Introduction

The purpose of this Privacy Notice is to inform how and why Verso Capital Oy (later the “Controller”, “we”, ”our”, or “us”) collect, store and process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Finnish Data Protection Act (tietosuojalaki) 1050/2018. Personal data refers to any information relating to a natural person (“data subject”), which allows a person to be directly or indirectly identified, as defined in the General Data Protection Regulation (EU 2016/679).

We are committed to safeguarding the privacy of the representatives of our investors, portfolio companies, and prospects, as well as business partners, employees, and all other individuals whose personal data we process.

1. Controller and contact information

Verso Capital Oy (Business ID 2477697-0)
Registered office: Mikonkatu 6 C, 00180 Helsinki, Finland
Contact: Compliance Officer Mika Suomela, mika.suomela@versocapital.com

2. Legal basis and purposes of processing

The processing of personal data is based on the following legal bases:

• Legitimate interest of the Controller or a third party (such as current or future clients or business partners of the Controller); the legitimate interest being e.g. the performance of an agreement between the entity represented by the data subject and the Controller, or another relevant connection between the data subject and the Controller, as well as other legitimate interests of the Controller as further specified below;

• Compliance with a statutory obligation to which the Controller is subject, such as accounting and tax related obligations including obligations arising from the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017, as amended) and from the Finnish Act on Alternative Investment Funds Managers (162/2014, as amended);

• Consent of the data subject.

We process personal data for the following purposes:

• Investment and fundraising activities: managing and developing investor relations and other relevant connections with the business partner or representatives of investors, including business communication and marketing, processing investments, and conducting due diligence. In case of representatives of investors, processing subscriptions of interests, drawdown notices and payments of distributions to the holders of interests and more generally fulfilling the obligations under the fund agreement and providing services in relation to the investor’s investment.
• Regulatory compliance: fulfilling obligations under anti-money laundering (AML), know-your-customer (KYC), tax, and financial regulations. As applicable, preventing, revealing and investigating money-laundering and terrorist financing as well as for the purposes of bringing under the relevant authorities’ investigation money laundering, terrorist financing and/or criminal acts (by which the assets or benefit of crime have been received) and complying with other applicable laws and regulations (including obligations to report to tax authorities).
• Contractual performance: entering into and performing contracts with investors, portfolio companies, targets, and service providers
• Business communication: responding to inquiries, sending updates, and maintaining relationships
• Recruitment and HR: processing job applications and managing employment relationships

The provision of personal data and the processing thereof for the purposes set out above is in most cases necessary for both statutory and contractual reasons. Should the representative(s) of the clients, the business partner or the investors fail to provide the required personal data, we may not be able to fulfil our statutory or contractual obligations and thus we may not be able to enter into or continue the business relation between us and the relevant client, business partner or investor.

3. Categories of personal data and sources of data

We only collect personal data relevant and necessary for the purposes outlined in this Privacy Notice. Such personal data includes in particular the following data:

• Identification data: name, date of birth
• Contact data: email address, phone number, postal address
• Financial data: bank account information, investment records, transaction details
• Professional data: job title, employer, business background
• Compliance data: KYC/AML information, copies of relevant documents
• Technical data: IP address, device and browser information (when using our website)
• AML/KYC data: As applicable, social security numbers / dates of birth / personal identity codes / tax identification numbers, nationalities and photos (in passports or identity documents).

The personal data is mainly collected from the data subjects themselves, for example, in connection with entering into agreements and completing forms and questionnaires in that connection, in connection of business communications and marketing as well as otherwise during the contractual relationship. In case of representatives of investors, we may collect personal data also from documents and information supplied by the investor and its representatives in connection or as supplements to the forms and questionnaires attached as appendices to the relevant agreements or any later updates or amendments to such information. Where required or permitted by the law, we may collect data also from other sources.

4. Retention of personal data

The retention time of the collected personal data is subject to the legal basis and purpose of processing. In general, all collected personal data will be retained at least for the term of the relevant agreement, unless a longer retention period is required by law (for example regarding obligations and responsibilities related to accountancy or reporting) or unless the data is needed for drafting or presenting a claim or for a legal defence or for resolving any disputes.

Where the personal data is collected on the basis of an obligation based on applicable law, the retention of the personal data may also be subject to explicit statutory requirement. For example, “know your customer” (KYC) information will be retained in compliance with the Act on Detecting and Preventing Money Laundering and Terrorist Financing for at least five (5) years after the end of the customer relationship.

When the personal data is no longer needed as defined above, data is deleted within a reasonable time.

5. Transfers and disclosures of personal data

We utilise service providers and third parties to carry out our business and delegate some of our operations to our service providers, and we transfer personal data to such service providers for processing. For example, we use IT service providers e.g. to deliver office and communications software and equipment, and providers of administration services. We also use marketing, legal, accounting and other service providers, to which we may transfer or disclose personal data.

We may disclose personal data within the limits permitted or required by applicable legislation from time to time, for example to competent authorities when required to do so under applicable laws (for example to tax authorities in Finland and other countries in which we are required to fulfil statutory obligations), or to prepare for legal proceedings or to defend a claim. In addition, we may disclose personal data to financial service providers, such as banks and custodians, or to a debt collection agency for purposes of debt collection, or to other service providers, but only to the extent that the fulfilment of their tasks require the disclosure of personal data. We may also have to disclose a data subjects’ personal data in case of emergencies or in other unexpected situations to protect health and property.

In case of representatives of investors, personal data may also be disclosed to other limited partners (and as applicable, their general partners and/or managers). List of the applicable recipients of personal data will be provided upon request.

In addition, we may share personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.

Where personal data is transferred outside the European Union or the European Economic Area, we ensure by contractual or other applicable measures that the transfers are subject to appropriate safeguards. More information on cross border transfers of the personal data and on the appropriate safeguards applied thereto from time to time is available upon request.

6. Cookies

Our website uses cookies to ensure proper functionality and to enhance your user experience. We may also use cookies for website analytics, all of which are anonymized and aggregated. The user may manage, restrict, or disable cookies at any time through their browser settings. However, by continuing to use this website without modifying such settings, the user is deemed to have consented to the use of cookies.

7. Data security

We implement technical and organisational measures to protect personal data from unauthorised access, loss, misuse, or disclosure. Access to personal data is restricted to authorised personnel only.

8. Rights of the data subject

Under the GDPR, the data subject has the right to:

• Right of access: The data subject has the right to obtain a confirmation whether his or her personal data is processed, and to access the personal data about himself/herself and to request to receive the data in a paper copy or in an electronic form.
• Right to rectification and erasure: The data subject has the right to demand the Controller to correct any incorrect or incomplete personal data and under certain conditions, the right to request the erasure of his/her personal data.

• Right to restriction of processing: The Controller may be obliged to restrict the processing of personal data in accordance with the conditions set out in the General Data Protection Regulation.

• Right to object to processing: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The data subject always has the right to object the use of his/her personal data for purposes of direct marketing.

The data subject can use these rights by submitting a request to us by using the contact information mentioned in the beginning of this Privacy Notice.

After receiving all the required information to complete the request, including confirmation of identity, we will start the processing of the request. We will contact the data subject at the latest within a period of one month. If the request is denied, the data subject will be informed about the refusal in writing. We may refuse the request (such as erasure of the data) due to a statutory obligation or right.

In case the data subject considers our processing activities of personal data to be inconsistent with the applicable data protection legislation, the data subject has the right to lodge a complaint with the competent data protection supervisory authority; Finnish Data Protection Ombudsman:

Home | Data Protection Ombudsman’s Office

Tietosuojavaltuutetun toimisto: Tietosuojavaltuutetun toimisto | Tietosuojavaltuutetun toimisto

To exercise your rights, please contact us at mika.suomela@versocapital.com

9. Data breaches and notification obligations

In case of a personal data breach, we will notify the competent supervisory authority within 72 hours and affected data subjects where required by law. We maintain internal procedures to detect, report, and investigate personal data breaches to ensure compliance with applicable data protection laws.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in legal, regulatory, or business requirements. All changes will be made available on our website or otherwise.