Privacy Policy
How HM Kapital OÜ collects, processes, stores, and protects personal data under the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and applicable AML/CTF and DORA frameworks.
1. Introduction and Scope
1.1 Purpose of this Policy
This Privacy Policy ("Policy") describes how HM KAPITAL OÜ ("HM Kapital", "we", "us", or "our") collects, processes, stores, transfers, and otherwise handles personal data of clients, prospective clients, website visitors, business counterparties, and other natural persons whose data is processed in the course of our business activities.
This Policy is issued in accordance with the transparency and information obligations set forth in Articles 12, 13, and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), and the Estonian Isikuandmete kaitse seadus (Personal Data Protection Act, 2018) ("IKS").
1.2 Applicability
This Policy applies to all personal data processing operations carried out by HM Kapital in the provision of:
- Fintech advisory services;
- Investment advisory services covering foreign exchange (FX), equities, fixed income, digital assets, and capital markets transactions;
- Pre-contractual due diligence and onboarding;
- B2B engagement with founders, investors, and financial enterprises across the European Union and the European Economic Area (EEA).
This Policy also applies to data collected via the website hmkapital.ee and any related digital communications.
2. Identity and Contact Details of the Controller
In accordance with Article 4(7) and Article 13(1)(a) GDPR, the data controller responsible for the processing of your personal data is:
- Legal name: HM KAPITAL OÜ
- Registration number: 11639834
- Registered office: Veskiposti 2, 10138 Tallinn, Estonia
- Telephone: +372 6415 000
- Email: info@hmkapital.ee
- Website: https://hmkapital.ee
2.1 Privacy Contact Point
HM Kapital has not formally designated a Data Protection Officer ("DPO") within the meaning of Article 37 GDPR, as our processing activities do not meet the mandatory designation thresholds set out therein. Nevertheless, we maintain a dedicated privacy contact point for all data protection matters:
- Email for privacy queries: info@hmkapital.ee (subject line: "Data Protection")
- Postal: HM KAPITAL OÜ — Data Protection, Veskiposti 2, 10138 Tallinn, Estonia
We will respond to all substantive privacy requests in accordance with the timelines prescribed in Article 12(3) GDPR.
3. Categories of Personal Data Processed
We process the following categories of personal data, classified by source pursuant to Articles 13 and 14 GDPR.
3.1 Data Collected Directly from the Data Subject
When you engage with us as a client, prospect, counterparty, or website user, we may collect:
- Identification data: full name, date of birth, nationality, government-issued identification numbers (e.g., personal identification code, passport number);
- Contact data: business and personal email addresses, telephone numbers, postal addresses;
- Professional data: job title, employer, role within a legal entity, professional qualifications, ultimate beneficial ownership (UBO) status;
- Financial and investment profile data: source of funds, source of wealth, investment objectives, risk tolerance, investor classification (retail, professional, eligible counterparty), portfolio composition;
- Engagement data: correspondence, meeting notes, contract documentation, transaction instructions, advisory mandates;
- Marketing preferences: consents granted or withdrawn, communication channel preferences.
3.2 Data Collected Automatically
When you access the website or our digital infrastructure, we automatically process certain technical data:
- Device and connection data: IP address, device identifiers, browser type and version, operating system, screen resolution, language settings;
- Usage data: pages visited, time and duration of visits, referring URLs, click paths, session identifiers;
- Cookies and similar technologies: as further described in Section 16 and in our separate Cookies Policy.
3.3 Data Obtained from Third Parties
We may lawfully obtain personal data from third-party sources, including:
- Public commercial and business registries (e.g., the Estonian Commercial Register / Äriregister, EU equivalents);
- Sanctions, politically exposed person (PEP), and adverse media screening providers used for AML/CTF compliance;
- Credit reference agencies and corporate due diligence databases;
- Referrals from existing clients, intermediaries, or business partners;
- Public sources such as LinkedIn or professional directories where you have made data publicly available.
3.4 Special Categories of Personal Data (Article 9 GDPR)
HM Kapital does not knowingly or deliberately collect special categories of personal data within the meaning of Article 9(1) GDPR (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation). Should any such data be incidentally disclosed to us, we will minimise its retention and processing in accordance with Article 5(1)(c) GDPR.
3.5 Data Relating to Criminal Convictions (Article 10 GDPR)
In the context of mandatory AML/CTF screening, we may process data concerning criminal convictions and offences solely to the extent strictly necessary to comply with our statutory obligations under the Rahapesu ja terrorismi rahastamise tõkestamise seadus (Money Laundering and Terrorist Financing Prevention Act, 2017) ("RahaPTS").
4. Purposes of Processing and Legal Bases
For each processing purpose, the corresponding legal basis under Article 6(1) GDPR is identified below.
4.1 Pre-Engagement Due Diligence and KYC
- Purpose: identity verification, beneficial ownership determination, sanctions and PEP screening, source-of-funds and source-of-wealth assessment, and overall client risk classification prior to onboarding.
- Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation, in particular obligations under the RahaPTS and applicable EU AML directives; and Article 6(1)(b) GDPR — processing necessary for the taking of steps at the request of the data subject prior to entering into a contract.
4.2 Performance of Advisory Engagements
- Purpose: delivery of fintech and investment advisory services, contract administration, transaction execution support, reporting, billing, and ongoing client relationship management.
- Legal basis: Article 6(1)(b) GDPR — performance of a contract to which the data subject is party. Where the contracting party is a legal entity, processing of personal data of its representatives is based on Article 6(1)(f) GDPR — legitimate interest in administering the contractual relationship.
4.3 Compliance with Statutory and Regulatory Obligations
- Purpose: compliance with AML/CTF requirements, record-keeping obligations, regulatory reporting to competent authorities, response to lawful requests from supervisory authorities, courts, and law enforcement, and compliance with the Regulation (EU) 2022/2554 (Digital Operational Resilience Act, "DORA") in respect of ICT risk management and incident reporting, and, where applicable, Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation, "MiCA").
- Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation; in respect of Article 10 data, the additional condition under Estonian law permitting processing for AML purposes.
4.4 B2B Marketing, Outreach, and Business Development
- Purpose: sending market commentary, advisory updates, invitations to events, and tailored business propositions to existing clients, prospective B2B contacts, and professional counterparties.
- Legal basis:
  - Article 6(1)(f) GDPR — legitimate interest in promoting our services to professional audiences within the financial sector, supported by a documented Legitimate Interest Assessment (LIA) weighing our commercial interest against the reasonable expectations and fundamental rights of recipients (purpose test, necessity test, balancing test). Where outreach concerns existing clients regarding similar services, this is further supported by the "soft opt-in" framework under the Estonian Elektroonilise side seadus (Electronic Communications Act) implementing Directive 2002/58/EC (ePrivacy Directive).
  - Article 6(1)(a) GDPR — freely given, specific, informed, and unambiguous consent, in line with EDPB Guidelines 05/2020 on consent, where required (e.g., outreach to non-clients via electronic mail in certain Member States).
4.5 Website Operation, Security, and Analytics
- Purpose: ensuring the availability, integrity, and security of the website; preventing fraud and unauthorised access; performing aggregated analytics to improve user experience.
- Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating a secure and functional website; Article 6(1)(a) GDPR — consent for non-essential cookies and analytics in accordance with Article 5(3) of the ePrivacy Directive as transposed in Estonian law.
4.6 Establishment, Exercise, or Defence of Legal Claims
- Purpose: management of disputes, litigation, regulatory investigations, and enforcement of contractual rights.
- Legal basis: Article 6(1)(f) GDPR — legitimate interest in protecting the legal position of HM Kapital and, where applicable, Article 9(2)(f) GDPR for any special category data necessarily involved.
5. Recipients and Categories of Recipients
Personal data may be disclosed to the following categories of recipients, each acting either as an independent controller, joint controller, or processor under Article 28 GDPR:
- Group entities and authorised personnel of HM Kapital on a strict need-to-know basis;
- Professional advisors — external legal counsel, auditors, tax advisors, compliance consultants;
- IT and cloud infrastructure providers — hosting, email, collaboration, and document management services (e.g., productivity suites such as Google Workspace or Microsoft 365, where engaged);
- Contact form delivery service: messages submitted through the contact form on hmkapital.ee are transmitted to us by FormSubmit (operated by FormSubmit Inc., United States) acting as a processor. Personal data transmitted (name, email, company, message content) is processed solely for the purpose of delivering the inquiry to info@hmkapital.ee. The transfer to the United States is performed under the EU–US Data Privacy Framework and, where applicable, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two), with supplementary measures detailed in Section 6.3 below;
- Cybersecurity and monitoring providers — including in fulfilment of DORA Article 28 third-party ICT risk management obligations;
- KYC/AML screening providers — sanctions list, PEP, and adverse media database operators;
- Payment service providers and banks for the administration of fees and reimbursements;
- Marketing technology providers — customer relationship management (CRM) and email delivery platforms;
- Public authorities and supervisory bodies — including Andmekaitse Inspektsioon (AKI), the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo), the Estonian Financial Supervision Authority (Finantsinspektsioon), tax authorities, courts, and law enforcement, where disclosure is required by law;
- Counterparties and intermediaries strictly within the scope of an advisory engagement and only where lawful and necessary.
All processors are bound by written data processing agreements ("DPAs") containing the obligations set out in Article 28(3) GDPR.
6. International Data Transfers
6.1 Principle
HM Kapital primarily processes personal data within the EEA. Where personal data is transferred to a third country or international organisation outside the EEA, such transfer is carried out in accordance with Chapter V of the GDPR (Articles 44–49).
6.2 Transfer Mechanisms
We rely on the following legal mechanisms, in order of preference:
- Adequacy decisions of the European Commission pursuant to Article 45 GDPR — e.g., for transfers to the United Kingdom, Switzerland, Canada (commercial organisations), Japan, and other adequate jurisdictions;
- EU-US Data Privacy Framework ("DPF") — for transfers to US-based recipients that are certified under the DPF, in accordance with the European Commission's adequacy decision of 10 July 2023;
- Standard Contractual Clauses ("SCCs") adopted by the European Commission in Decision (EU) 2021/914, including the appropriate Module (Module 1 — controller-to-controller; Module 2 — controller-to-processor; Module 3 — processor-to-processor; Module 4 — processor-to-controller) corresponding to the transfer scenario;
- Derogations for specific situations under Article 49 GDPR, used only on an exceptional and non-systematic basis.
6.3 Supplementary Measures (Schrems II)
In line with Court of Justice of the European Union judgment C-311/18 (Schrems II) and the EDPB Recommendations 01/2020, we conduct Transfer Impact Assessments ("TIAs") for transfers to third countries lacking an adequacy decision. Where necessary, we implement supplementary technical, contractual, and organisational measures, including:
- End-to-end encryption and pseudonymisation in transit and at rest;
- Strict access controls and key management retained within the EEA where feasible;
- Contractual undertakings regarding government access requests, including transparency reporting and challenge obligations.
6.4 Likely Transfer Destinations
Given our reliance on widely used enterprise cloud and security providers, transfers may occur to the United States, United Kingdom, and other adequate jurisdictions. A current list of sub-processors and transfer destinations is available upon written request to info@hmkapital.ee.
7. Retention Periods
Personal data is retained only for as long as necessary for the purposes for which it was collected, in accordance with Article 5(1)(e) GDPR (storage limitation).
| Category of Data | Retention Period | Legal Basis for Retention |
|---|---|---|
| KYC/AML records (identification, due diligence, transaction monitoring) | 5 years from the end of the business relationship or completion of the occasional transaction, extendable to 7 years upon order of the Financial Intelligence Unit | RahaPTS § 47 (Estonian AML Act) |
| Contractual and engagement documentation | 7 years from termination | Raamatupidamise seadus (Estonian Accounting Act) and limitation periods under the Law of Obligations Act |
| Accounting and tax records | 7 years | Accounting Act § 12; Maksukorralduse seadus (Taxation Act) |
| Correspondence relating to advisory services | Up to 7 years | Legitimate interest in defence of legal claims; statutory limitation periods |
| Marketing data (B2B) | Until withdrawal of consent or objection, and no longer than 3 years of inactivity | Article 6(1)(a) or 6(1)(f) GDPR |
| Website logs and security data | Up to 12 months | Article 6(1)(f) GDPR — security |
| Cookie data | As specified in the Cookies Policy (typically up to 13 months) | Article 6(1)(a) GDPR; ePrivacy |
| Unsuccessful prospect data | Up to 24 months from last contact | Article 6(1)(f) GDPR |
After the applicable retention period, personal data is securely deleted or irreversibly anonymised.
8. Data Subject Rights
Subject to the conditions and limitations set out in Articles 12 to 22 GDPR, you have the following rights in respect of your personal data:
8.1 Enumeration of Rights
- Right of access (Article 15) — to obtain confirmation as to whether your personal data is being processed and, where applicable, a copy of the data and information about the processing;
- Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete data completed;
- Right to erasure / "right to be forgotten" (Article 17) — subject to applicable exceptions, in particular legal retention obligations under RahaPTS and accounting law;
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20) — for data processed by automated means on the basis of consent or contract;
- Right to object (Article 21) — including an absolute right to object to processing for direct marketing purposes;
- Right not to be subject to automated individual decision-making, including profiling (Article 22);
- Right to withdraw consent (Article 7(3)) — at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
8.2 Exercise of Rights
Requests may be submitted in writing to info@hmkapital.ee or to the postal address in Section 2. We will:
- Respond without undue delay and in any event within one (1) month of receipt of the request, in accordance with Article 12(3) GDPR;
- Where necessary, extend the response period by a further two (2) months, taking into account the complexity and number of requests, with notification of the extension and reasons within the initial one-month period;
- Not charge a fee for handling requests, except where a request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case a reasonable fee may be charged or the request refused, in accordance with Article 12(5) GDPR.
8.3 Identity Verification
To prevent unauthorised disclosure, we may require additional information reasonably necessary to confirm your identity before responding to a request, in accordance with Article 12(6) GDPR. Such information will be used solely for verification and deleted thereafter.
9. Right to Lodge a Complaint with the Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
The competent supervisory authority in Estonia is:
Andmekaitse Inspektsioon (AKI) — Estonian Data Protection Inspectorate
- Address: Tatari 39, 10134 Tallinn, Estonia
- Telephone: +372 627 4135
- Email: info@aki.ee
- Website: www.aki.ee
We encourage you to contact us first so that we may seek to resolve your concerns directly.
10. Profiling and Automated Decision-Making
HM Kapital does not carry out automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22(1) GDPR.
Certain limited automated tools may be used to assist human analysts in screening (e.g., AML sanctions list matching), but any decision with material consequences for an individual is subject to meaningful human review, intervention, and final decision-making.
11. Children's Data
Our services are directed exclusively at business clients, professional investors, and corporate counterparties. We do not knowingly process personal data of children. In accordance with Article 8 GDPR as transposed by Estonia, the age of digital consent for information society services in Estonia is 13 years; however, given the B2B nature of our services, we expect that all individuals interacting with us are at least 18 years old. If we become aware that we have inadvertently collected personal data from a minor without appropriate legal basis, we will delete such data without undue delay.
12. Security Measures (Article 32 GDPR)
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including, as appropriate:
12.1 Technical Measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Access controls based on the principles of least privilege, role-based access, and multi-factor authentication;
- Endpoint protection, anti-malware, intrusion detection, and centralised logging;
- Network segmentation, firewalls, and secure remote access;
- Backup and disaster recovery procedures with regular testing;
- Vulnerability management and timely patching of systems.
12.2 Organisational Measures
- Information security policies approved by management and reviewed periodically;
- Confidentiality obligations imposed on all personnel and contractors;
- Staff training on data protection, AML, and information security;
- Vendor due diligence and contractual safeguards under Article 28 GDPR;
- ICT risk management framework aligned with DORA Articles 5–15, where applicable, including incident classification and reporting under DORA Article 19.
12.3 Continuous Improvement
We regularly review, test, and evaluate the effectiveness of these measures in accordance with Article 32(1)(d) GDPR.
13. Personal Data Breach Notification (Articles 33–34 GDPR)
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify Andmekaitse Inspektsioon (AKI) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, in accordance with Article 33 GDPR.
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also communicate the breach to the affected data subjects without undue delay, in clear and plain language, in accordance with Article 34 GDPR.
We maintain an internal breach register documenting the facts, effects, and remedial actions taken, in compliance with Article 33(5) GDPR, and we coordinate financial-sector incident reporting with obligations under DORA.
14. Data Protection Impact Assessment (Article 35 GDPR)
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, HM Kapital conducts a Data Protection Impact Assessment ("DPIA") prior to the processing, in accordance with Article 35 GDPR and the AKI's list of processing operations subject to a mandatory DPIA. Where required, we consult AKI under Article 36 GDPR prior to commencing the processing.
15. Records of Processing Activities (Article 30 GDPR)
HM Kapital maintains a written Record of Processing Activities ("RoPA") in accordance with Article 30 GDPR, made available to AKI upon request.
16. Cookies and Similar Tracking Technologies
Our website uses cookies and similar technologies. Strictly necessary cookies are deployed on the basis of Article 6(1)(f) GDPR. All other categories — including analytics, functional, and marketing cookies — are deployed only with your prior, freely given, specific, informed, and unambiguous consent, obtained via our cookie consent banner in accordance with Article 5(3) of the ePrivacy Directive as transposed by the Estonian Elektroonilise side seadus (Electronic Communications Act), and consistent with EDPB Guidelines 05/2020 on consent.
You may withdraw your consent at any time by adjusting the cookie settings on the website. For full details, see our separate Cookies Policy.
17. Direct Marketing and the Right to Object
Pursuant to Article 21(2) GDPR, you have the right to object at any time to the processing of your personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing. Upon exercise of this right, we will cease processing your personal data for such purposes without further justification required.
You may opt out at any time by:
- Clicking the "unsubscribe" link in any marketing email;
- Writing to info@hmkapital.ee with the subject line "Unsubscribe";
- Contacting us via the postal address in Section 2.
18. Updates to this Policy
We may update this Policy from time to time to reflect changes in legal requirements, our services, or our processing practices. The most current version will always be published at hmkapital.ee with an updated effective date and version number.
Where changes are material, we will provide additional notice — for example, by email to clients and prospects whose contact details we hold, or via a prominent notice on the website. Continued use of our services or website following an update constitutes acknowledgement of the revised Policy, subject to any consents that may be required afresh.
19. Contact and Complaints Summary
- Controller queries: HM KAPITAL OÜ, Veskiposti 2, 10138 Tallinn, Estonia | info@hmkapital.ee | +372 6415 000
- Supervisory authority: Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, www.aki.ee
20. Governing Law and Venue
This Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Estonia, without prejudice to the mandatory protections afforded to data subjects under the GDPR and applicable EU law. The competent courts of Estonia, in particular Harju Maakohus (Harju County Court), shall have jurisdiction, without prejudice to the right of data subjects to bring proceedings in their country of habitual residence or to lodge complaints with their local supervisory authority pursuant to Articles 77 and 79 GDPR.
21. Effective Date and Version Log
| Version | Effective Date | Summary of Changes |
|---|---|---|
| 1.0 | 14 May 2026 | Initial production release. |