Statements: Privacy Policy

1. General

This privacy policy describes the personal data processing policies of Innovestor Oy (business ID: 2616018-4) and its Group companies Innovestor Ventures Oy (business ID: 2709716-4), Innovestor Life Science Oy (business ID: 3221413-4), Innovestor Ignite Oy (business ID: 2429459-2) and Innovestor Finance Oy (business ID: 2682277-4); the types of personal data collected by the companies, the purposes for collecting the personal data and the parties to which personal data can be disclosed. The privacy policy also describes the obligations followed by the companies when processing personal data. In this privacy policy, the aforementioned companies in the Innovestor Group shall be collectively referred to as “Innovestor” or “Company” unless the individual company referred to is expressly named using its official corporate name.

Personal data means any information relating to a natural person (“data subject”) and enabling direct or indirect identification of said person. Personal data, data subject, data controller, data processor and other key terminology are specified in the General Data Protection Regulation (2016/679) of the EU (“GDPR”) which the Company complies with in any processing of personal data, alongside other applicable data protection legislation (hereinafter collectively referred to as “data protection legislation”). Ensuring data protection is integrated into all of the business operations of Innovestor.

Innovestor Oy is an investment service firm monitored by the Finnish Financial Supervisory Authority, providing licensed issuance services, reception and transmission of orders and supplementary services. Innovestor Ventures Oy and Innovestor Life Science Oy are registered alternative investment funds managers monitored by the Finnish Financial Supervisory Authority, managing alternative investment funds under registration. Innovestor Ignite Oy builds and produces corporate venturing services. Innovestor Finance Oy provides financing and business management consulting and investment activities.

This privacy policy shall apply to any products and services provided by the Company as well as any related functions such as the website, marketing measures and social media. The privacy policy covers the processing of personal data acquired from the Company’s customers and potential customers (both consumers and businesses), cooperating partners, service providers and subcontractors. There is a separate privacy policy for the processing of employees’ personal data; however, this privacy policy covers the processing of personal data related to recruiting, in other words the personal data of job seekers and other individuals related to recruiting.

2. Controller

Controller:	Innovestor Oy (business ID 2616018-4)
Address:	Annankatu 12, FI-00120 Helsinki, Finland
E-mail:	compliance@innovestor.fi

3. Purposes of processing personal data and legal basis for the processing

The grounds and purposes of processing personal data include, but are not limited to, the following:

Purpose of the processing	Legal basis
Purpose of the processing Implementation of contracts concerning the services and products provided by Innovestor (e.g. mandatory customer information, fees, notifications, feedback, communications, appointments and customer service)	Contract or preparation thereof
Fulfilment of statutory obligations, such as obligations arising from the Finnish Act on Detecting and Preventing Money Laundering and Terrorist Financing, the Finnish Act on Investment Services, Act on Whistleblower Protection, and contracts concerning the exchange of taxation-related information	Statutory obligation (especially concerning Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
Implementation of Innovestor’s projects and related obligations and duties	Contract, statutory obligation, legitimate interest of the Company to engage in business operations in order to fulfil the needs of present and future customers and consent for participating in a specific project
Risk management, ensuring safety and security and prevention of malpractice	Statutory obligation to ensure the security of data, prevent malpractice, etc. and legitimate interest to protect the Company’s property and the safety of the personnel
Maintenance, development, quality assurance and communication related to products and services Planning and development of business operations Targeted customer service regarding the Company’s services, customer communications, customer surveys and monitoring the use of services Marketing and targeting of marketing to customers and potential customers as well as organisation and administration of campaigns	The Company’s legitimate interest to inform present and potential future customers of products and services, develop the quality of products and services and market them
Management of voluntary events and services Electronic, personal direct marketing	Consent for participating in a certain event or certain type of marketing (e.g. electronic direct marketing) The data subject has the right to withdraw their consent (see Section 10 Rights of data subjects below)
Recruitment	The Company’s legitimate interest to recruit employees, offer work to the data subject and manage recruitment-related matters

Insofar as the processing of personal data is based on the legitimate interest of Innovestor or a third party, we have assessed that the rights and interests of the data subjects do not supersede said legitimate interest.

4. Categories of personal data to be processed, data contents and sources of data

We shall only collect such personal data of the data subjects that is relevant and necessary for the purposes described in this privacy policy.

4.1 Categories of personal data to be processed

The following data of the data subjects shall be processed:

Category of personal data	Examples of data content
4.1 Contact information	Name, address, telephone number, e-mail address
4.2 Identifying information	Personal identification number, other similar national identifier, date of birth, copy of birth certificate (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.3 Customer identification information required by the Act on Detecting and Preventing Money Laundering and Terrorist Financing	Personal data, information concerning financial status, information concerning the origin of assets, actual beneficiaries (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.4 Obligations concerning international exchange of taxation-related information	Country of taxation, taxation identification numbers (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.5 Identification information collected based on the Act on Whistleblower Protection	Name, e-mail address, telephone number
4.6 Customer transaction information and contractual information	Personal data in the contract and other documentation between the Company and the data subject, communications between the data subject and the Company including recording electronic communication and video meetings (only Innovestor Oy), reclamations and other information on the use of services
4.7 Information related to the use of services	Information concerning financial status, classification of the customer, appropriateness assessment, investment objects, subscription orders (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy), information concerning education and occupation, information on payment transactions
4.8 Technical behaviour information and identification information	Monitoring the data subject’s online behaviour and use of the Company’s services with the use of cookies or similar technical identification information The collected data may include the user’s IP address, visited sites, browser type, Internet address, time and duration of session, etc. (see Section 8 Cookies below)
4.9 Managing the rights of the data subject, such as contents and prohibitions	Marketing bans and consents Communications and measures related to the data subject’s rights (see Section 10 Rights of data subjects below)
4.10 Recruitment-related information	Curriculum vitae and job application as well as other information on education, competence and job history Results of potential aptitude tests, status inquiries and safety analysis reports Information of references and other individuals participating in recruitment
4.11 Other voluntarily disclosed (additional) information	Wishes and preferences related to the contract or marketing/marketing event Other information disclosed during communication or meetings Information in the curriculum vitae related to expert roles in various business programmes (only Innovestor Ignite Oy)

Disclosing the information mentioned in Sections 4.1–4.7 is essential for the management of the obligations based on legislation and the contract between the Company and the data subject as well as for the provision of the Company’s services. Should the data subject fail or refuse to disclose the necessary personal data, concluding or implementing the contract or managing the statutory obligations may be hindered.

The disclosure of information mentioned in Sections 4.8–4.11 is voluntary but necessary if the data subject wishes to use its rights or for us to serve the customer to the best of our ability. Failing or refusing to disclose recruitment-related information hinders the employee’s evaluation and may terminate their recruitment process.

4.2 Primary sources of data

The personal data is primarily collected from the data subject via telephone or e-mail or when meeting the data subject face to face or via video. In addition, data subjects disclose personal data either electronically or on paper through received subscription undertakings as well as investment service and subscription contracts. A representative authorised by the data subject may also disclose data on behalf of the data subject. In addition, the data subject may have disclosed data to the Company when visiting the Company, its website or social media or when participating in events. Data can also be collected in connection with marketing upon the individual’s permission.

4.3 Data collected from other sources

In its marketing activities, the Company may use external service providers that process data subjects’ contact information for marketing purposes.

Personal data can also be collected from a corporation on behalf of which the data subject is acting. In addition, data can be collected and updated in context allowed by legislation from data files maintained by third parties, such as the Finnish Patent and Registration Office or from other public sources and databases such as LinkedIn.

Subcontractors, cooperating partners and other stakeholders disclose personal data of data subjects when required by legislation and contractual obligations.

The Company can collect recruitment-related personal data in accordance with the prerequisites of legislation concerning data protection in working life from recruiting service providers and potential background surveys, such as status inquiries, and by contacting references.

5 Retention of personal data

We retain personal data for as long as is necessary for the purposes specified in the privacy policy unless legislation requires longer retention of personal data (obligations and liabilities related to special legislation, accounting obligations or reporting obligations, for example). Personal data can be retained for a longer period of time if required in order to submit a legal claim or defend against a legal claim or settle a similar conflict.

The retention period and criteria of personal data vary between categories of personal data according to the purpose and processing grounds of each category. When the processing of personal data is based on special legislation that is binding to Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy, the legislation also usually specifies the retention period of the data. The usual requirement is to retain personal data for the duration of the customer relationship and contractual relationship and for five years after the termination of said relationships (especially Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy).

In terms of representatives of corporations, the retention of their personal data is also connected to the duration of their status as a representative with the Company.

Personal data required for marketing shall be retained for as long as the data subject is targeted by a specific marketing activity, in other words participates in an event or is contacted about certain services or products, if the data subject has not reported their objection to the use of personal data in direct marketing or, when the marketing is based on consent, has not withdrawn their consent.

The consents, prohibitions and restrictions for processing personal data shall also be retained for the duration of their validity.

Personal data related to recruitment shall be retained for the duration of the recruitment process and a maximum of six (6) months after the new employee starts their work (statutory maximum trial period). Open applications shall be retained for a maximum of six (6) months after receiving them unless the data subject joins the recruitment process of an open position during that time. Targeted applications shall be retained for a maximum of 24 months after receiving them. The Company can ask the data subject for permission to retain the recruitment data for a longer period of time for future open positions. Should the data subject be employed by the Company, the processing of personal data can be continued on the basis of the employment. This processing is described in a separate privacy policy for employees.

Once the personal data is no longer needed as specified above, the data shall be erased within a reasonable amount of time. The Company shall provide more detailed information on retention periods of personal data or the criteria concerning retention periods upon request.

6 Processors and other recipients of personal data

Personal data is transferred between the companies in the Innovestor Group for purposes related to marketing, customer service, other management of customer relationships and the risk management of the Group. The Companies shall process the personal data according to data protection legislation.

The Company may disclose personal data to third parties and utilise external processors, such as service providers, for processing personal data. Service providers supplying IT systems, financial administration services, legal services and other services as well as subcontractors, for example, may participate in the processing of personal data. The Company shall use sufficient contractual obligations to ensure that the processors of personal data process the data appropriately and according to legal requirements.

In addition, the Company may need to disclose personal data to contractual partners of the Company as well as other third parties due to the Company’s contractual obligations as well as statutory reporting and notification obligations.

The Company shall provide more detailed information on the processors and other recipients of personal data upon request.

The Company shall disclose personal data to the authorities in order to fulfil the legal information rights of said authorities. In addition, the Company may have to disclose personal data if the Company is involved in legal action or other arbitration proceedings. Should the Company become involved in a merger, business transaction or other corporate transaction, it may have to disclose personal data to third parties.

7 Transfer of personal data outside the European Union or the European Economic Area

The Company shall not transfer personal data outside the European Union (EU) or the European Economic Area (EEA). We use Google Analytics as a cookie-based tool to analyze the use of our website and services, as described in section 8 below. Personal data contained in Google Analytics may be transferred outside the EU or EEA and we cannot guarantee the adequacy of the transfer arrangements as required by the GDPR. We are following the guidance of the Finnish Data Protection Authority on this matter.

8 Cookies

A cookie is a small text file stored on your device (persistent cookie) or in the cache (session cookie). The network server of the website creates the cookie. The network server specifies the data contained by the cookie which can then be used when the user visits a website. This enables the storing of data such as the user’s settings and remembering their login information. Cookies provide us with information on the language selections of those visiting our website, the time zone of the used browser and the use of the pop-up form. The user can freely manage and remove cookies installed in their browser. However, prohibiting cookies may restrict the use of the website or services.

We use cookies to improve the quality of the customer experience, analyse user numbers and develop our products and services. Cookies enable us to track whether users arrive on our website through advertisement, therefore analysing the impact of our marketing activities. Automated and cookie-based tools (Meta and Google Analytics) help us analyse the use of our services and website. We analyse how you arrive on our website, how you navigate it and how long you spend in the various sections of our website. Your personal data may be shared with the aforesaid service providers. For more information on their cookie policies, please click on their names.

We can target online marketing based on your cookie settings. You can adjust your cookie settings in your browser settings and, if desired, prevent the use of cookies and targeted marketing. Cookie settings vary depending on your browser (e.g. Chrome, Explorer, Safari). Hence, check your cookie settings to make sure that cookies are used as you wish.

9 Principles of protecting personal data and security of processing

The Company processes personal data in a manner that ensures appropriate security and data protection of the personal data in all situations, including protection against unauthorised processing and against accidental loss, destruction or damage.

The Company uses appropriate technical and organisational protective measures to ensure the aforementioned, including the use of firewalls, encryption technology, secure facilities, appropriate access control and instructions for the employees and subcontractors participating in the processing of personal data.

Paper materials are stored in locked facilities only accessible for authorised individuals. The data is only printed out when necessary, and any paper printouts are destroyed in a secure manner.

Access rights are limited according to job descriptions. All the individuals processing personal data are bound by professional secrecy concerning matters related to the processing of personal data.

The Company may outsource the processing of personal data to service providers, whereupon the Company shall use sufficient contractual obligations to ensure that the personal data is processed appropriately and legally.

10 Rights of data subjects

The data subjects have rights guaranteed by data protection legislation.

10.1 Right to access and verify data

The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.

The data subject shall have the right to verify and access the personal data concerning him or her and, upon request, receive the data in writing or in electronic format.

10.2 Right to rectification and erasure of data

The data subject shall have the right to obtain the rectification of inaccurate personal data. In addition, the data subject shall have the right to obtain the erasure of personal data concerning him or her in accordance with valid data protection legislation.

The Company shall also take initiative to erase, rectify and supplement personal data it has observed to be inaccurate, unnecessary, incomplete or outdated for the purposes of the processing.

10.3 Right to data portability, restriction of processing and the right to object to the processing

The data subject shall have the right to transmit the personal data concerning him or her to another controller in accordance with valid data protection legislation.

In addition, the data subject shall have the right to restrict the processing of personal data concerning him or her in accordance with the prerequisites specified by data protection legislation. In addition, in a situation where personal data suspected to be inaccurate cannot be rectified or erased or there is uncertainty concerning the request for erasure, the Company shall restrict access to the data.

The data subject shall have the right to object to the processing and to prohibit the use of the data for certain types of processing, such as direct marketing.

If the processing of personal data is based on consent provided by the data subject, the data subject shall have the right to withdraw their consent. In addition, the data subject shall have the right to withdraw their consent for electronic direct marketing. The withdrawal shall not affect processing preceding the withdrawal.

10.5 Implementation of the rights

Any requests concerning the rights of data subjects shall be made in connection with a personal visit, in writing or electronically and addressed to the controller specified in this privacy policy (contact information in section 2 of the privacy policy). Our newsletters and other potential electronic direct marketing messages contain a link for preventing direct marketing (unsubscribe).

Due to the obligation to verify identity before disclosing information, we may need to ask for more detailed information. The request shall be answered within a reasonable amount of time and, whenever possible, within one month of presenting the request and verifying the identity.

Should the Company be unable to agree to the data subject’s request, the data subject shall be informed of the refusal in writing. The Company may refuse a request (such as the erasure of data) due to a statutory obligation or a statutory right of the Company (such as obligation or claim related to our services).

10.6 Right to lodge a complaint with a supervisory authority

The data protection shall have the right to lodge a complaint with an authorised data protection authority if they find that their personal data has been processed in violation of valid legislation. However, we request that the issue be primarily discussed with the Company.

The contact information of the Finnish data protection authorities can be found here.

11 Amendments to the privacy policy

As we constantly develop our services, we may need to amend and update this privacy policy. The changes may also be based on amendments in legislation. We recommend regularly reviewing the contents of the privacy policy. Any amendments shall be announced on the Company website, and the data subjects shall be informed of any essential amendments, if necessary.

The privacy policy was updated on 17 May 2024.

11.1 Version history

Version	Date	Amendment
1.0	24 May 2018	Specification document created
1.1	29 March 2019	Specification document updated
1.2	25 June 2019	Specification document updated in terms of processors of personal data and cookies.
1.3	19 September 2019	Amended to cover the mentioned companies in the Innovestor Group.
1.4	14 January 2020	Amended use of cookies
1.5	19 October 2021	Added new group companies, corporate venturing services and legislation on protection for whistleblowers
1.6	1 March 2023	Change of controller’s address, completion of data sources and transfer of personal data outside the EU
1.7	17 May 2024	Complemented categories of personal data to be processed and primary sources of data

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
titles	1 year	No description

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_JD54S0ZW41	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gat_gtag_UA_50764934_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	No description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
DEVICE_INFO	5 months 27 days	No description
ln_or	1 day	No description

Privacy Policy