Truster Terms of Service
Last updated
February 18, 2026

Privacy policy

The original text is in Finnish and is therefore an automatic translation. In case of discrepancies between the language versions, the Finnish version is authentic.

General

This Privacy Notice provides information on the processing of personal data required by the EU General Data Protection Regulation to data subjects, such as customers or staff of the controller, and to the supervisory authority.

Controller and contact details of the controller

Truster Limited liability company

Postal address: P.O. Box 313, 00101, Helsinki, Finland

Visiting address: Mikonkatu 13, 00100 Helsinki, Finland

Contact person of the controller: data protection officer

Phone number: 050 1856

E-mail address:truster

Contact details of the Data Protection Officer

Truster Oy's Data Protection Officer

Truster Limited liability company

Postal address: P.O. Box 313, 00101, Helsinki, Finland

E-mail address:truster

Registered at

This is the customer register of Truster Oy. The data subjects of the register are the users of the services of Truster Oy and its subsidiaries.

Purposes of the processing of personal data

The purposes for which personal data are processed are

  • customer relationship management and development and customer service
  • customer communication 
  • provision and development of services
  • business development 
  • monitoring the use of products and services and ensuring their quality
  • direct marketing and direct mail
  • targeting of marketing and advertising
  • risk management
  • preventing and detecting irregularities
  • fulfilment of legal and regulatory obligations
  • Implementation of account information service (AIS). The Service may offer a product where the user connects their bank and/or payment account to the Service via a secure connection using the account information service. In this case, personal data (including account transaction data and balance data) is processed for the purpose of providing the Service, for example for accounting, reconciliation, identification and allocation of business transactions, and reporting.

Knowing your customer and preventing money laundering and terrorist financing

The data subject's identifying information and personal data may be used for the prevention, detection and investigation of money laundering and terrorist financing and for other purposes required by money laundering legislation. The aim is to know the customer and to prevent money laundering, terrorist financing and abuse. 

The personal data of the data subject may also be used to determine whether the data subject is subject to international sanctions imposed by the controller.

Legal grounds for processing personal data

Truster processes personal data in order to fulfill its legal and contractual obligations. The processing of personal data may be based on a contractual relationship or measures prior to entering into a contract, the controller's legal obligation, the data subject's consent, or the controller's legitimate interest.

Personal data groups

Basic information

  • Name, personal identification number and account number of the data subject
  • Contact details of the data subject, such as address, email address, telephone number

Contact details

  • Customer identification information, such as a copy of your ID card, the method and date of identification, IP address, video recording or photograph and the date of the video recording or photograph.
  • Whether the customer is a politically exposed person (PEP), or whether PEPs are part of his or her immediate family.

Consents

  • Consents and prohibitions to the processing of personal data given by the data subject

Contact details

  • Data relating to the contracts and services of the data subject
  • Information relating to communications between the customer and the controller

Monitoring data

  • The data subject's online behaviour and use of services is monitored, for example, by means of cookies. The information collected may include the page the user browses, device model, unique device and/or cookie identifier, channel such as an app, mobile browser or internet browser, browser version, IP address, session ID, session time and duration, screen resolution and operating system.

Location information

  • The location of the registered device and the trip data added to the app, such as the starting and stopping points of trips and GPS coordinates.

Account information (AIS / account information service)

  • If the data subject connects their bank and/or payment account to the Service using the account information service, the following data may be processed to the extent that it is provided by the account manager: basic account information (e.g., account number/IBAN, bank/account manager, and currency), balance information (account balance and balance date), and account transaction information (transaction date and/or entry date, amount, reference and message details, payment type, payer or payee name and account identifier to the extent that the information is available, unique transaction identifier, and other transaction details provided by the account manager).

Sources and updating of personal data

The controller collects data primarily from the data subject. Personal data may also be collected when the data subject uses services provided by the controller, such as online services.

To the extent permitted by law, personal data may also be collected and updated from third party registers, such as:

  • from registers maintained by public authorities, such as the National Board of Digital and Population Information, the Tax Administration and the registers maintained by the PRH.
  • information necessary to investigate political influence or international financial sanctions from the operators of such databases.
  • Account information can be obtained from the bank selected by the registered user or from another account manager via the account information service when the registered user connects their account to the service.

Disclosure of personal data

To the extent permitted by law, the data subject's data may be disclosed to Truster's subsidiaries for purposes such as customer service, customer relationship management and marketing. 

Within the limits permitted by law, the data of the data subject may be disclosed to other data controllers, for example:

  • authorities such as the Tax Administration, the PRH and the Enforcement, Enforcement and Supervision Authority
  • to another controller where it is part of a service or product being provided 
  • In order to implement the account information service, personal data may be processed by a service provider acting on behalf of Truster. In addition, banks and other account managers submit account information to the service via the technical interfaces of the account information service based on the connection made by the data subject.

The controller uses subcontractors and partners to produce and provide services. For example, your personal data may be transferred to partners, service providers and IT system providers for processing on behalf of the controller. The controller will ensure through contractual and other arrangements that subcontractors and service providers protect the personal data processed in an appropriate manner and in accordance with the requirements set by the controller, in compliance with good data processing practices.

Transfer of personal data and international data transfers

The controller processes personal data mainly in Finland and the EEA. Where the controller transfers or discloses personal data outside the EEA, such as to the United States, it will ensure an adequate level of protection of personal data as required by law and will use data transfer mechanisms approved by the European Commission.

Rights of the data subject

Right to be informed about the processing of personal data

Data subjects have the right to be informed about the collection and processing of their personal data.

Right of access to data

The data subject has the right to obtain confirmation from the controller as to whether the controller is processing personal data concerning him or her. If the data subject's data are processed, the controller shall, upon request, provide the data subject with a copy of the personal data processed. If the data subject makes a request by electronic means, the data shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The controller may charge the data subject a reasonable fee, corresponding to the administrative costs of responding to the request, if the data subject requests more than one copy of the data.

Right to rectify information

The data subject has the right to request that the controller rectify inaccurate or erroneous personal data concerning him or her. The data subject also has the right to have incomplete personal data completed.

Right to request deletion of data

In certain situations, the data subject has the right to have the controller delete data concerning him or her. However, the controller is not obliged to delete personal data if the processing of the data is still necessary, for example, to fulfill the controller's legal obligations or to handle legal claims. If the data subject has linked their account to the service using the account information service, the account information link can be deleted in the service or using the methods provided by the account manager. Removing or expiring the connection may affect the functionality of the service to the extent that account information is needed to provide the service. In certain situations, the data subject may also request the controller to restrict the processing of personal data concerning him or her.

Data retention period or criteria for determining the retention period

The controller processes personal data for the duration of the contract and customer relationship. Personal data is stored for a maximum of 5 years from the last customer transaction. After the storage period has expired, the data is deleted or anonymized in accordance with the deletion process followed by the controller. The controller processes personal data for the duration of the contract and customer relationship. Personal data is stored for a maximum of 10 years from the last customer event. After the storage period has expired, the data is deleted or anonymized in accordance with the deletion process followed by the controller.

Protecting your data

The controller has appropriate technical, organisational and administrative security procedures in place to protect all data in its possession against loss, misuse, unauthorised access, disclosure, alteration and destruction.

The controller has put in place appropriate technical and organisational measures to protect the data. The means used to protect the register include:

  • hardware and file protection
  • identification of users
  • access rights
  • registration of use events
  • guidance and supervision of processing
