Privacy Statement

This is an English translation of the original Finnish version, valid as of 1 October 2025, available here.

In this data privacy statement, we describe how your personal data is processed in connection with Puhti’s services.

  1. Controller and contact information

    Puhti Lab Oy
    In the marketing of the service and later on this page, the company is referred to by the brand name Puhti.

    Customer service
    Email: asiakaspalvelu@puhti.fi
    Telephone number: +358 (0)10 338 7049 (Mon-Fri, 9 a.m. to 4 p.m.)
    Postal address: Puhti Lab Oy, Arkadiankatu 6, 00100 Helsinki

  2. What data do we collect?

    Puhti collects data that is necessary for the customer relationship between you and Puhti and for the purposes for which the data is used. Puhti collects the following categories of personal data:

    Health data:

    • Results of laboratory tests, body composition measurements, and grip strength measurement.
    • Other health and wellness data provided by the customer, such as satisfaction data and information related to measurements, health, and well-being.
    • Usage data of the clinics and measurement devices, such as appointment information.
    • Customer service chat recordings and phone call recordings that reveal health or wellness-related data
    • Information about your use of our services, such as ordered tests and services and other order details that reveal health or wellness-related data

    Other personal data:

    • Basic and contact information (e.g., name, personal identification number, address, phone number, email address)
    • Permission information – such as marketing consents
    • Online behavior data – such as login details, other data obtained from your use of our services, including offline behavior, data collected by cookies on websites
    • Information related to the data processing device – such as IP address, cookie data
    • Customer service chat recordings and phone call recordings that do not reveal health or wellness-related data
    • Communications – for example, survey responses and other feedback and messages sent to us that do not reveal health or wellness-related data
    • Data about your use of our services that does not reveal health or wellness-related data
    • Email marketing data – we monitor the effectiveness of our email marketing by analyzing message opens and link clicks. This information is used to target communications and marketing, as well as for service development.

  3. What sources do we obtain personal data from?

    The personal data processed includes information obtained from you during the ordering process, upon joining the service, or during the customer relationship.

    The results of the tests you have acquired through Puhti and which are produced by the laboratory and measurement devices.

    We also receive tracking information on how you use our website and services. Puhti may also process derived data, which is derived or inferred from the information received. Our service is also connected to parties providing identification, authentication, credit information, payment processing, or similar services, and receives related information from them.

    Additionally, user online behavior is monitored and analyzed. You can find more information and an up-to-date list of the technologies in use in our cookie policy at https://www.mehilainen.fi/evasteet (Mehiläinen.fi) and https://www.puhti.fi/evasteasetukset/ (Puhti.fi). The above-mentioned services are used for website development, customer service organization, and targeted marketing.

  4. What purposes do we process personal data for?

    We process health information for the following purposes:

    Service implementation and development

    • Customer relationship management – for example, receipt of order, notifications related to the service including completed laboratory results and customer sample collection instructions, and other customer instructions.
    • Service provision and maintenance, order management and delivery
    • Identification of data subjects
    • Retention of transaction data
    • Organization, implementation, and monitoring of laboratory tests and measurements
    • Subcontractor communication with our contract laboratory and other contractual partners
    • Management of information entered by the user
    • Invoices, debt collection, refunding payments to customers
    • Archiving of contracts and invoices
    • Development of Puhti’s services and business operations, and related customer service development
    • Planning of Puhti’s operations, development, statistics, reporting, audits, and other tasks necessary for the exercise of the rights and obligations of the controller
    • Processing of customer feedback, management of complaints and disputes
    • Handling of official inquiries based on EU or Finnish legislation, e.g., the General Data Protection Regulation
    • Transfers of personal data (e.g., business transfers, assignments, or business transactions)
    • Justification, presentation, or defense of legal claims
    • Partner reporting (as separately agreed with corporate customers as part of the service)
    • Statistical processing, e.g. for service development purposes
    • Collecting, monitoring, and analyzing customer interest data, as well as choices and preferences related to services and locations, and the related development of customer service.

    Service and marketing communications

    • Informing and reminding the customer using customer and health data, for example, about possible follow-up tests and feedback surveys
    • Communication related to Puhti’s services and targeted direct marketing (for current and potential future customers)
    • We may send you service and direct marketing communications related to your previous interactions and purchase history, such as reminders, surveys, offers, or information about Puhti’s services. You can opt out of receiving this communication by clicking on a link attached to each message or by notifying Puhti’s customer service (contact details in section 1).

  5. What is the legal basis for the processing of personal data?

    The processing of personal data is based on, among other things, the following legal grounds:

    • Legal obligations: When you use Puhti’s services, the processing of your personal data is primarily based on the applicable national healthcare legislation, such as the Act on the Processing of Customer Data in Healthcare and Social Welfare (703/2023).
    • Contract: We must establish a contractual relationship between you and Puhti and fulfil our contractual obligations.
    • Consent: Your given consent. If our processing of personal data is based on your consent, you can withdraw your consent at any time.
    • Legitimate interest: Implementation of Puhti’s legitimate interests. Puhti’s legitimate interest is based on the registered customer relationship or other similarly significant relationship between Puhti and the data subject.

  6. Who processes my personal data and where is it disclosed?

    At Puhti, personal data is processed for the above-mentioned purposes. Puhti may outsource the processing of personal data to external service providers who process personal data on Puhti’s behalf.

    Laboratory services

    Puhti acquires laboratory services from Mehiläinen, which processes patient data generated in its operations as an independent controller and healthcare unit. The results of the laboratory tests ordered by Puhti’s customer will also be delivered to Puhti’s online service for the customer to see.

    At Mehiläinen, laboratory results are processed and stored in accordance with healthcare legislation.

    Patient data generated at Mehiläinen can be viewed in the OmaMehiläinen app and the OmaKanta service. Patient data generated at Mehiläinen is available to Mehiläinen’s healthcare professionals, for example, when you visit Mehiläinen. For more information about Mehiläinen’s privacy statement, please visit: https://www.mehilainen.fi/en/privacy-statements

    Tests for sexually transmitted diseases: A positive result is always reported in accordance with the Communicable Diseases Act.

    At Puhti, your data and the test results you have ordered can be viewed in Puhti’s online service so that you can view them and monitor your progress. Puhti retains personal data only as long as necessary for the implementation of the purposes described in this privacy statement. Puhti generally retains personal data for as long as the customer relationship is considered to exist between Puhti and the data subject, after which personal data is retained from the end of the customer relationship for as long as retention is necessary for the fulfillment of Puhti’s legal obligations or legitimate interests or, for example, for the preparation, presentation, or defense of a legal claim.

    Puhti is part of the Mehiläinen Group, but it operates independently, and Puhti does not have access to patient data in Mehiläinen’s patient information system. However, Mehiläinen does disclose patient data, i.e., in this case, ordered laboratory test results, to Puhti.

    From Puhti’s report, you can move to Mehiläinen’s healthcare services and receive advice on laboratory results and health-related issues. Mehiläinen provides healthcare services as an independent healthcare unit and controller.

    Body composition and grip strength measurements

    Puhti acquires the devices used in its measurement services from Inbody Co Ltd., which processes the personal data generated from these operations as an independent data controller in Europe. The results of body composition measurements ordered by a Puhti customer are also delivered to Puhti’s online service for the customer to view. In the Puhti service, your data and the results of the laboratory and measurement tests you have ordered are available in the Puhti online service so you can review them and track your progress. Puhti retains personal data only for as long as is necessary to fulfill the purposes described in this privacy policy. Puhti generally retains personal data for as long as a customer relationship can be considered to exist between Puhti and the data subject. After the customer relationship ends, personal data is retained for as long as necessary to fulfill Puhti’s statutory obligations or legitimate interests, or for purposes such as establishing, exercising, or defending a legal claim.

    Customer data is not generally transferred outside of the European Union or the European Economic Area. However, Puhti may transfer personal data (excluding laboratory test results, body composition, and grip strength measurements) to countries such as the United States, where the transfer is primarily based on the European Commission’s decision on the adequate level of data protection in the United States, or alternatively on other transfer mechanisms in accordance with data protection legislation.

  7. Profiling and automated decision making

    Our operations do not involve profiling or automated decision-making.

  8. Your rights

    Right to information about the processing of personal data: You have the right to receive information about the processing of personal data, for example, for what purposes or how personal data is processed. Puhti informs about the processing of personal data in this privacy statement. You can also contact Puhti regarding the processing of personal data in the manner specified in section 1 of this privacy statement.

    Right to access personal data: You have the possibility to review your own data through your own Puhti reporting page. The service covers personal data you have reported as well as health-related test and measurement results and information you have provided. You can also make a written request for inspection of personal data to Puhti in the manner specified in section 1 of this privacy statement.

    Right to rectification of data: You can make a written request for rectification to Puhti’s office and request the correction of inaccurate and incorrect personal data.

    Right to erasure of data: Your data can be deleted from Puhti based on your request, unless there is a specific reason to deny the deletion request.

    Withdrawal of consent: When processing is based on your consent, you can withdraw your consent at any time. You can withdraw your consent by contacting our customer service.

    Right to data portability: If the processing of personal data is based on your consent or a contract, and the processing is carried out automatically, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. If you want, you can save the test results for yourself through your My Journal reporting page.

    Right to restrict the processing of personal data: Under certain conditions, you have the right to request that the processing of your personal data be restricted, for example, if you contest the accuracy of your data, in which case processing will be restricted for a period enabling Puhti to verify their accuracy.

    Right to object to processing: You have the right to object to the processing of your personal data on grounds relating to your particular situation, to the extent that the processing is based on Puhti’s legitimate interest. In such a case, Puhti will no longer process the personal data unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. To the extent that personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing.

    Prohibition of electronic direct marketing: You can refuse to receive marketing communications by opting out in each message or by notifying Puhti’s customer service (contact details in section 1).

    Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data is in breach of the data protection legislation, you have the right to lodge a complaint with the supervisory authority at the office of the Data Protection Ombudsman.

  9. How is personal data protected?

    Data protection and security are of primary importance to us. Healthcare customer data is processed primarily with healthcare information systems registered with the National Supervisory Authority for Welfare and Health (Valvira). Personal data is processed within the EU/EEA area in a high-security server environment designed for healthcare services.

    Laboratory and measurement test results are accessed only by those individuals responsible for laboratory testing who must handle health data to provide the service and who are bound by statutory or contractual confidentiality obligations. Personal data is processed in accordance with individual user IDs and the authorizations required by job responsibilities.

    Contact Information

    For matters related to a data subject’s patient and personal data, you can contact Mehiläinen’s Health Data Management team.

    Health Data Management
    info.terveystiedot@mehilainen.fi

    Please note that we can only accept written requests for ordering, correcting, and accessing log data related to patient and personal information. Your identity will be verified at a Mehiläinen clinic using a photo ID or alternatively through the OmaMehiläinen online service. This ensures that information is disclosed only to individuals who are entitled to it.

    You can also submit a data request through the nearest Mehiläinen clinic, where your identity will be verified with a photo ID. You can find the nearest Mehiläinen clinic on our website at https://www.mehilainen.fi/haku?k=toimipisteet

    If you are sending sensitive information via email, you can use Mehiläinen’s secure email service if necessary.

    Regarding public social and health services, we ask that you direct inquiries and requests related to the processing of personal data to the health or social services department of each public client (such as a wellbeing services county) in accordance with the practices instructed by each public client.

    Mehiläinen’s Data Protection Officer is Kim Klemetti (tietosuoja@mehilainen.fi).

Previous data protection (11.12.2023)
