Fyyra logo

Privacy policy

Fyyra Corporate Finance Oy Date: 9 February 2026 Version: v1.0

1. Data Controller

Fyyra Corporate Finance Oy Business ID: 3561607-5 Address: Ohjelmakaari 10, 40500 Jyväskylä, Finland Contact person for data protection matters: Tuomas Laukkala, CEO Email: tuomas.laukkala@fyyra.fi Phone: +358 40 5764 631

2. Data Subjects and General Description of Processing

Fyyra Corporate Finance Oy processes personal data for the purposes of providing M&A advisory services, managing client relationships, and conducting business-to-business marketing. Personal data is processed in respect of the following categories of data subjects:

  • representatives of prospective client companies
  • shareholders and contact persons of client companies

3. Personal Data Processed

3.1 Prospective client companies

Personal data is collected from public sources (e.g. company websites, business registers).

Data processed:

  • name
  • phone number
  • email address
  • position or role within the company

3.2 Client companies (engagements)

The data processed may include:

  • Shareholder remuneration data: information on salaries and benefits that is necessary for carrying out engagements (e.g. assessing the market conformity of salaries and adjusting the company’s profitability)
  • Identification and contact details of shareholders and contact persons:
    • name
    • address
    • phone number
    • email address
    • date of birth

Personal identity codes (henkilötunnus) are not requested. If a personal identity code is inadvertently submitted as part of the material, it is redacted and not stored.

4. Purposes of Processing

Personal data is processed for the following purposes:

  • providing M&A advisory services and carrying out engagements
  • managing client relationships and communications
  • B2B marketing to prospective client companies (by email and phone)

5. Legal Bases for Processing

The processing of personal data is based on:

  • the performance of a contract or pre-contractual measures
  • the legitimate interest of the controller (managing client relationships and B2B marketing)
  • a statutory obligation (e.g. customer identification and anti-money laundering legislation)

6. Sources of Data

Personal data is obtained from:

  • the data subjects themselves
  • client companies in connection with engagements
  • public sources (e.g. business registers, websites)

When personal data is collected from public sources (e.g. company websites, business registers), the data subject is informed of this privacy policy at the latest at the time of the first contact.

7. Recipients and Disclosures of Personal Data

Personal data is processed by:

  • the personnel of Fyyra Corporate Finance Oy to the extent required by their duties
  • service providers used by the company (e.g. payroll and occupational health services) that process the data on behalf of the company, and
  • the company’s IT and system suppliers as well as cloud service providers (e.g. email, file management, and customer relationship management systems)

Data is not disclosed to third parties unless there is a statutory obligation to do so.

8. Transfers of Data Outside the EU/EEA

Personal data is not transferred outside the EU or EEA without the safeguards required by law.

9. Retention Periods

Retention periods by category:

  • Contact details of representatives of prospective client companies are retained for as long as marketing is relevant, however no longer than 3 years from the most recent contact, unless the data subject objects to processing earlier.
  • Personal data and materials relating to engagements are retained for the duration of the engagement and thereafter for 5 years following the conclusion of the engagement (e.g. to address contractual liabilities and any complaints), and longer if required by law.

Personal data is retained only for as long as is necessary to fulfil the purposes of processing or to comply with statutory obligations. Thereafter, the data is deleted or anonymised.

10. Rights of the Data Subject

The data subject has the right to:

  • access the personal data concerning them
  • request the rectification of inaccurate data
  • request the erasure of data in accordance with applicable law
  • object to processing based on the controller’s legitimate interest (e.g. B2B marketing)
  • request restriction of processing
  • lodge a complaint with the Office of the Data Protection Ombudsman, and
  • request the transfer of data concerning them from one system to another, insofar as the processing is based on a contract and is automated.

Requests should be addressed to the controller using the contact details set out in Section 1.

11. Data Security

Personal data is protected by appropriate technical and organisational measures. Access to the data is restricted to those persons and service providers who are entitled to it on the basis of their duties.

12. Automated Decision-Making and Profiling

Data subjects are not subject to automated decision-making or profiling within the meaning of the GDPR.

13. Provision of Data and Possible Consequences

The data requested for the performance of client engagements is largely necessary for the performance of the contract. If the required data is not provided, the engagement may not be feasible or may be delayed.