PRIVACY POLICY

Fundis Application Oy

  1. GENERAL

This privacy policy describes how Fundis Application Oy (“Fundis” or “controller”) processes personal data. The privacy policy applies to our portal, websites, marketing, customer relationship management, as well as the processing of personal data related to the products and services we offer. Users of the Fundis application are subject to their own privacy policy.

We comply with applicable data protection legislation in all processing of personal data. Data protection legislation refers to the current data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Terms related to data protection that are not defined in this privacy policy shall be interpreted in accordance with data protection legislation.

Our services and website may contain links to external websites and services operated by other organizations. This privacy policy does not apply to their use, so we encourage you to review their privacy policies separately.

“Personal data” refers to all information concerning natural persons (“data subject”), by which a person can be directly or indirectly identified, as defined more precisely in the data protection regulation.

 

  2. CONTROLLER AND DATA PROTECTION OFFICER

Controller: Fundis Application Oy

Business ID: 3193666-1

Address: Maria 01, Lapinlahdenkatu 16, 00180, HELSINKI

Email address: partners@fundis.fi

 

Contact details of the Data Protection Officer:

partners@fundis.fi

 

  3. PROCESSING PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

The purposes (and legal bases in parentheses) for processing personal data are:

  • Delivery of products and services and making customer agreements (contractual relationship or its preparation)
  • Customer service and communication, including customer satisfaction surveys (legitimate interest)
  • Invoicing (contractual relationship or its preparation)
  • Marketing, including market research, other marketing promotion and analysis, as well as producing statistics and measuring marketing effectiveness (legitimate interest)
  • Direct marketing, including electronic direct marketing and telemarketing, as well as planning advertising and marketing and measuring their effectiveness, and combining and updating personal data for direct marketing purposes (legitimate interest, consent)
  • Development of products and services (legitimate interest)
  • Managing stakeholder relations and cooperation with subcontractors and service providers (legitimate interest, contractual relationship or its preparation)
  • Improving user experience on our website and other services, and tracking user traffic (consent)
  • Internal reporting and other administrative measures (compliance with legal obligations)
  • Handling warranty matters, processing complaints, and managing legal and administrative proceedings (legitimate interest, compliance with legal obligations)
  • Prevention and investigation of misconduct, as well as ensuring the security of information, individuals, and property (legitimate interest)
  • Fulfillment of other legal obligations (e.g., actions related to accounting and taxation) and reporting obligations (compliance with legal obligations)

When processing personal data based on legitimate interest, we assess the benefits and potential risks to the data subject and have evaluated that the rights and interests of the data subjects do not override the legitimate interest. Upon request, we provide additional information regarding the processing of personal data based on legitimate interest.

  4. PROCESSING PERSONAL DATA AND SOURCES OF INFORMATION

 

Data group: examples of data content

  • Identification and contact information (merchant): company name*, marketing name, business ID*, email address*, company address*, contact person’s name* and position in the company, as well as phone number*.
  • Identification and contact information (beneficiary): name*, business ID, email address*, address*, and phone number*, as well as contact person’s name*, email address*, and phone number*.
  • Information regarding products and services, orders, and customer communication: information about ordered products and services*, as well as information related to agreements*, customer communication, and complaints*, and information about amounts to be invoiced*.
  • Information related to marketing (including direct marketing) and events, as well as consents and prohibitions provided by the data subject: contact information for marketing purposes, as well as information collected in connection with events and gatherings; consents and prohibitions regarding direct marketing.
  • Information concerning the use of websites and other electronic services: IP address, electronic communication identification data, search and browsing history, browser and operating system information, as well as registration data.

*The marked information is necessary.

We collect personal data directly from the data subject, for example, in connection with transactions, or when the data subject purchases or orders our products or services either themselves or on behalf of the organization they represent, or in connection with registration when the data subject visits our website or other electronic services, subscribes to our newsletter, responds to customer satisfaction surveys, or otherwise contacts us.

We also receive personal data from other external sources, such as private registry services and registries maintained by authorities.

  5. RETENTION OF PERSONAL DATA

We retain personal data for as long as necessary to fulfill the purposes defined in the privacy policy and always for the period required by law.

  • Registration information for the service: duration of the customer relationship + two (2) years

The customer relationship is considered terminated, and the customer account is automatically deleted unless the customer logs into their account at least every two years. When the customer account is closed, all associated data will be deleted or anonymized.

  • Login log data for the service: six months
  • Service and business execution: current year + five years
  • Customer service and communication: current year + three years
  • Development of services and products (including profiling): current year + five years
  • Information related to accounting obligations: current year + six years
  • Marketing and profiling data: current year + five years
  • Sending electronic direct marketing: validity of consent and one year after withdrawal of consent
  • Identification, prevention, and investigation of misuse suspicions: current year + five years

Upon request, we provide additional information about the retention practices of personal data.

  6. RECIPIENTS OF PERSONAL DATA

Various service providers and other third parties, such as providers of technical solutions or server space, or accounting and financial management service providers, may be used in the processing of personal data. We ensure that the parties we use in the processing of personal data comply with the contractual requirements of data protection legislation.

 

Personal data may be disclosed to third parties in situations required by legislation or authorities, or for the investigation of misuse, as well as to ensure security. Additionally, personal data may need to be disclosed in connection with legal proceedings or similar legal procedures.

 

If the data controller is involved in a merger, business acquisition, or other corporate transaction, personal data may be disclosed to the parties involved in the transaction or to parties assisting in the transaction.

 

Upon request, we provide additional information about the recipients of personal data.

  7. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

When data is transferred outside the European Union or the European Economic Area, the company will ensure an adequate level of protection of personal data, including by agreeing on the issues related to the processing of personal data as required by data protection law, such as using standard contractual clauses adopted by the European Commission or on the basis of a European Commission adequacy decision. Data may be transferred to the following recipients:

  • Stripe Payments Europe, Limited (“SPEL”) (https://stripe.com/en-fi/privacy)

Upon request, we will provide further information on the transfers of personal data and the safeguards used.

  8. AUTOMATED DECISION-MAKING AND PROFILING

We do not use automated decision-making.

Profiling is aimed at enhancing the experiences of our registrants with our products and services and improving our operations. This allows us to provide more personalized service and predict the desires of our customers for our services.

Information collected through profiling is also used for the development of our business, sales analysis, and management of products and services.

Various calculation models are used in creating profiles, which may be based on either simple rules or more complex calculation models. Calculation models are based, for example, on the location of the merchant’s place of business, purchase amounts, and beneficiary information. Data may also be collected through surveys and statistics. With the collected data, we aim to optimize the benefits received by beneficiaries and merchant customers from our services.

  9. PROTECTION OF PERSONAL DATA

Data security and the protection of personal information are of paramount importance to us. We employ appropriate technical and organizational measures to safeguard personal data. We also ensure the fault tolerance of our systems and the possibility of data recovery. Access to personal data is restricted to authorized parties only. Those handling personal data are bound by confidentiality obligations regarding the processing of personal data.

  10. RIGHTS OF THE DATA SUBJECTS

Data subjects have rights over their personal data according to data protection legislation. However, the application of these rights in each individual situation depends on the purpose and circumstances of the use of personal data.

  • Right to access personal data. Data subjects have the right to obtain confirmation of whether their personal data is being processed and other information required by data protection legislation regarding the processing of personal data. Data subjects have the right to obtain a copy of their personal data.
  • Right to rectification of personal data. Data subjects have the right, subject to certain limitations, to request the correction or deletion of inaccurate or incomplete information.
  • Right to erasure of personal data. Data subjects have the right, in accordance with the requirements of data protection legislation, to request the erasure of their personal data. Upon request, we will delete personal data unless legislation or another applicable exception under data protection legislation requires us to retain personal data.
  • Right to restriction of processing. Data subjects have the right, in accordance with the requirements of data protection legislation, to request the restriction of processing of personal data in certain situations.
  • Right to data portability. Data subjects have the right to request the transfer of their personal data to another data controller. The right to portability generally applies to personal data provided by the data subject to the data controller in a structured, commonly used, and machine-readable format, and processed based on the data subject’s consent or contract, and/or processed automatically.
  • Right to object to processing. Data subjects have the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if processing is necessary for the data controller’s or a third party’s compelling legitimate interests. However, data subjects always have the right to object to the processing of personal data for direct marketing purposes and related profiling.
  • Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw consent for the processing of their personal data. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Exercising Your Rights

We encourage you to contact us if you have any questions regarding the processing of your personal data.

You can submit a request concerning the data subject’s rights by mail or email using the contact information provided in this privacy policy.

The identity of the requester may be verified before processing the request. Requests will be responded to in a timely manner and, in principle, within one month of receiving the request and verifying the identity. If the request cannot be granted, refusal will be notified separately.

  11. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Data subjects have the right to lodge a complaint with the competent data protection authority if they believe that their personal data has been processed unlawfully under data protection legislation.

You can find the contact information for the Finnish Data Protection Authority here.

  12. CHANGES TO THE PRIVACY POLICY

This privacy policy may be subject to occasional changes. Changes may also be based on changes in data protection legislation. Therefore, we encourage you to regularly check the privacy policy for any updates. The latest version is available on our website.

This privacy policy was last updated on 19.4.2024.