Tuleva Privacy Policy
This Privacy Policy describes how Tulundusühistu Tuleva (registry code 14041764, address Telliskivi 60, 10412 Tallinn; hereinafter the Association) and its wholly-owned subsidiary Tuleva Fondid AS (registry code 14118923, address Telliskivi 60, 10412 Tallinn; hereinafter the Management Company) process your personal data.
Please note that in most cases, the Management Company and the Association process your personal data as joint controllers. Accordingly, the Management Company and the Association will hereinafter be collectively referred to as Tuleva in this Privacy Policy. In some cases, the Management Company and the Association may process your personal data as independent controllers.
We are glad that you are interested in our services. Protecting your personal data is extremely important to us, and we take it very seriously. When processing your personal data, we comply with applicable legislation of the European Union and the Republic of Estonia and adhere to the principles of secure processing of personal data. In particular, Tuleva processes your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the GDPR).
Tuleva collects and processes your personal data primarily for the purposes of establishing customer relationships, offering the Management Company’s services, performing statutory due diligence, enhancing the customer experience, managing the Management Company’s business risks, as well as improving, developing and maintaining its web applications and technical systems.
How does Tuleva process personal data?
Managing customer relationships, delivering services and involving members
Tuleva mainly collects and processes data of persons who have entered into or have expressed an intention to enter into a contractual relationship with Tuleva (members of the Association, unitholders of Tuleva funds) and/or use the web application pension.tuleva.ee.
- the person’s pension account number;
- the pension fund to which the person makes mandatory funded pension contributions;
- a balance statement of the person’s pension account;
- an account statement of the person’s pension account;
- a list of applications submitted to the Funded Pension Registry.
In addition, Tuleva collects data related to the fact of logging in to the web application (the person’s first name and surname, personal identification code, time of login, telephone number, email address). When a person accesses the web application via Coop Pank, the fact of that login is also recorded. When a person logs in via Coop Pank, Coop Pank transmits the person’s first name and surname, personal identification code, the country that issued the personal identification code and authentication data to Tuleva with the person’s consent. The legal basis for processing personal data is Article 6(1)(b) of the GDPR.
The customer’s first name, surname and personal identification code are used for identification purposes. The legal basis for processing personal data is Article 6(1)(c) of the GDPR.
The person’s contact details (email address and telephone number) are used to send them the applications they have completed in the web application or, if necessary, to
contact them regarding any issues related to the use of the web application. The legal basis for the processing of personal data is Article 6(1)(b) of the GDPR.
Based on the above information, Tuleva displays the details of the pension account of the person who has logged in to the web application. If a person wishes to submit an application for the selection of a pension fund and/or an application for the exchange of pension fund units, this can be done in the web application, and Tuleva will send the digitally signed application(s) directly to the pension registrar. The legal basis for processing personal data is Article 6(1)(b) of the GDPR.
When a person accesses the web application via Coop Pank, we also process the fact of this login method to manage our cooperative relationship with Coop Pank. In this case, we process data regarding the login method in conjunction with Coop Pank as joint controllers, based on our legitimate interest (Article 6(1)(f) of the GDPR) in establishing the fact of this login method to manage our cooperative relationship. Tuleva remains the person’s primary point of contact.
Tuleva uses a person’s contact details (email address and telephone number) to provide information that is essential for offering the financial service and to share relevant updates about the fund. The legal basis for processing personal data is Article 6(1)(b) of the GDPR.
The Association uses the contact details of its members to keep them informed of the activities and performance of the Association and, where appropriate, to involve members in the activities of the Association. The legal basis for processing personal data is Article 6(1)(f) of the GDPR (the Association’s legitimate interest in ensuring that its members are informed of, and involved in, the activities of the Association).
Compliance with legal obligations
The fact of logging in to the web application and the data of the person logging in (first name, surname and personal identification code) are used to determine whether the person is a unitholder of any pension funds managed by the Management Company. The legal basis for processing personal data is Article 6(1)(c) of the GDPR.
The Management Company maintains a register of the unitholders of the pension funds it manages, and obtains the relevant data from the Estonian Funded Pension Registry maintained by Pensionikeskus AS (registry code 14282597, address Tartu mnt 2, 10145 Tallinn). The legal basis for processing personal data is Article 6(1)(c) of the GDPR.
The Management Company’s register also contains information from the Association’s register of members. The categories of personal data that the Management Company collects and processes include (but are not limited to) the following:
- the person’s first name, surname and personal identification code;
- the person’s contact details (email address and telephone number);
- financial data, including transactions with units of the Management Company’s funds.
The Management Company processes the data that enable the Management Company to fulfil its due diligence obligations in relation to the prevention of money laundering and terrorist financing and to ensure compliance with international sanctions, including establishing whether a customer is a politically exposed person. The legal basis for processing personal data is either Article 6(1)(c) or Article 6(1)(f) of the GDPR (Tuleva’s legitimate interest in fulfilling its obligations under the Estonian Money Laundering and Terrorist Financing Prevention Act and the directives of the supervisory authorities).
To fulfil its legal obligations, the Association maintains a register of members that includes the following personal data:
- first name and surname;
- personal identification code;
- email address;
- telephone number;
- contribution to the initial capital of the Association;
- share in the Association’s share capital.
Records are also maintained for admissions to, and withdrawals or expulsions from, the Association where applicable. The legal basis for processing personal data is Article 6(1)(c) of the GDPR.
According to the Association’s Articles of Association, members of the Association must direct their mandatory or voluntary pension contributions to a pension fund managed by the Management Company, except during the period when the Management Company has no registered mandatory or voluntary pension funds. To verify compliance with this obligation, the Management Company, based on the Association’s legitimate interest (Article 6(1)(f) of the GDPR) and its mandate, regularly compares the Association’s register of members with the list of unitholders for the funds managed by the Management Company, obtained from the Estonian Funded Pension Registry. As a result of this comparison, the Management Company provides the Association with a list of members who, during the previous period, have either exchanged funds managed by the Management Company or transferred their contributions to another fund, based on their applications for exchanging units or selecting different pension fund.
Communication activities
When a person signs and submits an application for selecting a pension fund and/or exchanging fund units via the web application, their contact details are also used to send general announcements and news from the Management Company, as well as to offer financial services. The legal basis for processing personal data in this context is either the consent of the data subject (Section 103¹ (1) of the Estonian Electronic Communications Act, Article 6(1)(a) of the GDPR) or Section 103¹ (3) of the Estonian Electronic Communications Act, depending on the circumstances.
Tuleva conducts its communication activities via email. Tuleva is dedicated to providing relevant information tailored to the saver’s profile and interests; therefore, it engages in profiling its savers. The legal basis for profiling is Article 6(1)(f) of the GDPR (Tuleva’s legitimate interest in segmenting its savers to identify the appropriate target group for specific communications).
Tuleva processes personal data by sending surveys to its savers and/or members about their saving habits and/or preferences. To prepare the surveys, Tuleva analyses previously collected information about the data subjects (Tuleva’s legitimate interest under Article 6(1)(f) of the GDPR in preparing surveys to gather insights for planning its business strategy). The legal basis for conducting Tuleva’s surveys is Section 103¹ (3) of the Estonian Electronic Communications Act. Tuleva stores the results of the surveys (Tuleva’s legitimate interest in planning its product development and preparing personalised communications and offers to the respondents).
Tuleva also processes personal data when sending out its newsletters. Tuleva sends its newsletters to the data subject’s email address if they have provided it to Tuleva and consented to receive Tuleva’s newsletters at that email address. The legal basis for processing personal data is Article 6(1)(a) of the GDPR.
Other activities
Tuleva processes the following personal data for statistical and analytical purposes, log keeping, and for developing, maintaining and troubleshooting its web application:
- the fact of logging in to the web application;
- the first name and surname of the person logging in;
- the person’s personal identification code.
The legal basis for processing personal data is Article 6(1)(f) of the GDPR (Tuleva’s legitimate interest in ensuring the web application’s functionality and promptly detecting errors).
Who do we share your personal data with?
We disclose your personal data to third parties only when strictly necessary for providing our services and only to the extent required for the specific purposes of processing. This means we engage partners (such as customer support service providers) to whom we disclose your personal data for purposes related to the activities and services of the Association or the Management Company and/or our communication activities. Your personal data are not shared with third parties for any other purposes. Any third party with whom we share your personal data may use and process these data only for the purposes and in the manner specified in this Privacy Policy.
As a general rule, personal data are processed within the countries of the European Union or the European Economic Area. To communicate announcements and news related to the Association and the Management Company, we share email addresses with our partner MailChimp (The Rocket Science Group LLC d/b/a MailChimp), which stores the data on its servers in the United States. The security of the personal data processed by MailChimp in the United States is ensured by the EU-U.S. Data Privacy Framework.
In addition to the above, we may transfer your personal data to third parties if this is necessary to fulfil our legal obligations or exercise our legal rights.
When are personal data deleted?
The personal data of Association members are processed until a member withdraws or is expelled from the Association.
After that, a record will be kept of the fact and duration of the person’s membership in the Association. The register data for the unitholders of the pension funds managed by the Management Company are updated weekly. The Management Company retains the personal data of unitholders only as long as necessary to fulfil the purpose for which the data are processed, unless the Management Company is required by law to adhere to a different retention period.
How can you exercise your rights in relation to the processing of your personal data?
If you wish to:
- access your personal data that the Association and/or the Management Company processes in the context of their activities;
- have any inaccurate and/or outdated personal data rectified and/or completed;
- have your personal data deleted and/or their processing restricted or terminated, and any disclosed personal data deleted if further processing is not permitted under applicable law, or object to the processing of your personal data;
- withdraw your consent for the processing of your personal data (without affecting the lawfulness of processing based on consent prior to withdrawal);
- request that your data be transferred to another controller in accordance with applicable law;
- object to our processing of your personal data;
- or if you have any other requests or concerns regarding the processing of your personal data or if you require further information in this regard,
please contact us by email at [email protected].
If you believe that we have processed your personal data unlawfully or violated your rights concerning their processing, please let us know at the email address indicated above. We aim to resolve disputes about the processing of personal data in the first instance through negotiation. In addition, you have the right to file a complaint with the Estonian Data Protection Inspectorate (website: www.aki.ee).
How do we ensure the security of your personal data?
The Association and the Management Company store and process your personal data on digitally and physically secure servers. Access to all personal data processed by us and our partners is restricted to our employees and those of our partners who need the data to perform their duties related to the purposes outlined in this Privacy Policy. These individuals are obliged to comply with the requirements set out in the relevant personal data protection legislation and the terms of this Privacy Policy when processing data.
Terms of Use of Tuleva Website
By using the Tuleva website, you confirm that you have read, understood and accepted these Terms of Use.
Information published on the website
We make every effort to ensure that the information published on the website is accurate and complete. The reviews, comments, opinions and analyses published on the website contain our subjective opinions and do not constitute investment recommendations. If you would like any clarification on the information published, please contact us.
Intellectual property
All information contained on the Tuleva website, including rights related to its design and software, is the property of the Association and the Management Company. Reproduction of the information contained on this website, including texts, logos, photographs, etc., in any manner whatsoever without our prior written permission is prohibited. You may use the information on this website for non-commercial purposes.
How do we use cookies?
Please note that we use cookies on the Tuleva website based on our legitimate interests. A cookie is a small text file that a website saves on your computer or mobile device when you visit a website. Cookies provide us with statistical information that helps us analyse the behavioural patterns of our website visitors, which we use for our communication activities.
The following cookies are used on the website:
| Name | Purpose |
|---|---|
| Google Analytics | An analytical cookie that collects analytical data about website visitors. The data may also be used to target advertising in the Google advertising network. |
| Google Tag Manager | A cookie that manages the cookies installed on the website. |
| Facebook Pixel | A cookie for targeting ads and tracking results on Facebook. |
Necessary
Necessary cookies are essential for the basic functions of the website and without them the website will not function as intended.
These cookies do not store any personal data.
| Cookie | Duration | Description |
|---|---|---|
| cookieyes-consent | 1 year | CookieYes sets this cookie to remember users’ consent preferences so that their preferences are respected on their subsequent visits to this site. It does not collect or store any personal information of the site visitors. |
| JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
Functional
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.
| Cookie | Duration | Description |
|---|---|---|
| __cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, traffic source, etc.
| Cookie | Duration | Description |
|---|---|---|
| _ga | 1 year 1 month 4 days | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
| _gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website’s performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
| _ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
| vuid | 1 year 1 month 4 days | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website. |
| _gat_UA-* | 1 minute | Google Analytics sets this cookie for user behaviour tracking. |
| _gcl_au | 3 months | Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services. |
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website, which helps in delivering a better user experience for the visitors.
| Cookie | Duration | Description |
|---|---|---|
| _gat | 1 minute | This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites. |
Advertisement
Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.
| Cookie | Duration | Description |
|---|---|---|
| test_cookie | 15 minutes | The test_cookie is set by doubleclick.net and is used to determine if the user’s browser supports cookies. |
| _fbp | 3 months | This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website. |
| IDE | 1 year 24 days | Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile. |
Changes to the Privacy Policy and Terms of Use
This Privacy Policy and Terms of Use are published on the Tuleva website and are effective from 21 October 2024.
