Skip to main content

Privacy policy

1. Personal data controller

Company name: Upitrek ltd (Upitrek)
Reg. number: 2368312-3
Address: Kiviniementie 59, 87850 Paltaniemi, Finland
Tel.: +358 40 733 9262
Contact person: Niina Jämsén

2. Upitrek’s customer and marketing register

Register includes personal data of customers and of those who have given their consent for marketing.

3. Purpose of use of personal data

1) Personal data is processed based on an existing customer relationship
The processing of personal data is necessary when dealing with matters related to tour reservations, and or customer communication. Customers’ e-mail addresses are added to our newsletter mailing list. Customers can unsubscribe from the newsletter mailing list by clicking the link included in each newsletter.

2) Personal data is processed based on consent
Voluntary consent is required from the data subject, which is supplied, for example, through a form requesting permission to send the data subject marketing materials. Information about Upitrek’s products and offers are sent out to registered data subjects. The form of communication adopted is a newsletter, distributed via e-mail. The newsletter is published 4-6 times a year.

4. Personal data recorded in the register

The customer register may contain the following information:
* Name
* Address
* Email
* Phone number
* Nationality
* Trips bought and years of travel or the information about the trips the person has been interested in

At the time of booking the client may be asked for other relevant information for the booking eg. dietary requirements, year of birth or size information (height, shoe size) but this information won’t be stored in the register.

5. Regular information sources

Customer information is regularly obtained:
• From the customer as the customer relationship is born
• From the customer through (newsletter subscription) or another way directly from the registered

6. Personal data processors

The controller and its employees process personal data. At the end of their term of employment, measures are in place to prevent former staff from accessing the registry, such as the changing of passwords.

Personal data collected through the Upitrek website’s ( newsletter subscription form is processed for and on behalf of the registrar by Davas Oy using their systems.

Personal information provided by the client may be given to our partners in arranging the travel and other services and also to relevant officials and authorities. Personal information is to be processed only for purposes in the travels or services in question. Any other use on Personal information is prohibited. All Personal information and any copies of it given by us must destroyed when the information is no longer needed for arranging travels or services ordered, unless applicable legislation requires storage of the Personal information.

7. Transferring data outside the EU or EEA

Personal data is stored in a cloud service within which data may be transferred outside the EU or European Economic Area (EEA) in compliance with the requirements of the European General Data Protection Regulation (GDPR).

The MailChimp service is used to send the Upitrek newsletter, and within this service associated data may be transferred outside the EU or EEA. MailChimp uses personal data in compliance with the requirements of GDPR.

The Upitrek website ( uses Google Analytics, which collects statistical data on web visits but does not collect any information that would enable user identification. Information collected from Google Analytics cookies may be stored outside the EU.

8. Duration of processing

• Personal data is retained for a maximum of 10 years after the data subject customer relationship to the controller has ended.
• The data subject may unsubscribe from our marketing list by clicking the link on each of our marketing e-mails.

9. Automatic decision-making and profiling

We are not using the data for automatic decision-making or profiling.

10. Regular disclosure of data

The data is not disclosed outside the company.

11. Protection principles of the register

Computers are protected by a firewall and other technological measures. Mobile devices are protected with login codes and anti-virus software. Documents, which contain personal data and are handled manually, are properly disposed of after use.

12. The data subject’s rights

The data subject has the following rights, and requests for their use should be sent to Upitrek ltd, Kiviniementie 59, 87850 Paltaniemi.

Right to access data: The data subject may check the data we have recorded.

Right to rectification: The data subject may request the rectification of inaccurate or incomplete personal data.

Right to object: The data subject may object to the processing of personal data if the data subject feels that personal data has been processed unlawfully.

Right to forbid direct marketing: The data subject has the right to forbid the use of personal data for direct marketing.

Right to deletion: The data subject has the right to request the deletion of data if personal data processing is not necessary. We will handle the request for deletion and proceed to either delete the data or state a justified reason for not being able to delete the data. It should be noted that the controller may have legal or other rights to not delete the requested data. The controller is obligated to preserve accounting materials for the duration (10 years) set out in the Accounting Act (Chapter 2, Section 10). For this reason, materials related to accounting cannot be deleted before that term has expired.

Withdrawing consent: If the processing of personal data is only based on the data subject’s consent and not for instance on a customer relationship or membership, the data subject may withdraw consent.

The data subject may complain of the decision to the Data Protection Supervisor: The data subject has the right to demand us to restrict the processing of controversial data until the matter is solved.

Right to complain: The data subject has the right to complain to the Data Protection Supervisor if the data subject feels that we are violating the effective data protection regulation when processing personal data.

Contact information of the data protection supervisor:

13. Revisions to the Privacy Policy

We may revise this privacy policy at any time in response to changes in the law or other factors. Last updated: 5.7.2023.