PRIVACY NOTICE FOR CUSTOMERS AND BUSINESS STAKEHOLDERS
26.6.2025
1 SCOPE AND PURPOSE
This Privacy Notice for Customers and Business Stakeholders (hereinafter referred to as the "Notice") applies to the processing of personal data conducted by Heeros Oyj or its subsidiary you are interacting with (hereinafter “Company”, “we”, “us”, “our”) in the following contexts:
- Marketing and sales of services;
- Customer agreements and customer management;
- Provision and use of services from the Company;
- Acquiring services, vendor agreements and vendor management;
- Co-operation activities and stakeholder management;
- Sales opportunities and management thereof; or
- Events organised by the Company and management thereof.
The protection of the privacy and personal data of individuals whose data are being processed in connection with services by the Company ("Services") is a top priority for us. This Notice explains how we ensure that processing of personal data is performed in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and national laws implementing these instruments as and when applicable.
2 ROLES AND RESPONSIBILITIES
Company processes personal data in connection with its customers and other stakeholders both as a data controller and data processor. A data processor is the entity that processes personal data on behalf of a data controller. A data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.1 Company as data processor
In the provision of Services to our customers, the Company primarily acts as data processor. In these cases, our customer determines the purposes and the means by which personal data is processed. This means that the customer is responsible for the lawfulness of the processing, including but not limited to the provision of transparent information on the processing as well as responding to the requests from individuals. Details of the processing are defined in a separate data processing agreement between us and our customer. As a data processor, the Company only processes personal data on behalf of the data controller and in accordance with the data controller's instructions.
2.2 Company as data controller
In some cases, the Company will on its own determine the purposes and means by which personal data related to customers and business stakeholders will be processed in connection with the Services. In these cases, we will act as data controller and ensure the lawfulness of processing your personal data. This Notice provides you information on the processing conducted as data controller.
3 PROCESSING OF PERSONAL DATA
3.1 Collection of personal data from different sources
We collect and process personal data, which:
- is provided by you when you communicate or do business with us, e.g. in connection with entering into a contract or in the Know Your Customer (KYC) process, when you buy the Services or contact us for providing services or in connection with Service and support requests, when you visit our premises or participate in our marketing or social media campaigns or other events;
- is generated in different contexts, e.g. when using or logging into our Services, performing various transactions (e.g. paying bills), and making entries or participating in an event organized by the Company;
- is obtained from companies affiliated with the Company, publicly available sources, or third parties, where permitted by applicable laws, e.g. information obtained from the company you represent or with which you are otherwise connected, from the Trade Register or other official registries, business information systems or other similar publicly available databases such as financial sanctions, and any asset freezing registers.
3.2 What personal data we process
The personal data we collect and process includes the following categories of data:
- basic information, such as name, title and your relation to a company you represent or are otherwise connected to, and contact details (email, address and phone), nationality, and language preferences;
- information relating to our relationship, such as Service and order details, contract information, payment details, billing information, or information related to your visit at our premises (such as surveillance camera footage, vehicle license plate number);
- information related to the KYC process as required by applicable legislation, such as identification information, information on right to represent the company, basic information about the customer and related representatives, responsible persons and actual beneficiaries (including their personal identity numbers), as well as information whether some of the above persons or any individual otherwise closely associated with them is to be categorised as a politically exposed person and the basis thereto, and sanction register information;
- marketing data, e.g. product preferences, marketing permissions and prohibitions;
- your communication and interactions with us as well as generated records and material, such as correspondence, service requests, call recordings, your contribution to our campaigns (video, audio or other material e.g. content in social media) and events organised by us, as well as entries on the use of individual’s rights;
- Service-related information, e.g. user IDs, passwords, and other authentication credentials as well as data or IT management details generated in connection with Service provision e.g., login information, and how Services are used.
3.3 Purpose and legal basis for processing personal data
Your personal data is processed for the following purposes and based on the legal basis as identified below:
(a) Sales, Service provision, and management of customer relationship: Data is processed for the purposes of selling, providing and delivering our Services and to manage the customer relationship between us and you, or between us and a company you represent, are employed in, or otherwise associated with. This includes e.g., customer support, handling service requests, fault repair, and invoicing. For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section):
(i) "basic information";
(ii) "information relating to our relationship";
(iii) "information relating to 'Know Your Customer' obligations";
(iv) "your communication and interactions with us"; and
(v) "Service-related information".
The legal basis of processing personal data for this purpose is the performance of contracts regarding our Services and our legitimate interests in managing the customer relationship.
(b) For communication, marketing, and related analytics: Data is processed for the purpose of informing you about the Services we are offering, producing material or content for marketing or social media campaigns, market research, and customer surveys.
For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section):
(i) "basic information";
(ii) "information relating to our relationship";
(iii) "marketing data";
(iv) "your communication and interactions with us"; and
(v) "Service-related information".
The legal basis for processing for this purpose is the performance of the contract regarding our Services or our legitimate interest in obtaining information to better understand our stakeholders, e.g. customers, and to promote our Services.
In addition to the above, the Company posts blogs about customer testimonials, news and posts on other social media outlets, available to users following Company’s blogs or social media channels or associated advertising tools. Such content may only include personal data concerning individuals who have freely consented thereto.
(c) Quality assurance, security, and development: Data is processed to analyse and develop our Services and operations, such as for creating new product features, automating operations, training artificial intelligence, improving processes, and for statistical purposes like managing our business. For this purpose, we may aggregate and pseudonymise "Service-related information" (as defined above), and store usage patterns to optimise further development of the Services and to give you as an individual user of our Services a better user experience.
The legal basis is our legitimate interest in optimizing and developing the Services, in ensuring that our Services have an adequate level of information security, and in assuring the competitiveness of the Services and operations.
(d) To protect, defend, or enforce our legal rights or compliance with the law, as well as responding to requests from authorities. For this purpose, we may process all categories of personal data listed above in section 3.2 to the extent necessary to comply with laws or protect our rights, for example in case we are a party to a lawsuit.
The legal basis for processing for this purpose is our legal obligations or our legitimate interest in being able to demonstrate compliance of our operations and protect our rights in an appropriate manner.
4 NOTICE REGARDING USE OF THIRD-PARTY SERVICES
The Services we provide may include Application Programming Interfaces (APIs) enabling our customers and their representatives to use certain third-party services. Such use of third-party services may include data transfers and data processing that the Company is not involved in or responsible for. We are not responsible for any such third-party data collection, storage, operating procedures, support, customisation or development activities. We strongly advise individuals to seek information regarding such third-party processing activities from the relevant data controller or the relevant third parties.
5 DISCLOSURES AND TRANSFERS OF PERSONAL DATA
5.1 Disclosures to other companies affiliated with the Company
When we have a legitimate purpose and legal basis to do so, we may share personal data as mentioned in this Notice with other companies affiliated with us, as different companies in our group may be responsible for carrying out different tasks relating to sales, marketing or the provision of the Services. Such other companies may be acting as our data processors or as independent data controllers.
5.2 Disclosures to other third parties
Company may disclose personal data to external third parties who receive and process personal data as data processors or independent data controllers:
In case of a merger or an acquisition, it might be necessary to give third parties access to data containing some degree of personal information. Such information will only be accessed by parties who have signed an appropriate non-disclosure agreement or parties who are bound by confidentiality obligations by law. As these independent data controllers process personal data for their own purposes, they are responsible for the lawfulness of processing of personal data.
Company may also disclose personal data about customers and stakeholders to other third parties:
- to business partners in order to fulfil the order and invoicing process in cases where you have purchased the Services through a partner. No other data will be shared;
- when a government authority or law enforcement makes a lawful request for personal data or any other data processed by the Company; or
- when they are engaged for the provision of services to us or to assist in the operation of our business and website, such as IT hosting, cloud service providers, administrative services, payment processors, customer satisfaction surveys.
To ensure that your personal data is processed in line with data protection regulations, we always enter into the necessary data processing agreements (DPA) with all companies we engage to process personal data on our behalf. If a third party that processes personal data uses your personal data for their own purposes, the service provider in question becomes responsible for the lawfulness of the processing. If possible, the Company will strive to ensure that further processing of your personal data is not incompatible with the original purposes for which it was collected.
5.3 Transfers of personal data outside the EEA
Your personal data is processed primarily in the European Economic Area (EEA). We may, however, transfer your personal data outside the EEA if our service provider or partner, who processes personal data, is located fully or partly (e.g., for technical administration) in a third country. Personal data may also be transferred to third countries, where this is required from the service provider under binding non-EU legislation.
To the extent that your personal data is transferred to countries outside the EU/EEA, we will put in place appropriate safeguards to ensure that the personal data are subject to an equivalent level of protection as within the EU/EEA, including by entering into agreements based on the European Commission's standard data protection clauses or other approved transfer mechanisms.
6 RETENTION OF PERSONAL DATA
We will process your personal data only for as long as it is necessary to fulfil the purposes defined in this Notice.
We have defined retention periods for all personal data we have on you. When defining such periods, we have considered various factors such as statutory retention requirements, the nature and sensitivity of personal data and the purposes the data is processed for.
Your personal data processed based on a contractual relationship with you, or a company you represent or are otherwise associated with, are stored, as a rule, for the duration of the contractual relationship or as long as the provision of the Services requires. After our relationship or Service provision has ended, we typically store personal data that are necessary to protect our legitimate interests, e.g. to enable us to respond to requests or claims under applicable provisions concerning statute of limitations, or we may store your personal data, to the extent necessary, in order to respect your request not to receive direct marketing from us.
If personal data is processed based on legal obligations, it is retained as long as required by law. Obligations to store personal data are set, for example, by the Accounting and Anti-Money Laundering laws.
7 DATA SECURITY
We maintain security measures (including physical, technical, electronic, and administrative measures) that are appropriate to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, we limit access to personal data to those authorized employees and service providers who need to know the information in the course of their work tasks. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Please be aware that, although we endeavour to provide appropriate security measures for personal data, no security system can prevent all potential security breaches. If a security breach occurs, we will inform you in accordance with applicable laws.
8 YOUR RIGHTS AS A DATA SUBJECT
When we process your personal data, you have the following rights as a data subject:
- Right of access and information: You can request a copy of all information about you in our registers, information about the purposes of the processing, where we have obtained the information from, disclosures of the information, retention period, and information about your rights as a data subject.
- Right to rectification: If you believe the data we have registered is inaccurate or incomplete, you can request that it be corrected or supplemented.
- Right to erasure: In certain cases, you can request that some information about you be deleted.
- Right to restriction: In certain cases, you can request that we temporarily restrict the way we process your personal data.
- Right to object: You can object to the processing of your data, if our processing of your personal data is based on our legitimate interest.
- Right to data portability: You may request to receive data collected on the basis of consent or for the performance of a contract in a machine-readable and commonly used file format.
- Right to withdraw consent: If our processing of your personal data is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of the processing that has already taken place.
Please note that the rights above are not absolute, and certain rights are subject to exceptions and conditions as set out in applicable data protection laws.
You always have the right to file a complaint with a supervisory authority if you believe your personal data has been processed in violation of applicable data protection laws.
National supervisory authorities are:
- In Finland: Tietosuojavaltuutettu
- In the Netherlands: The Autoriteit Persoonsgegevens
9 CHANGES TO THIS PRIVACY NOTICE
We will update this Notice as and when required to reflect any changes to our processing of personal data and/or changes to data protection regulations. You are encouraged to revisit this Notice from time to time.
10 CONTACT DETAILS
If you have any questions regarding this Notice, the personal data we process about you, or details of the data controller in your specific situation, please contact us at dpo@finago.com.