Privacy Policy for Clients, Suppliers and Business Partners
We are committed to protecting the personal information we hold and to being transparent about how and why we use it. This Privacy Policy explains how ESOX Group (“we”, “us”, or “our”) processes personal data in accordance with applicable data protection and privacy legislation, including, where applicable, the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
Given ESOX Group’s defence-focused, B2B operating model, we primarily process personal data relating to business contacts at customers, partners, suppliers, and other organisations in the defence ecosystem. We apply appropriate safeguards to protect confidentiality and security in line with the nature of our operations.
Our registered office is at c/o Roschier Asianajotoimisto Oy, Kasarmikatu 21 A, 00130 Helsinki (Y-tunnus 3541835-1). If you have any questions about this policy or wish to exercise your rights in relation to your personal data, please contact us at
What Personal Data We Process
The personal information we hold varies depending on your relationship with us. We operate on a strictly business-to-business (B2B) basis and do not sell products or services directly to consumers.
In relation to business contacts, customers, and prospective customers, we may hold the name, job title, employer, and professional contact details of individual representatives, as well as records of communications, meetings, and commercial discussions, and information relating to contract negotiation and performance.
In relation to suppliers and business partners, we may hold the name, job title, and contact details of individual representatives, records of communications and contract-related correspondence, and where applicable, payment and invoicing information relating to those individuals.
In relation to shareholders and investors, we may hold name, contact details, and shareholding information, together with communications relating to corporate governance matters.
How We Obtain Personal Data
We obtain personal data in several ways. In many cases, we receive it directly from you, when you contact us, enter into a contract with us, or communicate with us in a business context. We may also obtain personal data from third parties, such as company registries, publicly available business directories, and due diligence providers. Additionally, personal data may come to us while performing contracts, through correspondence, meetings, and other business interactions.
Why We Use Your Personal Data and Our Legal Basis for Doing So
We only process personal data where we have a lawful basis to do so under applicable data protection legislation. The following sets out our main purposes and the legal basis we rely on for each.
We process personal data for the purpose of managing and performing contracts with customers, suppliers, and business partners, including corresponding with individual representatives and administering contractual obligations. The legal basis for this processing is contractual necessity.
We maintain business contact records and conduct business development activities, such as keeping records of meetings, communications, and commercial relationships. The legal basis for this processing is our legitimate interests. We have a legitimate interest in managing and developing our business relationships in a professional B2B context, and we consider that this processing does not disproportionately affect the rights and interests of the individuals concerned.
We process personal data to comply with regulatory obligations, and to share information with government bodies as required by law or contract. The legal basis for this processing is legal obligation and, where relevant, contractual necessity.
We process personal data for the purpose of managing shareholder and investor relations, including maintaining statutory records and communicating on corporate governance matters. The legal basis is legal obligation and, where applicable, our legitimate interests in managing our corporate affairs effectively.
We process personal data to protect the security of our people, facilities, and information. The legal basis for this processing is our legitimate interests. We have a legitimate interest in safeguarding our staff, premises, and confidential business information, and we consider that this interest is proportionate in the context of our operations.
Sharing Your Personal Data
We use third-party service providers to process personal data on our behalf and ensure that all such processing is governed by a written data processing agreement in accordance with applicable data protection law.
Where we share personal data with service providers, technology partners, or other organisations, some of those recipients may be located outside the United Kingdom or the European Economic Area (EEA). Transfers of personal data to countries outside these territories are subject to specific restrictions under the UK GDPR and the EU GDPR, as applicable, and we only carry out such transfers where an appropriate safeguard or transfer mechanism is in place.
For transfers where applicable under the EU GDPR, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission, or on transfers to countries that benefit from an adequacy decision issued by the European Commission under Article 45 of the EU GDPR.
For transfers where applicable under the UK GDPR, we rely on the International Data Transfer Agreement (IDTA) or on transfers to countries that benefit from UK adequacy regulations, where it has been determined that the recipient country provides an adequate level of protection for personal data.
Where we rely on contractual safeguards such as the IDTA or SCCs, these instruments impose binding obligations on the recipient to protect personal data to a standard equivalent to that required under UK or EU law. We carry out appropriate due diligence on our international recipients and, where required, conduct transfer impact assessments to ensure that the rights of data subjects are effectively protected in practice.
Automated Decision-Making and Artificial Intelligence
We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on individuals.
We may use artificial intelligence tools to support our commercial and business development activities, including the analysis of business contact data and customer relationship information. AI is used solely as a decision-support tool to assist our staff in identifying business opportunities, prioritising contacts, and improving the quality of our services, and does not replace human judgement in any decision affecting individuals. Such use is limited to low-risk, internal business functions and does not involve the evaluation, scoring, or categorisation of individuals in a way that would produce legal or similarly significant effects. The legal basis for this processing is our legitimate interests, and we consider this use of AI to be proportionate and not to disproportionately affect the rights and interests of individuals in the strictly B2B context in which we operate.
We keep our use of AI tools under review and will update this policy if necessary.
How Long We Keep Your Personal Data
We retain personal data only for as long as necessary for the purposes for which it was collected, in line with applicable data protection law.
Accounting records and financial documentation are retained for as long as required by applicable accounting and tax legislation in the relevant jurisdiction. Customer and supplier records, including contracts, are retained for as long as necessary to manage the contractual relationship and to comply with applicable legal obligations, including any applicable limitation periods in the relevant jurisdiction.
Where personal data is no longer required, it is securely deleted or anonymised in accordance with our internal procedures.
Your Rights
Individuals whose personal data we hold have certain rights under applicable data protection laws.
- The right of access entitles you to request confirmation of whether we are processing your personal data and, where we are, to obtain a copy of it.
- The right to rectification allows you to ask us to correct any personal data that is inaccurate or incomplete.
- The right to erasure, sometimes referred to as the right to be forgotten, enables you to request the deletion of your personal data in certain circumstances.
- The right to restriction of processing allows you to ask us to limit the way in which we use your personal data in certain circumstances.
- The right to object enables you to object to the processing of your personal data where we rely on legitimate interests as our legal basis for doing so.
- The right to data portability entitles you, in certain circumstances, to receive your personal data in a structured, commonly used and machine-readable format and to have it transferred to another controller.
To exercise any of these rights, please contact us at . We will respond to your request without undue delay and in any event within one month of receipt.
Complaints
If you are located in the European Union, you have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, which can be contacted at:
Lintulahdenkuja 4, 00530 Helsinki, Finland
P.O. Box 800, 00531 Helsinki, Finland
Phone: +358 29 566 6700
Email:
Website: https://www.tietosuoja.fi
We would, however, welcome the opportunity to address your concerns directly before you contact the supervisory authority.
Changes to This Policy
We may update this Privacy Policy from time to time. The most current version will always be available on our website. Where changes are material, we will take reasonable steps to bring them to your attention.
Last updated: 28 April 2026