Privacy Policy

1. General

This privacy policy describes the personal data processing policies of Innovestor Oy (business ID: 2616018-4) and its Group companies Innovestor Ventures Oy (business ID: 2709716-4), Innovestor Life Science Oy (business ID: 3221413-4), Innovestor Ignite Oy (business ID: 2429459-2) and Innovestor Finance Oy (business ID: 2682277-4); the types of personal data collected by the companies, the purposes for collecting the personal data and the parties to which personal data can be disclosed. The privacy policy also describes the obligations followed by the companies when processing personal data. In this privacy policy, the aforementioned companies in the Innovestor Group shall be collectively referred to as “Innovestor” or “Company” unless the individual company referred to is expressly named using its official corporate name.

Personal data means any information relating to a natural person (“data subject”) and enabling direct or indirect identification of said person. Personal data, data subject, data controller, data processor and other key terminology are specified in the General Data Protection Regulation (2016/679) of the EU (“GDPR”) which the Company complies with in any processing of personal data, alongside other applicable data protection legislation (hereinafter collectively referred to as “data protection legislation”). Ensuring data protection is integrated into all of the business operations of Innovestor.

Innovestor Oy is an investment service firm monitored by the Finnish Financial Supervisory Authority, providing licensed issuance services, reception and transmission of orders and supplementary services. Innovestor Ventures Oy and Innovestor Life Science Oy are registered alternative investment funds managers monitored by the Finnish Financial Supervisory Authority, managing alternative investment funds under registration. Innovestor Ignite Oy builds and produces corporate venturing services. Innovestor Finance Oy provides financing and business management consulting and investment activities.

This privacy policy shall apply to any products and services provided by the Company as well as any related functions such as the website, marketing measures and social media. The privacy policy covers the processing of personal data acquired from the Company’s customers and potential customers (both consumers and businesses), cooperating partners, service providers and subcontractors. There is a separate privacy policy for the processing of employees’ personal data; however, this privacy policy covers the processing of personal data related to recruiting, in other words the personal data of job seekers and other individuals related to recruiting.

2. Controller

Controller: Innovestor Oy (business ID 2616018-4)
Address: Annankatu 12, FI-00120 Helsinki, Finland
E-mail:  compliance@innovestor.fi

The grounds and purposes of processing personal data include, but are not limited to, the following:

Purpose of the processing Legal basis
Purpose of the processing
Implementation of contracts concerning the services and products provided by Innovestor (e.g. mandatory customer information, fees, notifications, feedback, communications, appointments and customer service)
Contract or preparation thereof
Fulfilment of statutory obligations, such as obligations arising from the Finnish Act on Detecting and Preventing Money Laundering and Terrorist Financing, the Finnish Act on Investment Services, Act on Whistleblower Protection, and contracts concerning the exchange of taxation-related information Statutory obligation (especially concerning Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
Implementation of Innovestor’s projects and related obligations and duties Contract, statutory obligation, legitimate interest of the Company to engage in business operations in order to fulfil the needs of present and future customers and consent for participating in a specific project
Risk management, ensuring safety and security and prevention of malpractice Statutory obligation to ensure the security of data, prevent malpractice, etc. and legitimate interest to protect the Company’s property and the safety of the personnel
Maintenance, development, quality assurance and communication related to products and services
Planning and development of business operations
Targeted customer service regarding the Company’s services, customer communications, customer surveys and monitoring the use of services
Marketing and targeting of marketing to customers and potential customers as well as organisation and administration of campaigns
The Company’s legitimate interest to inform present and potential future customers of products and services, develop the quality of products and services and market them
Management of voluntary events and services
Electronic, personal direct marketing
Consent for participating in a certain event or certain type of marketing (e.g. electronic direct marketing)
The data subject has the right to withdraw their consent (see Section 10 Rights of data subjects below)
Recruitment The Company’s legitimate interest to recruit employees, offer work to the data subject and manage recruitment-related matters

Insofar as the processing of personal data is based on the legitimate interest of Innovestor or a third party, we have assessed that the rights and interests of the data subjects do not supersede said legitimate interest.

4. Categories of personal data to be processed, data contents and sources of data

We shall only collect such personal data of the data subjects that is relevant and necessary for the purposes described in this privacy policy.

4.1 Categories of personal data to be processed

The following data of the data subjects shall be processed:

Category of personal data Examples of data content
4.1 Contact information Name, address, telephone number, e-mail address
4.2 Identifying information Personal identification number, other similar national identifier, date of birth, copy of birth certificate (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.3 Customer identification information required by the Act on Detecting and Preventing Money Laundering and Terrorist Financing Personal data, information concerning financial status, information concerning the origin of assets, actual beneficiaries (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.4 Obligations concerning international exchange of taxation-related information Country of taxation, taxation identification numbers (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy)
4.5 Identification information collected based on the Act on Whistleblower Protection Name, e-mail address, telephone number
4.6 Customer transaction information and contractual information Personal data in the contract and other documentation between the Company and the data subject, communications between the data subject and the Company including recording electronic communication and video meetings (only Innovestor Oy), reclamations and other information on the use of services
4.7 Information related to the use of services Information concerning financial status, classification of the customer, appropriateness assessment, investment objects, subscription orders (only Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy), information concerning education and occupation, information on payment transactions
4.8 Technical behaviour information and identification information Monitoring the data subject’s online behaviour and use of the Company’s services with the use of cookies or similar technical identification information
The collected data may include the user’s IP address, visited sites, browser type, Internet address, time and duration of session, etc. (see Section 8 Cookies below)
4.9 Managing the rights of the data subject, such as contents and prohibitions Marketing bans and consents
Communications and measures related to the data subject’s rights (see Section 10 Rights of data subjects below)
4.10 Recruitment-related information Curriculum vitae and job application as well as other information on education, competence and job history
Results of potential aptitude tests, status inquiries and safety analysis reports
Information of references and other individuals participating in recruitment
4.11 Other voluntarily disclosed (additional) information Wishes and preferences related to the contract or marketing/marketing event
Other information disclosed during communication or meetings
Information in the curriculum vitae related to expert roles in various business programmes (only Innovestor Ignite Oy)

Disclosing the information mentioned in Sections 4.1–4.7 is essential for the management of the obligations based on legislation and the contract between the Company and the data subject as well as for the provision of the Company’s services. Should the data subject fail or refuse to disclose the necessary personal data, concluding or implementing the contract or managing the statutory obligations may be hindered.

The disclosure of information mentioned in Sections 4.8–4.11 is voluntary but necessary if the data subject wishes to use its rights or for us to serve the customer to the best of our ability. Failing or refusing to disclose recruitment-related information hinders the employee’s evaluation and may terminate their recruitment process.

4.2 Primary sources of data

The personal data is primarily collected from the data subject via telephone or e-mail or when meeting the data subject face to face or via video. In addition, data subjects disclose personal data either electronically or on paper through received subscription undertakings as well as investment service and subscription contracts. A representative authorised by the data subject may also disclose data on behalf of the data subject. In addition, the data subject may have disclosed data to the Company when visiting the Company, its website or social media or when participating in events. Data can also be collected in connection with marketing upon the individual’s permission.

4.3 Data collected from other sources

In its marketing activities, the Company may use external service providers that process data subjects’ contact information for marketing purposes.

Personal data can also be collected from a corporation on behalf of which the data subject is acting. In addition, data can be collected and updated in context allowed by legislation from data files maintained by third parties, such as the Finnish Patent and Registration Office or from other public sources and databases such as LinkedIn.

Subcontractors, cooperating partners and other stakeholders disclose personal data of data subjects when required by legislation and contractual obligations.

The Company can collect recruitment-related personal data in accordance with the prerequisites of legislation concerning data protection in working life from recruiting service providers and potential background surveys, such as status inquiries, and by contacting references.

5 Retention of personal data

We retain personal data for as long as is necessary for the purposes specified in the privacy policy unless legislation requires longer retention of personal data (obligations and liabilities related to special legislation, accounting obligations or reporting obligations, for example). Personal data can be retained for a longer period of time if required in order to submit a legal claim or defend against a legal claim or settle a similar conflict.

The retention period and criteria of personal data vary between categories of personal data according to the purpose and processing grounds of each category. When the processing of personal data is based on special legislation that is binding to Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy, the legislation also usually specifies the retention period of the data. The usual requirement is to retain personal data for the duration of the customer relationship and contractual relationship and for five years after the termination of said relationships (especially Innovestor Oy, Innovestor Ventures Oy and Innovestor Life Science Oy).

In terms of representatives of corporations, the retention of their personal data is also connected to the duration of their status as a representative with the Company.

Personal data required for marketing shall be retained for as long as the data subject is targeted by a specific marketing activity, in other words participates in an event or is contacted about certain services or products, if the data subject has not reported their objection to the use of personal data in direct marketing or, when the marketing is based on consent, has not withdrawn their consent.

The consents, prohibitions and restrictions for processing personal data shall also be retained for the duration of their validity.

Personal data related to recruitment shall be retained for the duration of the recruitment process and a maximum of six (6) months after the new employee starts their work (statutory maximum trial period). Open applications shall be retained for a maximum of six (6) months after receiving them unless the data subject joins the recruitment process of an open position during that time. Targeted applications shall be retained for a maximum of 24 months after receiving them. The Company can ask the data subject for permission to retain the recruitment data for a longer period of time for future open positions. Should the data subject be employed by the Company, the processing of personal data can be continued on the basis of the employment. This processing is described in a separate privacy policy for employees.

Once the personal data is no longer needed as specified above, the data shall be erased within a reasonable amount of time. The Company shall provide more detailed information on retention periods of personal data or the criteria concerning retention periods upon request.

6 Processors and other recipients of personal data

Personal data is transferred between the companies in the Innovestor Group for purposes related to marketing, customer service, other management of customer relationships and the risk management of the Group. The Companies shall process the personal data according to data protection legislation.

The Company may disclose personal data to third parties and utilise external processors, such as service providers, for processing personal data. Service providers supplying IT systems, financial administration services, legal services and other services as well as subcontractors, for example, may participate in the processing of personal data. The Company shall use sufficient contractual obligations to ensure that the processors of personal data process the data appropriately and according to legal requirements.

In addition, the Company may need to disclose personal data to contractual partners of the Company as well as other third parties due to the Company’s contractual obligations as well as statutory reporting and notification obligations.

The Company shall provide more detailed information on the processors and other recipients of personal data upon request.

The Company shall disclose personal data to the authorities in order to fulfil the legal information rights of said authorities. In addition, the Company may have to disclose personal data if the Company is involved in legal action or other arbitration proceedings. Should the Company become involved in a merger, business transaction or other corporate transaction, it may have to disclose personal data to third parties.

7 Transfer of personal data outside the European Union or the European Economic Area

The Company shall not transfer personal data outside the European Union (EU) or the European Economic Area (EEA). We use Google Analytics as a cookie-based tool to analyze the use of our website and services, as described in section 8 below. Personal data contained in Google Analytics may be transferred outside the EU or EEA and we cannot guarantee the adequacy of the transfer arrangements as required by the GDPR. We are following the guidance of the Finnish Data Protection Authority on this matter.

8 Cookies

A cookie is a small text file stored on your device (persistent cookie) or in the cache (session cookie). The network server of the website creates the cookie. The network server specifies the data contained by the cookie which can then be used when the user visits a website. This enables the storing of data such as the user’s settings and remembering their login information. Cookies provide us with information on the language selections of those visiting our website, the time zone of the used browser and the use of the pop-up form. The user can freely manage and remove cookies installed in their browser. However, prohibiting cookies may restrict the use of the website or services.

We use cookies to improve the quality of the customer experience, analyse user numbers and develop our products and services. Cookies enable us to track whether users arrive on our website through advertisement, therefore analysing the impact of our marketing activities. Automated and cookie-based tools (Meta and Google Analytics) help us analyse the use of our services and website. We analyse how you arrive on our website, how you navigate it and how long you spend in the various sections of our website. Your personal data may be shared with the aforesaid service providers. For more information on their cookie policies, please click on their names.

We can target online marketing based on your cookie settings. You can adjust your cookie settings in your browser settings and, if desired, prevent the use of cookies and targeted marketing. Cookie settings vary depending on your browser (e.g. Chrome, Explorer, Safari). Hence, check your cookie settings to make sure that cookies are used as you wish.

9 Principles of protecting personal data and security of processing

The Company processes personal data in a manner that ensures appropriate security and data protection of the personal data in all situations, including protection against unauthorised processing and against accidental loss, destruction or damage.

The Company uses appropriate technical and organisational protective measures to ensure the aforementioned, including the use of firewalls, encryption technology, secure facilities, appropriate access control and instructions for the employees and subcontractors participating in the processing of personal data.

Paper materials are stored in locked facilities only accessible for authorised individuals. The data is only printed out when necessary, and any paper printouts are destroyed in a secure manner.

Access rights are limited according to job descriptions. All the individuals processing personal data are bound by professional secrecy concerning matters related to the processing of personal data.

The Company may outsource the processing of personal data to service providers, whereupon the Company shall use sufficient contractual obligations to ensure that the personal data is processed appropriately and legally.

10 Rights of data subjects

The data subjects have rights guaranteed by data protection legislation.

10.1 Right to access and verify data

The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.

The data subject shall have the right to verify and access the personal data concerning him or her and, upon request, receive the data in writing or in electronic format.

10.2 Right to rectification and erasure of data

The data subject shall have the right to obtain the rectification of inaccurate personal data. In addition, the data subject shall have the right to obtain the erasure of personal data concerning him or her in accordance with valid data protection legislation.

The Company shall also take initiative to erase, rectify and supplement personal data it has observed to be inaccurate, unnecessary, incomplete or outdated for the purposes of the processing.

10.3 Right to data portability, restriction of processing and the right to object to the processing

The data subject shall have the right to transmit the personal data concerning him or her to another controller in accordance with valid data protection legislation.

In addition, the data subject shall have the right to restrict the processing of personal data concerning him or her in accordance with the prerequisites specified by data protection legislation. In addition, in a situation where personal data suspected to be inaccurate cannot be rectified or erased or there is uncertainty concerning the request for erasure, the Company shall restrict access to the data.

The data subject shall have the right to object to the processing and to prohibit the use of the data for certain types of processing, such as direct marketing.

If the processing of personal data is based on consent provided by the data subject, the data subject shall have the right to withdraw their consent. In addition, the data subject shall have the right to withdraw their consent for electronic direct marketing. The withdrawal shall not affect processing preceding the withdrawal.

10.5 Implementation of the rights

Any requests concerning the rights of data subjects shall be made in connection with a personal visit, in writing or electronically and addressed to the controller specified in this privacy policy (contact information in section 2 of the privacy policy). Our newsletters and other potential electronic direct marketing messages contain a link for preventing direct marketing (unsubscribe).

Due to the obligation to verify identity before disclosing information, we may need to ask for more detailed information. The request shall be answered within a reasonable amount of time and, whenever possible, within one month of presenting the request and verifying the identity.

Should the Company be unable to agree to the data subject’s request, the data subject shall be informed of the refusal in writing. The Company may refuse a request (such as the erasure of data) due to a statutory obligation or a statutory right of the Company (such as obligation or claim related to our services).

10.6 Right to lodge a complaint with a supervisory authority

The data protection shall have the right to lodge a complaint with an authorised data protection authority if they find that their personal data has been processed in violation of valid legislation. However, we request that the issue be primarily discussed with the Company.

The contact information of the Finnish data protection authorities can be found here.

11 Amendments to the privacy policy

As we constantly develop our services, we may need to amend and update this privacy policy. The changes may also be based on amendments in legislation. We recommend regularly reviewing the contents of the privacy policy. Any amendments shall be announced on the Company website, and the data subjects shall be informed of any essential amendments, if necessary.

The privacy policy was updated on 17 May 2024.

11.1 Version history

Version Date Amendment
1.0 24 May 2018 Specification document created
1.1 29 March 2019 Specification document updated
1.2 25 June 2019 Specification document updated in terms of processors of personal data and cookies.
1.3 19 September 2019 Amended to cover the mentioned companies in the Innovestor Group.
1.4 14 January 2020 Amended use of cookies
1.5 19 October 2021 Added new group companies, corporate venturing services and legislation on protection for whistleblowers
1.6 1 March 2023 Change of controller’s address, completion of data sources and transfer of personal data outside the EU
1.7 17 May 2024 Complemented categories of personal data to be processed and primary sources of data