Privacy Policy
Last updated: January 3, 2026
1. Data Controller
Fidemus Oy
Business ID: 2866937-1
Address: Helsinki, Finland
Email: privacy@fidemus.fi
Website: www.fidemus.fi
Fidemus Oy (“we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy rights in accordance with the EU General Data Protection Regulation (GDPR) 2016/679 and the Finnish Data Protection Act (1050/2018).
2. Scope and Principles
This privacy policy explains how we collect, process, store, and protect personal data when you use our services, visit our website, or communicate with us. We process all personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency
- Purpose limitation and data minimization
- Accuracy and storage limitation
- Integrity and confidentiality
- Accountability
3. Personal Data We Collect
We collect and process the following categories of personal data:
Contact Information:
- Name, email address, phone number, company name, job title
- Professional contact details provided voluntarily through website forms or email communication
Technical Data:
- IP addresses, browser type, device information, and usage data collected automatically through website analytics
- Cookies and similar technologies (see Section 9)
Communication Data:
- Content of email correspondence, meeting notes, and service-related communications
- Feedback and inquiries submitted through contact forms
Service Delivery Data:
- Project-specific information necessary for AI advisory, GDPR compliance consulting, or developer resource services
- Documentation and deliverables created during service engagement
Referral and Partner Network Data:
- Contact information and business context when referring clients to partner service providers
- Project requirements and scope information necessary for partner matching and service delivery assessment
We do not collect special categories of personal data (sensitive data concerning health, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation) unless explicitly required for specific service delivery and with your explicit consent.
4. Legal Basis and Purpose of Processing
We process personal data on the following legal grounds under Article 6(1) GDPR:
| Purpose | Legal Basis |
| --- | --- |
| Responding to inquiries and service requests | Legitimate interest (Article 6(1)(f)) |
| Contract negotiation and service delivery | Contract performance (Article 6(1)(b)) |
| Client relationship management | Legitimate interest (Article 6(1)(f)) |
| Legal and regulatory compliance | Legal obligation (Article 6(1)(c)) |
| Website analytics and improvement | Legitimate interest (Article 6(1)(f)) with consent for non-essential cookies |
| Marketing communications | Consent (Article 6(1)(a)) or legitimate interest for existing clients |
| Partner referrals and lead sharing | Consent (Article 6(1)(a)) or legitimate interest with transparency (Article 6(1)(f)) |
5. Data Sources
Personal data is collected from the following sources:
- Directly from you: Through website contact forms, email communication, phone calls, meetings, and service engagements
- Automatically: Through website analytics tools and cookies when you visit our website
- Third parties: Business partners or referral sources who introduce you to our services (with appropriate consent mechanisms)
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law:
- Active client data: Duration of service engagement plus 6 years for accounting and tax compliance purposes
- Inquiry and contact data: 24 months from last contact, unless converted to a client relationship
- Marketing consent data: Until consent is withdrawn or after 3 years of inactivity
- Partner referral data: 12 months from referral date or until project completion
- Website analytics data: 26 months maximum
- Legal obligations: As required by Finnish accounting, tax, and other applicable legislation
Data is securely deleted or anonymized after the retention period expires.
7. Data Recipients and Transfers
We may share your personal data with the following categories of recipients, where necessary:
Service Providers:
- Cloud hosting providers (EU-based servers)
- Email service providers and communication platforms
- Analytics and website optimization tools
- Payment processors (for invoicing and transactions)
Business Partners and Subcontractors:
- Trusted partner network and subcontractors who deliver services on our behalf or to whom we refer clients based on your specific needs
- Partners receive only data necessary for service delivery evaluation and engagement
- All partners are vetted and bound by appropriate Data Processing Agreements (Article 28 GDPR)
- Your explicit consent is obtained before sharing your data with specific partners
- We maintain a record of all data transfers to partners
Legal Requirements:
- Public authorities, regulators, or law enforcement when required by law
Professional Advisors:
- Legal counsel, auditors, and insurance providers under confidentiality obligations
We do not sell or rent your personal data to third parties. When engaging service providers or partners, we ensure appropriate data processing agreements are in place in accordance with Article 28 GDPR.
International Transfers:
When personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards through one or more of the following mechanisms:
- EU-US Data Privacy Framework (Privacy Shield 2.0): For transfers to certified US organizations
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses adopted on June 4, 2021, ensuring GDPR-level protection
- Transfer Impact Assessment (TIA): Case-by-case assessment of the recipient country’s data protection laws and additional safeguards as required by the Schrems II judgment
- Adequacy Decisions: Transfers to countries with EU Commission adequacy decisions
Specific US Partner Transfers:
One of our trusted partners is located in the United States. For data transfers to this partner:
- We utilize the EU-US Data Privacy Framework and/or Standard Contractual Clauses (2021 version)
- We have conducted Transfer Impact Assessments to ensure an adequate level of protection
- We implement supplementary measures where necessary to address potential risks
- Your explicit consent is obtained before any data transfer occurs
- You have the right to refuse or withdraw consent for such transfers
8. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and updates
- Staff training on data protection obligations
- Incident response and breach notification procedures
- Secure data transfer protocols for partner communications
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. Essential cookies are necessary for website functionality, while non-essential cookies (analytics, marketing) require your consent.
You can manage cookie preferences through our cookie banner or browser settings. For detailed information, please see our separate Cookie Policy.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): Request confirmation and copies of personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to erasure (Article 17): Request deletion of your data under certain circumstances (“right to be forgotten”)
- Right to restriction (Article 18): Request limitation of processing in specific situations
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, including consent for partner data sharing
- Right to lodge a complaint: File a complaint with the Finnish Data Protection Ombudsman
To exercise your rights, please contact us at privacy@fidemus.fi. We will respond to your request within one month.
11. Automated Decision-Making
We do not, in any case, use automated profiling that produces legal effects concerning you or similarly significantly affects you.
12. Changes to This Privacy Policy
We may update this privacy policy periodically to reflect changes in our practices or legal requirements. The “Last updated” date at the top indicates when changes were last made. Significant changes will be communicated via email or website notice.
13. Supervisory Authority
Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)
Office of the Data Protection Ombudsman
P.O. Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja@om.fi
Website: https://tietosuoja.fi
14. Contact Us
For questions, concerns, or requests regarding this privacy policy or our data processing practices, please contact:
Fidemus Oy
Email: privacy@fidemus.fi
We are committed to resolving privacy concerns promptly and transparently.