Privacy policy

Processing of personal data
River Oak Capital AB (“ROC”) is responsible for the personal data we receive in connection with you being a shareholder in ROC and/or in connection with you receiving newsletters from ROC.

We process the information to carry out administration of your shareholding or potential shareholding in ROC, to safeguard your interests, for accounting and corporate purposes or for marketing/newsletter purposes. The information is processed on the basis of a contract and/or an explicit approval.

We will not disclose personal information to third parties except in cases where (i) it has been specifically agreed between us and you, (ii) when it is necessary to safeguard your rights, (iii) if it is necessary for us to fulfill a statutory obligation or comply with government decisions or court decisions, or (iv) in the event that we hire outside service providers who perform assignments on our behalf. The information may be disclosed to courts, authorities, counterparties and counterparty agents if necessary to safeguard your rights.

The personal data is stored safely and securely in accordance with legal requirements.

You have the right to request information free of charge from us about the processing of the personal data concerning you. We will, at your request or on your own initiative, correct or delete information that is incorrect or limit the processing of such information. You also have the right to receive your personal information in a machine-readable format or to have the information transferred to a third party that you instruct. If you are dissatisfied with our processing, you can submit a complaint to the Swedish Privacy Protection Authority (IMY) ( You can also contact the supervisory authority of the country where you live or work.

Your personal data is transferred to third countries only if you live outside the EU / EEA area. In this case, we transfer your personal data to third countries because the transfer is necessary in relation to your shareholding or to complete an agreement between you and us or to carry out actions that precede such an agreement at your request. Contact us at [email protected] if you have any questions regarding our personal data processing.

The entity responsible for personal data is:
River Oak Capital AB
Organization number: 559099-7028
Address: Eklundshovsvägen 5, 752 37 Uppsala, Sweden
Website address:
Email address: [email protected]

The above covers the most important aspects of our privacy policy. If you want to get a more comprehensive overview of our privacy policy, continue reading below.

On May 25, 2018, the General Data Protection Regulation (GDPR) started to apply in Sweden. The regulation applies as law in all EU member states and aims to improve the protection of the individual in the processing of personal data. It contains, inter alia, rules about what rights to information and access to personal data you have, rules about correcting incorrect personal data and in some cases the ability to limit the processing of personal data. River Oak Capital (“Company”) has a personal data protection policy (“Policy”) that is updated as a result of GDPR. Below we describe the main features of such Policy.

Principles for collecting personal data
The Company is a private investment company. We will only process personal data as part of running our normal day-to-day operations.

The Company is responsible for personal data, and we ensure the protection of your individual rights and personal data. We process personal data in a legal, accurate and transparent manner. The requirement that the processing of personal data be legal implies, among other things, that there must be a legal basis for every action taken. That personal data should be processed in an open manner means, among other things, that it should be clear how personal data is collected and otherwise processed.

Personal data must only be collected for special, explicit and justified purposes. This means that we must have the objectives clear to us even before the collection of personal data begins. The personal data must then not be processed in a manner incompatible with these purposes.

We must follow the principle of data minimization, which means that personal data must be adequate, relevant and not too comprehensive in relation to the purposes for which they are processed. In other words, we do not collect personal information for indefinite future needs. Furthermore, personal data collected may not be processed if, for example, the data is so old that it is no longer relevant for the original purposes.

The personal data must be accurate and up to date. We take all reasonable steps to ensure that erroneous personal data is erased or rectified without delay. In addition, if required for the purposes, the personal data must be updated.

We must adhere to the principle of storage minimization, which means that personal data must not be stored, i.e. stored in a form that enables identification, for a longer period of time than is necessary for the purposes for which the personal data is processed. When the personal data is no longer needed for these purposes, it must be deleted or de-identified.

According to the principle of privacy and confidentiality, personal data must be protected, among other things, against unauthorized processing and against loss, destruction or by accident.

We have a responsibility to comply with the principles of personal data processing. We should be able to show how the principles are followed. For our part, this is primarily done through the Policy and the measures taken based on the Policy.

Categories of personal data and how the data is collected
Processing of personal data should primarily be done with regard to shareholders, potential shareholders and persons interested in getting our newsletters, including representatives and real principals, and representatives of companies and organizations with whom we have or may have a business relationship, as well as authorities.

The personal data we process can be divided into the following categories:

As a starting point, personal data should be collected directly from you or generated by your activities with us. As a new shareholder, for example, we ask among other things for personal information such as name, social security number, e-mail address and telephone number. If you send e-mails to us, it may contain personal data that we process in such cases. Sometimes information is required from a third party. For example, information may need to be collected to keep data up-to-date or to verify the information we have collected from the data subject. These may be public or other externally available sources in the form of registers kept by authorities.

Purpose and legal basis for processing personal data
We will use your personal information to fulfill legal and contractual obligations, as well as to provide you with information, offers and other services.

The legal bases for our processing of personal data are as follows:

Change of purpose
We will only use your personal information for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.

Information shared
Except with your consent as described above, we will not provide any of your personal information to any other third parties not listed below without your specific consent. Information collected may be shared with our staff, partners, affiliates, attorneys, third party service providers and where applicable accountants and auditors and as otherwise required or permitted by law.

How we protect your information
We understand the importance of appropriately safeguarding information you provide to us. It is our practice to protect the confidentiality of this information, limit access to this information to those with a business need, and not disclose this information unless required or permitted by law.

We have security practices and procedures in place to protect data entrusted to us. These procedures and related standards include limiting access to data and regularly overseeing our security practices and technologies.

Ultimately, no website, mobile application, database or system is completely secure or “hacker proof”. While no one can guarantee that your personal information will not be disclosed, misused or lost by accident or by the unauthorized acts of others, we continuously review and make enhancements to how we protect your information. Further, we cannot control dissemination of personal information you post on or through our website using any social networking tools we may provide and you should have no expectation of privacy in respect of such information.

Retention of data
It may not always be possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons. We will retain your information for as long as your information is necessary for the purposes for which it was collected. For example, we may retain your personal data if it is reasonably necessary to comply with any legal obligations, meet any regulatory requirements, resolve any disputes or litigation, or as otherwise needed to enforce the Policy and prevent fraud and abuse. If requested by a law enforcement authority, we may also be required to retain your personal data for a period of time.

Your legal rights
Under certain circumstances, you have rights under EU data protection laws in relation to your personal information:

Data Transfers
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission website: “Adequacy of the protection of personal data in non-EU countries”.

Personal data breach
A personal data breach is a security incident that results in accidental or unlawful destruction, loss or alteration or unauthorized disclosure of or unauthorized access to the personal data that has been transferred, stored or otherwise processed.

In the case of a personal data breach, we shall, without undue delay, and, if possible, not later than 72 hours after knowing about it, report the personal data incident to Datainspektionen, unless it is unlikely that the personal data breach involves a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by a reason for the delay.

If the personal data breach is likely to lead to a high risk for the rights and freedoms of natural persons, we shall also inform the data subject of the personal data breach without undue delay.

Personal Data Record
The company has a register of its processing of personal data. What is included in the register is explicitly stated in the GDPR, for example the purposes of the processing, description of the categories of data subjects and categories of personal data, any external recipients of the personal data and whether data is transferred to a third country.

Obligation to report under contract or law
The personal data collected from you are in many cases partly those required by law, partly those that are contractual requirements and partly those that are necessary to conclude an agreement. This means that we may be prevented from entering into an agreement with you if information is not provided.

Effective date and changes to the Policy
The Policy is effective as from May 25, 2018. We are continually improving and adding to the features and functionality of our website and the services we offer. As a result of these changes (or changes in the law), we may need to update or revise the Policy. Accordingly, we reserve the right to update or modify the Policy at any time, without prior notice.

Contact us
If you have any questions about the Policy or if you would like to exercise any rights you may have in relation to your personal information, please contact: [email protected]

The right to make a complaint to IMY
You can also file a complaint or contact Integritetsskyddsmyndigheten IMY at

Information about cookies

Our website,, uses cookies. A cookie is a small data file that is sent from our website and is stored on your computer.

We use cookies to track how our visitors interact with our website in order to improve it and make it more visitor friendly. These cookies are in no way related to any personal information of our visitors. We also use a cookie so that you can elect to remain logged in to our website so that you don't have to re-enter your credentials every time you visit our website.

You can turn off the use of cookies through the settings menu in your web browser. If you do this, some functions that improve user experience can stop working.

By remaining on our website you accept our use of cookies.