PRIVACY NOTICE FOR CUSTOMERS AND BUSINESS STAKEHOLDERS
26.6.2025
1. Scope and Purpose
This Privacy Notice for Customers and Business Stakeholders (hereinafter referred to as the "Notice") applies to the processing of personal data conducted by Heeros Oyj or its subsidiary you are interacting with (hereinafter “Company”, “we”, “us”, “our”) in the following contexts:
- Marketing and sales of services;
- Customer agreements and customer management;
- Provision and use of services from the Company;
- Acquiring services, vendor agreements and vendor management;
- Co-operation activities and stakeholder management;
- Sales opportunities and management thereof; or
- Events organised by the Company and management thereof.
The protection of the privacy and personal data of individuals whose data are being processed in connection with services by the Company ("Services") is a top priority for us. This Notice explains how we ensure that processing of personal data is performed in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and national laws implementing these instruments as and when applicable.
2. Roles and responsibilities
Company processes personal data in connection with its customers and other stakeholders both as a data controller and data processor. A data processor is the entity that processes personal data on behalf of a data controller. A data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.1 Company as data processor
In the provision of Services to our customers, the Company primarily acts as data processor. In these cases, our customer determines the purposes and the means by which personal data is processed. This means that the customer is responsible for the lawfulness of the processing, including but not limited to the provision of transparent information on the processing as well as responding to the requests from individuals. Details of the processing are defined in a separate data processing agreement between us and our customer. As a data processor, the Company only processes personal data on behalf of the data controller and in accordance with the data controller's instructions.
2.2 Company as data controller
In some cases, the Company will on its own determine the purposes and means by which personal data related to customers and business stakeholders will be processed in connection with the Services. In these cases, we will act as data controller and ensure the lawfulness of processing your personal data. This Notice provides you information on the processing conducted as data controller.
3 Processing of personal data
3.1 Collection of personal data from different sources
We collect and process personal data, which:
- is provided by you when you communicate or do business with us, e.g. in connection with entering into a contract or in the Know Your Customer (KYC) process, when you buy the Services or contact us for providing services or in connection with Service and support requests, when you visit our premises or participate in our marketing or social media campaigns or other events;
- is generated in different contexts, e.g., when using or logging into our Services, performing various transactions (e.g. paying bills), and making entries or participating in an event organized by the Company;
- is obtained from companies affiliated with the Company, publicly available sources, or third parties, where permitted by applicable laws, e.g. information obtained from the company you represent or with which you are otherwise connected, from the Trade Register or other official registries, business information systems or other similar publicly available databases such as financial sanctions, and any asset freezing registers.
3.2 What personal data we process
The personal data we collect and process includes the following categories of data:
- basic information, such as name, title and your relation to a company you represent or are otherwise connected to, and contact details (email, address and phone), nationality, and language preferences;
- information relating to our relationship, such as Service and order details, contract information, payment details, billing information, or information related to your visit at our premises (such as surveillance camera footage, vehicle license plate number);
- information related to the KYC process as required by applicable legislation, such as identification information, information on right to represent the company, basic information about the customer and related representatives, responsible persons and actual beneficiaries (including their personal identity numbers), as well as information whether some of the above persons or any individual otherwise closely associated with them is to be categorised as a politically exposed person and the basis thereto, and sanction register information;
- marketing data, e.g. product preferences, marketing permissions and prohibitions;
- your communication and interactions with us as well as generated records and material, such as correspondence, service requests, call recordings, your contribution to our campaigns (video, audio or other material e.g. content in social media) and events organised by us, as well as entries on the use of individual’s rights;
- Service-related information, e.g. user IDs, passwords, and other authentication credentials as well as data or IT management details generated in connection with Service provision e.g., login information, and how Services are used.
3.3 Purpose and legal basis for processing personal data
Your personal data is processed for the following purposes and based on the legal basis as identified below:
- Sales, Service provision, and management of customer relationship: Data is processed for the purposes of selling, providing and delivering our Services and to manage the customer relationship between us and you, or between us and a company you represent, are employed in, or otherwise associated with. This includes e.g., customer support, handling service requests, fault repair, and invoicing. For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section):
- "basic information";
- "information relating to our relationship";
- "information relating to 'Know Your Customer' obligations";
- "your communication and interactions with us"; and
- "Service-related information".
The legal basis of processing personal data for this purpose is the performance of contracts regarding our Services and our legitimate interests in managing the customer relationship.
- For communication, marketing, and related analytics: Data is processed for the purpose of informing you about the Services we are offering, producing material or content for marketing or social media campaigns, market research, and customer surveys.
For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section):
- "basic information";
- "information relating to our relationship";
- "marketing data";
- "your communication and interactions with us"; and
- "Service-related information".
The legal basis for processing for this purpose is the performance of the contract regarding our Services or our legitimate interest in obtaining information to better understand our stakeholders, e.g. customers, and to promote our Services.
In addition to the above, the Company posts blogs about customer testimonials, news and posts on other social media outlets, available to users following Company’s blogs or social media channels or associated advertising tools. Such content may only include personal data concerning individuals who have freely consented thereto.
- Quality assurance, security, and development: Data is processed to analyse and develop our Services and operations, such as for creating new product features, automating operations, training artificial intelligence, improving processes, and for statistical purposes like managing our business. For this purpose, we may aggregate and pseudonymise "Service-related information" (as defined above), and store usage patterns to optimise further development of the Services and to give you as an individual user of our Services a greater user experience.
The legal basis is our legitimate interest in optimizing and developing the Services and to ensure that our Services have an adequate level of information security, and to assure competitiveness of Services and operations.
- To protect, defend, or enforce our legal rights or compliance with the law, as well as responding to requests from authorities. For this purpose, we may process all categories of personal data listed above in section 3.2 to the extent necessary to comply with laws or protect our rights, for example in case we are part of a lawsuit.
The legal basis for processing for this purpose is our legal obligations or legitimate interest in being able to demonstrate compliance of our operations and protect our rights in an appropriate manner.
4 Notice regarding use of third-party services
Our Services may include Application Programming Interfaces (APIs) enabling our customers and their representatives to use certain third-party services. Such use of third-party services may include data transfers and data processing that the Company is not involved in or responsible for. We are not responsible for any such third-party data collection, storage, operating procedures, support, customisation or development activities. We strongly advise individuals to seek information regarding such third-party processing activities from the relevant data controller or the relevant third parties.
5 Disclosures and transfers of personal data
5.1 Disclosures to other companies affiliated with the Company
When we have a legitimate purpose and legal basis to do so, we may share personal data as mentioned in this Notice with other companies affiliated with us, as different companies in our group may be responsible for carrying out different tasks relating to sales, marketing or the provision of the Services. Such other companies may be acting as our data processors or as independent data controllers.
5.2 Disclosures to other third parties
Company may disclose personal data to external third parties who receive and process personal data as data processors or independent data controllers:
In case of a merger or an acquisition, it might be necessary to give third parties access to data containing some degree of personal information. Such information will only be accessed by parties who have signed an appropriate non-disclosure agreement or parties who are bound by confidentiality obligations by law. As these independent data controllers process personal data for their own purposes, they are responsible for the lawfulness of processing of personal data.
Company may also disclose personal data about customers and stakeholders to other third parties:
- to business partners in order to fulfil the order and invoicing process in cases where you have purchased the Services through a partner. No other data will be shared.
- when a government authority or law enforcement makes a lawful request for personal data or any other data processed by the Company; or
- when they are engaged for the provision of services to us or to assist in the operation of our business and website, such as IT hosting, cloud service providers, administrative services, payment processors, customer satisfaction surveys.
To ensure that your personal data is processed in line with data protection regulations, we always enter into the necessary data processing agreements (DPA) with all companies we engage to process personal data on behalf of us. If a third party that processes personal data uses your personal data for their own purposes, the service provider in question becomes responsible for the lawfulness of the processing. If possible, the Company will strive to ensure that further processing of your personal data is not incompatible with the original purposes which it was collected for.
5.3 Transfers of personal data outside the EEA
Your personal data is processed primarily in the European Economic Area (EEA). We may, however, transfer your personal data outside the EEA if our service provider or partner, who processes personal data, is located fully or partly (e.g., for technical administration) in a third country. Personal data may also be transferred to third countries, where this is required from the service provider under binding non-EU legislation.
To the extent that your personal data is transferred to countries outside the EU/EEA, we will put in place appropriate safeguards to ensure that the personal data are subject to an equivalent level of protection as within the EU/EEA, including by entering into agreements based on the European Commission's standard data protection clauses or other approved transfer mechanisms.
6 Retention of personal data
We will process your personal data only for as long as it is necessary to fulfil the purposes defined in this Notice.
We have defined retention periods for all personal data we have on you. When defining such periods, we have considered various factors such as requirements for the statutory retention, the nature and sensitivity of personal data and the purposes the data is processed for.
Your personal data processed based on a contractual relationship with you, or a company you represent or are otherwise associated with, are stored, as a rule, for the duration of the contractual relationship or as long as the provision of the Services requires. After our relationship or Service provision has ended, we typically store personal data that are necessary to protect our legitimate interests e.g., enabling us to respond to requests or claims under applicable provisions concerning statute of limitations, or we may store your personal data, to the extent necessary, in order to respect your request not to receive direct marketing from us.
If personal data is processed based on legal obligations, it is retained as long as required by law. Obligations concerning the storage of personal data are set, for example, by the Accounting and Anti-Money Laundering laws.
7 Data security
We maintain security measures (including physical, technical, electronic, and administrative measures) that are appropriate to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, we limit access to personal data to those authorized employees and service providers who need to know the information in the course of their work tasks. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Please be aware that, although we endeavour to provide appropriate security measures for personal data, no security system can prevent all potential security breaches. If a security breach occurs, we will inform you in accordance with applicable laws.
8 Your rights as a data subject
When we process your personal data, you have the following rights as a data subject:
- Right of access and information: You can request a copy of all information about you in our registers, information about the purposes of the processing, where we have obtained the information from, disclosures of the information, retention period, and information about your rights as a data subject.
- Right to rectification: If you believe the data we have registered is inaccurate or incomplete, you can request that it be corrected or supplemented.
- Right to erasure: In certain cases, you can request that some information about you be deleted.
- Right to restriction: In certain cases, you can request that we temporarily restrict the way we process your personal data.
- Right to object: You can object to the processing of your data, if our processing of your personal data is based on our legitimate interest.
- Right to data portability: You may request to receive data collected on the basis of consent or for the performance of a contract in a machine-readable and commonly used file format.
- Right to withdraw consent: If our processing of your personal data is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of the processing that has already taken place.
Please note that the rights above are not absolute, and certain rights are subject to exceptions and conditions as set out in applicable data protection laws.
You always have the right to file a complaint with a supervisory authority if you believe your personal data has been processed in violation of applicable data protection laws.
National supervisory authorities are:
- In Finland: Tietosuojavaltuutettu
- In the Netherlands: The Autoriteit Persoonsgegevens
9 Changes to this privacy notice
We will update this Notice as and when required to reflect any changes to our processing of personal data and/or changes to data protection regulations. You are encouraged to revisit this Notice from time to time.
10 Contact details
If you have any questions regarding this Notice, the personal data we process about you, or details of the data controller in your specific situation, please contact us at dpo@finago.com.
Website privacy policy
- Data controller
Business ID: 1598868-0
Hermannin rantatie 8, 00580 Helsinki
+358 40 703 0553
- Contact person regarding the privacy policy
All inquiries regarding this Privacy Policy should be directed to CEO Mikko Soirola +358 40 703 0553, mikko.soirola@finago.com.
- Name of the policy
Privacy policy for Heeros Oyj’s digital assets known now or after, including but not limited to i) www.heeros.com ii) psahelpcenter.heeros.com and helpcenter.heeros.com, and iii) its own social media channels including LinkedIn, Facebook, Instagram, YouTube etc.
- Purpose of and grounds for processing personal data
The processing of personal data is primarily based on the legitimate interest of Heeros Oyj to ensure the functionality and security of our website, and to provide information and services required by data subjects visiting the digital assets listed above. Personal data are also processed in order to develop and customize the website content for parties who are interested in our products and services. We also process personal data to monitor the number of website visitors and to compile statistics concerning the use of the website.
Heeros Oyj uses the collected data for user profiling, such as understanding the most popular pages for our visitors and users, visitors’ interests, and the like, to tailor our marketing activities such as email marketing, sales automation, advertising and remarketing, and customer support. Keeping this information is essential to Heeros Oyj’s operation and marketing activities and helps us to improve our website and services.
Through this website, we also collect contact details from potential clients, including representatives of corporate clients, through forms, which can be filled in, in order to receive further information about our products and services.
In addition, we collect content of chat discussions through our chat service, which is designed to provide customer service and information to website visitors. When you use our chat service, we may process your personal data to manage the chat feature. In addition, we record our conversations to verify events and safeguard the rights of the parties involved. Records can also be used to train our staff and to ensure and improve the quality of our services.
Through this website and its integration with a 3rd party Job Application Management system, we also collect job applicants’ personal data, which are used for making recruitment decisions. Our recruitment privacy policy is available in Finnish at heeros.com/rekrytointiseloste.
- Data content
Certain identification data of the data subject can be stored through our website. These include the following:
Browser and website usage information:
- Technical, Usage and Location Information
- Cookie information
- Content of forms, chat, and email conversations
Technical, Usage and Location Information
We automatically collect information on how our users and visitors interact with Heeros Oyj’s digital assets, such as the IP address, date and time, browser, operating system, device, pages viewed, items hovered or clicked (sometimes called events), and location information.
How cookie information is used
Heeros Oyj uses 3rd party cookies on its digital assets listed above to collect information such as the number of visitors to the site, the most popular pages, visitors’ interests, and the like, to tailor our marketing activities such as email marketing, sales automation, advertising and remarketing, and customer support. Keeping these cookies enabled is essential and helps us to improve our website and services.
Information collected through web contact forms, chat and email conversations
- Contact details. Your name, email address, telephone number, interest in our solutions, and your role in the company you work for.
- Company-related data. This information concerns the company you work for, including the company’s name, business ID, company’s address(es), company’s industry, and size of the company.
- Storage period of personal data
We keep the data we have collected from our data subjects for different periods of time depending on many factors such as what it is, the source of information, how we use it, and how they have been configured by our data subjects:
- Immediate deletion. Some of the data can be deleted whenever our data subjects decide and will be deleted immediately (and gradually in backups). These include content you have created or uploaded to our digital assets, e.g. images or customer data you have added to the system yourself.
- Automatic deletion or anonymization. Some of the data we have collected is deleted or anonymized automatically after a set period of time, such as browser and website usage information, advertising data, analytic data, or cookies. This process is set by 3rd party systems we use and may take up to 18 months.
- Manual opt-out. For business-related purposes we have to keep some data until you opt out manually from our digital assets or send a request to us for such deletion. These include your contact details you have provided when filling in a form on our digital assets, company information, or chat history with our support team.
- Regular sources of data
Visitors: our visitors are the primary source of the personal, company, and technical information we collect, including the registration, contact information, etc. that they provide us through Heeros Oyj’s digital assets or otherwise.
From other sources. We collect personal, company, and technical information from other sources, including but not limited to:
- Referrals, people who recommend other people and their friends to us.
- 3rd Party Platforms, these include advertising platforms, content on third-party sites or platforms, and social networks.
- 3rd party data providers, including information services and data licensors.
From automatic collection. We and our service providers may automatically collect information about our visitors, their devices, their activity on our digital assets, and other sites and online services.
- Regular disclosures of data and categories of recipients
We disclose personal data to the service providers of the analytics tools, our partners and affiliates, and 3rd party marketing agencies whose services we use on our digital assets from time to time. This may occasionally include sending the data to digital platforms like LinkedIn and Google Ads.
In addition, processing of personal data may be outsourced to service providers, partners, affiliates, and 3rd party marketing agencies in accordance with data protection legislation and the limits set therein. We use agreements to ensure that the service providers acting on our behalf process personal data in compliance with our instructions and this privacy policy.
- Transfer of data outside the EU or the EEA
We may transfer our visitors’ and users’ personal, company or technical information to other countries outside the EU or the EEA and make it accessible to our partners, sub-processors, affiliates and third party service providers internationally, from time to time. However, at all times, we will take measures to safeguard the information in accordance with this Privacy Policy wherever it is processed.
- Right of the data subject to object to direct marketing
By using our digital assets, our visitors give their explicit consent to Heeros Oyj to do direct marketing at Heeros Oyj’s sole discretion. However, the data subjects can prohibit direct marketing from the data controller separately for each marketing channel, including in relation to profiling for marketing, sales, or customer support purposes.
- Other rights of the data subject
Right of the data subject to access the data
The data subjects have a right of access to their data in the register. The access request must be made in accordance with the instructions given in this privacy policy. The right of access can be refused on the grounds set out in law. Exercising the right of access is generally free of charge, except if doing so would require a disproportionate effort from our technical staff. The data subjects may access, review, correct, update, change or delete their information at any time. To do so, they must contact us in accordance with section 12 of this privacy policy with their name and the information requested to be accessed, corrected or removed.
We may decline to process requests that are unreasonably repetitive, systematic, would require disproportionate technical effort, conflict with privacy of others, would be extremely impractical, or for which access is not otherwise required.
We may retain data subject’s information as necessary to comply with legal obligations, resolve disputes, or in backup disks.
Right of the data subject to request rectification, erasure or restriction of processing of personal data
If the data subjects become aware of or observe an error in the data, which they cannot rectify on their own, they can request the data controller to rectify the data in accordance with section 12 of this privacy policy. The data subjects may also request the data controller to erase or supplement any data contained in the register that conflicts with the purpose of the register or is incorrect, unnecessary, incomplete or outdated.
The data subjects also have the right to demand that the data controller restricts the processing of their personal data, e.g. while the data subject is waiting for the data controller’s response to a request for the rectification or erasure of the data.
Right of the data subject to object to processing of personal data
The data subjects have the right to object to processing of their personal data by the data controller on grounds related to their particular situation if the processing is based on the data controller’s legitimate interest.
The data subjects can make their objection in accordance with section 12 of this privacy policy. When presenting their request, the data subjects must specify the particular situation based on which they are objecting to processing. The data controller can refuse to comply with the objection on the grounds set out in law.
Right of the data subject to data portability
If the data subjects have provided data for the register themselves and such data are processed based on the data subject’s consent, the data subjects generally have the right to receive the data in a machine-readable format and to transmit them to another data controller.
Right of the data subject to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the competent supervisory authority if the data controller has not complied with the data protection regulations applicable to its operations.
Right to withdraw consent
If personal data are processed based on the data subject’s consent, the data subjects have the right to withdraw their consent by giving a notice to the data controller in accordance with section 12 of this privacy policy.
- Contacts
In case of questions related to the processing of personal data and situations related to the exercise of their rights, the data subjects should contact the data controller. The data subjects can use their rights by sending an email message to Heeros CEO Mikko Soirola at mikko.soirola@finago.com.
- Changes to the policy
Heeros Oyj can make changes to this privacy policy in case of changes to the methods or purposes of the processing of personal data.