This privacy notice covers how personal data of clients is processed within Tesseract Group. The purpose of this privacy notice is to inform data subjects of the nature, scope, and purpose of personal data processing and the rights available to data subjects. Tesseract’s clients include retail customers and business partners.
Protection of our clients’ personal data is a priority to us at Tesseract. The processing of personal data shall always comply with the European Union’s General Data Protection Regulation (EU) 2016/679 (the “GDPR”), the United Kingdom’s Data Protection Act 2018, and other applicable data protection regulations.
We update this privacy notice regularly. If the changes are significant, we will inform the data subjects directly about them via email or another suitable way. The current version of the notice is always available on our website. This privacy notice was last updated in June 2025.
The following Tesseract Group companies may act as the data controller for the processing of Tesseract’s clients’ personal data:
Tesseract Group Oy
Fredrikinkatu 47 A, 00100 Helsinki, Finland
Tesseract UK Access I and II Ltd
7a Abbey Business Park, Monks Walk, Farnham, Surrey, England, GU9 8HT
Tesseract Holding Oy
Fredrikinkatu 47, 00100 Helsinki, Finland
privacy@tesseractinvestment.com
| Purpose of processing | Processed data types | Applicable legal basis | Retention time |
| --- | --- | --- | --- |
| Delivering our products and services to retail customers | The customer’s basic information and contact details, including: - Name, email address and phone number - Date of birth, social security number or personal ID number (if available), - Residential address, tax residency, nationality Information on the use of our services, including: - Cryptocurrency transaction information - Information relating to the customer’s Tesseract Group account (e.g. generated yield, preferred risk level for generating yield, information on your loans, interest rates and collaterals) | Contract | 5 years from the end of the customer relationship |
| Delivering our products and services to business partners | The representative’s basic information and contact details, including: - Name, email address, phone number, - Date of birth, social security number or personal ID number (if available), - Residential address, nationality, - Name and business identification number (or equivalent number) of the legal entity represented, position at the legal entity | Contract | 5 years from the end of the customer relationship |
| Know Your Customer (KYC) obligations, including detecting money laundering, terrorist financing and other financial crimes | Know Your Customer (KYC) information, including: - Basic information and contact details (see previous sections for details), - Type, number and issuer of identification document, a copy of the identification document, photo, - Proof of residency, proof of occupation, information on the purpose of the account, information on cryptocurrency addresses and transactions, financial information - Information regarding the status as a politically exposed person (PEP screening) Information regarding a legal entity’s beneficial owners and board of directors, including: - Name, date of birth, residential address and nationality of directors and beneficial owners - Information regarding the status as a politically exposed person (PEP screening) | Complying with a legal obligation (KYC obligations) | 5 years from the end of the customer relationship |
| Suitability assessment for portfolio management services | Information on the client’s suitability for the service, including: - The client’s knowledge, experience, and investment objectives (including risk tolerance), - Financial situation (including ability to bear losses) | Complying with a legal obligation | 5 years from the end of the customer relationship |
| Customer service and customer relationship management | Basic information and contact details (see details in lists above), Information on the use of our services (see details in lists above); Information regarding the management of the customer relationship, including: - Past and current contracts, information related to events organized by us, - Correspondence with us | Our legitimate interests | 5 years from the end of the customer relationship |
| Recording communication regarding transactions | Information regarding correspondence, including: - Contact details, - Contents of the communication | Legal obligation | 5 to 7 years, depending on the competent authority |
| Accounting | Any personal data contained in accounting materials, including: - Client’s name, transaction details | Complying with a legal obligation | 5 to 7 years, depending on the competent authority |
| Direct marketing | Basic information and contact details (see details in lists above). | Our legitimate interests | 1 year |
We receive personal data directly from our consumer customers and business partners when offering our services and onboarding new clients. Personal data may be transferred within Tesseract Group. We also collect personal data from external sources, including service providers with whom Tesseract Group has entered into a partnership agreement (mainly crypto asset exchanges or brokers).
Personal data may be disclosed within Tesseract Group for the purposes described in this privacy notice and to enable group-wide reporting and the use of centralized data systems. Personal data may be disclosed to authorities as required by applicable legislation. In certain very limited cases, we may disclose your personal data to banks, payment service providers, and crypto custodians.
We use subcontractors in the processing of personal data. Our subcontractors process personal data on our behalf and only for the purposes described in this privacy notice. We ensure that our subcontractors maintain the security and confidentiality of personal data, and all subcontractors are contractually required to comply with strict data protection requirements. Personal data is shared with subcontractors only to the extent required for the purpose of processing.
We use subcontractors for the following purposes:
We may transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we ensure that an applicable transfer mechanism exists (such as the EU Commission’s Standard Contractual Clauses) and that the recipient of personal data commits to data confidentiality and data protection.
Access to personal data is restricted with role-based access rights. All Tesseract employees are bound by confidentiality. Systems and databases are protected by adequate technical measures. We collect log data on the processing of critical data to monitor and detect any misuse of the data. Access to all premises is controlled and monitored to ensure physical safety of personal data and any assets used for personal data processing.
Profiling means gathering information about a data subject or a group of data subjects and evaluating their characteristics or behavior for the purpose of placing them in a certain category or group. Tesseract Group performs profiling for the purposes of preventing fraud, money laundering and terrorism, and for suitability assessment when providing portfolio management services.
Profiling is used as a preparatory measure for the above-mentioned purposes. Profiling information is not used for automated decision-making without human participation.
All requests concerning the rights mentioned below should be made in writing to privacy@tesseractinvestment.com. The requests should include the data subject’s name and contact details. We may ask the data subject to provide additional information for identification. This information is not used for any other purposes and is deleted after identification.
Requests regarding data subject rights will be answered within one month of receiving the request. If the request is complex, the time limit can be extended by two months. If this is the case, we will inform the data subject about the extension and its reasoning within one month of receiving the request.
Data subject rights are not absolute, and their applicability may depend, for example, on the legal basis of processing. If a data subject request is declined, we will provide the data subject with an explanation of the grounds for the decision.
Data subjects always have the right to lodge a complaint with the competent authority. In Finland, the data protection authority is the Office of the Data Protection Ombudsman.
| Right | Description |
| --- | --- |
| Right to be informed | Data subjects have a right to be informed about personal data processing. This privacy notice provides information on how we process personal data. For any additional questions, data subjects can contact privacy@tesseractinvestment.com. |
| Right to access | Data subjects have the right to access the personal data regarding them. The right to access can be implemented, for example, by sending a copy of the personal data. |
| Right to rectification | Data subjects have the right to rectify any inaccurate or outdated personal data. The right may be limited if the data cannot be modified due to its form or legal/contractual obligations. |
| Right to erasure | Data subjects have the right to have all their personal data deleted. The right may be limited, for example, if a legal obligation requires us to retain the data. |
| Right to restrict processing | Data subjects have the right to request the restriction of processing personal data. Restriction of processing entails that the data will be stored, but other processing will be halted. If the processing of personal data is restricted, it can be processed only based on the data subject’s consent, for a legal request, for protecting the rights of another person, or for an important reason related to the common interests of the EU or a Member State. The restriction of processing can apply, for example, if the legality of personal data processing has been disputed. The restriction is usually a temporary measure and is lifted when the main request is resolved. |
| Right to data portability | Data subjects have the right to request the transfer of personal data from one system to another. The right is applicable when the personal data has been collected directly from the data subject and the processing is based on a contract or the data subject’s consent. |
| Right to object to processing | Data subjects have the right to object to personal data processing based on a personal reason when the legal basis for the processing is legitimate interest, public interest or exercise of official authority. The objection is valid, unless the data controller’s interests override the data subject’s personal reason. |
| Right not to be subject to an automated decision | The data subject has the right not to be subject to decision-making based solely on automated processing which results in legal effects or other significant effects to the data subject. The data subject has the right to request that a human reviews any decisions based solely on automated means. |