Privacy Policy
Last updated: 8 February 2026
1. Data Controller
The data controller responsible for the processing of your personal data is AEGON SPA OÜ (hereinafter "AEGON," "we," "us," or "our"), a private limited company (osaühing) incorporated and registered under the laws of the Republic of Estonia, with its registered address at Trummi 25, Nõmme, Tallinn 11911, Republic of Estonia, registry code [to be assigned upon registration].
For all data protection inquiries, you may contact us at: [email protected]
2. Scope of This Policy
This Privacy Policy explains how AEGON collects, uses, stores, and protects your personal data when you visit our website (aegon.ee), submit interest forms, interact with our services, or otherwise communicate with us. This policy applies to all visitors, prospective investors, prospective members, and any other individuals whose personal data we process.
This policy is governed by Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, "PDPA"), which together form the applicable data protection framework.
3. Personal Data We Collect
We may collect and process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity Data | First name, last name, title |
| Contact Data | Email address, telephone number, postal address |
| Investment Interest Data | Investment amount range, note quantity preference, investor type (individual, institutional, family office), investment interest messages |
| Membership Interest Data | Programme preferences, membership tier interest |
| Technical Data | IP address, browser type and version, device type, operating system, time zone, language preference |
| Usage Data | Pages visited, time spent on pages, navigation paths, referral source |
| Authentication Data | Account credentials processed through our OAuth authentication provider |
4. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
| Purpose | Legal Basis |
|---|---|
| Processing interest form submissions | Consent (Art. 6(1)(a)) and pre-contractual measures (Art. 6(1)(b)) |
| Responding to your enquiries | Legitimate interest (Art. 6(1)(f)) |
| KYC/AML compliance for investors | Legal obligation (Art. 6(1)(c)) under Estonian AML Act |
| Sending project updates and materials | Consent (Art. 6(1)(a)) |
| Website analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
We use your personal data to process and respond to your interest submissions regarding investment opportunities, membership programmes, and wellness services. When you submit an interest form, we use the information you provide to evaluate your enquiry, prepare relevant materials, and contact you with information about the AEGON project.
For investment-related enquiries, your data may be used in connection with Know Your Customer (KYC) and Anti-Money Laundering (AML) verification procedures as required by the Estonian Money Laundering and Terrorist Financing Prevention Act (Rahapesu ja terrorismi rahastamise tõkestamise seadus). These procedures are mandatory for all digital note investment transactions processed through our partner platform, Nestor.exchange.
We may also use anonymised and aggregated data for analytical purposes to improve our website, services, and marketing strategies. Such aggregated data does not identify any individual and is not considered personal data under the GDPR.
6. Data Sharing and Recipients
We may share your personal data with the following categories of recipients:
- Nestor.exchange — our partner platform for digital note issuance and investment processing, which may receive investor identity and contact data for KYC/AML purposes and transaction execution.
- Professional advisors — legal, financial, and tax advisors engaged by AEGON in connection with the project, who are bound by professional confidentiality obligations.
- Technology service providers — hosting providers, analytics services, and email service providers that process data on our behalf under data processing agreements compliant with Article 28 GDPR.
- Regulatory authorities — the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo), the Estonian Financial Supervision and Resolution Authority (Finantsinspektsioon), or other competent authorities where disclosure is required by law.
We do not sell your personal data to third parties. We do not share your data with third parties for their own marketing purposes without your explicit consent.
7. International Data Transfers
Your personal data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries that have received an adequacy decision.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Interest form submissions are retained for a period of three (3) years from the date of submission, unless a contractual relationship is established, in which case retention periods are governed by the applicable contract and Estonian law.
Data processed for KYC/AML purposes is retained for five (5) years following the end of the business relationship, as required by the Estonian Money Laundering and Terrorist Financing Prevention Act. Financial records are retained for seven (7) years in accordance with the Estonian Accounting Act (Raamatupidamise seadus).
9. Your Rights Under GDPR
Under the GDPR and Estonian PDPA, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR) — You may request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR) — You may request to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one (1) month, as required by Article 12(3) GDPR.
10. Cookies and Tracking Technologies
Our website uses essential cookies that are strictly necessary for the operation of the website, including session management and authentication. We may also use analytics cookies to understand how visitors interact with our website. Analytics data is collected in anonymised form and does not identify individual users.
You may manage your cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the website.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include encrypted data transmission (TLS/SSL), access controls, secure hosting infrastructure, and regular security assessments.
12. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR or Estonian data protection law, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: [email protected]
Website: www.aki.ee
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Any material changes will be communicated through our website. We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
14. Contact Us
For any questions or concerns regarding this Privacy Policy or our data processing practices, please contact: