Holvi Payment Services Ltd
Published: 8 May 2018
Last update: 9 February 2023
Holvi is a payment institution authorised and regulated by the Financial Supervisory Authority. With a business account, Holvi Business Mastercard®, invoicing and bookkeeping tools all in one place, Holvi eliminates the time-consuming distractions of financial admin, helping entrepreneurs to find balance in work life.
We use the latest tools and techniques to secure Holvi IT systems. This security, along with Holvi’s organisational processes, guarantees our customers’ funds and data are protected and secured at all times.
Customer privacy is important to us at Holvi, and maintaining customers’ trust and confidence is one of our highest priorities. Holvi respects the customer’s right to keep their personal data confidential and understands their desire to avoid unwanted solicitations.
In line with this policy, Holvi has implemented technical and organisational measures to ensure a complete protection of personal data processed in our company. Holvi has committed to processing personal data in line with the General Data Protection Regulation 2016/679 (“GDPR”).
2. Principles of securing the data
At Holvi personal data is processed in line with European privacy law. This means that personal data is processed in a lawful, fair and transparent way. Only the necessary and relevant personal data is processed for the purposes of providing the best possible services for Holvi customers and future customers. Holvi is committed to keeping the personal data accurate and updated, and the data will be secured by Holvi’s organisational and technical measures. This means, for example, that the registry permissions are granted and supervised by the person responsible for managing the register, the customer data is not kept as a hard copy, and that all customer data is deleted after Holvi no longer has a reason for processing it.
3. Name and address of the data controller
Holvi Payment Services Oy Business
Kaikukatu 2 C
3.2. The Data Protection Officer (DPO)
The Holvi Data Protection Officer can be contacted by email at firstname.lastname@example.org. For using the rights of the data subjects please use the online form in accordance with section 9.10.
4. The purpose of processing personal data
Holvi processes customer personal data mainly with the purpose of providing better payment services to its customers. In particular, Holvi uses customer personal data to:
- Create and manage the Holvi Account, i.e. verification process and completion of the Holvi Terms;
- Verify the identity of the customer;
- Process payments and provide Holvi Services;
- Collect fees, solve problems, and resolve disputes;
- Manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities;
- Comply with regulatory requirements, such as payment institution and anti-money laundering legislation;
- Detect, prevent or remediate violations of policies or user agreements;
- Provide Holvi customer support services and handle customer requests;
- Measure the performance of the Holvi Services and improve Holvi content and layout;
- Manage and protect Holvi information technology infrastructure;
- Compare information for accuracy, and verify it with third parties;
- Ensure data quality.
Holvi processes customer personal data to:
- Improve Holvi Services by customising user experience;
- Provide targeted marketing and advertising, provide service updates, and deliver promotional offers.
In those cases, Holvi will ask for the consent of its customers.
5. Types of personal data and lawful bases of processing
5.1. Registration as Holvi user and provision of payment and accounting services
In connection with opening a Holvi account and using the Holvi Payment Services, customers are asked to provide identifying data (including e.g. contact details, identification information). Only necessary and relevant personal data is processed. Personal data is also obtained from third parties such as identity verification services.
Holvi processes this customer's personal data to provide payment services based on the contract between Holvi and the customer (legal basis: Art. 6 (1) (b) GDPR). This includes, for instance, administration of Holvi Services and customer payment account, identification of the customer and web shop merchant management.
Holvi also processes customer personal data to comply with legal obligations (legal basis: Art. 6 (1) (c) GDPR). This is the case where Holvi processes personal data for the purposes of preventing, detecting and investigating money laundering and terrorist financing or complying with the payment service legislation.
In addition to this, Holvi processes customer personal data based on Holvi's legitimate interest to prevent fraud, manage risk, develop Holvi products and services, manage and develop customer relationships and provide Holvi's existing customers with information on products and services they might be interested in (legal basis: Art. 6 (1) (f) GDPR). Only necessary and relevant personal data is processed in connection with these operations.
5.3. Payments by Holvi customers
Holvi customers may make payments through their Holvi account.
To enable these payments Holvi needs to process payment and transaction data of third parties, for instance, a party receiving a payment from a Holvi customer (who might be a natural person). Holvi processes this third party data based on Holvi's legitimate interest to provide its customers with payment services (legal basis: Art. 6 (1) (f) GDPR). Holvi also has a legal obligation to retain the data of the third party receiving the payment (legal basis: Art. 6 (1) (c) GDPR).
5.3. One-Time Payments via Holvi
Holvi's customers may use Holvi to enable their own users to pay purchases in the Holvi customer's webshop. When a user makes a payment in a Holvi customer's webshop, this user will become a customer of Holvi for the purposes of this payment. Holvi processes this customer's personal data to provide the payment service based on the contract between Holvi and the customer (legal basis: Art. 6 (1) (b) GDPR). Only necessary and relevant personal data is processed in connection with one-time payments via Holvi.
To comply with Holvi's legal obligations, Holvi processes payer name and email address to enable payments with card or through a bank account (legal basis: Art. 6 (1) (c) GDPR).
Holvi also processes payer contact information based on Holvi’s legitimate interest to develop the product, to ensure the security of the Holvi's website and to prevent fraud (legal basis: Art. 6 (1) (f) GDPR).
When a Holvi customer uses the 'Invite User’ function, the customer is responsible for obtaining the consent from the receiver of the invitation before sending the invitation.
5.4. Account information and payment initiation service provision
If Holvi’s customers ask Holvi to act as an account information service provider on behalf of the customer, Holvi will identify itself towards the account servicing payment service provider of the customer (third party) and securely communicate with the account servicing payment service provider.
In this regard Holvi only accesses information on payment accounts specified by customer and payment transactions relating thereto. Holvi only processes data for the purposes of the account information service explicitly requested by the customer (legal basis: Art. 6 (1) (b) GDPR). Holvi will not request sensitive payment data related to the payment accounts.
On the other hand, when Holvi acts as an account servicing payment service provider for customers, Holvi will also communicate securely with third party account information and payment initiation service providers (third party service providers) acting on behalf of Holvi’s customers. After the service providers have identified themselves towards Holvi, the service providers can process data for the purposes of the services explicitly requested by Holvi’s customers (legal basis: Art. 6 (1) (c) GDPR).
5.5. Customer Support
In Holvi customer support, necessary and relevant personal data is processed to solve issues and questions customers might have about Holvi Service. The questions and issues customers send through email, website, Facebook messenger or by telephone are saved for product development and customer success quality purposes. Every issue is given a unique number and the issues are connected to a possible customer account.
Customer support data is processed based on the legitimate interest of Holvi to develop the product, to help customers and to give information on Holvi products and services (legal basis: Art. 6 (1) (f) GDPR).
Holvi Customer Support may use customer email or phone number to contact customers for legal questions, service related queries and to offer help with onboarding issues. Holvi will never ask customers to give their passwords through email or phone.
5.6. Blog Updates
The Holvi Blog enables users to get notifications in their email when a new blog text is published. To get these updates, users are asked to enter their email address and order the updates email.
On the basis of user consent, processes through the blog update Holvi processes personal data that is needed to optimise the sending and the content of future newsletters (legal basis: Art. 6 (1) (a) GDPR). Users can at any time withdraw their consent and cancel the updates email. After withdrawing their consent on receiving the email, Holvi will mark the consent withdrawn and the user will no longer receive the updates.
5.7. Tips & Tricks newsletter
The newsletter contains tips & tricks on use of Holvi products, entrepreneurship and other issues that might interest our customers.
This newsletter is sent for Holvi customers who have given their consent (legal basis: Art. 6 (1) (a) GDPR). Through the newsletters Holvi processes personal data that is required to optimise the sending and the content of future newsletters. Customers can at any time withdraw their consent and cancel the newsletter. After withdrawing their consent on receiving the newsletter, Holvi will mark the consent withdrawn and the customer will no longer receive the newsletter.
5.8. Inbound marketing
Holvi will always ask for the data subject’s consent to send any marketing messages (legal basis: Art. 6 (1) (a) GDPR). On the basis of user consent, Holvi processes personal data necessary to optimise the sending and the content of future marketing. Users can at any time withdraw their consent and cancel the newsletter. After withdrawing their consent on receiving any marketing, Holvi will mark the consent as withdrawn and the user will no longer receive any messages.
5.9. Partner co-operation
Holvi customers are able to initiate the opening of a Holvi business account via selected Holvi partner applications.
Holvi will then securely contact the customer, and the customer is able to finish creating a Holvi account.
This processing is based on Holvi's legitimate interests to serve its customers (legal basis: Art. 6 (1) (f) GDPR). User consent is asked for sharing the user's name, email, country, and business type with Holvi (legal basis: Art. 6 (1) (a) GDPR).
5.10. Careers section
In the career section on the Holvi website, Holvi processes personal data it needs to find new Holvians.
Holvi processes personal data required for the job application process as well as preference data, such as contact data, data submitted by applicants and data connected with a particular posting.
This processing is based on Holvi's legitimate interest to find the best people to work with us (legal basis: Art. 6 (1) (f) GDPR).
To build a first line defence against fraud, to serve our customers better and to provide the best possible experience for everyone using our site and services, Holvi places small data files on your computer or other device. These data files may be cookies, pixel tags, "Flash cookies," or other local storage provided by your browser or associated applications (collectively "cookies"). Some of these cookies (Strictly Necessary Cookies) are necessary to provide and secure the Holvi website, and are used based on Holvi's legitimate interest (legal basis: Art. 6 (1) (f) GDPR). For other cookies we always ask separately for your consent (legal basis: Art. 6 (1) (a) GDPR).
A user can easily control their cookie settings through Holvi’s partner OneTrust. The user is able to accept all or only part of the optional cookies to be placed into their browser. The user is able to withdraw their consent at any time from each cookie group. Users that choose not to allow the setting of cookies are still able to use the Holvi website; some of the website features might be affected.
Below is a detailed list of the cookies Holvi uses on the website. Holvi website is scanned with the cookie scanning tool regularly to maintain a list as accurate as possible. Holvi classifies cookies in the following categories:
- Strictly Necessary Cookies
- Performance Cookies
- Functional Cookies
- Targeting Cookies
Please note that for Performance or Targeting Cookies data processing is often essentially carried out by the (third party) provider which uses the collected personal data also for own purposes (e.g. profiling, and combination with other user data such as search history, personal accounts, usage data from other devices and all other data that provider has already about the user). Please note that the collected personal data is also often transferred and stored in countries where local authorities may have access to the data (like in the U.S.).
5.12. Pilot users
To enter new market areas, Holvi provides a possibility to start using Holvi for early adopters as one of the first entrepreneurs in their country.
Based on Holvi's legitimate interest to select the most suitable pilot entrepreneurs to refine Holvi product for the new market, Holvi processes the prospective user's name, contact information, and financial information of their company (legal basis: Art. 6 (1) (f) GDPR).
If the entrepreneur is not selected, Holvi will erase the personal data immediately, unless the entrepreneur has not given separate consent to save the personal data to contact them later.
6. Sources of the personal data processed
Holvi mainly collects personal data from the customer itself. Additionally, Holvi obtains data from the following sources:
- Credit bureaus (e.g., Crif Bürgel GmbH, Schufa and Asiakastieto);
- Identity verification services;
- Correspondent institution for payment transactions;
- Third Party Providers (listed here)
7. Retention of personal data
Holvi retains personal data for the period of time Holvi has legal or regulatory obligations (legal basis: Art. 6 (1) (c) GDPR), has legitimate business purposes (legal basis: Art. 6 (1) (f) GDPR) or for the time of the contract with a customer (legal basis: Art. 6 (1) (b) GDPR). In cases where Holvi retains personal data for longer periods than prescribed by law, Holvi acquires customer consent to retain their data for longer (legal basis: Art. 6 (1) (a) GDPR).
Personal data is also used to prevent, detect and investigate money laundering and terrorist financing, and to investigate a crime in which the property or funds have been obtained. For these reasons, Holvi has a legal obligation to retain personal data (legal basis: Art. 6 (1) (c) GDPR). Holvi will also retain personal data for bookkeeping purposes as required by the applicable legislation (legal basis: Art. 6 (1) (c) GDPR).
Holvi retains personal data as follows:
- Customer data and customer support data are retained for ten years after the end of the customer relationship.
- Personal data collected for anti-money-laundering purposes are retained for five years after the end of the customer relationship.
- Payment data of Holvi customers are retained for ten years after the end of customer relationship. This includes information on the party receiving the payment.
- If a user creating a Holvi account stops the account creation process, personal data entered by the user are retained for 30 days.
- Job application data of successful candidates are retained for seven months after the application period.
- If the entrepreneur is selected as a pilot user, their personal data are retained for the piloting period up to a maximum period of one year from collection of the data.
8. Sharing of personal data with third parties
When a Holvi customer or user initiates a payment, Holvi shares the payment details of this customer or user with the party receiving the payment. This is required to provide the payment service under the contract between Holvi and its customer.
Holvi shares customer personal data with authorities in case of requests based on a lawsuit or prosecution and where Holvi is obliged by law to do so.
Holvi shares personal data under contract with third-party service providers who help with certain parts of Holvi business operations including payment, fraud prevention, validation of user credentials, secure data storage and other similar services. Holvi also shares personal data with payment Card Networks pursuant to the requirements of the network rules under the applicable payment facilitation contracts, and certain financial institutions and collaborators or their agents that Holvi works with to jointly create and offer certain products and services. Holvi ensures that these parties are properly informed of how to use Holvi data, and only use personal data in connection with the services they perform for Holvi.
For legal reasons the Holvi shop owner details are publicly available in the online shop so webshop customers can easily contact the webshop if needed.
For sharing data with third parties based outside of the EEA, Holvi will require appropriate safeguards as required by the GDPR. Holvi uses these safeguards in connection with any transfer of data to third countries. The safeguards Holvi uses are adequacy decisions from the European Commission, and European Commission Standard Contractual Clauses.
We share your personal data with fraud prevention agencies that will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services. Further details of how your personal data will be used by us and these fraud prevention agencies, and your data protection rights, can be found in the fraud prevention agencies’ website.
A list of third parties Holvi shares personal data which can be viewed at: Table of 3rd parties.
Holvi website includes links to third party sites such as the Facebook Like button and third party widgets, such as the ‘Share This’ button or interactive mini-programs that run on Holvi websites. If the user clicks a link to a third party site, the user will leave the Holvi website and go to the website they selected. These features collect the user's IP address, which page the user is visiting on the website, and set a cookie to enable the feature to function properly.
Being on Holvi website does not automatically result in sharing data on these social media networks. These plugins remain inactive until clicked. Once clicked, the user will be taken to the said social media site or 3rd party website with their own specific privacy policies that the user is recommended to consult. Holvi cannot control the activities of third parties, Holvi cannot accept responsibility for any use of user’s personal data by such third parties, and Holvi cannot guarantee that they will adhere to the same privacy practices as Holvi does.
9. Customer's rights as a data subject
9.1. The right to be informed (Art. 13 and 14 GDPR)
Holvi will always inform customers about the purposes and the lawful basis of processing their personal data, as well as the retention period of the data. Holvi will inform the customer about the sources from which Holvi obtains customer personal data, and the recipients of customer data. If customer data is processed based on consent, the customer has a right to withdraw their consent of sharing data at any time.
9.2. The right to access (Art. 15 GDPR)
Customers have the right to access their personal data that is stored in the Holvi database. Customers are able to see their basic information in their account. Customers are also able to submit a request to the Holvi Privacy Team and get a copy of their personal data. If the customer asks for a large amount of data, Holvi may ask the customer to specify their request to better serve the customer. Typically, Holvi will comply with customer requests without delay within one month. Requests are free of charge, unless the request is repetitive, unfound, or excessive. In that case, Holvi might have to ask customers for a reasonable administrative fee.
9.3. The right to data portability (Art. 20 GDPR)
Customers have under certain circumstances a right to data portability, which means that customers may ask Holvi to move, copy or transfer some of their data from the Holvi IT environment to another in a structured, commonly used and machine readable form. Holvi will respond to customer requests without delay within one month, unless the request is complex or Holvi has received an extensive number of requests. In this case, Holvi will inform customers of a reason why the request must be extended by two months.
9.4. The right to rectification (Art. 16 GDPR)
If a customer finds their personal data processed by Holvi as inaccurate or incomplete, the customer has a right to get their data rectified. Customers can either log into their Holvi account to review and modify their data or if a customer is unable to modify the data, they can request the rectification through a dedicated platform or by contacting Holvi support. Holvi will respond to customers within a month, and inform the third parties of the rectification where possible.
9.5. The right to be forgotten / the right to erasure (Art. 17 GDPR)
Customer has under certain circumstances a right to be forgotten, which means that the customer is able to ask for the deletion and removal of all personal data Holvi has on them. If Holvi has no compelling reason for continued processing or storage, Holvi will delete customer data. Retention requirements by applicable laws might form compelling reasons for Holvi to keep the customer data for longer, as may Holvi’s legitimate interest that overrides customer’s interest in data erasure. Holvi will respond to customer requests within a month.
9.6. The right to restrict processing (Art. 18 GDPR)
In case the customer is not entitled to get their data erased, the customer is still able to restrict the processing of the data. Customer has a right to restrict the processing of personal data, if 1) the accuracy of the data is contested; 2) customer thinks the processing is unlawful and requests restriction of the processing; 3) Holvi no longer needs the data for the original purpose, but customer data is still required to establish, exercise or defend legal claims; or 4) if the verification of overriding basis is pending, in the context of an erasure request.
9.7. The right to object processing (Art. 21 GDPR)
Customers have a right to object to processing of their personal data on grounds relating to their particular situation. If Holvi processes customer data for legitimate interests, Holvi will stop processing the personal data after the customer's request, unless Holvi can show compelling legitimate grounds for the processing. If Holvi processes customer data on the basis of customer consent, Holvi will stop processing customer data as soon as Holvi has received customer objections.
9.8. Rights related to automated decision making including profiling (Art. 22 GDPR)
Customers have rights related to automated individual decision-making - making a decision solely by automated means without any human involvement - and profiling. Holvi uses profiling to send the customer messages and marketing that is relevant to them. Holvi will inform customers separately if it uses automated decision making, and will give customers ways to request human intervention or challenge the automated decision.
9.9. Right to set guidelines on the fate of data after death
The Customer may provide Holvi with instructions on how his personal data will be stored, deleted and disclosed after his death.
9.10. Using your rights
Customers and other website users may use all of their rights e.g. through Holvi’s dedicated data privacy platform by filling in and submitting an online form (link to the Holvi data privacy platform). We will get back to you as soon as possible, but not later than within a month.
Customers also have a right to lodge a complaint with a supervisory authority. Contact details of the EU data protection authorities can be viewed at: DPA contacts list.
Holvi will update the third party list quarterly.