Policy regarding the processing of personal data

1.GENERAL PROVISIONS

      1.1. Nordic Fintech OÜ, registry code 14852907, located at Katusepapi 6-502, 11412 Tallinn, Estonia (Finreport.ai), collects, uses, and transmits personal and/or corporate credit and business information with the objective of aiding both entrepreneurs and private individuals in mitigating financial risks and/or assessing consumer creditworthiness and/or implementing principles of responsible lending.

      1.2 These Principles of Data Processing (the Principles) explain how Finreport.ai Processes Personal Data in its daily economic activities in the ways specified in Clause 1.5 and in other cases, acting as controller or processor according to Clause 1.5.

      1.3. For Finreport.ai, the protection of Personal Data is of utmost importance, thus it Processes Personal Data responsibly, adhering to applicable legal acts, good practice, and the interests, rights, and freedoms of Data Subjects.

      1.4 Finreport.ai has appointed a data protection officer whose contact details are: email address gdpr@finreport.ai; postal address Katusepapi 6-502, 11412 Tallinn, Estonia; phone +372 53666674. Roles of Finreport.ai when Processing Personal Data:

      1.5.1. In the Finreport.ai portal, Finreport.ai Processes Personal Data as an independent controller or as a processor (queries from third-party managed registers where Personal Data is transmitted directly to Finreport.ai following the Data Recipient’s instructions and Finreport.ai transmits them immediately to the Data Recipient, for example, partially from the Tax and Customs Board’s tax debt register).

      1.5.2. In the Finreport.ai portal, Finreport.ai Processes Personal Data according to the service content as an independent controller (Finreport.ai transmits Personal Data to the Data Recipient from its own managed register, e.g., processing of payment default information) or as a processor (queries from third-party managed registers where Personal Data is transmitted directly to Finreport.ai following the Data Recipient’s instructions and Finreport.ai transmits them immediately to the Data Recipient, for example, partially from the Tax and Customs Board’s tax debt register, land register).

      1.5.3. When collecting and mediating payment default information, Finreport.ai Processes Personal Data as an independent controller.

      1.5.4. When creating a credit score, Finreport.ai Processes Personal Data as an independent controller.

      1.5.5. In providing account information service, Finreport.ai Processes Personal Data together with the Data Recipient as joint controllers.

      1.5.6. In providing data transmission services, Finreport.ai Processes Personal Data as an independent controller (Finreport.ai transmits Personal Data from its own managed register to the Data Recipient) or as a processor (queries from third-party managed registers where Personal Data is transmitted directly to Finreport.ai following the Data Recipient’s instructions and Finreport.ai transmits them immediately to the Data Recipient, for example, population register, pension register, partially from the Tax and Customs Board’s tax debt register, land register).

      1.5.7. In recruitment process, Finreport.ai Processes Personal Data as an independent controller.

      1.6. Unless the context implies otherwise, the following apply in the Principles:

      1.6.1. a reference to a person also includes their legal successors and permitted authorised persons;

      1.6.2. a reference to singular words includes plural words and vice versa;

      1.6.3. a reference to a document, including a legal act or contract, also refers to that document’s versions as amended or supplemented over time;

      1.6.4. a reference to a specific Clause or Section refers to that specific clause or section of the Principles;

      1.6.5. a reference to a third party is a reference to any person who is not a Data Subject, Finreport.ai, or an employee of Finreport.ai;

      1.6.6. a reference to payment default information refers to any collection of Personal Dataconcerning an existing or concluded indebtedness (excluding tax debts) of the Data Subject, the conditions for publishing as payment default information have been met, and which Finreport.ai is capable of mediating to Data Recipients;

      1.6.7. a reference to public information refers to information recorded in any way and on any information carrier, obtained or created in the fulfilment of public duties specified in legislation or related legal acts.

      2. DEFINITIONS

      2.1. Unless explicitly stated otherwise in the Principles, the following terms shall have the designated meanings:

      2.1.1. “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation.

      2.1.2. “Data Subject” refers to any identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified, typically through identifiers such as a name, an identification number, location data, or through factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

      2.1.3. “Data Recipient” refers to any person to whom Finreport.ai transmits the Personal Data of a Data Subject, including those defined as Recipients under GDPR.

      2.1.4. “Personal Data” means any information relating to an identified or identifiable natural person (Data Subject).

      2.1.5. “Processing” refers to any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

        3. GENERAL PRINCIPLES

        3.1. Finreport.ai adheres to the Principles, the GDPR, data protection legislation, and other applicable data protection regulations, supervisory authority guidelines, as well as best practices and good business practices in Processing Personal Data.

        3.2. Finreport.ai ensures the integrity, availability, and confidentiality of Personal Data by implementing appropriate organisational and technical measures.

        3.3. Finreport.ai uses only those processors for the Processing of Personal Data who ensure the proper use of security measures and who Process Personal Data in accordance with Finreport.ai instructions and in compliance with legal requirements.

        3.4. Employees of Finreport.ai are required by law and pursuant to their employment or similar agreements to keep confidential any Personal Data they become aware of during the performance of their duties. This confidentiality obligation is indefinite, and employees are liable for breaching this duty. Finreport.ai ensures regular training for its employees on the requirements for Processing and protecting Personal Data.

        3.5. Finreport.ai expects that the Data Subject will also contribute to the secure Processing and protection of their Personal Data, for example, by keeping ID-card passwords confidential, ensuring that the computer used to access Finreport.ai services and products is secure, etc. Finreport.ai is not liable for any consequences if the Data Subject fails to protect their Personal Data diligently.

        3.6. Should the Processing of Personal Data occur based on legitimate interest, it is possible to get acquainted with the legitimate interest assessment by contacting the email address: gdpr@finreport.ai .

        3.7. The rules applicable to Finreport.ai cookies are available on Finreport.ai website.

        4. SOURCES AND TYPES OF PERSONAL DATA PROCESSED

        4.1. Finreport.ai collects Personal Data for specified legitimate purposes and Processes this data in a manner that is consistent with those purposes. The Processing of Personal Data occurs based on the legal basis specified in the GDPR or another basis pursuant to the Principles.

        4.2. The composition of the Personal Data Processed by Finreport.ai depends on the source from which the Personal Data is collected and the purpose for which it is collected, as specified below.

        5. PROCESSING OF PUBLICLY AVAILABLE PERSONAL DATA

        5.1. Finreport.ai receives Personal Data as public information from data providers, commercial register, population register, land register, Official Announcements, and the Tax and Customs Board.

        5.2. The types of Personal Data Processed as public information include:

        5.2.1. personal identification code, name, whether the individual has citizenship, residence permit, and its type and expiration date, the fact of the individual’s death, whether the individuaal is an e-resident;

        5.2.2. existing business and entrepreneurial prohibitions;

        5.2.3. affiliation with a legal entity or a foreign business branch in the following roles: person with the right of representation (e.g., board member, chairman of the board, procurator): role, date of commencement and termination of the role; owner of the legal entity (e.g., shareholder, general partner): role, country of location, date of commencement and termination of the role, type of ownership, size of ownership, and percentage of ownership; member of the supervisory board of the legal entity and chairman of the supervisory board: role, date of commencement and termination of the relationship; other role within a legal entity (e.g., founder, auditor): role, country of location, date of commencement and termination of the role, ultimate beneficial owners (start date, end date, country of location, method of control);

        5.2.4. media coverage about legal entities containing Personal Data;

        5.2.5. official announcements related to the individual: type of announcement, content, start date, end date;

        5.2.6. number of properties, data from the land register (divisions I-IV).

        5.3. Publicly available Personal Data is Processed by Finreport.ai for assessing the creditworthiness, financial reliability, or other trustworthiness (e.g., in a background check in an employment or cooperation relationship, or when applying the KYC principle) of Data Subjects and, in certain cases, related legal entities. The legal basis for Processing depends on the specific service, as detailed below.

        6. Finreport.ai

        6.1. In the Finreport.ai portal, Finreport.ai Processes publicly available Personal Data of Data Subjects and other Personal Data based on the legitimate interest of Data Recipients under GDPR Article 6(1)(f). The purpose of Processing Personal Data in the Finreport.ai portal is to offer Data Recipients the opportunity to assess the creditworthiness, payment ability (financial reliability), or other reliability of Data Subjects (e.g., in a background check in employment or cooperation relationships, or when applying the KYC principle). Data Recipients can use the Processed Personal Data through Finreport.ai to make informed credit and other decisions and to fulfil legal obligations such as consumer creditworthiness assessment and the implementation of responsible lending obligations, the KYC principle, and board members’ due diligence obligations. Finreport.ai has a right to manage such Personal Data and to transmit it to Data Recipients who have a legitimate need and corresponding legitimate interest or other legal basis for the purpose of Processing.

        6.2. Through the Finreport.ai portal, Finreport.ai transmits Personal Data of Data Subjects to Data Recipients in order to enable Data Recipients to assess the creditworthiness of the Data Subjects and/or assist creditor Data Recipients in assessing consumer creditworthiness and implementing obligations of responsible lending and/or for the fulfilment of a contract between the Data Recipient and the Data Subject or to take pre-contractual measures and/or to conduct background checks or apply KYC (Know Your Customer) principles.

        6.3. Types of Data Subjects whose Personal Data is Processed in the Finreport.ai portal:

        6.3.1. Finreport.ai clients who are natural persons and representatives of corporate clients, i.e. natural persons using the portal;

        6.3.2. natural persons whose Personal Data can be obtained by Finreport.ai as public information from public databases and similar sources;

        6.3.3. natural persons whose payment default information is mediated by Finreport.ai.

        6.4. The following Personal Data is Processed in the Finreport.ai portal:

        6.4.1. Personal Data which is Processed as public information as specified in Clause 5.2;

        6.4.2. contact details: email address and/or phone number;

        6.4.3. data related to services: data generated by the Data Subject’s use of the portal or related to such use, e.g., data concerning products and services purchased by the Data Subject, data on invoices issued to the Data Subject, and their content, requests, inquiries, and complaints submitted by the Data Subject;

        6.4.5. data related to payment default information specified in Clause 8.3;

        6.4.6. data associated with visiting the Finreport.ai portal, including data related to payment for services (payer’s name, account number and bank, email address for invoices and reports).

        6.5. In addition, Finreport.ai Processes data from satisfaction surveys of Data Subjects in the Finreport.ai portal both to fulfil contracts and based on legitimate interest. The purpose 4 of using satisfaction survey data is to improve the use of the Finreport.ai portal and the quality of products and services offered on the portal, as well as to develop new products and services.

        7. MEDIATING PAYMENT DEFAULT INFORMATION

        7.1. Finreport,ai Processes payment default information based on the legitimate interest of Data Recipients under GDPR Article 6(1)(f). The legitimate interest of Data Recipients is expressed in that they can assess the creditworthiness or payment ability (financial reliability) of a Data Subject based on payment default information, which helps Data Recipients make informed credit and other decisions and fulfil legal obligations such as assessing consumer creditworthiness and implementing responsible lending obligations. The purpose of Processing payment default information is to assess the creditworthiness of a Data Subject and/or assist creditors in fulfilling their consumer creditworthiness assessment and responsible lending obligations.

        7.2. Finreport,ai clients who have entered into a relevant agreement with Finreport,ai disclose payment defaults to Finreport,ai. Finreport,ai has the right to manage such payment defaults in the payment default register and transmit them to Data Recipients who have a justified need and legal basis to assess the creditworthiness or payment ability (financial reliability) of a Data Subject. If there is payment default information about a Data Subject, its mediation gives the Data Subject a chance not to overextend themselves financially (avoid bankruptcy) and to manage existing loan repayments.

        7.3. Finreport,ai mediates payment default information, please also refer to Clause 1.6.6. Payment default information contains the following Personal Data:

        7.3.1. the name, personal identification number or date of birth of the Data Subject related to the payment default;

        7.3.2. date of start and end and the range of amount of indebtedness underlying the payment default;

        7.3.3. information regarding the origin of the indebtedness.

        7.4. The Data Subject is shown a more detailed description of his/her payment default through the Finreport,ai portal, including the name of the Data Recipient and date of inquiries, the exact amount of the payment default (not range) and other information.

        7.5. Notifying the Data Subjects of information referred to in Article 14(1) and (2) of the GDPR, i.e. the Principles, is done via Finreport,ai website and generally also with payment default notification sent to the Data Subject or through terms and conditions of the agreement or similar Document signed between the creditor and the Data Subject.

        7.6. Payment default information can be mediated through data transmission service, Finreport,ai portal.

        7.7. Finreport,ai mediates payment default information for no more than five years after the breach of the debt obligation has ended.

        8. CREDIT RATING

        8.1. Finreport.ai Processes Personal Data when issuing credit ratings based on the legitimate interest of Data Recipients under GDPR Article 6(1)(f). Data Recipients use the credit rating to assess the creditworthiness or payment ability (financial reliability) or other reliability or insurance risks of a Data Subject, and the credit rating helps Data Recipients make informed credit and other decisions and fulfil legal obligations such as assessing insurance risks and consumer creditworthiness and implementing responsible lending obligations.

        8.2. The purpose of Processing Personal Data for a credit rating is to assess the creditworthiness or payment ability (financial reliability) or other reliability or insurance risks of a Data Subject and/or assist creditors in fulfilling their consumer creditworthiness assessment and responsible lending obligations.

        8.3. Finreport.ai clients who have entered into a relevant agreement with Finreport.ai, and who have a justified need and legal basis, submit requests to Finreport.ai to prepare a credit rating for a Data Subject, after which Finreport.ai Processes Personal Data to create a credit rating for the Data Subject, which Finreport.ai then issues to the Data Recipient. Finreport.ai does not retain the Data Subject’s credit rating as it is not necessary. Finreport.ai only keeps a log of which Data Recipient requested a credit rating for which Data Subject.

        8.4. Credit rating is an algorithm created as a result of statistical analysis aimed at assessing the probability of payment default associated with an individual. There exists a strong correlation between the occurrence of payment defaults and the realisation of insurance risks, hence the outputs of models predicting payment defaults are also used in managing insurance risks. Data which has been observed to have a statistical correlation with the occurrence of payment defaults is used for modelling the probability of payment default.

        8.5. The following Personal Data is Processed in the preparation of the credit rating:

        8.5.1. personal identification number;

        8.5.2. presence of citizenship;

        8.5.3. type and validity of residence permit or right;

        8.5.4. fact of death;

        8.5.5. e-residency;

        8.5.6. data from Official Announcements;

        8.5.7. business and entrepreneurial prohibitions;

        8.5.8. payment default information and claims from the Tax and Customs Board;

        8.5.9. inquiries about the Data Subject;

        8.5.10. related legal entities and the payment behaviour of such legal entities;

        8.5.11. number of properties;

        8.5.12. account information described in Clause

        9. ACCOUNT INFORMATION SERVICE

        9.1. Finreport.ai Processes Personal Data in providing account information service based on the consent of the Data Subject under GDPR Article 6(1)(a). Consent is given by the Data Subject to the Data Recipient via a technical widget of the account information service. The consent can be withdrawn at any time by sending a digitally signed notice to gdpr@finreport.ai. The consent expires when the Personal Data is transmitted to the Data Recipient. Withdrawing consent does not affect the lawfulness of Processing based on consent before its withdrawal. Data Recipients use the account information to assess the creditworthiness or payment ability (financial reliability) or other reliability of a Data Subject, and the account information helps Data Recipients make informed credit and other decisions and fulfil legal obligations such as assessing consumer creditworthiness and implementing responsible lending obligations.

        9.2. Finreport.ai clients, i.e. Data Recipients who have entered into an appropriate agreement with Finreport.ai, submit requests to Finreport.ai to categorise a Data Subject’s account information, after which the Data Recipient directs the Data Subject to give the corresponding consent to Finreport.ai. After such consent, the Data Subject is directed to their bank to give the corresponding consent for the transmission of the Data Subject’s account information to Finreport.ai. Then Finreport.ai categorises this account information and sends it to the Data Recipient.

        9.3. Data Recipients are required to ensure that Data Subjects are aware of their account information being transmitted to Finreport.ai. Data Recipients are obliged to inform Data Subjects about the Processing of their Personal Data by Finreport.ai before using the account information service.

        9.4. In providing the account information service, the Data Subjects whose Personal Data is Processed are Data Recipient’s potential and existing natural person clients who use or wish to use the services or products of the Data Recipient.

        9.5. The following Personal Data is Processed in providing the account information service:

        9.5.1. account information of the person: name and IBAN, type of account, account balance at the time of data retrieval, account currency, volume of transactions, supporting metadata;

        9.5.2. transaction information of the person: metadata of the transaction (type, status, duplicates), date of the transaction, amount of the transaction, currency of the transaction, explanation of the transaction, category of the transaction, accuracy percentage of the category, the other party of the transaction (and the name of the person) and their account information.

        10. OTHER INSTANCES OF PERSONAL DATA PROCESSING

        10.1. Finreport.ai Processes Personal Data also based on a contract, meaning that the Processing of Personal Data is necessary for the performance of a contract to which the Data Subject or another third party is a party, or for the taking steps at the request of the Data Subject or another third party prior to entering into a contract, within the scope of the rights and obligations arising from such a contract (e.g., a service provision contract between Finreport.ai and such other third party, where the Data Subject is a representative) according to GDPR Article 6(1)(b). For the performance or conclusion of a contract, Finreport.ai Processes the following Personal Data:

        10.2.1. personal identification number, name, country, relationship with a legal entity or foreign business entity branches in the following roles: person with representative rights (e.g., board member, chairman of the board, proxy, authorised person), role commencement;

        10.2.2. other Personal Data as per the content of the contract to be concluded or concluded.

        10.3. Finreport.ai also Processes Personal Data for pre-contractual negotiations with job applicants, for the conclusion or preparation of an employment contract, to ensure the suitability of the job applicant’s education, work experience, skills, and personal qualities, according to GDPR Article 6(1)(b).

        10.4. In the recruitment process, Finreport.ai Processes the following Personal Data:

        10.4.1. personal identification number, name, country;

        10.4.2. contact details: email address and/or phone number;

        10.4.3. CV (professional experience and educational path) and documents proving education;

        10.4.4. names, contact details of referees;

        10.4.5. criminal record extract with history (when making a job offer);

        10.4.6. personality tests;

        10.4.7. other Personal Data depending on the position or the individual applicant.

        10.5. Finreport.ai also Processes Personal Data based on legal obligations, i.e. to fulfil a legal obligation applicable on Finreport.ai (e.g., a request by the Data Subject to Finreport.ai regarding the Processing of Personal Data, to which Finreport.ai is legally obliged to respond) according to GDPR Article 6(1)(c). 11.6. In fulfilling a legal obligation, Finreport.ai Processes the following Personal Data:

        10.6.1. name, personal identification number or date of birth;

        10.6.2. contact details: email address and/or phone number;

        10.6.3. details of contracts between the person and Finreport.ai (concluded and terminated contracts, breaches of contract) and data on services used;

        10.6.4. other Personal Data as per the content of the legal obligation.

        10.7. Finreport.ai also Processes Personal Data in the context of other services (e.g., Target, KYC Utility) by transmitting Personal Data to Data Recipients. Such Processing occurs based on the legitimate interests of the Data Recipients according to GDPR Article 6(1)(f). Data Recipients can assess the creditworthiness or payment ability (financial reliability) or other reliability (e.g., applying KYC principles) of the Data Subject or associated company.

        10.8. In the transmission mentioned in Clause

        10.7, the following Personal Data is Processed:

        10.8.1. name, personal identification number or date of birth;

        10.8.2. relationship with a legal entity or foreign business entity branches in the following roles: person with representative rights (e.g., board member, chairman of the board, proxy): role, start date of the relationship, end date of the relationship; owner of a legal entity (e.g., shareholder, partner): role, country of location, start date of the relationship, end date of the relationship, type of ownership, size and percentage of ownership; member and chairperson of the board of a legal entity: role, start date of the relationship, end date of the relationship; other relationships with a legal entity (e.g., founder, auditor): role, country of location, start date of the relationship, end date of the relationship, actual beneficiaries (start date, end date, country of location, method of control).

        10.9. In addition to the above purposes, Finreport.ai Processes Personal Data for the protection of Finreport.ai violated or disputed rights, for the exercise of Finreport.ai rights in connection with legal claims, their proof, and defense in court or out of court. Processing occurs either based on Finreport.ai legitimate interest or for the performance of a contract with the Data Subject.

        10.10. For sending marketing offers and communications, including newsletters, Finreport.ai uses the email addresses and/or mobile phone numbers of Data Subjects, if the Data Subject has given consent under the conditions specified in the legislation pursuant to GDPR Article 6(1)(a). The Data Subject may withdraw consent at any time. Upon withdrawal of consent, Finreport.ai will cease using the Personal Data of the Data Subject for marketing purposes. The withdrawal of consent does not affect the lawfulness of the Processing of Personal Data based on consent before its withdrawal.

        11. PROFILING

        11.1. Profile analysis is automated Processing of Personal Data used to assess certain personal characteristics of the Data Subject. Finreport.ai profiles Data Subjects for the purposes of identifying actual beneficiaries and preparing credit ratings.

        11.2. For profiling, Finreport.ai uses the Personal Data indicated in Clauses 8.5 and 9.5, and the Personal Data of direct and indirect owners of legal entities mentioned in Clause 5.2.4. Such data Processing occurs based on Finreport.ai legitimate interest according to GDPR Article 6(1)(f), which is manifested in that Finreport.ai can provide its clients with the most accurate possible identification of actual beneficiaries and preparation of credit ratings.

        12. TRANSMISSION OF PERSONAL DATA BY FINREPORT.AI

        12.1. Finreport.ai transmits Personal Data:

        12.1.1. in response to inquiries and as part of reports to its clients – for use in assessing creditworthiness and other types of reliability;

        12.1.2. to public authorities and officials (e.g., law enforcement agencies, courts, regulatory bodies, enforcement officers, notary offices, tax administrators, bankruptcy administrators, etc.) – for the fulfilment of their legal obligations;

        12.1.3. in cases of assignment of claims to a new creditor;

        12.1.4. to Finreport.ai authorised processors.

        12.2. Finreport.ai authorised processors are Finreport.ai partners who provide services such as accounting and billing management, archiving services, auditing services, legal or financial consulting services, debt collection services, and IT support and maintenance. An authorised processor is entitled to carry out Processing operations only with respect to that Personal Data and to the extent that Finreport.ai has authorised the processor.

        12.3. Should the need arise to transmit data to third countries, Finreport.ai will adhere to the requirements set forth in the GDPR and other applicable legislation.

        13. RETENTION PERIOD FOR PERSONAL DATA

        13.1. Finreport.ai Processes Personal Data as long as it is necessary to achieve the Processing purposes and there is a legal basis for it. Data obtained from public registries are retained by Finreport.ai as long as this data is accessible from the public registry. Official Announcements are retained by Finreport.ai until they are archived in the Official Announcements portal.

        13.2. When data is no longer actively used, Finreport.ai retains them for an additional 3+1 years based on Finreport.ai legitimate interest, following the usual three-year statute of limitations for claims, plus an additional year to ensure the availability of data, as Finreport.ai may not immediately be aware of a claim being filed.

        13.3. Data Subjects can obtain additional information about the retention periods for their data by sending an inquiry to: gdpr@finreport.ai.

        14. DATA SUBJECT RIGHTS RELATED TO THE PROCESSING OF THEIR PERSONAL DATA

        14.1. The Data Subject has the right to:

        14.1.1. obtain information from Finreport.ai as to whether their Personal Data is being Processed, and if so, gain access to such Personal Data in accordance with the procedures and extents set forth in legislation and the Principles, including obtaining a copy of the Personal Data;

        14.1.2. request correction of their Personal Data if it is insufficient, incomplete, or incorrect;

        14.1.3. request deletion of their Personal Data in cases and extents specified in legislation and the Principles, for example, if Finreport.ai lacks legal basis to Process such Personal Data or if the Personal Data is Processed based on the Data Subject’s consent and the Data Subject has withdrawn their consent. This right does not apply if the Personal Data requested for deletion is also Processed on other legal bases, such as for contract performance. If Processing is based on legitimate interest, the Data Subject has the right to object, after which Finreport.ai will assess whether there is a legitimate reason for Processing or if such Personal Data must be deleted;

        14.1.4. restrict Processing of their Personal Data in the manner and extent prescribed by legislation, for example, while Finreport.ai assesses whether the Data Subject has a right to have their Personal Data deleted;

        14.1.5. receive their Personal Data, which the Data Subject has provided to Finreport.ai and which is Processed based on consent or for the performance of a contract, in a commonly used machine-readable format, and, if technically feasible, to have that Personal Data transmitted to another data controller (data portability);

        14.1.6. object to the Processing of their Personal Data, including to profiling, where Processing is based on legitimate interests. In such cases, Finreport.ai will cease Processing the Data Subject’s Personal Data, unless Finreport.ai legitimate interests override the potential infringement on the Data Subject’s interests, rights, and freedoms;

        14.1.7. demand cessation of their Personal Data Processing if such Processing is unlawful, meaning that Finreport.ai lacks a legal basis for Processing Personal Data;

        14.1.8. withdraw their consent for the Processing of their Personal Data;

        14.1.9. file a complaint with Finreport.ai about the Processing of Personal Data if the Data Subject believes that the Processing infringes their interests, fundamental rights, and freedoms;

        14.1.10. file a complaint regarding the Processing of Personal Data with the Data Protection Inspectorate (website: www.aki.ee) or approach a competent court if the Data Subject believes that the Processing of their Personal Data violates their rights and interests.

        14.2. To exercise their rights, the Data Subject may contact Finreport.ai by sending their inquiry, request, or complaint to the email address gdpr@finreport.ai in a manner that allows the Data Subject to be identified, or by using the Finreport.ai portal. Finreport.ai shall respond to the Data Subject without delay, but no later than one month from the receipt of the inquiry. If further verification or clarification of facts is needed before responding to the Data Subject, Finreport.ai may extend the response time, informing the Data Subject in advance.

        15. AMENDING THE PRINCIPLES

        15.1 Finreport.ai may unilaterally amend these Principles. Finreport.ai will notify Data Subjects and other persons of changes to the Principles via Finreport.ai website , where the new version of the Principles will be published. Finreport.ai does not provide advance notice of such amendments.