Privacy policy

We (Springvest Corporation) are committed to protecting your rights and keeping your personal data safe.

In this privacy notice, “you” refers to shareholders, customers, prospective customers, employees of our clients, responsible persons, representatives, and beneficial owners. This notice explains why and how we collect, use, store, and protect your personal data.

1. What personal data we collect and for what purpose

Personal data is most often collected directly from you or obtained when you use our services. We sometimes need additional information to ensure data is up to date and accurate.

The personal data we collect and its purpose can be categorised as follows:

  • Know-your-customer data for anti-money laundering and sanctions compliance: personal identification number and name (we are obliged to collect and archive KYC data, such as a copy of a passport or identity card).
  • Contact details for managing the client relationship: address, telephone number, and email address.
  • Data related to statutory requirements: information related to customer due diligence and prevention of money laundering.
  • Financial data related to statutory requirements (including client categorisation and suitability assessment): financial data contained in service agreements.
  • Data related to statutory requirements: telephone and electronic communications that lead to, or may lead to, transactions.
  • We also process your personal data for the planning, targeting, sending, and development of marketing, as well as for organising client events.
  • Client outreach: we also collect personal data used in client outreach from sources other than the individual themselves, for the purpose of acquiring new clients.
  • If you are a partner or a representative of a partner, we process your data in order to carry out the partnership.

Personal data we may collect from you

  • From new clients, we collect name, personal identification number, address, email address, telephone number, and the information required by our due diligence obligation in order to provide you with our services and products.
  • We also collect information from messages you send to us digitally.
  • We record and monitor telephone calls and electronic communications to verify the content of transactions and confirm that an order has been placed. The purpose of recording and monitoring is to ensure that the client has received all information required by regulation, to ensure the quality of our customer service and operations, and to use recordings for staff training. Recordings are processed only by authorised personnel and are retained for a pre-defined period in accordance with applicable legislation.
  • For client outreach purposes, we collect information such as name and telephone number from sources other than the individuals themselves.
  • For security reasons, we may have surveillance cameras at our office.

Personal data we may collect from third parties

  • Data available from public sources: registers maintained by authorities (e.g. the trade register) and sanctions lists (e.g. those maintained by the EU or the UN).
  • Data available from other external sources: data providers that supply information on, for example, beneficial owners and politically exposed persons, as well as banks from which we receive payment information.

2. The legal bases on which we may collect, use, and retain your personal data

We use your personal data to fulfil our statutory and contractual obligations, to provide services, and to make you offers. Automated decision-making (profiling) may also be used to the extent that it is necessary for the conclusion or performance of a contract between the data subject and the data controller.

Legal bases

  • Compliance with obligations required by law, regulations, and authorities. Such statutory obligations include, for example: customer identification; sanctions screening and the prevention, detection, and investigation of money laundering, terrorist financing, and fraud; other obligations related to service- or product-specific legislation; obligations related to accounting regulations; and the obligation to maintain a statutory register of shares and their owners.
  • Conclusion, management, and performance of our contracts. For our contracts, we require information for purposes such as the provision and execution of investment services, customer service during the contract period, and the preparation, presentation, or defence of any legal claim.
  • Legitimate interest for marketing purposes.
  • Consent to the processing of data for marketing purposes, e.g. for sending a newsletter. The consent request will set out the processing of the relevant data and the right to withdraw consent.

Automated profiling

We may also use automated decision-making (profiling) in the provision of our services, to the extent that it is necessary for the conclusion or performance of a contract between the data subject and the data controller.

3. Who we may share your personal data with

Providing services and complying with our contracts requires us to share your personal data. We may share your personal data with other parties, such as authorities, service providers, and business partners. We always ensure, before sharing data, that the relevant confidentiality obligations are observed.

Third parties:

  • We share information necessary for the performance of a contract with companies we work with (e.g. the issuer).
  • We share your personal data with authorities to the extent required by law (for example, the Financial Supervisory Authority, and tax and police authorities).
  • We share your personal data with contractual partners who process personal data on our behalf (e.g. suppliers providing software development, maintenance, server, and IT support services).

Transfer of data to third countries:

As a general rule, we do not transfer your personal data outside the EU/EEA. We may transfer your personal data to organisations operating outside the European Economic Area, i.e. in so-called third countries, only if one of the following conditions is met:

  • The level of data protection in the country in question has been deemed adequate by a decision of the European Commission.
  • Other necessary safeguards have been put in place, for example by following standard contractual clauses approved by the European Commission.
  • An exception applies to the specific situation (e.g. performance of a contract requires it, or you have given your consent to the transfer).

4. How we protect your personal data

Technical, administrative, and physical protection of data is important to us. We use appropriate technical, organisational, and administrative security measures to protect data against loss, unauthorised access, disclosure, alteration, and destruction.

  • Data held electronically in the register is protected by technical means generally accepted in the information security industry (e.g. firewalls, passwords).
  • Only those individuals (e.g. employees of our agents and contractual partners) who need the register data to perform their duties have access to it, based on specifically granted user rights.
  • Any manual (paper-based) material is stored in locked cabinets.
  • Staff are bound by a contractual duty of confidentiality in relation to all client and personal data.
  • We use services that include artificial intelligence features, such as automatic text suggestions, summarisation, and content generation. When using these features, personal data may be processed using AI if it is included in documents, emails, or other material handled by an employee in which AI is utilised.

AI features are part of the tools we use and do not independently store, retain, or use personal data for training or development purposes. The processing of personal data is based on the client agreement.

Personal data is not shared with third parties without a lawful basis. AI features are not used for profiling or automated decision-making. Personal data is processed only for pre-defined and agreed purposes, and all processing ensures that human involvement in decision-making is maintained.

5. Your privacy rights

As a data subject, you have rights in relation to the personal data we hold about you. Requests to exercise these rights will be assessed on a case-by-case basis. You have the following rights:

Right to request access to your personal data

You have the right to access the personal data we hold about you. The right of access may, however, be restricted on the basis of legislation and the privacy practices of other individuals.

Right to request correction of inaccurate or incomplete data

If data is inaccurate or incomplete, you have the right to request that it be corrected, unless legislation restricts this.

Right to request erasure of data

You have the right to request the deletion of your data in cases including the following:

  • The personal data is no longer needed for the purposes for which it was collected.
  • You withdraw your consent to the processing and there is no other justified reason for the processing.
  • You object to the processing and there is no acceptable reason to continue it.
  • You object to the processing for direct marketing purposes.
  • The processing of data is unlawful.

Please note that we are nonetheless obliged to retain your personal data where this is necessary to comply with statutory obligations or to handle legal claims.

Right to restrict the processing of personal data

If you dispute the accuracy of the data we have recorded or the lawfulness of the processing, or if you have objected to the processing of your data in accordance with your rights, you may request that the processing of your personal data be restricted to storage only. Processing will then be limited to storage until the accuracy of the data has been verified, or it has been possible to check whether our legitimate interests override yours.

If you do not have the right to request the deletion of your data from our registers, you may instead request that we restrict the processing of that data to storage only. If the processing of your registered data is necessary solely for the purpose of establishing a legal claim, you may also require that further processing be restricted to storage only. We may process your data for other purposes if establishing a legal claim requires it or if you have given your consent.

Right to object to processing on the basis of legitimate interest

You always have the right to object to the processing of your personal data for direct marketing purposes.

Right to data portability

You have the right to receive the personal data you have provided to us in a machine-readable format, where the personal data has been processed solely by automated means and on the basis of consent or the performance of a contract. Data may also be transferred to another controller if it is safe and technically feasible to do so.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with the supervisory authority (the Data Protection Ombudsman) if you consider that the processing of your personal data has violated the data protection regulation.

Right to withdraw consent

You have the right to withdraw your consent to the processing of your personal data at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out on the basis of your consent before its withdrawal.

6. Cookies

We collect, process, and analyse data relating to the use of our websites (information relating to website visitors that is processed in telecommunications networks for the purposes of sending, distributing, and making messages available) and use cookies for purposes including delivering products and services to you, providing a secure online environment, and carrying out marketing activities. More information about cookies is available in our cookie policy.

7. How long we retain personal data

  • We retain your data for as long as it is needed for the purpose for which it was collected and processed, or for as long as required by law and regulations.
  • We retain your data for as long as it is needed for the performance of a contract and as required by data retention requirements under applicable laws and regulations.
  • Where we retain your data for purposes other than the performance of a contract, such as for the prevention of money laundering, we retain data for as long as is necessary for that purpose and/or as required by law and regulations. For example, we retain customer due diligence data, data relating to transactions (such as call recordings, emails, and entries), and other data relating to services provided to clients for five (5) years after the end of the client relationship and, at the request of the Financial Supervisory Authority, for up to seven (7) years.

8. Changes to the privacy notice

We continuously develop our services, products, and websites, which means that this privacy notice may be updated from time to time. We will notify you of any significant changes as required by law.

9. Data controller

If you have any questions about personal data matters, please contact us using the details below.

  • Springvest Corporation (data controller)
  • Address: Siltasaarenkatu 8–10, 00530 Helsinki
  • Telephone: +358 9 315 46989
  • Business ID: 2492165-6
  • Data Protection Officer: Tomi Hietala (ext.)
  • Email: tomi.hietala@laininen.fi