Skip to main content

TinkyBell’s Privacy Policy Statement

TinkyBell clients and potential clients
TinkyBell staff

Your Privacy Matters

Our business activities involve providing travel agency services for business and organizational clients. Providing these services would not be possible without us collecting and handling personal data. Personal data includes any information that relates to an identified or identifiable living individual, such as names, email addresses, personal identity codes and photographs. We appreciate that people value their privacy, and we are committed to handling all personal data in accordance with this privacy policy and the law.

As a business travel agency, we often also act as a processor for our businesses and organizational clients, who are the controllers. For our role as a processor, the principles of processing personal data are described in our clients’ privacy policies or statements and in the agreements we have made with our clients. All processing of our clients’ personal data is always based on a service and data protection agreement between us and the client organization, and we only process the client’s personal data for and on behalf of the client for as long as we have a standing agreement.


The controller for the processing of personal data described in this privacy policy statement is TinkyBell (hereinafter referred to as “TinkyBell” or “we”):

TinkyBell Oy
Business ID: 2670838-1
Rantapolku 10
67700 Kokkola, Finland
Tel.: 358 45 899 3007

Person in charge of data protection: Heli Lindén

You can contact us using the above-mentioned contact details for any questions or requests related to data protection.

For What Purposes Does TinkyBell Collect Personal Data and on What Basis?

We collect, store and process personal data for predetermined purposes. We always ensure that we have a legal basis for storing and processing personal data. The legal basis for and main purposes of processing personal data include the following:

Providing Business Travel Agency Services to Companies and Other Organizations

  • We collect and process personal data to provide business travel agency services and to fulfill our contractual obligations. Organizing business trips may require us to disclose personal data to third parties such as airlines, hotels and authorities (e.g. for travel authorizations and visas).
  • We process personal data for example to invoice for our services, to accept and handle orders, and to book and organize trips for our business and organizational clients.
  • We may also use personal data in responding to feedback.

    In this case, the legal basis for processing personal data is, above all, the performance of a contract, but also our legitimate interests and, in some cases, also the data subject’s express consent.

Marketing and Handling Client Communications

  • We may process personal data for the purposes of handling client communications and providing information on our services.
  • We may conduct customer satisfaction surveys.
  • If you have given us your express consent (where such consent is required by law), we may send you marketing emails. You can withdraw your consent at any time. Even if our marketing activities do not require your consent, you are always free to decline direct marketing targeted at you.
  • We may use third-party services in our marketing and communications.

    In this case, the legal basis for processing personal data is, above all, our legitimate interests, and, in some cases, also the data subject’s express consent.

Human Resource Management

  • Any personal data that relates to staff members is collected and processed primarily for human resource purposes such as fulfilling employment contract obligations, paying salaries, handling taxation, satisfying other rights and obligations arising from the employment relationship, and meeting legal requirements related to the employment relationship.

    In this case, the legal basis for processing personal data is the performance of a contract and compliance with a legal obligation, and sometimes also a staff member’s express consent.

Compliance with a Legal Obligation and Other Legal Requirements

  • We may also process personal data to comply with legal obligations (e.g. bookkeeping, employment contracts law and taxation), respond to or make legal claims, prevent and investigate fraud, or provide information required by a court of law or some other authority.

    In this case, the legal basis for processing personal data is, above all, compliance with legal obligations, as well as our legitimate interests.

What Personal Data Does TinkyBell Collect?

We mainly only collect and process personal data related to our clients and staff.


We typically collect and process the following personal data about our clients (in so far as it is necessary to manage the client relationship and organize travel):

  • The name of the company
  • The name of the person
  • Sex
  • Email
  • Telephone number
  • Title
  • Address (for the workplace, but sometimes also the home address)
  • Invoicing address
  • Date of birth
  • Seating preference (aisle/window)
  • Special dietary requirements
  • Other travel preferences, such as airlines, hotel chains and room types
  • Frequent flyer, hotel membership and car rental membership card numbers
  • Passport number and expiry date
  • Nationality
  • Passport copy
  • Credit card number, if necessary
  • ICE contact details
  • Consent for or ban on marketing

We may process the above-mentioned information not only as a controller, but also as a processor. In the latter case, it is the client organization’s responsibility to ensure that they are allowed to disclose their staff’s personal data and that there is a legal basis for storing and processing the data.


We mainly collect and process the following data about our employees:

  • Name
  • Personal identity code
  • Details for salary payment and taxation
  • Contact information
  • Employment contract

Where Do We Obtain the Data?

The main source of personal data is the data subject himself/herself or the data subject’s employer. We may also obtain data from public sources and registers.

Who Processes Personal Data, and Are Data Disclosed?

Personal data are mainly processed by TinkyBell’s staff as part of their regular duties.

We may also outsource personal data processing to some extent, and many of the systems we use for storing and processing personal data are cloud services. Most of the stored and processed data are electronic. We use third-party service providers particularly for the following:

  • Cloud storage of data and secure transfer of files and data
  • Customer relationship management (CRM)
  • Accounting and invoicing

When using third-party service providers, we ensure that the confidentiality of personal data is maintained and that the data is processed legally and for our purposes only.

Otherwise, we may disclose data if required by law, a court of law or a competent authority, if we are responding to or making a legal claim or if we are in the process of investigating or preventing fraud. We may also disclose personal data with the data subject’s express consent. We may also disclose personal data if we become part of a company acquisition or some other corporate transaction.

Does TinkyBell Transfer Data Outside the EU?

In general, we do not disclose personal data outside the EU, but because data are primarily stored and processed electronically and especially in cloud services, some of our service providers may be located in non-EU countries. Such service providers include, for example, Dropbox (for storing and transferring data) and Zoho (for CRM). Data may also be transferred outside the EU if a client’s travel arrangements make this necessary. However, we will always ensure that any data transfer outside the EU will incorporate the necessary protections in accordance with the law. The primary options are (1) data transfer to an EU Commission approved country with an adequate level of data protection, (2) data transfer to an EU–U.S. Privacy Shield certified company (transferee in the United States) or (3) use of standard contractual clauses for data transfers between EU and non-EU countries.

How Long Does TinkyBell Store Personal Data?

We never store personal data for longer than is necessary for the purpose of processing it or for longer than is required by law or under our agreement. The storage period for personal data may vary depending on the purpose of use, the legal basis for processing, and the situation. We can also remove personal data if data subjects withdraw their consent or ask for their data to be removed (as long as we have no legal basis for processing the data), if the contractual relationship ends, or if the data are outdated or inaccurate. The storage periods may also be guided by the law (e.g. accounting, taxation and employment contracts law) and possible time limits related to legal claims (e.g. statute of limitations). We aim to update and remove any unnecessary, inaccurate or outdated data.

How Does TinkyBell Store and Protect Personal Data?

We mainly store personal data electronically, and the data are protected in accordance with the general standards in the field. We only use reputable and secure service providers for storing and processing data. We treat all personal data as confidential and do not disclose them generally or sell or lease them for marketing purposes.

Do I Have to Give TinkyBell My Personal Data? What Happens if I Refuse?

In a client relationship, providing and agreeing to the processing of personal data is, to some extent, obligatory for the performance of the contract, so we can ensure that the persons making agreements on behalf of our business clients are authorized to do so, that we fulfill our contractual obligations and that our rights are respected. We are unlikely to be able to provide the services requested from us if we are not allowed to process your personal data. As regards our employees, we also need to process personal data to comply with employment contracts and legal requirements.

What Are My Rights? How Can I Control the Use of My Personal Data?

Withdrawing consent
If the legal basis for processing your personal data is your express consent, you can withdraw your consent at any given time by notifying us using the contact details provided under “Controller”.

Right of access
You have the right to know whether we process your personal data and to know what personal data on you we process. You also have the right to obtain more information about the purposes of the processing.

Right to rectification
You have the right to ask us to rectify any incorrect, outdated or otherwise incomplete personal data.

Right to object to direct marketing
Even if we do not require your express consent for direct marketing, you have the right to object to the processing for direct marketing purposes by notifying us using the contact information provided above.

The right to object to processing
If we are processing your personal data based on public interest or our legitimate interests, you have the right to object to the processing of your personal data if the processing has no notable reason that would override your rights or if the processing is not necessary to handle a legal claim. Please note that if you object to the processing of your personal data, we will probably no longer be able to provide services to you.

The right to restrict processing
Under certain circumstances, you have the right to require us to restrict the processing of your personal data.

The right to data portability
If we have processed your personal data with your express consent or for the performance of a contract, you have the right to receive the personal data you have electronically provided to us in a commonly used format so that you can transmit those data to another controller.

How Can I Exercise My Rights?

You can exercise the above-mentioned rights by contacting us using the contact information provided above. Please note that we must take reasonable measures to verify your identity. If you think that we have processed your personal data unlawfully, you can also lodge a complaint with a competent supervisory authority (in Finland: the Data Protection Ombudsman).

Can This Privacy Policy Be Updated?

We may update our privacy policy to reflect changes in our operations or principles of processing personal data. Updates may also be relevant if the applicable legislation is amended. The changes will take effect as soon as we have published the updated privacy policy statement. For this reason, please read this privacy policy regularly.