OUR PRIVACY NOTICE

This Privacy notice is a guide for how we process and use your personal information.

 

Who are we and what do we do? 

We are Hoist Finance S.à r.l. (Hoist Finance), a company based in Luxembourg and a subsidiary of Hoist Finance AB (publ), a publicly listed company based in Sweden. Hoist Finance is the Controller of the data we hold about you in relation to the processing activities mentioned in the table below. All matters related to debt collection, debt administration and exercising the rights of the lender in relation to your account will continue to be managed by QQuant, which is a Controller for the processing of your data related to debt collection.

 

What information do we hold, why do we process it, & how long do we keep it for? 

This Privacy Notice outlines the different processing activities we as Controller perform with your personal data as part of our business. Hoist Finance uses your information only for the purposes of holding and enforcing acquired claims as their beneficial owner and for processes associated with servicing credit. We will use the data in accordance with the General Data Protection Regulation (GDPR), relevant data protection laws and good debt collection practice to gather and update documentation necessary for compliance with applicable laws such as Anti Money Laundering Law, Tax law, Accounting law etc.

To pursue the above purposes and to act lawfully, transparently and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe:

Types of information: Contact and account information, such as your name, home address, date of birth, national identification number, phone number and details of previous communication with us, emails, and letters.

Purpose(s) for processing: We process this data to be able to liaise with our servicing partners and original creditor, to be able to contact you, to keep records of any previous conversations or correspondence, and in general keep a full and up to date picture of your circumstances and your dealings with us and our partners. This is necessary to handle your case fairly and in your best interests.

Legal basis for processing: The legal basis for processing this information is the original credit agreement to which you are a party (Article 6(1)(b) GDPR), legitimate interests of the Controller or third parties (Article 6(1)(f) GDPR), such as the creation of Analytical and Performance reports and employee education, or a legal obligation which we need to fulfill, including Anti Money Laundering, Tax law, Accounting law etc. (Article 6(1)(c) GDPR).

How long we keep your information: Once your account has been closed, we will hold your data to satisfy relevant regulations such as Anti Money Laundering, Tax law, Accounting law etc. (Article 6(1)(c) GDPR). Based on our legitimate interests (Article 6(1)(f) GDPR), we may also process your personal data for the establishment, exercise or defence of legal claims in relation to your debt. You may obtain further information about the balancing test we have carried out under Article 6(1)(f) GDPR upon request.

The retention period is 5 years (AML legal requirements), 7 years (Tax obligations), 7 years + days left in the calendar year (Accounting obligations) from the moment the account is closed but in any case, no longer than 10 years (for AML legal requirements), at which point it will be deleted/irreversibly anonymized.

Types of information: Payment information, such as your bank account number, transaction history, financial data and other debt related data.

Purpose(s) for processing: To be able to provide Accounting, AML and Tax reports to relevant authorities and to fulfill our legal requirements. We also process this data to be able to create Analytical and Performance reports, which are used to improve the process by which we deal with our customers and to educate our employees.

 

Where do we get the information from? 

We initially receive the information from the previous owner of the claim as part of its sale and transfer to us. We may also obtain information from third parties to increase the accuracy of the information we hold and/or to gain a better understanding of your circumstances. These third parties are credit reference agencies, public government records, and other organisations which provide services to improve the quality of the data we hold about you.

 

Disclosure of your information 

We do not disclose your information except in the following limited circumstances:

We may share your personal information within the Hoist Finance group of companies, to which we belong. For example, our IT infrastructure is managed at Group level. This helps to keep our systems operational and secure allowing us to provide the best services to you that we can. Any personal data sharing is subject to security and privacy requirements set in the law and our internal governance documents. We may also share your personal data with carefully vetted organisations, who must comply with our strict contractual security and privacy requirements and follow our guidelines, for the following purposes:

 

- Your personal information may be disclosed to a third party, for the purpose of collecting or managing a debt.

Finally, we may also disclose your personal information to third parties:

- In the event we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

- If we are under a duty to disclose or share your personal data to comply with any legal obligation or to enforce or apply our terms of use or to protect our rights, property or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, or with authorities for the purposes of tax reporting or anti-money laundering.

 

Your information will generally be kept within the EU/EEA or in countries deemed by the European Commission to have an adequate level of protection; only for limited purposes and temporarily may data be transferred to other countries. This could for example be where the support teams of our service providers are located outside the EU/EEA. In all cases, however, we have technical, organisational, and contractual protections in place to keep the information safe and to ensure an adequate level of protection. Contractually, transfers outside the EU/EEA to countries without an adequacy decision by the European Commission will be based on standard data protection clauses adopted by the European Commission (Article 46 (2) (c) GDPR).

 

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our specific instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable authority of a suspected breach where we are legally required to do so.

 

Your statutory data protection rights 

Right to access: You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us. We will respond to your request within one month.

 

Right to rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. We may ask that you provide reasonable proof to verify your request.

 

Right to restrict processing: If you believe the personal information we hold is inaccurate, unlawful, or that we do not have a legitimate interest to process it, you can request that we restrict any processing until this is rectified.

 

Right to data portability: This right allows you to obtain the information you have provided to us in a structured, commonly used format, to reuse it for your own purposes, and to have it transmitted directly to different services. This applies only to information we use based on your consent or on a contractual basis.

 

We do not use any automated individual decision making.

Right to erasure (“right to be forgotten”): You may ask us to delete the information we hold on you where it is no longer necessary for the purpose for which it was collected; where you withdraw any consent you provided for its processing; where you object to our processing of it (see above); or where our processing is unlawful. Please note, however, that we are also subject to certain legal obligations that prevent us from immediately deleting all your information. For example, we are legally obliged to keep certain data for anti-money laundering purposes for at least five years. However, any data we are prohibited from deleting will be blocked and, when we are no longer obliged to keep it, erased.

 

Your Right to Object to Processing

You have the right to object at any time to the processing of your personal data where such processing is based on our legitimate interests or for the performance of a task carried out in the public interest. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

You may exercise your rights by sending an email to dpo_luxembourg@hoistfinance.com.

The above rights may be subject to limitations according to applicable laws. In some cases, we may be unable to comply with your request where an exemption permitted under the GDPR or Law 4624/2019 applies, for example where fulfilling the request would adversely affect the rights and freedoms of others, prevent us from complying with a legal obligation, or interfere with the establishment, exercise, or defence of legal claims. If we rely on such an exemption, we will inform you of the reasons.

Right to lodge a complaint with a supervisory authority

Finally, if you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement. The competent supervisory authority in Greece is the Hellenic Data Protection Authority: dpa.gr.

Changes to this Privacy Notice 

This privacy policy was last updated: 16 December 2025.

 

How to contact us 

Please contact us if you have any questions about our privacy policy or information we hold about you or the basis upon which we process such information:

Address: HOIST FINANCE S.à r.l.,

15, Boulevard F.W. Raiffeisen L-2411, Luxembourg, Grand Duchy of Luxembourg

Att: DPO Luxembourg

E-mail: dpo_luxembourg@hoistfinance.com