Fundis Application Oy

General information

This privacy statement describes how Fundis Application Oy (“company”, or “we”) processes personal data; what kinds of personal data the company collects, for which purposes the data is used and to which parties the data can be disclosed.

Personal data refers to any information relating to a natural person (“data subject”) that can identify him/ her directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). The company complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (data protection legislation).

Controller

Controller: Fundis Application Oy (Business ID: 3193666-1)

Address: C/O MOW Mothership, Pieni Roobertinkatu 9, 00130 Helsinki, Finland

Telephone: +358 40 142 5595

Email: partners@fundis.fi

Purposes and legal basis for processing personal data

Personal data will be processed for the following purposes:

Managing and analyzing the customer relationship (contract or its preparation, legitimate interest)
Providing products and services (contract or its preparation, legitimate interest)
Developing services (consent).
Direct marketing based on company’s legitimate interest to send you promotional material about products and services you might be interested in. The data subject has the right to refuse personal data being used for direct marketing and may at any time recall prior consent.
Fulfilment of statutory obligations, such as obligations under tax and accounting legislation (statutory obligation)
Ensuring security of our products and services and preventing abuses (statutory obligation, legitimate interest)

For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest with the data subjects right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.

What personal data is collected, stored and processed?

The company collects only such personal data from the data subject that is relevant and necessary for the purposes described in this privacy statement.

The following personal data from the data subjects will be processed:

Name and contact information, such as email address and phone number;
Payment card information;
The details of the beneficiary/beneficiaries to which part of the payment is directed;
Username and password;
Location data^[a] based on user’s consent;
Other information necessary for maintaining the business relationship, such as, feedback, other message history and marketing preferences;
Electronic identification and behavior data such as IP address. ^[b]

Data sources

The personal data is mainly collected directly from the data subjects themselves, for example, in connection with preparing or signing of a contract, or during a customer relationship.

The personal data may also be collected automatically when the data subject uses our products and services e.g when using our Fundis Application and visiting our website.

In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context.

Personal data may be updated and supplemented by collecting data from private and public sources.

Retention of personal data

Personal data collected in connection with our services shall be retained as long as need for the purposes defined in this privacy policy and as required by the law, unless such data is replaced through regular updates or otherwise. The periods vary greatly from one type of processing to another.

Detailed retention times can be provided upon requests.

We evaluate the necessity and accuracy of the personal data on a regular basis and endeavor to ensure that the incorrect and unnecessary personal data are corrected or deleted.

Who has access to the personal data?

For the purposes stated in this privacy statement, the personal data may be disclosed, when necessary, to authorities, and to other third parties, such as third-party service providers (such as our IT vendors and marketing agencies conducting marketing on our behalf etc.). In such case, the personal data will only be disclosed for purposes defined above.

List of the processors and other recipients can be provided upon a request.

In addition, the company may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.

The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety of the products and services.

Is data transferred outside the European Union or the European Economic Area

Our application and related servers and data are hosted within the European Union (EU). In case personal data is exceptionally transferred outside EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as standard data protection clauses adopted or otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.

The following recipients may process personal data outside the EU/ EEA:

Stripe Payments Europe, Limited (“SPEL”); Stripe Technology Europe, Limited (“Stripe PSP”) (https://stripe.com/en-fi/privacy)^[c]^[d]
Apple App Store (https://www.apple.com/legal/privacy/en-ww/)
Google Play (https://policies.google.com/privacy?hl=en)

These services are maintained by a third party and governed by the privacy policy of the company providing the service.

How is the data protected?

Securing the integrity and confidentiality of personal data is important to us. We have taken adequate technical and organizational measures in order to keep personal data safe and to secure it against unauthorized access, loss, misuse or alteration by third parties, such as by encryption, access controls and firewalls. Nevertheless, considering the cyber threats in modern day online environment, we cannot give full guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data or absolute security of the personal data during its transmission or storage on our systems.

Rights of data subjects

The data subject has a number of rights under applicable data protection laws.

Right of access and right of inspection

The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her is being processed.

The data subject has the right to inspect and view data concerning him or her and, upon a request, the right to obtain the data in a written or electric form. This applies to information that the data subject has provided to the company insofar the processing is based on a contract/consent.

Exercising this right is generally free of charge.

Right to rectification and right to erasure

The data subject has the right to require us to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing.

However, please note that certain personal data is strictly necessary in order to achieve the purposes defined in this privacy statement and may also be required to be retained by applicable laws.

Right to data portability

The data subject has the right to receive the personal data that he or she has provided to us in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller.

Right to restriction of processing

The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his/ her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, the company will limit the access to such data.

Right to object to processing

The data subject has the right to object to the processing of data where we are relying on its legitimate interests as the legal ground for processing. For example, the data subject may object to his/her personal data being used for marketing purposes.

Right to withdraw consent

In cases where the processing is based on the data subjects’ consent, he/she has the right to withdraw his/her consent to such processing at any time.

Exercising rights

Requests regarding the rights of data subjects shall be made in written or in electronic form, and the request shall be addressed to the controller mentioned on this privacy policy.

If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. The company may refuse a request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services.

The data subject may exercise the aforementioned rights by sending a written request to partners@fundis.fi.

If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current legislation.

However, we request that the matter be deal with the company in the first instance.

The relevant authority in Finland is the Data Protection Ombudsman (www.tietosuoja.fi).

Changes to the privacy statement

Fundis Application Oy may make changes to this privacy policy at any time by giving a notice on the website and/or by other applicable means. The data subjects are highly recommended to review the privacy policy on our website every now and then. If the data subject objects to any of the changes to this privacy policy, the data subject should cease using the services, where applicable, and he/she can request that we remove the personal data, unless applicable laws require us to retain such personal data. Unless stated otherwise, the then-current privacy policy applies to all personal data we process at the time.

This privacy statement has been published on 23 December 2023, version 1.0