Privacy statement

Kastu (Ravintola Kastu Oy) Privacy Statement

This Privacy Statement describes the processing of personal data of Ravintola Kastu Oy. The subject of our processing is our customers' information in Kastu-application,, and our loyalty programs.

Contact details of the Data Controller

Ravintola Kastu Oy (later Kastu)
Helsingintie 3
24100 SALO
+358 50 471 4558

What information do we collect and for what purpose?

We only collect data that is necessary for the operation and development of our service.

The information we collect directly from you

  • When you register to the service, we collect your name, e-mail address, and password. This information is collected for identification, communication, and implementation of the service. We do not store passwords in a readable form. For the marketing purposes, we ask for a separate consent.
  • The information required for payments is not stored in our system. We do keep the tokens of the payment cards that you saved, their type, validity, and last 4 digits. The information does not include the complete card number, security code, or other information required for online payments. Kastu does not charge the card. All of the payments are handled by a PCI Certified Payment Partner - the Bambora Payform. Payment procedure in their service is secure, as all of the payment information is transmitted using encrypted connection so that no third party can access it.
  • We store your purchase history (receipts), which is required by the Accounting Act, and we use that information for the use of purchase behavior profiling. We will anonymize the data if you withdraw the consent.
  • Our loyalty programs' Membership Details stored are limited to: Membership Number, Membership Type, Membership Validity Period.
  • When you contact our customer support through an email, we collect the information you provide us in order to be able to help you with your case. We may also store that information to develop our customer support.

We collect the aforementioned information directly from you. You hand over information by signing up, signing in, using the service, adding a payment card, making purchases or making a customer service request. This information is used for communication and to either develop or provide services.

Personal information we collect from third parties

Third parties may collect or receive information from Kastu-application, and other apps and use that information to provide measurement services and targeted ads. These third parties in our service include:


  • Google Firebase Crashlytics add-on collects anonymous crash and analytics data. We are using this data to optimize the user experience and to locate and fix the emerging issues of Kastu-application. You consent to data collection by registering to service and accepting this privacy policy. You can stop the data collection by signing out and restarting the application. (Firebase Privacy Policy)
  • Facebook collects and handles your information if you select Facebook as the method of registration and/or sign in. You consent to data collection by using your Facebook account. We are using the anonymous analytics data collected by Facebook to optimize and develop our service. When you are using a Facebook account to register, we save your name, email address, and Facebook id number. You can stop the data collection by removing the Kastu-application authorization in the settings of your Facebook account. Facebook id remains in our database and you can ask for removal by following the instructions given in the "Use of rights" chapter. (Facebook Privacy Policy)


  • On our website, we might collect some information to be able to provide the best possible user experience. We need that information for analyzing the way our service are being used. Based on the collected information, we optimize the quality, content, adaptability, and relevancy of our service to match our customers' needs. The information is collected using cookies and user accounts. It contains anonymous usage data, e.g. technical information about your browser and device. You consent to the data collection by using our website.
  • Some of the tools that we use for data collection are Facebook Pixel and Google Analytics. Third parties may collect or receive this information and use it to provide measurement services and targeted ads. Read more about privacy policy of Facebook and Google.
  • You may clear or block cookies and other information collected in your browser settings or by using specific add-ons. Please notice that emptying cookies doesn't stop the data collection. You may activate collection blocking either beforehand or while using the service. In your mobile device, you may disable location sharing. Complete blocking of cookies and/or location services may affect our ability to provide services.

What kind of rights you have and how to use them?

You have the rights to personal information held by Kastu.

  • You have the right to access the personal data in our possession. However, access to information may be restricted by the privacy of the legislation and the privacy of other persons.
  • You have the right to request correction of incorrect or incomplete information.
  • You have the right to be forgotten. You may request the removal of your data. Data deletion can be done, for example, in cases when you withdraw the consent, and there is no other reason for the processing, or when you deny the data processing, and there is no other reason for the continuation of processing.
  • You have the right to limit the processing of your personal data.
  • You have the right to object to the processing of your data.
  • You have the right of data transferability. Upon request, you may receive personal data in machine-readable form. This right applies to personal information that has been processed automatically by agreement or consent to the breach.
  • You're entitled to withdraw the consent, at any time, without prejudice to the lawfulness of the processing before withdrawal if the processing is based on consent. Canceling consent may affect our ability to provide services.
  • You also have the right to file a complaint with the Data Protection Authority if you suspect that your personal data is being used improperly or unlawfully.

Use of Rights

To use your rights, please contact the Kastu customer service Access to stored personal data is also possible through our web site and iOS and Android applications.

For what purpose we use the information and on what basis do we handle them?

Kastu handles personal information to meet statutory and contractual obligations. The legal bases of our processing are:

Implementing the contract: Fulfilling contractual obligations, i.e. providing our service, is the main legal basis for our processing of personal data. The contract is formed between Kastu and you (Data Subject) when you register to the service. You will accept the processing of data according to this Privacy Statement by using the service. Kastu will process personal information to the extent necessary for providing or developing the service.

Statutory Obligation: In addition to our contracts, we have statutory obligations to deal with personal information. Examples of these include Accounting Act and public event and restaurant legislation.

Consent: To develop our website we collect analytical information on the use of the pages based on your consent. Acceptance of data collection is given at the site upon arrival. Regarding the information collected for marketing purposes, a separate consent will be collected from you, and that consent can be withdrawn at any time. Third parties may still use the collected data to provide measurement services and targeted ads. You are able to block the use of cookies by changing the browser settings in accordance with the browser manufacturer's instructions and deleting any cookies from the browser's cache. Clearing cookies do not stop the procedure of data collection.

How long will we keep the data?

Personal data is kept only for a contractual period unless otherwise required by law, such as the Accounting Act. For example, purchase transactions are maintained for the period required by the Accounting Act, but the information is anonymized at the end of the contractual relationship.

Website anonymous visitor analytics information will only be retained as long as it is necessary to track and develop marketing and customer service, a maximum of 26 months.

Customer support data is kept for the maximum of 24 months.

Data Processors and Cross-Border Processing

Data processing is being done by employees of Kastu, in accordance with the current Personal Data Act. Kastu reserves the right to outsource the processing of personal data to a third party, thereby guaranteeing contractual arrangements that personal data will be processed in accordance with the Personal Data Act and otherwise appropriately.

Information related to purchase transactions is transferred to our payment service provider, Bambora Payform, for charging. Bambora Payform contact information:

Bambora PayForm, Paybyway Oy (Business ID 2486559-4)
Phone: 029 300 5050 (on weekdays from 9am to 6pm)
Mailing address: Laserkatu 6, 53850 Lappeenranta

Otherwise, data will not be combined with other registers and will not be disclosed to third parties, unless required by law (e.g. the Accounting Act).

The server system used to provide the service is located in the Heroku server of Salesforce, Ireland. For information on the principles of the Heroku Privacy Policy, see the links below:

What are the risks involved in personal data processing and how do we protect the data?

The largest (still minor) risk is the personal data ending in the wrong hands, for example in connection with data theft or leakage. If this unlikely event occurs, the information can be used to find out the behavior of the Data Subjects, determine Data Subjects’ locations on event days, and send junk mail. Announcements of the large-scale data leaks are always provided to each party of the contract, regardless of whether or not the party is subject to the notification obligation.

The purpose of the Kastu security operations are to secure the availability of information and information systems, to ensure their confidentiality, to ensure data integrity, and to minimize any possible damage caused by deviations. The hedging activities are based on an activity risk assessment and are proportioned to managing the hedged item and the risks it poses.

Your personal data is always processed in accordance with the Personal Data Protection Act.