Siirry pääsisältöön

Privacy Notice

Privacy Notice

Privacy Notice

Holvi Payment Services Oy Published: 08 May 2018 

Last Update: 7 May 2026

Version 3.4

Introduction

Holvi Payment Services Oy ("Holvi") is a payment institution authorised and regulated by the Financial Supervisory Authority. With a business account, Holvi Business Mastercard®, invoicing and bookkeeping tools all in one place, Holvi eliminates the time-consuming distractions of financial admin, helping entrepreneurs to find balance in work life.

We use the latest tools and techniques to secure Holvi IT systems. This security, along with Holvi's organisational processes, guarantees our customers' funds and data are protected and secured at all times.

Your privacy is important to us at Holvi, and maintaining your trust and confidence is one of our highest priorities. Holvi respects your right to keep your personal data confidential and understands your desire to avoid unwanted solicitations.

With these intentions Holvi has created this Privacy Notice (also referred to as "Notice"); to inform you of the nature, scope, and purpose of the personal data Holvi processes. In addition, Holvi wishes to inform you of the rights to which they are entitled under the applicable data protection regulations.

In line with this Notice, Holvi has implemented technical and organisational measures to ensure a complete protection of personal data processed in our company. Holvi has committed to processing personal data in line with the General Data Protection Regulation 2016/679 ("GDPR").

Holvi acts as a data controller for the processing of personal data as described in this Privacy Notice. Holvi acts as a data processor to the extent it processes personal data on your behalf when making available certain related value added services such as invoicing, reporting, and the online store platform. The obligations of Holvi as a data processor are set forth in the Holvi Data Processing Agreement.

Principles of securing your data

At Holvi personal data is processed in line with European data protection law. This means that personal data is processed in a lawful, fair and transparent way. Only the necessary and relevant personal data is processed for the purposes of providing the best possible services for you. Holvi is committed to keeping your personal data accurate and updated, and your data will be secured by Holvi's organisational and technical measures. This means, for example, that the registry permissions are granted and supervised by the person responsible for managing the register, your data is not kept as a hard copy, and that all of your data is deleted after Holvi no longer has a reason for processing it.

Name and address of the data controller

Controller

Holvi Payment Services Oy Business ID 2193756-4 Kaikukatu 2 C 00530 Helsinki Finland

The Data Protection Officer (DPO)

The Holvi Data Protection Officer can be contacted by email at privacy@holvi.com. For information on how to use your rights please use the online form in accordance with Section 11.

Purposes of using your personal data

Holvi processes your personal data mainly for the purpose of providing better payment services to you. In particular, Holvi uses your personal data to:

  • Create and manage the Holvi Account, i.e. verification process and completion of the Holvi Terms
  • Verify your identity
  • Process payments and provide Holvi products and services, including services that rely on account and transaction data obtained via Open Banking where you have provided consent
  • Collect fees, solve problems, and resolve disputes
  • Manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities
  • Comply with regulatory requirements, such as payment institution and anti-money laundering legislation
  • Detect, prevent or remediate violations of policies or user agreements
  • Provide Holvi customer support services and handle customer requests
  • Measure the performance of Holvi products and services and improve Holvi content and layout
  • Improve Holvi products and services
  • Manage and protect Holvi information technology infrastructure
  • Compare information for accuracy, and verify it with third parties, including verification of data obtained via Open Banking sources
  • Ensure data quality
  • Facilitate voluntary participation in anonymised academic research with your consent

In cases where Holvi provides targeted marketing and advertising, communicates service updates, and delivers promotional offers, Holvi will ask for your consent as required by law.

What personal data we collect about you

  • Personal details like your name, email address, date and place of birth
  • Contact details like your email address, physical address, and phone number
  • Information about your identity like your passport or national identity card
  • Tax information like your tax residency and tax identification number
  • Correspondence records between you and Holvi, including for example email, chat, and phone call recordings
  • Identity verification media like video selfies or images of you
  • Credit information like repayment history and details, including where relevant information derived from Open Banking data
  • Information about your company's stakeholders like shareholders, directors, and partners. If you or your company share personal information of other individuals, it is your responsibility to ensure that they understand how Holvi will process their information
  • Information from third parties such as credit bureaus, identity verification services, official registers and databases, financial crime prevention service providers, commercial information providers, correspondent institutions for payment transactions, Open Banking service providers, and other third party providers listed here, who provide information like credit reports, such as relates to verifying your identity, and those related to Holvi fulfilling its legal obligations
  • Information published on websites, social media, or by publicly available sources like media reports and online directories
  • Payment and transaction data of third parties, for instance, a party receiving a payment from a Holvi account
  • Online store customer payer names and contact information
  • Information required to enable open banking functionality from accounts you or your company have or otherwise maintain
  • Receipt and invoice data submitted via email to your dedicated receipt inbox or otherwise
  • Survey responses and opinions you share when voluntarily participating in Holvi customer surveys
  • Analytics information about how you interact with Holvi products and services such as technical details like your IP address and device information, financial details like incoming and outgoing payment information, account numbers and balances, and card related information, information stored on your device when you give Holvi permission to access such, including analytics derived from Open Banking-enabled services, and derived indicators such as product eligibility signals inferred from your activity

If you are an authorised cardholder, the company that owns the Holvi account being used is considered the primary controller of your personal data. You should contact that company directly if you have any questions about how they process your personal data through Holvi. In certain situations, Holvi may also act as a controller of your data such as when sending you direct marketing communications or requesting information for due diligence checks.

We may obtain information about you from credit reference agencies or other providers of credit information for the purposes of assessing and monitoring credit risk, managing our relationship with you, and complying with legal and regulatory obligations. These credit checks may be carried out at the start of our relationship and periodically during its term. This processing is necessary to enter into or perform a contract with you, to comply with applicable laws, and, where appropriate, with your consent where such is required by law.

How we use your personal data

In order to fulfil our contract with you:

  • Manage and deliver our financial services and other related offerings, including services that rely on account and transaction data accessed via Open Banking where you have provided consent
  • Design and ensure a superior user experience

To fulfil our legal obligations:

  • Confirm your identity during the Holvi account application process
  • Screen applications against fraud prevention and sanctions databases
  • Apply measures to detect and prevent financial crime
  • Make informed and responsible lending decisions, including by using financial and transactional information obtained via Open Banking

Where it is in our legitimate interests:

  • Manage and develop customer relationships and provide you with information on products, services, and promotions you might be interested in
  • Enrich company profiles with business information from commercial information providers to tailor our communications to your business needs
  • Evaluate the impact of our marketing efforts and deliver advertising tailored to your interests
  • Enable you to initiate the opening of a Holvi business account via selected Holvi partner applications.
  • Provide customer support services to develop the Holvi product and assist you
  • Improve and develop the quality of our services
  • Develop and improve our financial crime reduction efforts
  • Maintain and enhance the safety, security, and reliability of our Website ("Holvi Website") and the Holvi App
  • Select suitable pilot entrepreneurs to refine Holvi product for new markets as early adopters
  • Conduct voluntary customer surveys to understand business needs and prioritise product and integration development
  • Protect or defend against legal claims that may arise

With your consent:

  • Optimise the sending and the content of future newsletters, including blog updates and tips & tricks newsletters
  • Send you marketing messages where your consent is required
  • For partner applications to share your name, email, country, and business type with Holvi
  • To deliver performance, functional, and targeting cookies
  • Access, collect, and use your account and transaction data through Open Banking services for the purposes described above, where you have provided your explicit consent
  • Use your survey responses to send you personalised product recommendations where you have given separate consent for this purpose.
  • Contact you with invitations to participate in anonymised academic research conducted by independent third-party researchers, where you have opted in

Automated Decision-Making

In certain circumstances, Holvi may make decisions about you using solely automated means, including the use of algorithms and artificial intelligence, without any human involvement. These decisions involve the automated assessment of aspects of your personal and financial circumstances and may have legal or similarly significant effects, such as whether we approve or decline an application for credit, determine credit limits, or set the terms on which financial services are provided.

Such automated decision-making (sometimes referred to as profiling) is used to assess eligibility, suitability and risk in a manner that is consistent, fair and informed by reliable information. In particular, Holvi may make automated decisions in relation to carrying out credit checks, assessing credit and affordability eligibility, approving or declining credit applications, granting or adjusting credit limits and opening or maintaining accounts where this involves financial crime or credit risk assessment.

In connection with these activities, we may obtain information about you from credit reference agencies or other providers of credit information, both at the time of application and on an ongoing basis during the term of our relationship, in order to assess your creditworthiness and monitor risk.

In making these decisions, we may take into account a range of factors, including:

  • Information obtained from credit reference agencies or other providers of credit information;
  • Your account, transaction, and repayment history with us, as well as information obtained from your connected bank accounts or other financial institutions through Open Banking services, where you have provided consent;
  • Information you provide during onboarding or application processes; and
  • Indicators of financial crime risk or credit risk.

Such factors are evaluated together to assess the likelihood that providing or continuing to provide services to you would be consistent with our credit, risk and compliance policies. Certain factors, such as adverse credit history or indicators of elevated risk, may increase the likelihood of a negative outcome, while positive indicators may improve the outcome.

We make such decisions where it is necessary to enter into or perform a contract with you, where it is required or authorized by law, with your consent where such is required by law, or in our legitimate interests in preventing financial crime and providing efficient and effective financial services, and we apply appropriate safeguards to protect your rights and freedoms.

You have the right to request human intervention in relation to an automated decision, express your point of view, obtain an explanation of the decision, and challenge the decision and request that it be reviewed. For more information on your rights related to automated decision making, please see Section 11 below.

Artificial Intelligence

Holvi uses artificial intelligence (AI) systems in certain parts of its services to improve efficiency, security, and user experience. Our use of AI is limited to clearly defined purposes, such as assisting with customer service queries, detecting and monitoring fraudulent or unlawful activities, supporting business decision-making, or improving the quality and relevance of our offerings. All AI functionalities are designed and implemented with transparency, fairness, and accountability in mind, and are subject to appropriate technical and organisational safeguards, including human oversight where required. Any personal data processed through AI is handled responsibly, with safeguards in place to ensure it is used only for its intended purposes and never in ways that produce significant effects about you without meaningful human involvement, and we continuously monitor and assess our AI systems to ensure they remain safe, reliable, and respectful of your rights.

To provide you with an enhanced level of customer support, Holvi offers an artificial intelligence (AI) driven customer service solution. We only collect personal data or content that is specifically and voluntarily provided by you to our automated ticketing and messaging service. It is possible for you to share sensitive personal data through the service and Holvi asks that you not provide such, however if you do, Holvi accepts your explicit consent to use that personal data in the ways described in this Notice or as described at the point where you choose to provide us with such data. The personal data that we collect through our customer service solution is only used for the specific purposes for which it was provided. Every issue is given a unique number and the issues are connected to a possible Holvi account. If you believe Holvi has collected excessive personal data about yourself or to otherwise exercise your rights, we encourage you to contact us as described in Section 11 below.

Holvi also offers various artificial intelligence-based functionalities within its platform that use Azure Document Intelligence, language models licensed from Microsoft's Azure AI Foundry, AWS, and Google Vertex AI services. These services improve the efficiency and quality of our offerings. None of your data processed by our AI functionalities is used to improve Amazon, Azure, or Google products, nor is it accessed by Amazon, Microsoft, or Google, with the limited exception of abuse monitoring. You can find more information on data privacy and security for these services on the AWS, Azure AI Foundry and Google Vertex AI websites. Such functionalities may process your personal data depending on the data uploaded, and in this context, Holvi does not process any special category data. The personal data we collect through our AI functionalities is only used for the specific purposes for which it was collected, and we have contractual agreements with Amazon, Microsoft, and Google to protect your personal data.

Who we share your personal data with

For Service Provision

  • Payment Services: Payment details with the receiving party to fulfill service contracts, including information obtained through Open Banking services where you have provided consent
  • Third-Party Service Providers: Data with providers assisting with payment processing, fraud prevention, identity verification, customer support provision, bookkeeping, investment offerings, credit decisioning, credit bureaus, email processing, artificial intelligence, data storage, legal services, IT service provision, and other similar services
  • Card Networks and Partners: Data with payment card networks, financial institutions, and banking and financial services partners and collaborators under facilitation contracts and joint service agreements in order to ensure proper use of data solely for relevant services, including data obtained via Open Banking connections

For Legal Compliance

  • Authorities: Data with authorities upon lawful requests tied to lawsuits or prosecutions
  • Online store Contact Information: Publicly share shop owner details in online shops for customer contact purposes

For Fraud Prevention

Data with fraud prevention agencies to prevent fraud and money laundering, and verify identity. If fraud is detected, certain services may be refused to you. Further details of how your personal data will be used by us and these fraud prevention agencies, and your data protection rights, can be found in the fraud prevention agencies' website.

For Collaborations and Financial Institutions

Personal data with payment card networks, financial institutions, and partners under joint product and service agreements, including data accessed via Open Banking channels where you have provided consent

For Data Transfers Outside EEA

Holvi uses appropriate safeguards required under the GDPR for data transfers outside of the EEA, such as:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses from the European Commission
  • EU-US Data Privacy Framework (DPF), UK Extension to the EU-US DPF, and Swiss-US DPF

For Third-Party Integrations

Website Links and Plugins: Links to third-party sites (i.e. Facebook Like button, third-party widgets such as the 'Share This' button or interactive mini-programs that run on Holvi Websites). Clicking links may share IP addresses, which page the user is visiting on the Website, and cookies with third parties.

Being on the Holvi Website does not automatically result in sharing data on these social media networks. These plugins remain inactive until clicked. Once clicked, you will be taken to the said social media site or third party website with their own specific privacy policies that you are recommended to consult. Holvi cannot control the activities of third parties, Holvi cannot accept responsibility for any use of your personal data by such third parties, and Holvi cannot guarantee that they will adhere to the same privacy practices as Holvi does.

For Marketing and Advertising

To make our marketing as relevant and effective as possible, we may share certain contact details with social media and online advertising platforms, such as Meta and Google. This allows us to show Holvi adverts to existing customers who we think might be interested in a new product or feature, avoid showing adverts for products you already use, and reach new potential customers who have a similar profile to our existing ones.

When we do this, your contact information (such as your email address or name) is hashed (converted into an unreadable format) before it is shared. The advertising platform uses this only to match against their own user base and cannot use it for any other purpose.

Our legal basis for this processing is our legitimate interests in ensuring our advertising reaches the right people efficiently and cost-effectively. We have assessed that this processing does not override your interests or fundamental rights, given the limited nature of the data shared and the technical safeguards applied.

If you would prefer that we do not share your contact details with advertising platforms for these purposes, you can opt out at any time by contacting our Data Protection Officer at privacy@holvi.com.

For Academic Research

Contact details and limited business profile information with academic researchers, solely where you have consented. The researcher and their university are independent controllers for the research.

Additional Resources

A list of third parties Holvi shares personal data which can be viewed here.

How long we keep your data

Holvi retains personal data for the period of time Holvi has legal or regulatory obligations (legal basis: Art. 6 (1) (c) GDPR), has legitimate business purposes (legal basis: Art. 6 (1) (f) GDPR) or for the time of the contract with a customer (legal basis: Art. 6 (1) (b) GDPR). In cases where Holvi retains personal data for longer periods than prescribed by law, Holvi acquires customer consent to retain their data for longer (legal basis: Art. 6 (1) (a) GDPR). This includes personal data obtained through Open Banking services where you have provided your explicit consent.

Personal data is also used to prevent, detect and investigate money laundering and terrorist financing, and to investigate a crime in which the property or funds have been obtained. For these reasons, Holvi has a legal obligation to retain personal data (legal basis: Art. 6 (1) (c) GDPR). Holvi will also retain personal data for bookkeeping purposes as required by the applicable legislation (legal basis: Art. 6 (1) (c) GDPR). This may include relevant financial and transaction data accessed via Open Banking.

Holvi retains personal data as follows:

  • Customer data and customer support data are usually retained for ten years after the end of the customer relationship, including customer data obtained via Open Banking connections
  • Business profile information obtained from commercial information providers is retained for as long as there is a legitimate commercial interest in doing so
  • Personal data collected for anti-money laundering purposes are retained for up to ten years after the end of the customer relationship
  • Payment data of Holvi customers are retained for ten years after the end of customer relationship. This includes information on the party receiving the payment and, where applicable, payment and account information obtained through Open Banking services
  • If a user creating a Holvi account stops the account creation process, personal data entered by the user are retained for up to one month
  • Job application data of successful candidates are retained for six months after the application period
  • If the entrepreneur is selected as a pilot user, their personal data are retained for the piloting period up to a maximum period of one year from collection of the data
  • Survey responses are retained for three years from submission, or until you close your account, whichever is earlier.
  • Contact details shared with academic researchers are deleted within 30 days of the study closing

Please note that if you do not complete onboarding and become a Holvi customer, your personal data is deleted in line with applicable data protection laws and we may not be able to respond to any requests related to it thereafter.

Cookies

To build a first line defence against fraud, to serve you better and to provide the best possible experience for everyone using our site and services, Holvi places small data files on your computer or other device. These data files may be cookies, pixel tags, "Flash cookies," or other local storage provided by your browser or associated applications (collectively "Cookies"). Some of these Cookies (Strictly Necessary Cookies) are necessary to provide and secure the Holvi Website, and are used based on Holvi's legitimate interest (legal basis: Art. 6 (1) (f) GDPR). For other Cookies we always ask separately for your consent (legal basis: Art. 6 (1) (a) GDPR).

You can easily control their Cookie settings through Holvi's partner OneTrust. You are able to accept all or only part of the optional Cookies to be placed into their browser. You are able to withdraw your consent at any time from each Cookie group. If you choose not to allow the setting of Cookies you are still able to use the Holvi Website; some of the Website features might be affected.

Below is a detailed list of the Cookies Holvi uses on its Website. Holvi Website is scanned with the Cookie scanning tool regularly to maintain a list as accurate as possible. Holvi classifies Cookies in the following categories:

  • Strictly Necessary Cookies
  • Performance Cookies
  • Functional Cookies
  • Targeting Cookies

Please note that for Performance or Targeting Cookies data processing is often essentially carried out by the (third party) provider which uses the collected personal data also for their own purposes (i.e. profiling, and combination with other user data such as search history, personal accounts, usage data from other devices and all other data that provider has already about the user). Please note that the collected personal data is also often transferred and stored in countries where local authorities may have access to the data (like in the U.S.).

Holvi's Cookie Policy can be found at https://www.holvi.com/cookie-policy/.

Your rights as a data subject

The right to be informed (Art. 13 and 14 GDPR)

Holvi will inform you about the purpose, lawful basis, and retention period of your personal data, as well as the sources and recipients of the data. If data is processed based on consent, you can withdraw their consent at any time.

The right to access (Art. 15 GDPR)

You can access your personal data stored in Holvi's systems through your account or by requesting a copy from the Holvi Privacy Team. If the request is large, Holvi may ask for clarification or further specification. Requests are typically fulfilled within one month and are free, unless they are repetitive, unfounded, or excessive, in which case a reasonable administrative fee may apply.

The right to data portability (Art. 20 GDPR)

You have the right to data portability in certain circumstances, allowing you to request the transfer of your data to another system in a structured, commonly used, and machine-readable format. Holvi will respond within one month, unless the request is complex or there are high request volumes, in which case you will be informed of a two-month extension and the reasons for such.

The right to rectification (Art. 16 GDPR)

If you find your personal data to be inaccurate or incomplete, you can request for it to be rectified. You can modify your data via your account, requesting rectification via a dedicated platform, or by contacting Holvi support. Holvi will respond within a month and inform third parties of the rectification when possible.

The right to be forgotten / the right to erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data under certain circumstances. If there are no compelling reasons to retain the data, Holvi will delete it. However, legal retention requirements or legitimate interests may justify keeping the data longer. Holvi will respond to requests within a month, informing of any such justifications.

The right to restrict processing (Art. 18 GDPR)

If you are not entitled to have your data erased, you can still restrict its processing. This applies if: 1) the accuracy of the data is disputed; 2) you believe the processing is unlawful; 3) the data is no longer needed by Holvi for its original purpose, but is required for legal claims; or 4) the verification of an overriding basis is pending in relation to an erasure request.

The right to object processing (Art. 21 GDPR)

You can object to the processing of your personal data based on your specific situation. If processing is based on legitimate interests, Holvi will stop the processing unless compelling grounds exist. If processing is based on consent, Holvi will cease the processing upon receipt of customer objection.

Rights related to automated decision making including profiling (Art. 22 GDPR)

You have rights related to automated individual decision-making - making a decision solely by automated means without any human involvement - and profiling. If automated decision-making is used, you may request human intervention in relation to an automated decision, express your point of view, obtain an explanation of the decision, and challenge the decision and request that it be reviewed by contacting privacy@holvi.com.

Using your rights

You may use all of your rights e.g. through Holvi's dedicated data privacy platform by filling in and submitting an online form here. We will get back to you as soon as possible, but not later than within a month.

You also have a right to lodge a complaint with a supervisory authority. Contact details of the EU data protection authorities can be viewed at the DPA contacts list.

Changes to the Privacy Notice

Holvi will publish the newest version of the Privacy Notice on the Holvi Website and will also inform the customers on the Website about material changes to the Notice.

  • Päivitetty

Aiheeseen liittyvät artikkelit