Privacy Policy
This is how your information transmitted through visits to our site is processed.
Customer and Investor Register
Data controller
Helmet Capital Oy Ab (1535827-5)
Fredrikinkatu 48 A
00100 Helsinki
sanna.hautala@helmetcapital.fi
Contact person for matters concerning the register
Sanna Hautala
sanna.hautala@helmetcapital.fi
Registry
Customer and investor register
Preparation date
2025-09-03
Legal basis for processing
Legitimate Interest
Purpose of processing personal data
The purpose of the register is to manage investor and customer relationships, to comply with legislation, and for risk management and sustainable investing.
The data may be used to develop our operations, for statistical purposes and to produce more personalized content on our online services. Personal data is processed within the limits permitted and required by the General Data Protection Regulation.
The data is processed solely for the purpose of maintaining customer relations through technical interfaces.
The processing of personal data is primarily based on legitimate interest.
In addition, the processing of personal data is necessary for compliance with legal obligations.
If necessary, personal data may also be processed based on the consent given by the data subject, for example for sending newsletters or marketing emails.
Basis of legitimate interest
The controller’s legitimate interest in processing the personal data collected and used is based in part on the freedom to conduct business. The controller must process personal data in order to perform tasks related to its business. In this context, the processing of personal data cannot necessarily be justified based on a legal obligation or an agreement with the individual.
In the balancing test, the controller has determined that legitimate interest is the most appropriate basis for processing, given the nature and scope of the processing and the rights and freedoms of the data subjects.
The controller has assessed that the activities carried out in accordance with the legitimate interest do not seriously prejudice the rights and freedoms of the individuals concerned (data subjects).
Personal data categories concerned
Personal data of data subjects representing companies
Personal data of data subjects representing private persons
Recipients and recipient groups
The controller’s personnel and outsourcing partners (financial administration and IT systems) where applicable.
Consent
Consent is not used as a basis for processing in customer relationship management.
If processing is based on consent, consent can be withdrawn at any time by contacting the controller or the contact person for the register.
Data content of the register
The personal register contains the following information:
- Basic information about customers and investor partners:
  - First and last name
  - Address and contact details (phone number, email address)
  - Information related to work or representative duties, if applicable (e.g. company, position, role as an investor or partner)
- Contract and customer information:
  - Start and validity dates of the customer or investment relationship
  - Content and terms of contracts and investment arrangements
  - Information on investments made and payment transactions
- Information required by law and regulations (if necessary):
  - Identification and KYC information
  - Possible politically exposed person (PEP) status and risk assessment information
- Communication and conversations:
  - Communication history and customer contact information
  - Event and contact information
  - Video or still image in connection with any online meetings (if necessary).
Regulatory data sources
Information is obtained from registrations made by the customer and from notifications made by the customer during the customer relationship.
Updates to name and contact information are also obtained from companies and authorities that provide update services.
Information may also be obtained from subcontractors involved in the use or production of the service. Information about customers’ other activities in the digital environment may be obtained from partners’ websites, information systems, or other digital sources that are accessed via electronic invitation, cookies, or customer IDs.
The information in the customer register is only used by the organization, except when using an external service provider to produce value-added services or to support credit decisions.
The data will not be disclosed outside the organization or to its partners, except in matters related to credit applications, debt collection, or invoicing, and when required by law. The personal data of registered persons will be destroyed at the user’s request, unless legislation, open invoices, or collection measures prevent the deletion of the data.
Personal data retention period
10 years from the end of the customer relationship.
Regulatory data transfers
The customer register data is only used by the organization, except when using an external service provider to produce value-added services or to support credit decisions.
The data will not be disclosed outside the controller or to its partners, except in matters related to credit applications, debt collection or invoicing, and when required by law.
The personal data of registered persons will be destroyed at the user’s request, unless legislation, open invoices or collection measures prevent the deletion of the data.
Transfer of data outside the EU or EEA
The data in the register is not regularly transferred outside the EU or EEA. However, it is possible that service providers outside the EU/EEA are used in the processing or that the service providers’ cloud services are located outside the EU/EEA, in which case SCC standard clauses will be used as the basis for data transfer, and additional protective measures will be implemented for data transfers, such as internal guidelines (on pseudonymization of personal data and similar) and, if necessary, a TIA analysis.
When an organization processing personal data has committed to the EU-US Data Protection Framework (DPF), it is used as the basis for transfer during its period of validity.
Principles of register protection A: Manual data
Contact details collected during customer meetings and other documents containing manually processed customer data are stored in locked and fireproof storage facilities after initial processing.
Only designated employees who have signed a confidentiality agreement are authorized to process manually stored customer data.
The protection and processing of data in the register is carried out in accordance with the provisions and principles of the Data Protection Act, the regulations of the authorities, and good data processing practices.
Principles of register protection B: Electronic material
Only designated employees of the organization and companies acting on its behalf have the right to use the customer owner and customer register and maintain its data. Each designated user has their own personal user ID and password.
Each user has signed a confidentiality agreement. The system is protected by a firewall against external connections.
The protection and processing of the data in the register complies with the provisions and principles of the Data Protection Act, the regulations of the authorities, and good data processing practices.
Cookies
We use cookies on our website. A cookie is a small text file that is sent to and stored on the user’s computer. Cookies do not harm users’ computers or files. The primary purpose of using cookies is to improve and customize the visitor’s experience on the website and to analyze and improve the functionality and content of the website.
The information collected through cookies can also be used to target communications and marketing and to optimize marketing measures. Visitors cannot be identified solely by cookies. However, information obtained through cookies may be linked to information obtained from the user in other contexts, such as when the user fills out a form on our website.
Cookies are used to collect the following types of information:
- the visitor’s IP address
- the time of the visit
- the pages viewed and the time spent viewing them
- the visitor’s browser
Your rights
Users visiting our website can block the use of cookies at any time by changing their settings in the cookie banner. Some browsers also allow you to disable cookies and delete cookies that have already been stored.
Disabling cookies may affect the functionality of the website.
Automatic processing and profiling
No profiling or automatic processing is applied to the personal data being processed.
Right of inspection, i.e. the right to access personal data
The data subject has the right to check what information about them is stored in the register. A request for inspection must be made by contacting the controller’s contact person. The request for inspection must be sent from a verifiable email address.
The data subject has the right to prohibit the processing and disclosure of their data for direct advertising, distance selling, and direct marketing, as well as for market and opinion surveys, by contacting the controller’s contact person.
The right to transfer data from one system to another
The data subject has the right to transfer their data from one system to another.
The transfer request can be addressed to the controller’s contact person.
The right to demand correction of information
Personal data in the register that is incorrect, unnecessary, incomplete, or outdated for the purpose of processing must be corrected, deleted, or supplemented.
The request for correction must be made from a verifiable email address to the controller’s contact person.
The request must specify what information is to be corrected and on what basis. The correction shall be made without delay.
The person from whom the incorrect information was obtained or to whom the information was disclosed shall be notified of the correction. If the request for correction is denied, the person responsible for the register will provide a written statement explaining the reasons for the denial. The person concerned may refer the denial to the Data Protection Ombudsman for resolution.
Right to restriction
The data subject has the right to request the restriction of data processing, for example, if the personal data in the register is incorrect. Contacts must be made from a verifiable email address to the controller’s contact person.
Right to object
The data subject has the right to request personal data concerning him or her, and the data subject has the right to request the rectification or deletion of personal data. Requests must be made from a verifiable email address to the controller’s contact point.
If you act as a contact person for a company or organization, your data cannot be deleted during this period.
Right to lodge a complaint to a supervisory authority
If you believe that the processing of your personal data violates the General Data Protection Regulation, you have the right to lodge a complaint with a supervisory authority.
You can also lodge a complaint in the Member State where you have your permanent residence or workplace.
The contact details of the national supervisory authority in Finland are:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Switchboard: 029 566 6700
Registry: 029 566 6768
tietosuoja@om.fi
www.tietosuoja.fi
Other rights related to the processing of personal data
The data subject has the right to prohibit the disclosure and processing of their data for direct marketing and other marketing purposes, to request the anonymization of their data where applicable, and to be completely forgotten.
Contact person
Sanna Hautala
M.Sc. (Econ.), Investment Analyst & Compliance Manager
+358 9 6869 2245
sanna.hautala@helmetcapital.fi
