GDPR
Last updated 7 July 2026
Croft is built for Europe from day one, and data protection is part of that commitment. This page summarises how we comply with the EU General Data Protection Regulation (GDPR) and the rights it gives you. It complements our Privacy notice.
Data controller
Croft Oy is the controller of personal data processed through this website. You can reach our data-protection contact at privacy@croft.fi.
Lawful basis for processing
We contact you about Croft on the basis of your consent (Article 6(1)(a) GDPR), given when you join the waitlist. You may withdraw it at any time without affecting processing carried out beforehand. We process limited security data — a salted one-way hash of your IP address and your browser’s user-agent — on the basis of our legitimate interest (Article 6(1)(f) GDPR) in protecting the Services against abuse.
Data minimisation and pseudonymisation
We collect only what the waitlist needs to function. IP addresses are never stored in raw form — they are pseudonymised with a salted one-way hash before any storage or rate-limiting use, and cannot be reversed by us.
Erasure by design
Every email we send includes a one-click unsubscribe link, and unsubscribing deletes your record immediately — the right to erasure, built into the mechanism itself rather than handled on request.
Your rights
Under the GDPR, you have the right to:
Access — obtain a copy of the personal data we hold about you.
Rectification — have inaccurate data corrected.
Erasure — have your data deleted (“right to be forgotten”).
Restriction — limit how we process your data.
Portability — receive your data in a portable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — at any time, where processing is based on consent.
Exercising your rights
To exercise any of these rights, email privacy@croft.fi. We will respond within the timeframes required by the GDPR, normally within one month.
International transfers
Waitlist data is stored at rest in the European Union (Frankfurt, Germany). Limited processing by our email-delivery and hosting providers may take place outside the European Economic Area; where it does, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.
No automated decision-making
We do not use personal data collected through this website for automated decision-making or profiling.
Complaints
If you believe we have not handled your data properly, you have the right to lodge a complaint with your local supervisory authority. In Finland this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).