Legal — Privacy Policy

Privacy Policy

Last updated: May 2025 · Electronic Finance OÜ (eFinance)

Contents

  1. Who We Are
  2. What Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Sharing with Third Parties
  6. Retention
  7. Your Rights (GDPR)
  8. Cookies
  9. Security
  10. Changes to This Policy
  11. Contact and DPO

1. Who We Are

Electronic Finance OÜ, trading as eFinance (registration no. 11254843, FIU licence FIU000311), is the data controller responsible for personal data collected through this website and in the course of providing our services. Our registered address is Tornimäe tn 5, 10145 Tallinn, Estonia.

This Privacy Policy explains how we collect, use, store and protect your personal data, and sets out your rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act.

2. What Data We Collect

2.1 Data you provide directly

  • Identity data: full name, date of birth or personal identification code, nationality, copies of identity documents (required for KYC/AML compliance);
  • Contact data: email address, phone number, postal address;
  • Business data: company name, registration number, VAT number, business activity description;
  • Financial data: payment information, bank account details (where relevant to the service);
  • Communication data: correspondence, enquiries, and any other content you submit to us.

2.2 Data collected automatically

  • Log data: IP address, browser type and version, pages visited, timestamps, referral URL;
  • Device data: device type, operating system, unique device identifiers;
  • Cookie and usage data — see section 8.

3. How We Use Your Data

We use your personal data to:

  • Provide, manage and administer the services you have requested;
  • Carry out identity verification and due diligence as required by law;
  • Issue invoices and process payments;
  • Communicate with you about your account, services, or enquiries;
  • Send service-related updates and, where you have consented, our newsletter;
  • Comply with legal and regulatory obligations, including tax, AML and FIU reporting requirements;
  • Improve and develop our website and services (using anonymised or aggregated data where possible).

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide our services or to take pre-contractual steps at your request;
  • Legal obligation (Art. 6(1)(c)): processing required to comply with AML, tax, licensing or other statutory requirements;
  • Legitimate interests (Art. 6(1)(f)): improving our services, fraud prevention, and direct marketing to existing clients (with opt-out available);
  • Consent (Art. 6(1)(a)): newsletter subscription and non-essential cookies (where consent is obtained).

Where we process sensitive personal data (Art. 9 GDPR), we rely on explicit consent or a relevant legal obligation.

5. Sharing with Third Parties

We do not sell your personal data. We may share it with:

  • Service providers acting as data processors (e.g. cloud hosting, accounting software, email delivery) — bound by data processing agreements;
  • Regulatory authorities including the Estonian Financial Intelligence Unit (FIU), Tax and Customs Board (EMTA), and Business Register, where required by law;
  • Banks and payment processors in connection with account opening or payment processing assistance;
  • Professional advisers (lawyers, auditors) under confidentiality obligations;
  • Successors in the event of a merger, acquisition, or sale of assets — you will be notified in advance.

All personal data is stored and processed within the European Economic Area (EEA). Where any transfer outside the EEA is necessary, we ensure appropriate safeguards (e.g. Standard Contractual Clauses) are in place.

6. Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, and in any event for the minimum periods required by law:

  • Client and KYC records: 5 years after the end of the business relationship (AML Act requirement);
  • Accounting and tax records: 7 years (Estonian Accounting Act);
  • Contact and correspondence data: 3 years after last contact;
  • Newsletter subscription data: until you unsubscribe.

After the applicable retention period, data is securely deleted or anonymised.

7. Your Rights under GDPR

As a data subject, you have the following rights. You can exercise any of these by contacting us. We will respond within 30 days.

Right of accessRequest a copy of the personal data we hold about you (Art. 15 GDPR).
Right to rectificationAsk us to correct inaccurate or incomplete data (Art. 16 GDPR).
Right to erasureRequest deletion of your data where there is no lawful basis to retain it (Art. 17 GDPR).
Right to restrictionAsk us to restrict processing in certain circumstances (Art. 18 GDPR).
Right to portabilityReceive your data in a structured, machine-readable format (Art. 20 GDPR).
Right to objectObject to processing based on legitimate interests or for direct marketing (Art. 21 GDPR).
Withdraw consentWhere processing is based on consent, you may withdraw it at any time without affecting prior processing.
Right to complainLodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn.

8. Cookies

We use cookies and similar technologies to operate our website and understand how visitors use it. Cookies are small text files stored on your device.

We use the following categories of cookies:

  • Strictly necessary: required for the website to function (e.g. session management). These cannot be disabled.
  • Analytics: help us understand visitor behaviour (e.g. pages visited, time on site) using aggregated, anonymised data. These are only set with your consent.

You can control cookies through your browser settings. Disabling analytics cookies does not affect your use of the site.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or destruction. These include encrypted data transmission (HTTPS), access controls, and regular security reviews.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours and, where required, inform affected individuals without undue delay.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice on our website at least 14 days before the changes take effect. The current version is always available at this URL.

11. Contact and Data Protection Officer

For any questions about this Privacy Policy, to exercise your rights, or to report a concern, please contact us:

  • Contact: Send us a message
  • Address: Electronic Finance OÜ, Tornimäe tn 5, 10145 Tallinn, Estonia
  • Business hours: Monday–Friday, 09:00–17:00 (EET/EEST)

You also have the right to lodge a complaint with the supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), Tatari 39, 10134 Tallinn.