| Documentation Level | Policy |
| Classification | Public |
| Version | 1.1 / January 2026 |
| Owner | Head of Legal |
| Approved | Information Risk Committee, 23 January 2026 |
| Applies to | Allshares Oy and its subsidiaries, together referred to below as "Allshares" or the "Group". |
| Valid | From 23 January 2026 |
| Previous approved version | 1.0 |
| Distribution | Allshares website |
1. PURPOSE AND SCOPE
This Privacy Policy outlines how Allshares collect, use, and disclose Personal Data received from clients (or otherwise processed by Allshares as a processor) to provide Services.
It's important to note that this Policy does not supersede or amend the personal data protection terms and conditions found in Service Agreements (including data processing agreements) between Allshares and its clients, and such agreements prevail over this Policy.
For Personal Data collected, used, and processed through your use of Allshares websites (excluding dedicated web portals or mobile apps for Service access) and Publicly sourced Personal Data, please refer to the Allshares Public Privacy Policy, not this document.
2. DEFINITIONS
The capitalized words have the following meaning in this Policy:
- Allshares (we): Refers to the Allshares company that has entered into a Service Agreement with you, including its affiliates.
- Client (you): Refers to the legal entity that has executed a Service Agreement with Allshares.
- Personal Data: Refers to any information relating to an identified or identifiable natural person in the meaning of:
- For data subjects residing within the territory of the European Economic Area (EEA), the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- For data subjects residing in Switzerland, the Swiss Federal Act on Data Protection and related ordinances;
- For data subjects residing in the United Kingdom, the UK Data Protection Act 2018 and the UK GDPR (GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018)
- Publicly sourced Personal Data: Information gathered from company websites, minutes of general meetings, corporate governance notices, compensation policies, incentive reports, and annual reports.
- Service Agreement: The master service agreement established between Allshares and each of its Clients.
- Services: Encompasses cloud platform, software applications, maintenance and support, and other related training or consulting services as outlined in a Service Agreement.
3. SCOPE OF PROCESSING
3.1 Provision of Services
Personal Data may be accessed and used to perform the Services under your order for support, application, cloud or consulting services and to confirm your compliance with the terms of your order. This may include testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; and resolving bugs and other issues you have reported to Allshares. Except replication for the agreed local or geo-redundancy purposes within the cloud infrastructure, any copies of Personal Data created for these purposes are only maintained for time periods relevant to those purposes.
Allshares may also collect information about the use of the Services through electronic communications protocols and cookies, and may automatically receive information as part of the communication connection itself, which often consists of network routing information (where connection came from), equipment information (browser type), IP address and date and time. Collecting this automatic information helps us customize the user experience and increase the Services' functionality. The use of cookies is and remains consistent with the purposes set out in the data processing agreement and/or the personal data protection provisions embedded in the Service Agreements or is derived from the legitimate interest of enabling you to use the Service. Details about cookies are stated in the Cookie Notice.
3.2 Legal Requirements
Allshares may be required to retain or provide access to Personal Data to comply with legally mandated reporting, disclosure or other legal process requirements.
Allshares does not use Personal Data except as stated above or in your order. Allshares may process Personal Data, but does not control your collection or use practices for such data.
If you provide any Personal Data to Allshares, you are responsible for providing any notices and/or obtaining any consent necessary for Allshares to access, use, retain and transfer Personal Data as specified in this Policy and your Service Agreement.
3.3 Subcontractors
When Allshares engages subcontractors to help provide services, their access to Personal Data will align with your Service Agreement and this Services Privacy Policy, as necessary. Allshares is responsible for ensuring these subcontractors adhere to the terms of both this Policy and your Service Agreement.
Our list of approved subprocessors is accessible here. This list may change over the duration of your Service Agreement, and you will be informed of any updates.
4. ACCESS CONTROL
Access to Personal Data within Allshares is governed by job role and responsibility. For data stored in Allshares-hosted systems, access is managed through an access control list and an account management framework. You are responsible for controlling your end users' access to Personal Data. End users and individuals whose Personal Data is processed using Allshares platform solutions should direct any requests regarding their Personal Data to you.
5. SECURITY CONTROLS
Allshares prioritizes the security and confidentiality of your Personal Data through robust technical and organizational measures, designed to prevent unauthorized access. These industry-leading security measures apply across all Services and to all Allshares employees.
We are dedicated to minimizing risks associated with human error, theft, fraud, and misuse of Allshares facilities. Our comprehensive approach includes background checks, ongoing security awareness programs, and employee training on security policies. All Allshares employees are contractually obligated through written confidentiality agreements to maintain the confidentiality of Personal Data and adhere to company policies concerning information protection.
Allshares promptly investigates and responds to any incidents raising suspicion of unauthorized Personal Data handling. Our Chief Privacy Officer and Legal team are informed of such incidents and define escalation paths and response teams as necessary. Should your Personal Data be misappropriated (even by an Allshares employee) or wrongly acquired by a third party, we will notify you in accordance with the provisions of the data processing agreement between you and Allshares.
Upon termination of your service order or expiry of the retention period agreed in the data processing agreement, and unless you instruct otherwise, Personal Data is permanently deleted from the Allshares system, including all cloud environments.
6. INTERNATIONAL TRANSFER
Except with your prior written consent, Allshares will not transfer any Personal Data received from you for the purpose of providing you the Services outside the territory of the Data Center Region you elected for database hosting or outside the territory where other services are to be performed by Allshares as expressly provided for under any contract between you and Allshares. If you have approved transfer of any Personal Data outside EEA, United Kingdom, Switzerland, or outside jurisdictions not benefitting from adequacy decisions issued by the EU, UK, respectively Swiss authorities, please refer to section 8 hereunder.
7. INFORMATION SHARING AND DISCLOSURE
We may share aggregated, non-identifying information and log data with third parties for analysis and other purposes. This information will not contain Personal Data.
Depending on the Services you choose, your Personal Data may be transferred to third parties for hosting or processing. These third parties include IT consulting companies, bound by a subcontracting agreement with Allshares, for the implementation and maintenance of Allshares software. We may also transfer your Personal Data to cloud infrastructure providers for hosting purposes, who are bound by a cloud provider agreement with Allshares.
Under certain circumstances, Allshares may be required to disclose Personal Data in response to valid requests from public authorities, including for national security or law enforcement requirements. Allshares may disclose Personal Data if legally required to do so, for example, in response to a subpoena or request from law enforcement, a court, or a government agency. Such disclosure may also occur if Allshares believes, in good faith, that it is necessary:
- To comply with a legal obligation.
- To protect or defend our rights, interests, or property, or those of third parties.
- To prevent or investigate possible wrongdoing in connection with the Services.
- To act in urgent circumstances to protect the personal safety of users of the Services or the public.
Regarding Personal Data, we will attempt to refer any request for disclosure by public authorities, including those for national security or law enforcement reasons, to our Clients. If legally obligated to do so, Allshares may disclose Personal Data to law enforcement or other government authorities. In such cases, Allshares will notify its Clients of the request unless prohibited by law.
8. CROSSBORDER TRANSFER
Allshares ensures the necessary level of protection for transferred Personal Data by:
- a. Entering into standard contractual clauses approved by the European Commission (for the EU), the UK Information Commissioner's Office (for the UK), and the Swiss Federal Data Protection and Information Commissioner (for Switzerland, for transborder outsourcing of personal data processing). Additionally, specific clauses for transfers from other jurisdictions are included as per the Service Agreement between you and Allshares.
- b. Relying on recognized effective certification mechanisms or an adequacy decision of the relevant authority prior to such transfers.
9. DATA PROCESSOR AND CH-UK REPRESENTATIVES
The data processor, and, to the extent Allshares collects Personal Data, the data controller, in the meaning of the legislation referred to in section 2 is Allshares Oy, a company incorporated under Finnish law, with a registered office at Aleksanterinkatu 13, 3rd floor, 00100 Helsinki, Finland, registered under No. 1882491-3 ("Allshares Oy").
For the purpose of Personal Data processing, Allshares Oy has appointed as its representatives:
- in CH, Allshares Switzerland SA, with offices at 5 Rue de Rive, 1260 Nyon, Switzerland, registered under No. CHE-428.659.231
- in the UK, Allshares UK Limited, with offices at 7 Savoy Court, WC2R 0EZ, Company No. 14692277
10. ACCEPTANCE OF THE POLICY
Allshares may amend this Services Privacy Policy as deemed necessary without prior notification to you. It is your responsibility to verify regularly this Policy to be informed of any changes. Your continued use of the Services after any such changes or after explicitly accepting the new Services Privacy Policy upon using the Services shall constitute your consent to such changes. Notwithstanding the foregoing, any changes to this Policy do not supersede or amend the personal data protection terms and conditions found in Service Agreements (including data processing agreements) between you and Allshares.
11. CONTACTING US
Allshares has appointed a Chief Privacy Officer. Clients who believe that their Personal Data have been used in a way that is not consistent with this Policy, or who have further questions regarding this Policy may contact the Chief Privacy Officer throughout the ticketing system on Allshares platform or send a request by email to privacy@allshares.com.
Data subjects' inquiries should initially be directed to their employer (the data controller). If Allshares' assistance is required to fulfill data subject requests, Clients should use the contact information provided above.
12. VALIDITY AND DOCUMENT MANAGEMENT
The current version of this document is effective as of the last update set out in the Change History.
The owner of this document is the Head of Legal, who checks and, if necessary, updates the document at least once a year.
13. CHANGE HISTORY
| Date | Version | Created by | Description of change |
|---|---|---|---|
| 9 January 2025 | 1.0 | Rosanna Bärnan, Hery Andrianjafy | Basic document outline |
| 23 January 2026 | 1.1 | Rosanna Bärnan, Hery Andrianjafy | Add reference to cookie usage |
