Apua Tietosuojaseloste

Privacy Policy

Holvi Payment Services

Published: May 8th, 2018

Last Update: April 23rd, 2020

Version 2.7

1. Introduction Holvi is a Payment Institution authorised and regulated by the Financial Supervisory Authority of Finland allowing entrepreneurs to concentrate on their business by providing business current accounts combining everything from traditional banking services to expense management and invoicing in one simple service. When providing this service, Holvi uses the latest tools and techniques to secure Holvi IT systems. This security with Holvi’s organisational processes guarantee that Holvi customers’ monies and information is always protected and secured.

Customer privacy is important to us in Holvi and maintaining customers’ trust and confidence is one of the highest priorities of the company. Holvi respects the customer’s right to keep their personal information confidential and understands their desire to avoid unwanted solicitations.

With these intentions Holvi has created this Privacy Policy; to inform customers and website users of the nature, scope, and purpose of the personal data Holvi collects, processes and stores. In addition, Holvi wishes to inform Holvi customers and website users of the rights to which they are entitled under the applicable data privacy regulations.

In line with this policy, Holvi has implemented technical and organisational measures to ensure a complete protection of personal data processed in our company. Holvi has committed to collecting, processing and storing personal data in line with the General Data Protection Regulation 2016/679 (“GDPR”).

1. Principles of securing the data At Holvi the personal data is processed in line with the privacy principles. This means that personal data is processed in a lawful, fair and transparent way. Only the necessary and relevant data is collected, processed and stored for the purposes of providing the best possible services for Holvi customers and future customers. Holvi is committed to keeping the personal data accurate and updated, and the data will be secured by Holvi’s organisational and technical measures. This means, for example, that the registry permissions are granted and supervised by the person responsible for managing the register, the customer data is not kept as a hard copy, and that all customer information is deleted after Holvi has no longer reason for processing it.

2. Name and address of the Controller 3.1. Controller Holvi Payment Services Oy

Business ID 2193756-4

Hämeentie 11

00530 Helsinki

Finland

3.2 Name and address of the Data Protection Officer (DPO) DPO: Tuomas Haavikko

Email: privacy@holvi.com

1. Data Holvi collects 4.1. Registration for Holvi User To open a Holvi account and to use the Holvi Payment Services, customer is asked to provide identifying, professional and financial data for the performance of contract between Holvi and the customer. Personal data may be obtained directly from Holvi customer or it may be obtained from third parties such as credit bureaus and identity verification services upon legal requirements.

Holvi uses customer personal information to provide banking services and accounting services, for legal requirements, to develop Holvi products and services, to manage and develop Holvi customer relationships and to provide information on the products and services the customer might be interested in. In addition, the information may be used to identify the customer and for webshop merchant management, risk management, legal compliance, and for administrative purposes. Holvi will also retain personal data for bookkeeping purposes.

Personal data may also be used to prevent, detect and investigate money laundering and terrorist financing, and to investigate a crime in which the property or funds have been obtained. For these reasons, Holvi has a legal obligation to collect and process data. Personal data collected for AML purposes must be retained five years after the end of the customer relationship.

4.2. Using Holvi for One-Time Payments Customers may use Holvi to pay purchases in a webshop of Holvi’s customer. Holvi collects, processes and stores payer name and email to enable payments with card or through a bank account because of legal requirements. Holvi may also collect payer contact information for Holvi customer to send the purchase and manage customer relationship, and for Holvi’s legitimate interest to develop the product, to keep Holvi website safe and to prevent fraud. This data is retained for five years after the end of customer relationship.

4.3. Customers’ customer data Holvi processes customers’ customer data to allow Holvi customers to send invoices and expense invites. Holvi stores this data for customers’ bookkeeping purposes on the basis of a contract with the customer. Customer may also make payments through their Holvi account. Holvi has a legal obligation to save the third party data when a customer makes payments. This data is retained in Holvi for legitimate interest of preventing fraud for 5 years after the end of customer relationship. When a customer uses the 'Invite User’ function, the customer is responsible for obtaining the consent from the receiver of the invite before sending the invite.

Holvi customers have a possibility to create customer relationship lists of their own customers. This customer’s customer data is only stored in Holvi database until the customer chooses to delete the list. All transactional data is part of customer bookkeeping records that will be retained for above mentioned period. When a user makes a payment in a webshop, the user will become a customer of Holvi for this payment. For this scenario, data processing is described above in “Using Holvi for One-Time Payments”.

4.4. Customer Support In Holvi customer support, the data is collected and used to solve issues and questions customers might have about Holvi service. The questions and issues customers send through email, website, Facebook messenger or by calling are saved for product development and customer success quality purposes. Every issue is given a unique number and the issues are connected to a possible customer account. Customer support data is retained and processed in legitimate business interest of Holvi to develop the product, to help customers and to give information on Holvi product and services. Customer support data will be deleted five years after the end of the customer relationship with other customer data.

Holvi Customer Support may use customer email or phone number to contact customer for legal questions, service related queries and to offer help with onboarding issues. Holvi will never ask customer to give their passwords through email or phone.

4.5. Blog Updates The Holvi Blog enables users to get notifications in their email when a new blog text is published. To get these updates, user is asked to input their email and order the updates email. On basis of user consent, Holvi collects and stores information through the blog update to optimize the sending and the content of future newsletters. User can at any time withdraw their consent and cancel the updates email. After withdrawing their consent on receiving the email, Holvi will mark the consent withdrawn and user will no longer receive the updates.

4.6. Tips & Tricks This newsletter is sent for Holvi customers that have given their consent during onboarding. The newsletter contains tips & tricks on use of Holvi product, entrepreneurship and other issues that might interest our customers. On basis of customer consent, Holvi collects and stores information through the newsletters to optimise the sending and the content of future newsletters. Customer can at any time withdraw their consent and cancel the newsletter. After withdrawing their consent on receiving newsletter, Holvi will mark the consent withdrawn and customer will no longer receive the newsletter.

4.7. Inbound marketing Holvi will always ask data subject’s consent to send any marketing messages. On basis of user consent, Holvi collects and stores information through the messages to optimize the sending and the content of future marketing. User can at any time withdraw their consent and cancel the newsletter. After withdrawing their consent on receiving any marketing, Holvi will mark the consent withdrawn and user will no longer receive any messages.

4.8. Partner co-operation Holvi customers are able to initiate the opening of Holvi business account via selected Holvi partner applications. In these applications, user consent is asked to share user’s name, email, country, and business type with Holvi. Holvi will then securely contact customer, and the customer is able to finish creating a Holvi account. If user never finishes the account creation, Holvi keeps user data for 30 days before deleting the information.

4.9. Careers section In the career section Holvi collects personal information to find new Holvians. Holvi collects historical, social, external and preference data for the necessity of findinding the best people to work with us. This job application data is processed and retained for the application period. Holvi has a legitimate employer interest of retaining applications for 12 months after the application period to ensure applicant funnel for future positions.

4.10. Cookies To build a first line defense against fraud, to serve our customers better and to provide the best possible experience for everyone using our site and services, Holvi may place small data files on your computer or other device. These data files may be cookies, pixel tags, "Flash cookies," or other local storage provided by your browser or associated applications (collectively "cookies"). Some of these cookies are necessary to secure our site and enable the use of Holvi site and for other cookies we always ask for your consent.

A user can easily control their cookie settings through Holvi’s partner Onetrust. The user is able to accept all or only part of the optional cookies to be placed into their browser. The user is able to withdraw their consent at any time from each cookie group. If the user chooses not to use cookies, they are still able to use Holvi website, but some of website features might be affected. User can see every cookie’s retention period from browser settings.

Below is a detailed list of the cookies Holvi uses on the website. Holvi website is scanned with the cookie scanning tool regularly to maintain a list as accurate as possible. Holvi classifies cookies in the following categories:

Strictly Necessary Cookies Performance Cookies Functional Cookies Targeting Cookies

4.11. Research Holvi processes personal data for research purposes; to validate market assumptions, to develop new technologies and to foster innovation. All data that is collected from Holvi users and website visitors with other legal basis may also be used for the research purposes. Holvi may also collect data from users for primarily research purposes. Holvi will always use all available technical and organisational measures to secure the processing of research data. The research data is stored until the research objectives are achieved up to one year from starting the research. Holvi may not be able to erase the research data if the erasure is likely to render impossible or seriously impair the achievement of the research objectives. Holvi will make the results of the research objectives publicly available in the Holvi blog.

4.12. Piloting To enter new market areas, Holvi provides a possibility to start using Holvi for early adopters as one of the first entrepreneurs in their country. To select the most suitable piloting entrepreneurs to refine Holvi product for the new market, Holvi has a legitimate interest to ask possible users to provide name, contact information, and financial information on their company. If the entrepreneur is selected as a piloting user, Holvi will save the user data for the piloting period up to one year. If the entrepreneur is not selected, Holvi will erase the information immediately, if the entrepreneur has not given separate consent to save the information to contact them later.

1. Data Holvi retains Holvi retains personal data for the period of time Holvi has a legal or regulatory obligations, has legitimate business purposes or the time of the contract with a customer. Holvi may retain data for longer periods than required for law if it is in Holvi’s legitimate business interest and not prohibited by law or Holvi acquires customer consent to retain their data for longer.

Holvi will retain customer accounting records on behalf of the customer during the customer relationship with Holvi. When the customer relationship ends, Holvi provides customer with a link to download the accounting records for retention. Holvi is not responsible for retaining customer accounting data after the end of the relationship.

1. Purpose of processing personal data Holvi collects, stores and processes customer information with a primary purpose of providing better payment services. Holvi may use customer information to:

process payments and provide Holvi Services; verify customer identity; collect fees, solve problems, and resolve disputes; manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities; detect, prevent or remediate violations of policies or user agreements; provide customer with Holvi customer support services; measure the performance of the Holvi Services and improve Holvi content and layout; manage and protect Holvi information technology infrastructure; compare information for accuracy, and verify it with third parties with customer consent:

improve Holvi Services by customising user experience; provide targeted marketing and advertising, provide service updates, and deliver promotional offers

1. Information shared with 3rd parties 7.1. Holvi may share customer information with official authorities in case of requests based on a lawsuit or prosecution.

7.2. Holvi may share personal information under contract with third-party service providers who help with certain parts of Holvi business operations including payment, fraud prevention, validation of user credentials, secure data storage and other similar services. Holvi may also share personal information with certain financial institutions and collaborators or their agents that Holvi works with to jointly create and offer certain products and services. Holvi ensures that these parties are properly informed of how to use Holvi data, and only use personal information in connection with the services they perform for Holvi.

7.3. For legal reasons the Holvi shop owner details are publicly available in the online shop so webshop customers can easily contact the webshop if needed.

7.4. For sharing data with third parties based outside of the EEA, Holvi will require additional safeguards approved by European Commission. Holvi uses these accepted safeguards in transferring data to third countries. Used safeguards are: EU-US Privacy Shield, adequacy decision from European Commission, and European Commission model contracts.

7.5. The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in the fraud prevention agencies’ website. See Table of 3rd parties.

Here is a list of third parties Holvi shares customer information with: Table of 3rd parties

7.6. Holvi websites include links to third party sites such as the Facebook Like button and third party widgets, such as the ‘Share This’ button or interactive mini-programs that run on Holvi websites. If the user clicks a link to a third party site, user will leave Holvi site and go to the site they selected. These features may collect user’s IP address, which page user is visiting on the website, and set a cookie to enable the feature to function properly.

Being on Holvi website does not automatically result in sharing data on these social media networks. These plugins remain inactive until clicked. Once clicked, the user will be taken to the said social media site or 3rd party website with their own specific privacy policies user is recommended to consult. Holvi cannot control the activities of third parties, Holvi cannot accept responsibility for any use of user’s personally identifiable information by such third parties, and Holvi cannot guarantee that they will adhere to the same privacy practices as Holvi does.

1. Customer rights as a data subject 8.1. The right to be informed Holvi will always inform customer about the purposes and the lawful basis of processing their information, as well as the retention period of processing information. Holvi will inform the customer about the sources from which Holvi obtains customer personal data, and the recipients of customer data. If customer data is processed based on consent, customer has a right to withdraw their consent of sharing data at any time. Customer also has a right to lodge a complaint with a supervisory authority.

8.2. The right to access Customer has right to access to their information that is stored in Holvi database. Customer is able to see their basic information in their account. Customer is also able to submit a request to Holvi DPO and get a copy of their personal information. If the customer asks for a large amount of data, Holvi may ask the customer to specify their request. Holvi will comply with customer request without delay within one month and free of charge, unless if the request is repetitive, unfound, or excessive, Holvi might have to ask customer for a reasonable administrative fee and/or extend the period of compliance for two months.

8.3. The right to data portability Customer has a right to data portability, which means that customer may ask Holvi to move, copy or transfer their data from Holvi IT environment to another in a structured, commonly used and machine readable form. Holvi will respond to customer request without delay within one month, unless the request is complex or Holvi has received an extensive number of requests. In this case, Holvi will inform customer of a reason why the request must be extended by two months.

8.4. The right to rectification If customer finds their information in Holvi as inaccurate or incomplete, customer has a right to get their data rectified. Customer can either log into their Holvi account to review and modify their data or if customer is unable to modify data theirself, they can request the rectification through a dedicated platform or by contacting Holvi support. Holvi will respond to customer within a month, and inform the third parties of the rectification where possible.

8.5. The right to be forgotten / the right to erasure Customer has a right to be forgotten, which means that customer is able to ask a deletion and removal of all personal data Holvi has on customer, if Holvi has no compelling reason for continued processing or storage, Holvi will delete customer data. Retention periods by applicable law might be a compelling reason for Holvi to keep customer data for longer, or a legitimate interest that overrides customer’s interest of data erasure. Holvi will respond to customer request within a month.

8.6. The right to restrict processing In cases the customer is not entitled to get their data erased, the customer is still able to restrict the processing of the data. Customer has a right to restrict the processing of personal data, if 1) the accuracy of the data is contested; 2) customer thinks the processing is unlawful and the requests restriction; 3) Holvi no longer needs the data for the original purpose, but customer data is still required to establish, exercise or defend legal rights; or 4) if the verification of overriding basis is pending, in the context of an erasure request.

8.7. The right to object processing Customer has a right to object to processing of their personal data on grounds relating to their particular situation. If Holvi processes customer data for legitimate interests, Holvi will stop processing the information after customer’s request, unless Holvi can show a compelling legitimate grounds for the processing. If Holvi processes customer data on the basis of customer consent, Holvi will stop processing customer data as soon as receiving customer objection.

8.8. Rights related to automated decision making including profiling Customer has rights related to automated individual decision-making - making a decision solely by automated means without any human involvement; and profiling. Holvi may use profiling to send the customer messages and marketing that is relevant to them. Holvi will inform customer separately if it uses automated decision making, and will give customer ways to request human intervention or challenge a decision.

8.9. Using your rights Customers and other website users may use all of their rights through Holvi’s dedicated data privacy platform an online form and sending it to Holvi. We will get back to you as soon as possible, but not later than within a month.

1. Data Processing Agreement 9.1. Scope Holvi processes customers’ customer data on behalf of the Holvi customer when making available certain related value added services such as invoicing, reporting, web shop platform and credit and savings products, which may be provided by Holvi or third party service providers.

9.2. Parties For the use of value added services Holvi acts as a data processor and the customer will act as a data controller.

9.3. Basis for processing Holvi will only process personal data in line with GDPR, other laws and the agreement between Holvi and the customer.

9.4. Categories of personal data processed Personal data categories processed on behalf of the customer are PII, contact information and financial information.

9.5. Security and confidentiality Holvians processing customer data are under a duty of confidence when processing the data, and Holvi has taken appropriate measures to ensure the security of processing.

9.6. Third parties To provide payment services and other value added services for customers, Holvi may engage sub-processors that will provide the same level of safeguards as Holvi acting as a main processor. Third parties that the data may be shared with are listed under here.

9.7. Co-operation Holvi will assist the customer by taking appropriate technical and organisational measures to ensure fulfilment of the controller's obligation to reply to requests by data subjects exercising their rights, and in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.

9.8. Other provisions If the customer chooses so, customer is able to delete, upload or transfer all personal data that is processed by Holvi. Holvi will maintain data that it processes as a controller and the data that EU or Member State law requires to be stored.

Holvi will make available to the customer all information necessary to demonstrate compliance with customer obligations and allow and cooperate fully with audits, including inspections, conducted by the controller or another person authorised to this end by the controller. Controller will bury the costs of these acts.

1. Holvi protects customer data To protect customers’ personal data from loss, misuse, unauthorised access, disclosure or alteration, Holvi sustains technical, physical and administrative measures designed for security. These security measures include, but are not limited to, data encryption, firewalls, physical access controls, and authorisation controls.

2. Changes to the Privacy Policy 11.1. Holvi will update this policy from time to time to reflect the changes in Holvi services or applicable laws.

11.2. Holvi will update the third party list quarterly.

You can download the Privacy Policy as a PDF from this link.

A list of Holvi´s third parties can be downloaded here.