Privacy Notice

Privacy Notice for Customer Personal Data

Last updated: August 2024


This Privacy Notice covers the processing of personal data of Tesseract Group Oy’s (business identity code: 2876803-8) and its subsidiaries’ (together hereinafter referred to as “Tesseract Group”, “we” or “us”) customers and representative’s of customers (“customer”, “you” or “data subject”). Personal data refers to all data that relates to an identifiable individual such as the name, address, e-mail address, telephone number, or identification documents of a data subject.

Safety of the personal data of our customers is a priority to us at Tesseract Group. The processing of personal data shall always be in line with the European Union’s General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the United Kingdom’s Data Protection Act 2018, and other country-specific data protection regulations applicable to Tesseract Group. By means of this privacy notice, we would like to inform you about the nature, scope, and purpose of the personal data we collect, use and process as well as your rights as a data subject.

1. Controller

Depending on the type of Tesseract Group’s service you are using, more than one entity belonging to the Tesseract Group may be involved in the provision of the services. Data may need to be transferred between the entities to conduct business operations, business development and internal administration as well as to fulfil regulatory requirements.

To ensure uniform group-wide data protection, Tesseract Group Oy, as the ultimate parent company, acts as the central point of contact for all data protection related matters within Tesseract Group. Any references to Tesseract Group Oy in this Privacy Notice also refer to its wholly owned subsidiaries (“Group Companies”). By using the services and interacting with Tesseract Group Oy, you understand that your Personal Data may be processed by one or more of those subsidiaries.

Generally, regarding the processing of customer’s personal data each company of Tesseract Group is a controller and/or joint controller in the meaning of Article 4(7) of the GDPR as well as the UK’s Data Protection Act 2018, and therefore responsible for the processing of personal data in connection with the services provided by the specific company.

2. Contact Information

If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact us at:

Tesseract Group Oy
Fredrikinkatu 47
00100 Helsinki
Finland
Email: privacy@tesseractinvestment.com

3. How do we process your personal data?

For what purpose do we process your personal data? What types of data do we process? What is the legal basis* for processing?
Delivering our products and services to our customers as well as developing our products and services Your and your representative’s basic information and contact details such as:
your full name, date of birth, social security number or personal ID number (if available) residential address, nationality, email address, phone number etc.;
representative’s full name, date of birth, social security number or personal ID number (if available), resiential address, nationality, name and business identification number (or equivalent number) of the legal entity represented, position at the legal entity, email address, phone number etc;

Information collected when you use our services such as:
information on which of our services you have used and your transaction and commercial information such as cryptocurrency transaction information (type of cryptocurrency, cryptocurrency wallet address, timestamps currency amounts), information relating to your Tesseract Group account (e.g. information on generated yield, your preferred risk level for generating yield, information on your loans, interest rates and collaterals) and related information for deposits or withdrawals etc;

Information collected from other sources such as:
information collected from your company’s website and/or social media profiles and/or as rating companies and/or publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations etc.
Our legitimate interests, art. 6(1)(f) GDPR; without the necessary information we are not able to provide our service.
Preventing and detecting money laundering, terrorist financing and/or other financial crimes as well as ensuring that our customers are not included in any sanctions lists applicable to our services Basic information and contact details (see details in lists above);

Know your customer information which means:
information needed to identify you and source of your funds and/or wealth as well as verify your identity and source of funds and/or wealth such as number of your identification document, name of your identification document, issuer (country) of your identification document, copy of your identification document, photo of you etc;

proof of your residency; information on source of your funds and/or wealth and proof of source of funds and/or wealth, information on and proof of your occupation, information on the purpose of the account, information on your cryptocurrency addresses and transactions, your financial information etc;

details of the legal entity you are representing such as branch of industry, registration details, extract from the legal entity’s commercial register, financial information regarding the legal entity, extract from the beneficial owner register, information on the beneficial owners and members of the board of directors of the legal entity such as name, date of birth, residential address and nationality of said directors and beneficial owners etc;

information about your, your representative’s or legal entity’s shareholders status as a politically exposed person etc.

Know your customer information collected from other sources such as:
by using services for screening sanctions and politically exposed person (information we receive include for example, sanctions screening result, PEP screening result etc.) and by using blockchain analytics tools (information we receive include for example, your cryptocurrency addresses and transactions) and/or information collected from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations etc.
We may also receive know your customer information from other virtual asset service providers (“VASPs”, meaning the Financial Action Task Force classified any entity that exchanges, holds, safe-keeps, converts or sells virtual assets) with whom Tesseract Group has entered into a partnership agreement for offering its services to or in cooperation with other VASPs (mainly virtual currency exchanges and brokers).
Complying with a legal obligation, art. 6(1)(c) GDPR
Customer service and customer relationship management Basic information and contact details (see details in lists above);

Information collected when you use our services (see details in lists above);

Information regarding the management of the customer relationship such as:
past and current contracts with you, maintaining documentation on customers, information related to events organized by us etc.;

Information collected from our correspondence with you such as:
your name, email address, phone number, detail about your account at Tesseract Group etc.
Our legitimate interests, art. 6(1)(f) GDPR; without this information our ability to offer our service safely and sustainably to our customers would be severely hampered.
Ensuring the security of our services as well as preventing, detecting and investigating abuses and potentially unlawful activities or any activity that violates or may violate our Terms of Service Basic information and contact details (see details in lists above);

Information collected when you use our services (see details in lists above);

Information collected from other sources (see details in lists above);

Information regarding the management of the customer relationship (see details in lists above);

Information collected from our correspondence with you (see details in lists above).
Our legitimate interests, art. 6(1)(f) GDPR; without this information our ability to offer our service safely and sustainably to our customers as well as our ability to monitor compliance with our Terms of Service would be severely hampered.
Processing and storage of personal data for accounting purposes and in order to comply with other legal obligations Any personal data contained in our accounting material (e.g. your name, transaction details) Complying with a legal obligation, art. 6(1)(c) GDPR
*The legal basis for processing affects what kind of rights you have as a data subject, as certain rights are only applicable to processing based on certain legal bases. For additional information, see section 8 below.

4. From where do we receive your personal data?

We receive personal data from:

  • you when we offer our services directly to our customers and onboard new customers,
  • external sources as defined and listed in section 3 above (see “information collected from other sources” and “know your customer information collected from other sources”) which also includes other VASPs with whom Tesseract Group has entered into a partnership agreement for offering its services (mainly virtual currency exchanges or brokers),
  • our Group Companies.

5. To whom do we disclose personal data, and do we transfer data outside the EU or the EEA?

In order to carry out processing described in this Privacy Notice and to help us run our service, we use subcontractors that process personal data on our behalf. We ensure that our subcontractors ensure the security and integrity of the personal data by using non-disclosure and data processing agreements as well as strict information security requirements.

We may disclose your personal data to the following types of subcontractors (please note that even though we strive to keep the list of subcontractor categories up-to-date, that may not always be the case):

  • our accountants and auditors;
  • third-party e-mail service that we use for customer communication;
  • third-party on-demand cloud computing and cloud storage service;
  • third-party service for sales and customer relationship management;
  • we may use a third-party ID service providers to verify the identity of our customers as required by applicable law (these companies verify the identity based on formal identification proof, such as a passport);
  • we may use a third-party service for online form building and online surveys;
  • we also use a third-party messaging app for our internal communications as well as third-party cloud service for preparing, managing and archiving documents where we may occasionally also process personal data of our customers;
  • in certain very limited cases, we may also disclose your personal data to banks, payment service providers and crypto custodians.

The list and categorization above are illustrative and non-exhaustive. The extend to which your personal data is disclosed to the above-listed categories of subcontractors varies depending on the type of Tesseract Group service that you are a customer of. The personal data shared is also limited to what is necessary in relation to the purposes for which it is processed.
In addition to the above-listed subcontractor categories, we may need to disclose your personal data also to:

  • authorities (such as courts or law enforcement authorities) or other third parties in order to detect and investigate unlawful activities or to respond to legal proceedings or a lawful data request or when we are otherwise obligated to do so under applicable legislation;
  • external financial or legal advisors, in which case we will take care of confidentiality obligations as required.

We may transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the recipient of personal data outside the EU/EEA has committed to use the EU Commission’s standard contractual clauses or that another lawful ground for data transfer exists.

6. How do we protect the data and how long do we store them?

We commit to ensuring that we and our subcontractors process personal data in a manner that ensures its security, integrity and confidentiality.

Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the systems containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. For the most critical data, we will log the activity of those employees (whose number is limited due to security reasons) who have access to the data. The databases and their backup copies are physically stored at locked premises and can only be accessed by certain pre-designated persons. The persons processing data are bound by professional secrecy.

We store the personal data of our existing customers for the duration of our business relationship and for 5 years after the end of the business relationship. Certain information may be stored for longer periods in accordance with statutory requirements or for purposes of legal claims. In addition, we take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing. We correct or erase such data without delay.

7. What are your rights as a data subject?

You always have the right to:

  • access the personal data stored by us concerning yourself,
  • demand rectification of inaccurate or outdated data (in some cases, you can update your information yourself), and
  • lodge a complaint with the supervisory authority.

Additionally, subject to certain conditions (left column), you may have the following rights:

You have contested the accuracy of personal data, or if any other of the conditions listed in art. 18 GDPR are metYou have the right to have the processing of your personal data restricted e.g. while your requests related to your personal data are investigated and resolved.
When the processing is based on our legitimate interest in accordance with art. 6(1)(f) GDPRYou have the right to object to processing of your personal data on grounds relating to your particular situation.

How to use your rights:

All contacts and requests concerning the rights mentioned above should be made in writing to the contact person mentioned in the section 2 of this Privacy Notice. Your request should include your name and contact details. Please note that when submitting a request concerning your rights, we may ask you to provide additional information in order to verify your identity – this information is not used for any other purposes and is deleted after identification. 

We may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject makes the request electronically and has not requested another form of delivery, the information will be delivered in a commonly used electronic format, provided that the information can be delivered in a secure manner.

We will answer your contacts and requests related to your rights as a data subject within one month. We may extend the period by a further two months where requests are complex or numerous. If this is the case, we will inform you about this within one month of the receipt of the request and explain why the extension is necessary. 

8. Updates to this Privacy Notice

If we change this Privacy Notice and those changes are significant, we will inform you about them via email and / or in other proper ways such as informing about the changes on our website. The current version of the policy is always found on our website.

9. Who can you be in contact with?

All contacts and requests concerning this Privacy Notice shall be submitted in writing as defined above in section 2 of this Privacy Notice.