PRIVACY POLICY
Name of the document |
3stepIT Privacy Policy |
Scope |
This privacy policy applies to personal data that you give us when visiting our website, using our Asset Management services, using our other services and/or portals, reporting suspected misconduct, interacting with us in meetings, social medial, emails and other means of communication. |
Purpose |
The purpose of this privacy policy is to inform you about:
|
Classification |
Public |
Version |
2.0 |
Last Updated |
10.6.2025 |
Review Schedule |
When required by the Data Protection Legislation. Furthermore, due to changes in our operations or the technology used, we may need to update our privacy policy from time to time. When this happens, we will revise this privacy policy and refresh it on our website. |
The protection of your personal data is important to 3Step IT Group Oy and its affiliated companies, hereinafter referred to as “3stepIT” or “we”.
3Step IT Group Oy (business ID 2087590-4), Limited Liability Company registered in Finland acts as a contact point for all 3Step IT Group companies in privacy related requests:
Office address: Mechelininkatu 1A Helsinki 00180, Finland
The general phone number: +358 10 525 3200
Data Protection Officer: dpo(at)3stepit.com
If you have any questions relating to our use of your personal data under this privacy policy, please contact our Data Protection Officer at the contact details provided above, or use the contact form provided on our website: tell us a bit about your enquiry and we will pass it to the right expert and controller, if need be.
The contact details of all 3Step IT Group Oy's affiliated companies can be found below:
3Step IT Oy Business ID 2161942-7 Mechelininkatu 1A 00180 Helsinki Registered in Finland |
3 Step IT A/S Business ID 26106427 Vandtårnsvej 62 2860 Søborg Registered in Denmark |
3 Step IT AS Business ID 878703812 Wergelandsveien 7 0167 Oslo Registered in Norway |
3 Step IT Sweden AB Business ID 556488-0218 Box 1556 581 15 Linköping Registered in Sweden |
3 Step IT Trading AB Business ID 559267-1738 Drottninggatan 19 582 25 Linköping Registered in Sweden |
LeaseCloud AB Business ID 559089-4308 Erik Dahlbergsgatan 12, 115 32 Registered in Stockholm |
3 Step IT SIA Business ID 40003717838 Vilandes iela 3 LV-1010 Riga Registered in Latvia |
UAB 3Step IT Business ID 300059934 Vito Gerulaičio g. 10-101 Vilnius Registered in Lithuania |
3Step IT OÜ Business ID 10731756 Narva mnt 7d Tallinn 10117 Registered in Estonia |
3 Step IT Services Limited Business ID 13762523 100 Liverpool Street EC2M 2AT London Registered in United Kingdom |
LeaseCloud AS Business ID 921 671 644 Holmaveien 20, 1339, Voyenenga Registered in Norway |
3 Step IT Inc. Business ID 10047902 2521 Golden Bear Drive – Suite 120, Carrollton Registered in Texas, USA |
3 Step IT Corp. Business ID 72786 9224 181 University Ave, Suite 2100, Toronto Registered in Ontario, Canada |
The data controller for your personal data may be either 3Step IT Group Oy or any of its affiliated companies, depending which company has a contractual or other relationship with you.
We may also act as a data processor and in that role process personal data on behalf of our contractual parties. Please note that this privacy policy does not cover personal data subject to processing activities we conduct as a processor, such as customer data processed when using our Asset Management systems. In cases where 3stepIT acts as a processor, we kindly advise you to contact the data controller (e.g., your organization) for further information on the collection and processing of that specific data.
Please note that if you interact with 3stepIT either through, or on behalf of your organization, then certain personal data may be subject to your organization’s privacy policy.
1. WHAT PERSONAL DATA DO WE COLLECT?
We collect and use your personal data to the extent necessary to carry out our operations and provide our services as well as to comply with any regulatory obligations in our activities. These purposes and collected personal data are defined in more detail below.
CUSTOMERS, Suppliers AND MARKETING
In connection with our operations and during the lifecycle of business relationship with our customers, we collect various types of personal data, meaning any information that identifies or allows to identify you.
The provision of the personal data is a requirement necessary to enter into a contract with the customer and in order to use the service portal. You are not obliged to provide personal data in connection with marketing or when communicating with us, however, the provision of personal data might be a prerequisite for the use of 3stepIT’s services or products, and participation to certain events and communication related to such matters.
As for Know Your Customer / Customer Due Diligence data, the provision of the personal data is a requirement necessary to enter into a contract with the customer or to pursue such customer relationship.
Purpose of processing |
Legal Basis |
Personal Data |
To fulfil regulations and legal requirements relating to:
|
Legal obligation |
|
To market our products and services (e.g. sending newsletters), communicate with you and develop our customer relationships
|
Legitimate interest of the data controller |
|
To provide the service portal to the customers |
Legitimate interest of the data controller
|
|
To provide and deliver our products and services to you |
Performance of a contract |
|
To manage and develop the supplier relationship, such as business partner management To manage contracts |
Legitimate interest of the data controller
|
|
Source of personal data
We collect data of the following data subjects in connection with our operations:
- Contact persons or other representatives of our customers or customer prospects;
- Ultimate beneficial owners of our customers and their next of kins, significant owners;
- Users of our products and services;
- Participants to our webinars and events;
- Contact persons or other representatives of our suppliers.
- Our customers;
- Our business partners;
- Public sources (e.g., company registers, LinkedIn, company websites, press);
- Third parties such as data brokers or databases (e.g., databases used in marketing, KYC or sanction screening).
Retention periods
The personal data will be retained as long as required by applicable laws and regulations. The personal data relating to customers or suppliers will be retained as long as the business relationship with the customer or supplier is active. Currently the retention period is five years after the end of the contractual relationship with the customer.
The personal data related to KYC data will be retained five years after the end of the contractual relationship. We retain certain personal data after the termination of the customer or supplier relationship based on statutory requirements for the period required by accounting or other applicable mandatory laws.
We retain data on our potential customers and their representatives for five years. The personal data related to marketing is retained for five years.
In addition, data may be retained for the time necessary for the preparation, presentation or defence of a legal claim.
WEBSITE VISITORS
3stepIT processes the personal data of website (including our service portals) visitors and the persons who visit our social media pages and personal data that we have obtained through cookies, events, newsletter sign up and contact forms on our website.
You are not obliged to provide us with your personal data, however, the provision of personal data might be a prerequisite for the use of 3stepIT’s services or products.
Purpose of processing |
Legal Basis |
Personal Data |
To improve the website performance, functionalities, and user experience and to analyse the website traffic |
Consent prior placing other than strictly necessary cookies Legitimate interest of the controller when retrieving the data through the cookies |
|
To target ads |
Consent prior placing other than strictly necessary cookies
|
|
To communicate with you (e.g., sending newsletters and information on products and services) |
Legitimate interests of the data controller
|
|
Sources of personal data
The personal data we process is obtained directly from you in connection with the use of our website (including our service portals) and social media pages and the sending of newsletters or other communications.
The personal data is also collected through cookies and similar tracking technologies that are placed on our website (including our service portals). Cookies are pieces of data that websites store on your browser when you visit them. Cookies are used because they can give you a more personalised web experience. We use cookies on our website to target content and adverts, and to understand how people use our site. Where we use cookies which collect your personal data, such collection is covered by this privacy policy.
By allowing all cookies, we can enhance your experience. This means helping you find the right information quickly and tailoring content to your needs. By default, we enable only strictly necessary cookies required for the website to function and cannot be switched off. They are set in response to actions made by you such as setting your privacy preferences and to also help keep the website secure. These cookies do not store any personally identifiable information.
Because we respect your right to privacy, you can choose to allow performance, advertisement and functional types of cookies. Click ‘Manage preferences’ on the main cookies policy provided to you when landing to our website for more information on the data collected by our cookies and to adjust your preferences regarding the cookies used. You can use your browser settings to delete cookies that have already been set at any time.
In addition, 3stepIT processes personal data from a data subject's social media account when interacting with our social media pages. Each social media provider processes personal data in accordance with its own privacy policy.
Retention Periods
The personal data will be retained as long as required by applicable laws and regulations.
Personal data retrieved through cookies will be stored for 5 years. The personal data related to marketing is retained for 5 years.
In addition, data may be retained for the time necessary for the preparation, presentation or defence of a legal claim.
2. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
Sharing of information within 3stepIT
We share personal data within 3stepIT for the purposes set out above, so e.g., for the purposes of complying with legal obligations or the purposes of marketing or providing our services to our customers.
Disclosing information outside 3stepIT
To fulfil some of the purposes described in this policy, we may disclose your personal data outside 3stepIT from time to time to:
- Service providers which perform services on our behalf (e.g., IT services, logistics, marketing, telecommunication, advisory and consulting);
- Our commercial partners, including our financing partners;
- Authorities or other public bodies if we are required by law to disclose such data;
- KYC: In connection with assigning concluded lease agreements to its refinancing partners, 3stepIT transfers personal data to the selected refinancing partner, who process personal data as data controller in accordance with its own privacy policy. 3stepIT will deliver a copy of the refinancing partner’s privacy policy upon request.
- Certain regulated professionals such as lawyers or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchaser of the companies or businesses of the 3stepIT.
- If 3stepIT is involved in a corporate transaction personal data may be disclosed to third parties in relation to such transaction in accordance with the applicable data protection laws.
3. INTERNATIONAL TRANSFERS OF PERSONAL DATA
As some of our affiliates, service providers, and partners are located outside the European Economic Area, we may need to transfer personal data outside the European Economic Area to carry out our operations. Transfers of this kind are done according to the requirements of the applicable laws, and by following the applicable safeguards for the transfers, e.g., based on adequacy decisions adopted by European Commission, or using standard contractual clauses approved by European Commission.
4. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
In addition to the above-mentioned data specific retention periods, personal data is deleted or returned once it is no longer needed for its purpose. The retention periods are defined based on e.g., the following factors:
- Requirements set forth in applicable laws and regulations; and
- Other requirements related to the purpose of the processing in question, e.g., operational requirements, such as proper account maintenance and management, security reasons, or responding to legal claims or regulatory requests.
5. HOW DO WE SECURE YOUR DATA?
We apply appropriate technical and organizational measures to keep your personal data secure. We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data. Your data can only be accessed by persons for whom it is necessary in relation to their work.
We may outsource our processing of personal data to external service providers. In such events we enter into appropriate agreements with the providers to ensure that your personal data is processed in accordance with this privacy policy and any applicable laws.
6. YOUR RIGHTS AS A DATA SUBJECT
In accordance with applicable regulations and where applicable, you have the following rights:
Rights of the data subject |
|
Right of access to your data |
You can obtain information relating to the processing of your personal data and request a copy of such personal data. If you make your request electronically and have not requested another form of delivery, the data will be provided in the commonly used electronic format. |
Right to rectify your data |
Where you consider that your personal data is inaccurate or incomplete, you can request that such personal data is modified accordingly. |
Right to have your data erased |
You can require the deletion of your personal data, to the extent permitted by law. However, a request to delete personal data cannot be implemented if the personal data is stored, for example, to comply with a legal obligation. |
Right to restrict the processing of your data |
In certain cases, you have the right to request the restriction of the processing of your data.
|
Right to object to the processing of your data
|
You can object to the processing of your personal data, on grounds relating to your situation. You have the right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. 3stepIT may refuse a request if the processing is necessary for the legitimate interests of 3stepIT or a third party. |
Right to withdraw your consent |
Where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time. With every newsletter, we provide a way for you to request to revoke your consent at any time when you do not wish to subscribe to and receive our newsletters anymore. |
Right to transfer data from one system to another |
Where legally applicable, you have the right to have the personal data you have provided to us to be returned to you or, where technically feasible, transferred to a third party. To the extent that we process your data on a contractual basis and the processing is carried out automatically, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and the right to transfer that data to another controller. |
Right to lodge a complaint with a supervisory authority |
You have the right to lodge a complaint with the competent supervisory authority if you consider that data protection legislation has not been respected in the processing of your personal data. |
If you wish to exercise the rights listed above, please send your request to our Data Protection Officer, the contact information of which is provided at the beginning of this policy.
We may need to request specific information (such as copy of identification) from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.