This Privacy Policy (“Privacy Policy”) describes what personal data of the data subject (“you” or “data subject”) Cactos Oy (3249847–2), (“Cactos”, “we”, or “the controller”) processes as the controller, and how and for what purposes such personal data are processed. This Privacy Policy also describes how personal data is transferred to third parties and how you can exercise your rights related to the processing of personal data.
This Privacy Policy applies to the processing of personal data in connection with the use of Cactos Spine software provided by Cactos. Cactos complies with applicable data protection legislation, including the General Data Protection Regulation (EU 2016/679) and the Finnish Data Protection Act (1050/2018). Terms not defined in this Privacy Policy shall be interpreted in accordance with applicable data protection legislation.
Cactos Oy (3249847–2)
Kuortaneenkatu 2, 00510 Helsinki
Mikael Lindqvist, General Counsel
Email: mikael@cactos.fi
The personal data processing described in this Privacy Notice concerns the processing of personal data of users of the service provided by Cactos (customer representatives / end users of the service).
Cactos processes the personal data of its customers’ representatives, which are collected in connection with logging in to and using the Cactos Spine service, for the purpose of providing the services in accordance with the agreement between Cactos and its customer, for enabling access to the information systems for the customer’s representatives, and for enabling contract management, invoicing, sales, and direct marketing
Below is described in more detail what personal data Cactos may process and the legal basis for the processing:
The processing of personal data is based on Cactos’s legitimate interest for the purpose of fulfilling the agreement concluded between Cactos and its customer and on the data subject’s separate explicit consent insofar as this has been specified in more detail in connection with the consent.
The processing of personal data carried out by Cactos as described in this Privacy Notice is not subject to automated decision-making. Insofar as the processing of personal data is based on legitimate interest, you have, as the data subject, the right to obtain additional information about the applicable legitimate interest through the contact details presented in section 2 of this Privacy Notice.
Cactos collects personal data primarily from the data subject themself. However, Cactos may also receive personal data from other representatives of the customer.
Personal data may be transferred or disclosed as necessary to Cactos’ service providers and electricity market participants
In exceptional circumstances, Cactos may also disclose or transfer personal data to other third parties if required by applicable law, regulation, or another order of an authority. Cactos may also transfer personal data within its group companies, as well as in connection with a possible merger, acquisition, or business transfer in which Cactos or its business or part thereof is sold to the data recipient.
Cactos transfers personal data outside the EU or EEA, if it is necessary for the implementation of the purposes of personal data processing. If personal data are processed outside the EU or EEA, Cactos takes care that the conditions for data transfer set in the EU’s Data Protection Regulation are fulfilled, and that the collected data are transferred only to such third countries or parties whose level of data protection the European Commission has found sufficient (for example, under the EU-U.S. Data Privacy Framework), or that the recipient of the personal data has committed to the European Commission’s standard contractual clauses concerning the processing of personal data, and, if necessary, has taken care of sufficient technical additional protective measures.
If the international data transfer is based on the Commission’s standard contractual clauses, you have, as the data subject, the right to obtain the applied standard contractual clauses for your review by contacting the address mentioned in section 2 of this Privacy Policy.
Cactos stores the personal data it processes only as long as they are necessary for those purposes for which the personal data are processed.
The personal data of the customer’s representative are stored for no longer than five (5) years from the termination of the agreement concerning the provision of the service or from the change of the customer’s representative, unless there is a basis for longer retention of the information, for example due to law or the processing of a legal claim. Cactos assesses the necessity of data retention regularly, taking into account the applicable legislation.
Cactos follows good information management practices, a high duty of care, and effective data security measures in the processing of personal data, in addition to which the information security of systems as well as the confidentiality, integrity, and availability of personal data are ensured by appropriate technical and organizational measures.
Access to the data is granted only to persons employed by Cactos or to its authorized parties whose performance of work tasks requires the processing of personal data. The personal data is protected with personal user IDs and passwords. Cactos requires from its personnel and partners a commitment to the careful processing and confidentiality of customer data.
Find more information about Cactos' Data Security Policy here
The data subject has the rights described in this section in accordance with applicable data protection legislation. Please note that the applicability of these rights in individual cases depends on the purpose and legal basis of the processing of personal data.
If the data subject wishes to exercise their rights, the data subject must submit a request concerning the exercise of these rights by email to the address indicated in Section 2 of this Privacy Policy. As a rule, Cactos does not charge any fee for handling such a request from the data subject. However, if the requests made by the data subject are manifestly unfounded or excessive, for example if they are made repeatedly, Cactos may, in accordance with applicable data protection legislation, charge a reasonable fee based on the administrative costs incurred in handling the request, or refuse to act on the request.
The data subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed and the information required under applicable data protection legislation. The data subject also has the right to obtain a copy of the personal data undergoing processing.
The data subject shall have the right to access the personal data that is stored in the register. The data subject shall have the right to request the correction of inaccurate or imprecise personal data.
The data subject has the right, in situations provided for under data protection legislation, to have its personal data erased. This right applies, for example, in situations where the personal data are processed for the purposes of direct marketing. Exercising the right to erasure may, however, affect the extent to which Cactos is able to provide its services to you. The purposes of processing are described in the section of this Privacy Policy concerning the purposes of processing.
The data subject may request the controller to restrict the processing of their personal data. This right applies, for example, where the accuracy of the personal data is contested, or where the original purpose of the processing is no longer applicable.
The data subject has the right to object, on grounds relating to their particular situation, to the processing of their personal data where such processing is based on the controller’s legitimate interests. In such a case, Cactos will cease processing the personal data unless the processing is permitted under an exception provided for in the General Data Protection Regulation. The data subject also has the right to object to the processing of personal data for direct marketing purposes at any time and without providing any specific reason.
The data subject has the right, in situations provided for under data protection legislation, to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller where technically feasible.
Where the processing of personal data by Cactos is based on the data subject’s explicit consent, the data subject has the right to withdraw their consent. In relation to cookies, consent may be withdrawn through the cookie banner available on the website. The cookie banner can be accessed at any time via the cookie icon displayed on the website. If you withdraw the consent, it may limit Cactos’s ability to provide certain services to you.
The data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes applicable data protection regulations.
Cactos may update this Privacy Policy from time to time due to changes in data processing practices or applicable legislation. The most recent version of this Privacy Policy is always available on Cactos’s website.
Version History
Version
1. First Privacy Policy published on 19.06.2025
2. Privacy Policy updated on 22.10.2025