This privacy statement applies only to the situations where Compensate Operations Oy (hereinafter referred to as “Compensate” or “we”)  and Facebook Ireland Ltd (hereinafter referred to as "Facebook") act as joint controllers when you visit our website (, hereinafter referred to as “Compensate website” ) or the Shopify landing page (hereinafter referred to as the ”Shopify plug-in page”, Compensate website and Shopify plug-in page are hereafter jointly referred to as the “Websites”).

This results from the fact that Compensate, by setting up certain Facebook Business Tools on Websites, allows Facebook to place cookies on the computer or any other device of you visit the Websites (hereinafter “you” or "Visitor"), regardless of whether you have a Facebook account or not.

Below you will find a description of how Compensate and Facebook handle your personal data when you visit the Websites.

1. Joint controllers

The primary controller is:


Facebook Ireland Ltd.

4 Grand Canal Square

Grand Canal Harbour

Dublin 2 Ireland

You can contact the data protection officer of the primary controller Facebook by clicking here .

The other controller is:

Compensate Operations Oy

Mariankatu 5 A,

00170 Helsinki


I Processing of personal data by Facebook

Compensate uses Facebook Pixel on the Websites. Facebook Pixel is a part of the Facebook Business Tools. Accordingly, Compensate and Facebook have entered into an agreement called Facebook Business Tools Terms and Controller Addendum attached to it to determine the respective responsibilities for compliance with the obligations under the General Data Protection Regulations (hereinafter referred to as the "GDPR") with regard to the joint processing as specified in the applicable product terms of Facebook. The Facebook Business Tools Terms and other terms attached to it also sets out the purposes for which the collection and transmission of personal data that constitutes the joint processing takes place. Facebook processes the personal data according to its privacy principles and statements.  Further information on how Facebook processes Personal Data, including the legal basis Facebook relies on and the ways to exercise Data Subject rights against Facebook Ireland, and the information required by Article 13(1) (a) and (b) of GDPR can be found in the Privacy Policy of Facebook. For more information, please click here .

Facebook is responsible for enabling your rights under Articles 15-20 of the GDPR with regard to the Personal Data stored by Facebook after the joint processing. Facebook is also responsible for granting you a right to object to the processing insofar as the joint processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (GDPR article 6(1) (f).

It is also responsible for the security of the Facebook Pixel (Art 32 GDPR) and for ensuring a notification of a personal data breach to the supervisory authority and for communicating the personal data breach to you (Arts 33 and 34 of GDPR), insofar as a personal data breaches concerns its obligations under the Controller Addendum.

You can amend your privacy settings on Facebook.

II Processing of personal data by Compensate

2. How we collect data

We use Facebook Pixel on the Websites. As mentioned before, the Facebook Pixel belongs to the Facebook Business Tools. It is a snippet of JavaScript code that allows us to track the Visitor activity on the Websites. With your consent, we will use Facebook's "visitor action pixels" and "tracking pixels". In short, Facebook Pixel works by loading a small library of functions which we can use whenever a site visitor takes an action (called an ”event”) that you want to track (called a ”conversion”).

In relation to the joint controllership with data deriving from the use of the Facebook Pixel, we only process one type of data: analytics data. Although we do not normally use analytics data to identify you as an individual, you can sometimes be recognized from it, either alone or when combined or linked with other data. In such situations, analytics data can also be considered personal data under applicable laws and we will treat such data as personal data. In addition, analytics data is collected and transmitted to Facebook. 

We may collect the following analytics data when you visit or interact with the Websites: 

2.1. Analytics Data

The Facebook Pixel collects:

- The HTTP header information which include information about the web browser or app used (eg. user agent, locale country-level, language)

-Information regarding standard/optional events such as “Page view” or “App install”, further object properties, as well as buttons clicked by Visitors

- Online identifiers, such as IP addresses and, insofar as provided, Facebook-related identifiers or device identifiers (such as mobile OS advertising IDs) as well as information on opt-out/limited ad tracking status.

For more detailed information on the cookies the Facebook Pixel uses, please see the Compensate Privacy Policy – Shopify here.  

3. The purpose for collecting analytics data

We use the personal data we collect for i) customer communication, ii) marketing, iii) quality improvement and iv) trend analysis

In general, Facebook pixel can be used to track Visitor behaviour after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. We also target FB/Instagram ads to people who have visited our product listing and create look-a-like audiences based on the information of who has been visiting our product listing. This allows us to record the effectiveness of online advertising on, for instance, Facebook and Instagram advertisements for statistical and market research purposes and, if necessary, create a look-a-like audience from users on our website where Facebook finds people who have attributes similar to our users. 

On the Websites, you will be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.

Sometimes Compensate processes personal data to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.

We may also process your personal data in order to comply with our legal obligations. 

5.  How we may share your personal data

We only share your personal data within our organization if and as far as reasonably necessary for the purposes of this Privacy Statement.

We do not share your personal data with third parties outside of our organization unless one of the following circumstances applies:

For the purposes set out in this Privacy Statement and to authorized service providers. We may regularly send your personal data to Facebook.

5.1 Data transfers to Facebook

We may use the Facebook Pixel to send Facebook the following types of personal information.

  • Contact information” is information that personally identifies individuals, such as names, email addresses, and phone numbers, that we use for matching purposes only. Facebook  will hash Contact Information that you send to us via a Facebook JavaScript pixel for matching purposes prior to transmission. When using a Facebook image pixel or other Facebook Business Tools, Compensate hashes Contact Information in a manner specified by us before transmission.
  • Event Data” is other information Compensate shares about you and other people when they interact with the Websites, such as visits to the Website, installations of our apps, and purchases of our other products. There are several reasons we may provide Facebook with the Event Data.
Event Data for Measurement and Analytics Services

 We may instruct Facebook to process Event Data (a) to prepare reports on our behalf on the impact of our advertising campaigns and other online content (“Campaign Reports”) and (b) to generate analytics and insights about people and their use of our apps, websites, products and services (“Analytics”).

We may provide Facebook with Event Data to target our ad campaigns to people who interact with our business. We may direct Facebook  to create custom audiences, which are groups of Facebook users based on Event Data, to target ad campaigns (including Website Custom Audiences, Mobile App Custom Audiences, and Offline Custom Audiences). Facebook will process Event Data to create such audiences for Compensate. Facebook will not provide such audiences to other advertisers unless Compensate shares audiences with other advertisers through tools we make available for that purpose, subject to the restrictions and requirements of those tools and our terms.

Event Data To Deliver Commercial and Transactional Messages

Facebook may use the Matched User IDs and associated Event Data to help Compensate reach people with transactional and other commercial messages on Messenger and other Facebook Company Products.

Event Data to Improve Ad Delivery, Personalize Features and Content and to Improve and Secure the Facebook Products

Compensate may provide Event Data to Facebook to improve ad targeting and delivery optimization of our ad campaigns. Facebook may correlate that Event Data to people who use Facebook Company Products to support the objectives of your ad campaign, improve the effectiveness of ad delivery models, and determine the relevance of ads to people. Facebook may use Event Data to personalize the features and content (including ads and recommendations) that we show people on and off the Facebook Company Products. In connection with ad targeting and delivery optimization, Facebook will: (i) use your Event Data for delivery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products; and (ii) not allow other advertisers or third parties to target advertising solely on the basis of the Event Data.

5.2 Other transfers

Furthermore, we may provide your personal data to our affiliates or to authorized service providers who perform services for us (including, for instance, data storage, accounting, payment, sales, and marketing service providers).

When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual and organizational measures to ensure that your data is processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures.

Please bear in mind that if you provide personal data directly to a third party, such as through a link somewhere on our website, the processing is typically based on their policies and standards.

For legal reasons and legal processes

We may share your personal data with third parties outside our organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, crime, security or technical issues; and/or (iii) protect the interests, properties or safety of Compensate, the Users or the public as far as in accordance with the law. When possible, we will inform you about such processing.

For other legitimate reasons

If Compensate is involved in a merger, acquisition or asset sale, we may transfer your personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all the Users concerned when the personal data are transferred or become subject to a different privacy statement. In addition, Compensate and Foundation may transfer all the personal data defined in this Privacy Statement to each other, if there is a legitimate reason to do so. 

With your explicit consent

We may share your personal data with third parties outside Compensate when we have your explicit consent to do so. You have the right to withdraw this consent at all times. 

6 Transfers to countries outside the European Economic Area (EEA)

We use service providers in several geographical locations. As such, we and our service providers may transfer your personal data to, or access it in, jurisdictions outside the EEA or your domicile. 

We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the  Standard Contractual Clauses  or through other appropriate safeguards. 

More information regarding the transfers of personal data may be obtained by contacting us on any of the addresses indicated above.

7.How long we will store your data

The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days. 

8. Your rights


Under the GDPR, you have the right to  access , rectify,  port , delete and  object  to and restrict processing of your data. Learn more about these rights in your Facebook  settings . You can also contact the data protection officer of Facebook whose contact details can be found in Facebook Ireland’s Data Policy or in this Privacy Policy. 


In relation to the data Compensate processes, here are your rights: 

Right to access

You have the right to access and be informed about your personal data processed by us. We give registered Users the possibility to view certain User Data through their user account on the Services. We give all of you the possibility to request a copy of their personal data.

Right to withdraw consent

In case the processing is based on the consent granted by you, you may withdraw the consent at any time. Withdrawing consent may lead to fewer possibilities to use the Services. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to rectify

You have the right to have incorrect or incomplete personal data we have stored about you corrected or completed by contacting us. Registered Users can correct or update some of their User Data through their user account on the Services. 

Right to erasure

You may also ask us to delete your personal data from our systems. We will comply with such a request unless we have a legitimate ground to not delete the data. 

Right to object

You may have the right to object to certain use of your data if such data are processed for other purposes than necessary for the provision of the Services or compliance with a legal obligation. If you object to the further processing of your personal data, this may lead to fewer possibilities to use the Services.

Right to restriction of processing

You may request us to restrict the processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may, however, lead to fewer possibilities to use the Services.

Right to data portability

You have the right to receive the personal data you have provided to us yourself in a structured and commonly used format and to independently transmit those data to a third party.

How to use your rights

The aforementioned rights may be used by sending a letter or an e-mail to us on the addresses set out above, including the following information: full name, address, and  e-mail address We may request the provision of additional information necessary to confirm your identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded. 

In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection. In Finland, the local supervisory authority is the Data Protection Ombudsman ( ). 

7. Direct Marketing

You have the right to prohibit us from using your personal data for direct marketing purposes, market research and profiling made for direct marketing purposes by contacting us on the addresses indicated above or by using the unsubscribe possibility offered in connection with any direct marketing messages.

8. Information security

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures include for example, where appropriate, encryption, pseudonymization, firewalls, secure facilities, and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data. We regularly test our systems, and other assets for security vulnerabilities.

Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.

More information on how we process your data please visit our General Privacy Statement.

Date 14.12.2020