GDPR

PRIVACY POLICY AND TERMS OF USE

1. Data Controller

Company: FSG Financial Services Group Oy

Business ID: 3476445-5

Address: Helsinki, Finland

Email: info@trustyfinance.fi

Phone: +358 40 042 9736

2. Contact Person for Data Protection Matters

Name: Alexander Laroma

Data Protection Officer (DPO)

Email: alexander.laroma@trustyfinance.fi

Phone: +358 40 042 9736

3. Register Names

  • FSG Financial Services Group Oy Customer Register
  • FSG Financial Services Group Oy Marketing and Communication Register
  • FSG Financial Services Group Oy Website User Register
  • FSG Financial Services Group Oy Partner and Contract Register
  • FSG Financial Services Group Oy Job Applicant Register
  • FSG Financial Services Group Oy Customer Service Register

4. Processing Purposes by Registry

Customer Register

  • Providing and intermediating financial services
  • Processing loan application processes
  • Creditworthiness assessment
  • Concluding and executing contracts
  • Processing payments and invoicing
  • Customer relationship management
  • Fulfilling statutory obligations

Marketing and Communication Register

  • Direct marketing (based on consent)
  • Sending newsletters
  • Customer communication and information
  • Service development
  • Customer satisfaction surveys
  • Targeting marketing campaigns

Website User Register

  • Ensuring website functionality
  • Improving user experience
  • Collecting visitor statistics
  • Analytics and reporting
  • Cookie management
  • Technical maintenance and security

Partner and Contract Register

  • Managing cooperation agreements
  • Maintaining partner network
  • Calculating and paying commissions
  • Developing cooperation
  • Quality control
  • Fulfilling statutory obligations

Job Applicant Register

  • Managing recruitment process
  • Processing job applications
  • Organizing interviews
  • Assessing suitability
  • Contacting applicants
  • Statistics and reporting

Customer Service Register

  • Providing customer service
  • Responding to contacts
  • Processing feedback
  • Handling complaints
  • Improving service quality
  • Training and development

5. Legal Bases for Processing Personal Data

Personal data is processed based on the following GDPR legal bases:

Contract (GDPR 6(1)(b))

Processing is necessary for the performance of a contract or for taking steps prior to entering into a contract.

Legal obligation (GDPR 6(1)(c))

Processing is necessary to comply with the controller's legal obligations, such as the Accounting Act, Anti-Money Laundering Act, and Credit Institutions Act.

Legitimate interest (GDPR 6(1)(f))

Processing is necessary for the legitimate interests of the controller or a third party, such as customer relationship management, fraud prevention, and conducting business operations.

Consent (GDPR 6(1)(a))

The data subject's explicit consent to process their personal data, particularly for marketing purposes. Consent can be withdrawn at any time.

6. Data Content by Registry

Customer Register

Basic Information

  • Name
  • Personal identity code
  • Date of birth
  • Nationality

Contact Information

  • Address
  • Phone number
  • Email address

Financial Information

  • Income information
  • Asset information
  • Debt information
  • Credit information
  • Payment behavior

Company Information

  • Company name and business ID
  • Position in company
  • Shareholding information

Contract History

  • Previous contracts
  • Service history
  • Loan decisions

Marketing and Communication Register

Basic Information

  • Name
  • Contact information

Consents

  • Marketing consents
  • Consent date
  • Consent withdrawals

Communication History

  • Sent messages
  • Open rates
  • Clicks
  • Interests

Website User Register

Technical Data

  • IP address
  • Cookies
  • Browser information
  • Device identifier
  • Operating system

Usage Data

  • Visited pages
  • Visit time
  • Clicks
  • Form submissions

Partner and Contract Register

Contact Person Information

  • Name
  • Position
  • Contact information

Contract Information

  • Contracts
  • Commissions
  • Billing information

Job Applicant Register

Basic Information

  • Name
  • Date of birth
  • Contact information

Application Information

  • CV
  • Cover letter
  • Certificates
  • References

Recruitment Process

  • Interview notes
  • Assessments
  • Tests

Customer Service Register

Contact Information

  • Name
  • Contact details
  • Customer number

Contact

  • Message content
  • Timestamp
  • Handler
  • Resolution

7. Regular Sources of Information by Registry

Customer Register

  • Information provided by the customer
  • Public registers (Trade Register, Population Information System)
  • Credit information registers
  • Financing partners
  • Website forms

Marketing and Communication Register

  • Information provided by the data subject
  • Subscription forms
  • Consent forms
  • Events and fairs

Website User Register

  • Cookies
  • Analytics tools (Google Analytics)
  • Server logs
  • Form submissions

Partner and Contract Register

  • Cooperation partners
  • Contracts
  • Business registers

Job Applicant Register

  • Information submitted by job applicant
  • Recruitment services
  • LinkedIn and other professional networks

Customer Service Register

  • Contact forms
  • Emails
  • Phone calls
  • Chat conversations

8. Regular Disclosure and Transfer of Personal Data

Personal data may be disclosed or transferred to the following parties:

Financial institutions and banks

Processing financial applications and making loan decisions

IT service providers

Cloud services, databases, email services (e.g., AWS, Microsoft Azure, Supabase)

Payment processing services

Payment processing and invoicing

Marketing and analytics services

Google Analytics, Meta Pixel, marketing automation

Credit information companies

Credit information verification (Suomen Asiakastieto, Bisnode)

Authorities

Fulfilling statutory obligations (e.g., Financial Supervisory Authority, police, tax authorities)

Auditors and lawyers

Audits and statutory obligations

8.5. Sharing Personal Identity Number (HETU) with Financing Partners

Trusty Finance shares the customer's personal identity number (HETU) with financing partners only with the customer's explicit consent. This section describes the process for sharing HETU data and data protection measures.

Consent Process

HETU data is shared with financing partners only if the customer has given explicit consent. Consent must be: explicit (separate consent form), informed (customer understands what data is shared and why), voluntary (customer can refuse without affecting other services), and revocable (customer can withdraw consent at any time).

Secure Link

HETU data is shared through a secure, time-limited link. The link contains a unique token (64-character random number), time limit (usually 7-30 days), download limit (usually 1-10 views), and optional IP restrictions. The link is practically impossible to guess (2^256 possibilities).

Data Encryption

HETU data is encrypted using AES-256-GCM encryption before sharing. Encryption uses a 256-bit key, random initialization vector (IV) for each encryption, and authentication tag to ensure data integrity. The encryption key is stored securely in environment variables and never in the database.

Access Control

Access to HETU data is restricted in the following ways: time limit (link expires after specified time), view limit (link can be used only a limited number of times), single-use (HETU data can be viewed only once, if set), and IP restrictions (optional). All access is logged in audit logs with IP addresses, timestamps, and user information.

Data Retention and Deletion

HETU data is automatically deleted after expiration. Data can be manually deleted upon customer request. Audit logs are retained in accordance with data protection law. The customer can request deletion of their HETU data at any time.

Legal Basis

Sharing HETU data is based on customer consent (GDPR art. 6(1)(a)). The customer can withdraw consent at any time, which will prevent new access.

Partner Obligations

Financing partners are obligated to use HETU data only for processing funding applications, comply with GDPR requirements, delete HETU data after processing, and immediately report any data breaches.

For more information about sharing HETU data, contact the Data Protection Officer: alexander.laroma@trustyfinance.fi

9. Data Retention Periods by Registry

Personal data is retained only as long as necessary to fulfill the purpose of processing or as required by law.

Customer Register

  • Customer data: duration of the customer relationship + 10 years after contract termination (basis: Accounting Act, statute of limitations)
  • Loan applications: 6-10 years from application submission (basis: statutory requirements, dispute resolution)

Marketing and Communication Register

  • Marketing data: as long as consent remains valid or until an objection is made (basis: consent, legitimate interest)

Website User Register

  • Cookies: 6-24 months (according to the cookie policy)
  • Analytics data: 14 months (according to Google Analytics settings)
  • Anonymous onboarding user accounts: 7 days (purpose: providing the ability to try the service without registration). Temporary accounts and associated data (company information, analysis results) are automatically deleted after 7 days unless the user registers as a permanent user.

Partner and Contract Register

  • Contract data: duration of the contract + 10 years (basis: Accounting Act, statute of limitations)

Job Applicant Register

  • Job applicant data: 2 years from application submission or until consent is withdrawn (purpose: possible future recruitments)

Customer Service Register

  • Contacts: 3 years from the last contact (purpose: customer relationship management, quality control)

10. Data Security and Protection Measures

Personal data is protected with appropriate technical and organizational measures against unauthorized access, alteration, disclosure, and destruction.

  • SSL/TLS encrypted data transmission (HTTPS)
  • Database encryption at rest and in transit
  • Firewalls and intrusion prevention systems
  • Regular security audits
  • Access control and restricted access rights (Role-Based Access Control)
  • Two-factor authentication in systems (2FA)
  • Backups (regular backup strategy)
  • Staff data protection training (annually)
  • Data breach preparedness (incident response plan)
  • Contracts with subcontractors (Data Processing Agreements)
  • Regular data protection audits
  • Log data monitoring and analysis
  • Data pseudonymization and anonymization
  • Data security policies and practices

A data breach will be reported to the data subject and supervisory authority within 72 hours if it poses a risk to the rights and freedoms of the data subject (GDPR Articles 33 and 34).

11. Rights of the Data Subject

The data subject has the following GDPR rights:

Right of access (GDPR 15)

Right to obtain information about whether personal data is being processed and to access that data. Right to receive a copy of personal data being processed.

Right to rectification (GDPR 16)

Right to request correction or completion of inaccurate or incomplete data without undue delay.

Right to erasure (GDPR 17)

Right to request deletion of personal data ('right to be forgotten') if there is no justified reason for processing or if consent has been withdrawn.

Right to restriction of processing (GDPR 18)

Right to request restriction of personal data processing in certain situations, e.g., when disputing the accuracy of data.

Right to object (GDPR 21)

Right to object to processing of personal data based on legitimate interest or public interest. There is always a right to object to direct marketing.

Right to data portability (GDPR 20)

Right to receive personal data in a structured, commonly used, and machine-readable format and transfer data to another controller.

Right to withdraw consent

If processing is based on consent, the data subject has the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint with supervisory authority (GDPR 77)

Right to lodge a complaint with the Data Protection Ombudsman if the data subject believes that processing of their personal data violates GDPR.

Right not to be subject to automated decision-making (GDPR 22)

Right not to be subject to a decision based solely on automated processing that has legal effects.

12. Cookies and Tracking Technologies

Our website uses cookies to improve user experience, analyze traffic, and enable marketing.

A cookie is a small text file sent to the user's browser, usually containing an anonymous identifier. A cookie does not harm the device.

Essential cookies

Required to enable basic website functions such as session management, login, and security. These cookies do not require consent.

Preference cookies

Store user choices such as language settings, theme (dark/light), and other UI customizations.

Analytical cookies

Used to track website usage (e.g., Google Analytics, Matomo). We collect anonymized data on visitor numbers, usage time, and most popular pages. Consent required.

Marketing cookies

Used for targeted advertising and measuring advertising effectiveness (e.g., Meta Pixel, Google Ads). Consent required.

13. Profiling and Automated Decision-Making

We use partially automated decision-making in creditworthiness assessment and loan application processing.

14. Children's Personal Data

Our services are intended for adults (persons aged 18 and over). We do not knowingly collect personal data from persons under 18 without parental consent.

15. Changes to Privacy Policy

We reserve the right to update this privacy policy as necessary to reflect changes in legislation or our operations.

16. Contact Information

If you have questions about data protection or wish to exercise your rights, please contact:

Contact details

Data Protection Officer: Alexander Laroma

FSG Financial Services Group Oy, Helsinki, Finland

Email: alexander.laroma@trustyfinance.fi / info@trustyfinance.fi

Phone: +358 40 042 9736

We respond to data protection requests as a rule within one month of receiving the request. In complex cases, we may extend the deadline by two months.

Supervisory Authority in Finland:

Office of the Data Protection Ombudsman

Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki

Postal address: P.O. Box 800, 00521 Helsinki

Email: tietosuoja@om.fi

Phone: Switchboard: 029 566 6700

Website: www.tietosuoja.fi

17. Applicable Law and Dispute Resolution

This privacy policy and the processing of personal data are governed by Finnish law.

Possible disputes shall primarily be resolved through negotiation. If agreement cannot be reached, disputes shall be resolved in the District Court of Helsinki.

The data subject's rights are determined in accordance with the EU General Data Protection Regulation (GDPR).