Privacy Policy

Privacy at Edufication bases on the Data Protection Act 1050/2018 and the GDPR, EU General Data Protection Regulation 679/2016. This privacy statement document specifies the information on processing personal data at Edufication.

Register administrator

South-Eastern Finland University of Applied Sciences, Xamk (Business ID: 2472908-2)
P.O. Box 68 (Patteristonkatu 3 D)
FI-50101 Mikkeli

company main number: +358 40 655 0555

Data controller

Virnex Group Oy (Business ID: 3180456-2)
Askonkatu 9
FI-15100 Lahti
+358 40 505 3133

Contact details in register matters

More information on data protection and the processing of personal data is available through the email of Xamk’s Digital Services Specialist Teppo Rantaniva at: and the email of Xamk’s Data Protection Coordinator at

Register name

The register name is Edufication which comprises the web service and online store system and the Claned learning platform.

Purposes of processing personal data

South-Eastern Finland University of Applied Sciences is committed to protecting the privacy of its users and to complying with data protection legislation and good data protection practices in its operations. The processing of personal data is necessary for South-Eastern Finland University of Applied Sciences to provide services to all its customers and students. This privacy statement describes the practices of South-Eastern University of Applied Sciences concerning the collection and processing of personal data.

Personal data are collected for example due to delivering orders, allocating  payments correctly, identifying customers and / or persons registered/ indicated by customers, verifying customer transaction history and transaction rights, reporting and marketing. Personal data are also collected to enable logging in to the Claned learning environment.

Information on the online service users is collected to determine access rights and to monitor service use. The online service system creates log files containing personal data for the purposes of customer history and troubleshooting.

Legal basis for processing personal data

The lawfulness of processing personal data bases on Article 6 of the GDPR 679/2016 as follows:

Legal basis follows Article 6 (1)(b) when processing personal data is necessary for executing contracts which data subjects enter through online store purchases and payments. This also applies to taking necessary steps at the data subjects’ request prior to entering such contracts.

According to Article 6 (1)(a), by accepting the Edufication Privacy statement and Terms of service data subjects give consent to the processing of their personal data for one or more specific purposes. This consent results in a contract between data subjects and the data controller. When registering to the Claned learning platform, data subjects accept the service provider’s terms of service.

Processing personal data has legal basis, according to Article 6 (1)(f), when processing is necessary to achieve legitimate data controller or third-party interests. This legitimate interest of the data controller bases on a relevant and appropriate relationship between data subjects and the controller, resulting from the data subjects being the data controller’s customers, and from the processing taking place for purposes that the data subjects could have reasonably expected at the time of the personal data collection and in the context of an appropriate customer relationship.

Information content of the register

Possible personal data to register include the following:

general customer register: customer number, first name, last name, local address, post office, telephone number, email address, order history, username and direct marketing authorization

order register: contact information, ordered products

course registration: name, contact information, guardian information, if necessary

mailing lists: email address

Personal data will be stored in the registers until they are deleted manually. Order information is stored until deleted manually or on a scheduled basis. Electronic receipt records are stored until deleted manually, but at least for six years.

Regular sources of information

The main sources of information are online store customers when placing orders, registering and making their online payments.

Regular destinations of disclosed data

No personal data will be disclosed to third parties. Personal data may be transmitted to other systems of the data controller, such as the cash register system, accounting, invoicing, access control and learning environments. Depending on the payment service provider, customers’ contact information is transmitted to the payment system when paying for the order to facilitate problem situations and returning payments.

Data transmission outside the EU or the EEA

No personal data will be transmitted outside the EU or the EEA.

Register security principles

The online store system maintenance is protected by user specific login names, passwords and access rights. The data in the database is protected by usernames and passwords and processing the data is limited to the use of the online store system. The data stored in the system is protected by operating system level permissions. All communications between the online store maintenance, the online store and the payment service provider are SSL-secured.

The online store server maintenance connection is only allowed for the server and system providers. The online store system provider has full access to view and delete all data collected. Only data controllers with such work-related responsibilities are entitled to access and delete the data collected. 

Right to inspect personal data

Data subjects have the right to access and inspect the personal data stored in the register and to receive copies of the data. Inspection requests must be made electronically or in writing and addressed to the contact person in the register.

Right to demand the correction of data (rectification)

Data subjects have the right to demand incorrect data in the Edufication register to be corrected or deleted. Correction requests must be addressed electronically or in writing to the contact person of the register.

Other rights related to processing personal data

Data subjects have the right to prohibit the data controller from processing person-specific data for the purposes of direct mail, distance selling and other direct marketing as well as market and opinion research.

Using Microsoft Clarity for Optimizing the Service and Experience

We use Microsoft Clarity in order to better understand our users’ needs and to optimize this service and experience. Microsoft Clarity is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Microsoft Clarity uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Microsoft Clarity stores this information on our behalf in a pseudonymized user profile. Microsoft Clarity is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see Microsoft Clarity’s site.