Last updated: October 2022
This Privacy Notice covers the processing of personal data of Tesseract Group Oy’s (business identity code: 2876803-8) and its subsidiaries’ (together hereinafter referred to as “Tesseract Group”, “we” or “us”) customers and representatives of customers (“customer”, “you” or “data subject”). Personal data refers to all data that relates to an identifiable individual such as the name, address, e-mail address, telephone number, or identification documents of a data subject.
Safety of the personal data of our customers is a priority to us at Tesseract Group. The processing of personal data shall always be in line with the European Union’s General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the United Kingdom’s Data Protection Act 2018, and other country-specific data protection regulations applicable to Tesseract Group. By means of this privacy notice, we would like to inform you about the nature, scope, and purpose of the personal data we collect, use and process as well as your rights as a data subject.
Depending on the type of Tesseract Group’s service you are using, more than one entity belonging to the Tesseract Group may be involved in the provision of the services. Data may need to be transferred between the entities to conduct business operations, business development and internal administration as well as to fulfil regulatory requirements.
To ensure uniform group-wide data protection, Tesseract Group Oy, as the ultimate parent company, acts as the central point of contact for all data protection related matters within Tesseract Group. Any references to Tesseract Group Oy in this Privacy Notice also refer to its wholly owned subsidiaries (“Group Companies”). By using the services and interacting with Tesseract Group Oy, you understand that your Personal Data may be processed by one or more of those subsidiaries.
Generally, regarding the processing of customers’ personal data, each company of Tesseract Group is a controller and/or joint controller within the meaning of Article 4(7) of the GDPR as well as the UK’s Data Protection Act 2018, and is therefore responsible for the processing of personal data in connection with the services provided by the specific company.
If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact us at:
Tesseract Group Oy
Porkkalankatu 22 A
|For what purpose do we process your personal data?||What types of data do we process?||What is the legal basis* for processing?|
|Delivering our products and services to our customers as well as developing our products and services||Your and your representative’s basic information and contact details such as:
your full name, date of birth, social security number or personal ID number (if available), residential address, nationality, email address, phone number etc.;
representative’s full name, date of birth, social security number or personal ID number (if available), residential address, nationality, name and business identification number (or equivalent number) of the legal entity represented, position at the legal entity, email address, phone number etc.;
Information collected when you use our services such as:
information on which of our services you have used and your transaction and commercial information such as cryptocurrency transaction information (type of cryptocurrency, cryptocurrency wallet address, timestamps, currency amounts), information relating to your Tesseract Group account (e.g. information on generated yield, your preferred risk level for generating yield, information on your loans, interest rates and collaterals) and related information for deposits or withdrawals etc.;
Information collected from other sources such as:
information collected from your company’s website and/or social media profiles and/or rating companies and/or publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations etc.
|Our legitimate interests, art. 6(1)(f) GDPR; without the necessary information we are not able to provide our service.|
|Preventing and detecting money laundering, terrorist financing and/or other financial crimes as well as ensuring that our customers are not included in any sanctions lists applicable to our services||Basic information and contact details
(see details in lists
Know your customer information which means:
information needed to identify you and source of your funds and/or wealth as well as verify your identity and source of funds and/or wealth such as number of your identification document, name of your identification document, issuer (country) of your identification document, copy of your identification document, photo of you etc;
proof of your residency; information on source of your funds and/or wealth and proof of source of funds and/or wealth, information on and proof of your occupation, information on the purpose of the account, information on your cryptocurrency addresses and transactions, your financial information etc;
details of the legal entity you are representing such as branch of industry, registration details, extract from the legal entity’s commercial register, financial information regarding the legal entity, extract from the beneficial owner register, information on the beneficial owners and members of the board of directors of the legal entity such as name, date of birth, residential address and nationality of said directors and beneficial owners etc;
information about your, your representative’s or the legal entity’s shareholders’ status as a politically exposed person etc.
Know your customer information collected from other sources such as:
by using services for screening sanctions and politically exposed persons (the information we receive includes, for example, sanctions screening results, PEP screening results etc.) and by using blockchain analytics tools (the information we receive includes, for example, your cryptocurrency addresses and transactions) and/or information collected from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations etc.
We may also receive know your customer information from other virtual asset service providers (“VASPs”, the Financial Action Task Force’s classification for any entity that exchanges, holds, safe-keeps, converts or sells virtual assets) with whom Tesseract Group has entered into a partnership agreement for offering its services to or in cooperation with other VASPs (mainly virtual currency exchanges and brokers).
|Complying with a legal obligation, art. 6(1)(c) GDPR|
|Customer service and customer relationship management||Basic information and contact details
(see details in lists
Information collected when you use our services (see details in lists above);
Information regarding the management of the customer relationship such as:
past and current contracts with you, maintaining documentation on customers, information related to events organized by us etc.;
Information collected from our correspondence with you such as:
your name, email address, phone number, details about your account at Tesseract Group etc.
|Our legitimate interests, art. 6(1)(f) GDPR; without this information our ability to offer our service safely and sustainably to our customers would be severely hampered.|
|Ensuring the security of our services as well as preventing, detecting and investigating abuses and potentially unlawful activities or any activity that violates or may violate our Terms of Service||Basic information and contact details
(see details in lists
Information collected when you use our services (see details in lists above);
Information collected from other sources (see details in lists above);
Information regarding the management of the customer relationship (see details in lists above);
Information collected from our correspondence with you (see details in lists above).
|Our legitimate interests, art. 6(1)(f) GDPR; without this information our ability to offer our service safely and sustainably to our customers as well as our ability to monitor compliance with our Terms of Service would be severely hampered.|
|Processing and storage of personal data for accounting purposes and in order to comply with other legal obligations||Any personal data contained in our accounting material (e.g. your name, transaction details)||Complying with a legal obligation, art. 6(1)(c) GDPR|
If we offer you a service that involves making a decision on whether to grant you credit in virtual currencies or rejecting your virtual currency credit application, the processing of personal data may also include profiling. Profiling only concerns our legal entity customers and their representatives and directors.
In general, profiling means gathering information about a data subject or a group of data subjects and evaluating their characteristics or behavior for the purpose of placing them in a certain category or group. The profiling we perform is essential for providing our services regarding virtual currency loans. It is conducted in order to assess your creditworthiness and to conclude a credit decision and contract with you.
Information describing your solvency can be used to support automatic decision-making, such as information about the applied credit, information provided by you as a credit applicant during the credit application process, information obtained from the survey systems of Suomen Asiakastieto Oy and the Digital and Population Data Services Agency, as well as Group Companies’ internal payment history and credit information, as well as other information needed for conducting the assessment of accepting/rejecting credit application.
The consequences of automatic processing and profiling for the data subject are the automatic approval or rejection of the applied virtual currency credit. OR: Information we receive from profiling has a substantial impact on our decision to grant you / not to grant you a virtual currency credit but the loan application is always processed and the decision made by a natural person. As a result of profiling, the terms of the loan contract can also be defined, such as the interest rate on the loan. A negative credit decision can be the consequence of, for example, insufficient ability to pay, a credit default entry, the amount of credit liabilities, or neglecting to repay a previously granted loan.
We receive personal data from:
Personal data may be disclosed to our Group Companies for the purposes described in this Privacy Notice and in order to enable group-wide reporting and use of centralized data systems.
In order to carry out processing described in this Privacy Notice and to help us run our service, we use subcontractors that process personal data on our behalf. We ensure that our subcontractors ensure the security and integrity of the personal data by using non-disclosure and data processing agreements as well as strict information security requirements.
We may disclose your personal data to the following types of subcontractors (please note that even though we strive to keep the list of subcontractor categories up-to-date, that may not always be the case):
The list and categorization above are illustrative and non-exhaustive. The extent to which your personal data is disclosed to the above-listed categories of subcontractors varies depending on the type of Tesseract Group service that you are a customer of. The personal data shared is also limited to what is necessary in relation to the purposes for which it is processed.
In addition to the above-listed subcontractor categories, we may need to disclose your personal data also to:
We may transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the recipient of personal data outside the EU/EEA has committed to use the EU Commission’s standard contractual clauses or that another lawful ground for data transfer exists.
We commit to ensuring that we and our subcontractors process personal data in a manner that ensures its security, integrity and confidentiality.
Only those of our employees who are entitled to process customer data as part of their work are entitled to use the systems containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. For the most critical data, we will log the activity of those employees (whose number is limited due to security reasons) who have access to the data. The databases and their backup copies are physically stored at locked premises and can only be accessed by certain pre-designated persons. The persons processing data are bound by professional secrecy.
We store the personal data of our existing customers for the duration of our business relationship and for 5 years after the end of the business relationship. Certain information may be stored for longer periods in accordance with statutory requirements or for purposes of legal claims. In addition, we take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing. We correct or erase such data without delay.
You always have the right to:
Additionally, subject to certain conditions (left column), you may have the following rights:
|You have contested the accuracy of personal data, or if any other of the conditions listed in art. 18 GDPR are met||You have the right to have the processing of your personal data restricted e.g. while your requests related to your personal data are investigated and resolved.|
|When the processing is based on our legitimate interest in accordance with art. 6(1)(f) GDPR||You have the right to object to processing of your personal data on grounds relating to your particular situation.|
All contacts and requests concerning the rights mentioned above should be made in writing to the contact person mentioned in section 2 of this Privacy Notice. Your request should include your name and contact details. Please note that when submitting a request concerning your rights, we may ask you to provide additional information in order to verify your identity – this information is not used for any other purposes and is deleted after identification.
We may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject makes the request electronically and has not requested another form of delivery, the information will be delivered in a commonly used electronic format, provided that the information can be delivered in a secure manner.
We will answer your contacts and requests related to your rights as a data subject within one month. We may extend the period by a further two months where requests are complex or numerous. If this is the case, we will inform you about this within one month of the receipt of the request and explain why the extension is necessary.
If we change this Privacy Notice and those changes are significant, we will inform you about them via email and/or in other proper ways such as informing about the changes on our website. The current version of the policy can always be found on our website.
All contacts and requests concerning this Privacy Notice shall be submitted in writing as defined above in section 2 of this Privacy Notice.