up one of the individual pages of this website that is operated by us and on which an AddThis component has been integrated, the Internet browser on your information technology system is automatically prompted by the respective AddThis component to download data from the website This technical process receives data from the AddThis component, which is then sent to your computer. As part of this technical process, AddThis receives information about the visit and which specific individual page of this website is used by the information technology system you are using. Furthermore, AddThis obtains information about the IP address of the computer system used by the data subject, which is assigned by the Internet service provider (ISP), the browser type, the browser language, the website called up before our website, the date and the time of the visit to our website. AddThis uses this data to create anonymised user profiles. The data and information transmitted to AddThis in this way enable AddThis itself and the companies associated with AddThis or its partner companies to target visitors to the controller's Internet pages with personalised and interest-based advertising.


AddThis displays personalised and interest-based advertising on the basis of a cookie set by the company. This cookie analyses the individual surfing behaviour of the computer system used by the data subject. The cookie stores the visits to Internet pages originating from the computer system.


Facebook Custom Audiences - Facebook Pixel

This website uses the so-called "Facebook Pixel" of the social network "Facebook" for the following purposes:

Facebook (website) Custom Audiences We use the Facebook Pixel for remarketing purposes in order to be able to address you again within 180 days. This enables users of the website to be shown interest-based advertisements ("Facebook ads") when they visit the "Facebook" social network or other websites that also use this method. In this way, we pursue the interest of showing you advertising that is of interest to you in order to make our website or offers more interesting for you.


Facebook Conversion In addition, we would like to ensure with the help of the Facebook Pixel that our Facebook Ads correspond to the interest of the users and do not have a harassing effect. With the help of the Facebook pixel, we can track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").

Due to the marketing tools used, your browser automatically establishes a direct connection with the Facebook server as soon as you have agreed to the use of cookies requiring your consent. By integrating the Facebook pixel, Facebook receives the information that you have accessed the corresponding web site of our website or clicked on one of our advertisements. If you are registered with a Facebook service, Facebook can assign the visit to your account.


We are jointly responsible with Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook) for the collection and transfer of data as part of this process. This is for the following purposes:


The creation of individualised or appropriate ads, and for their optimisation.
The delivery of commercial and transactional messages (e.g. via Messenger).
The following processing operations are therefore not covered by joint processing:

Processing that occurs after collection and transmission is the sole responsibility of Facebook.

The creation of reports and analyses in aggregated and anonymised form is carried out as part of commissioned processing and is therefore our responsibility.

For joint responsibility, we have concluded a corresponding agreement with Facebook, which can be accessed here:  This sets out the respective responsibilities for fulfilling the obligation under the GDPR with regard to joint responsibility.


We have agreed with Facebook that Facebook can be used as a point of contact for the exercise of data subject rights. This is without prejudice to the competence of the data subjects' rights.



We use YouTube on our website. This is a video portal of YouTube LLC, 901 Cherry Ave, 94066 San Bruno, CA, USA, hereinafter referred to as "YouTube". YouTube is a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as "Google". Google, and thus also its subsidiary YouTube, guarantees that the EU data protection requirements are also complied with when processing data in the USA.


We use YouTube in connection with the "extended data protection mode" function in order to be able to show you videos. The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in improving the quality of our website. According to YouTube, the "enhanced data protection mode" function means that the data described in more detail below is only transmitted to the YouTube server when you actually start a video.


Without this "extended data protection", a connection to the YouTube server in the USA is established as soon as you call up one of our Internet pages on which a YouTube video is embedded.


This connection is necessary in order to be able to display the respective video on our website via your internet browser. In the course of this, YouTube will at least record and process your IP address, the date and time as well as the website you visited. In addition, a connection to Google's "DoubleClick" advertising network is established.


If you are logged into YouTube at the same time, YouTube will assign the connection information to your YouTube account. If you wish to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.


For the purpose of functionality and to analyse user behaviour, YouTube permanently stores cookies on your end device via your internet browser. If you do not agree to this processing, you have the option of preventing the storage of cookies by making a setting in your internet browser.


IV. Retention, Sharing and Security


Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, the data processed by us will be deleted or restricted in their processing in accordance with Art. 17 and 18 GDPR. If the data is not deleted because they are required for other and legally permissible purposes, their processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.


When do we disclose your Personal Data?
We may share your information with organisations that help us provide the services described in this policy and who may process such data on our behalf and in accordance with this policy, to support our online offer and our services. If you wish to learn more about how the relevant provider process your personal data, please follow the link embedded in the above mentioned providers name.
Typically and unless otherwise stated in this policy, data may be shared on the basis of our contractual and pre-contractual obligations, in accordance with Art. 6 para. 1 lit. b) GDPR. Equally, if you have consented to it, or where there we have a legal obligation to do so or on the basis of our legitimate interests (e.g. when using agents, hosting providers, tax, business and legal advisors, customer care, accounting, billing and similar services that allow us to perform our contractual obligations, administrative tasks and duties efficiently and effectively). If we commission third parties to process data on the basis of a so-called "processing agreement", this is done on the basis of Art. 28 GDPR.
In relation to meta data obtained about you, we may share a cookie identifier and IP data with analytic service providers to assist us in the improvement and optimisation of our website which is subject to our Cookies Policy.
We may also disclose information in other circumstances such as when you agree to it or if the law, a Court order, a legal obligation or regulatory authority ask us to. If the purpose is the prevention of fraud or crime or if it is necessary to protect and defend our right, property or personal safety of our staff, the website and its users.

Transfers to third countries

If we process data in a third country (i.e. outside the EEA) or if this is done in the context of using third-party services or disclosing or transferring data to third parties, this is only done if it is done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests.

Online Payment, Secure data transmission and Credit card information
The transmission of your personal information during an order transaction is encrypted using industry standard Secure Socket Layer ("SSL") technology, (SSL encryption version 3). Any credit card information you provide will not be stored by us, but will be encrypted and collected directly from our payment service provider Paytrail
via hypertext transfer protocol secure ("https").
We may share information with Paytrail, and you may need to provide credit or debit card information directly to the provider in order to process payment details and authorise payment following a secure link. The information which you supply to in such cases is not within our control and is subject to Paytrail’s own Privacy Notice and Terms and Conditions.


Security measures

For security reasons and to protect the transmission of  content, that you send to us, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.


V. Miscellaneous and closing


Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).If we commission third parties to process data on the basis of a so-called " processing agreement.


Online presences in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.


Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages.


Obligation to provide personal data

You are not obliged to provide us with personal data. However, depending on the individual case, the provision of certain personal data may be necessary for the provision of the above services. If you do not provide us with this personal data, we may not be able to provide the service.


Automated individual decision-making including profiling

We do not make automated decisions in individual cases, including profiling.


Do Not Track

Do Not Track is a privacy preference you can set in most browsers. We support Do Not Track because we believe that you should have genuine control over how your info gets used and our site responds to Do Not Track requests.


Do Not Sell My Personal Information

We do not sell information that directly identifies you, like your name, address or phone records.



It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.


Children Data

Our website is not intended for children and we do not knowingly collect data relating to children. If you become aware that your Child has provided us with Personal Data, without parental consent, please contact us and we take the necessary steps to remove that information from our server.


Integration of third-party services and content

Within our online offer, we use content or service providers on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer, we use content or service offers from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").


This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our web site, as well as being linked to such information from other sources.



The services for hosting and displaying the website are partly provided by our service provider (Shopify) as part of processing on our behalf. Unless otherwise explained in this privacy policy, all access data and all data collected in forms provided for this purpose on this website are processed on their servers. If you have any questions about our service providers and the basis of our relationship with them, please contact them as described in this privacy policy.


Content Delivery Network

For the purpose of a shorter loading time, we use a so-called Content Delivery Network ("CDN") (Shopify) for some offers. With this service, content, e.g. large media files, are delivered via regionally distributed servers of external CDN service providers. Therefore, access data is processed on the servers of the service providers. Our service providers work for us within the framework of order processing. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy policy.



This policy and our commitment to protecting the privacy of your personal data can result in changes to this policy . Please regularly review this policy to keep up to date with any changes.


Queries and Complaints

Any comments or queries on this policy should be directed to us. If you believe that we have not complied with this policy or acted otherwise than in accordance with data protection law, then you should notify us.