Privacy Policy - App
Last updated: 07 February 2025
1. Introduction
This privacy policy (hereinafter “Privacy Policy”) describes how Vestlane GmbH (hereinafter “Vestlane”) and its related and/or affiliated entities (the “Company,” “Vestlane,” “us,” “our,” “its,” or “we”) collects, uses, discloses, and shares Personal Data (defined below) of customers, investors and other users of this platform (https://app.vestlane.com), any subdomain or other top-level domains of Vestlane (“Platform”).
This Privacy Policy also applies to any Vestlane services, tools or platforms, mobile or desktop applications and other interactions (such as contact forms, chat, email, customer service inquiries, conferences, etc.) you may have with us, unless a specific privacy policy has been published for that service. If you do not agree with the terms, do not access or use the Platform, Services, websites or any other aspect of Vestlane’s business.
Please note that when you are provided with access to our Platform by any of our customers (e.g. fund managers, fund administrators, law firms, tax advisors, etc.) for their fundraising or operational purposes, Vestlane will be the processor of the Personal Data you provide on the Platform for that customer’s fundraising or operational purposes.
This means that we will only process such Personal Data on the instructions of that customer, e.g. for the customer’s fundraising or operational purposes and that customer will be responsible for your Personal Data. You should refer to that customer’s privacy policy to contact them or exercise your rights. In the event that you, as an investor, maintain a pre-existing profile on our Platform and opt to utilize this profile for a new investment involving a distinct customer, our role extends beyond merely processing data for said customer. We will also assume the role of a controller for the Personal Data that you have elected to reuse. Consequently, the stipulations outlined in our Privacy Policy will be applicable to such information.
We inform you about the processing of your Personal Data and the rights to which you are entitled under the European General Data Protection Regulation (GDPR) and any other applicable legal data protection laws and regulations. “Personal Data” means any information that we process about you that relates to you or that can be used to identify you as a natural person (“Data Subject”) directly or indirectly, for example your name, email address, address, order data, payment details, vehicle data or any user profile related content. You have provided or may need to provide personal data to us by virtue of requesting information about Vestlane, becoming a Vestlane customer, using the Vestlane Platform available at https://app.vestlane.com or any of its subdomains. Furthermore, this includes information that necessarily arises in the course of the investment relationship, such as banking details of the investor, invested amount and holdings in a fund or vehicle.
In this Privacy Policy, we use various other terms as defined by the GDPR. These include terms such as processing, profiling, pseudonymization, controller, processor, recipient, third party, consent, supervisory authority and international organization. You can find the corresponding definitions for these terms in Article 4 of the GDPR.
2. Who is Responsible for the Data Processing
The Entity Responsible for the Collection and Processing of Personal Data Is:
Vestlane GmbH
Kurfürstendamm 12,
10719 Berlin, Germany
Contact Details of the Appointed External Data Protection Officer:
SECJUR GmbH
Steinhöft 9,
20459 Hamburg
Phone: +49 40 228 599 520
Email: [email protected];
3. Data We Collect from You
3.1 Information You Provide Us
As the case may be we collect your name, address, email address, phone number, username, password (encrypted), demographic information (e.g. your birth date, occupation, etc.), banking information, as well as other information you directly give us on our Platform, and, in the course of our business relationship via email or other means of data exchange.
3.2 Automatically Collected Information
When you access our Platform, we collect the following access data, which is technically necessary for us to present our Platform to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific website accessed), access status/HTTP status code, amount of data transferred in each case, referrer URL (previously visited page), operating system and its interface, language and version as well as type of browser software and notification of successful retrieval.
3.3 Investor/User Information
If you are an investor/user or potential investor/user at Vestlane we collect certain information about you to allow you to participate in our customers’ fundraising or other workflows for operational purposes. The information we collect varies based on the fund or vehicle and specific workflow, in addition to the information you give us, especially if you undergo certain verification checks and submit identity information such as your identity card or passport, we process your personal data contained in these documents. Additionally we might collect and process information about your social security number, tax identification numbers, other government identification documents like driver’s licenses, or bank statements, proof of address, your accreditation/qualification status as investor, the amount and source of the capital you intend to invest to a fund or vehicle, and/or contact information of any third party involved in an investment process such as joint signatories, beneficial owners, partners, etc.
3.4 Information We Get From Others
We may get information about you from other sources. We may add this to information you provide through our Platform. For example, if you are an investor, we may receive Investor Information from our customers, or their service providers (e.g. lawyers, fund administrators, tax advisors, etc.).
3.5 Cookies
We use cookies on our platform. These are text files that your browser automatically creates and that are stored on your IT system when you visit our site. Certain information flows to the site setting the cookie through the cookies. It is not possible to execute programs or transfer viruses to your end device by using cookies. If you do not want cookies to be used, you can disable them in the settings.
• Essential Cookies: We use essential cookies. These are cookies that are technically necessary to provide all the functions of our platform. The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 para. 1, sentence 1 lit. f GDPR. We have an overriding legitimate interest in being able to provide our services in a technically flawless manner. The legal basis for the use of cookies in relation to our contractual partners, who make use of the services we provide through our website, is Art. 6 (1) (b) GDPR, namely the provision of our contractual services.
• Non-essential Cookies: We also use non-essential cookies (e.g. analysis and marketing cookies). These are cookies that are not technically necessary. We use them to understand your behavior on our platform and to improve our services. The legal basis for the data processing is your consent in accordance with Art. 6 (1) 1 lit. a GDPR. The cookies are only set after you have given your consent via our “cookie banner”.
With regard to the storage period, the following types of cookies are distinguished:
• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his terminal device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the end device has been closed. This means, for example, that the login status can be stored or preferred content can be displayed directly when the user visits a website again. Likewise, the user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information about the type and duration of storage of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.
For more information, please refer to the information we provide in the cookie banner.
3.6 Analytics and other external online services or products
a. Google Analytics
Our web application uses features of the web analytics service Google Analytics from Google LLC, 1600 Amphitheater Parkway, Mountain View, California 94043, USA (Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). We use Google Analytics to analyze your user behavior in order to make decisions regarding product and marketing optimization based on the results. The personal data we process using Google Analytics includes the following:
• Time of request
• IP addresses
• Online identifiers
• Device identifiers
• Technical characteristics of users (e.g. browser type and version, device type, operating system)
• Measurement of usage behavior (e.g. views of individual pages/content, views of content from different areas, session duration/length of stay, bounce rate)
• Use of individual web application functionalities (e.g. search queries, downloads)
• eCommerce activity (e.g. products purchased, sales)
• Referrer URL (the previously visited page)
The legal basis for the use of the service is Art. 6 para. 1 (a) GDPR and § 25 para. 1 TDDDG, i.e. the integration only takes place with your consent. You can revoke your consent at any time by changing the corresponding cookie settings in your browser or cookie banner or by deleting the cookies.
As an extension to Google Analytics 4, Google Signals can be used on this web application to generate cross-device reports. If you have activated personalized ads and linked your devices to your Google account, Google may, subject to your consent to the use of Google Analytics in accordance with Art. 6 para. 1 (a) GDPR, analyze your usage behavior across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics. If you wish to stop the cross-device analysis, you can disable the “Personalized Advertising” feature in your Google Account settings. To do so, follow the instructions on this page: https://support.google.com/ads/answer/2662922?hl=de.
Further information about Google Signals can be found at the following link: https://support.google.com/analytics/answer/7532985?hl=de
By integrating this service on our websites, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to achieve the stated purposes.
We have concluded a data processing agreement (DPA) for the use of Google Analytics. This is a contract that is required under data protection law and ensures that Google only processes your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR. Unless otherwise indicated, these are standard contractual clauses (SCCs) of the European Commission in accordance with the implementing decision (EU) 2021/914 of June 4, 2021. These clauses ensure an adequate level of data protection when your data is transferred. A copy of these standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.
Personal data is also transmitted to the United States. The European Commission has issued an adequacy decision in accordance with Art. 45 (3) of the GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the United States that are certified accordingly are permissible. Google is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search.
Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/?hl=de.
b. Calendly
We use Calendly, a service provided by Calendly, Inc., 115 E Main St., Ste A1B Buford, GA 30518, USA (Calendly), on our web application. Calendly is a scheduling tool that allows us to quickly and easily set up appointments for meetings and events. We connect Calendly to a calendar such as Google, Office 365 or Outlook for this purpose. Users can then see when we are available for a meeting and choose their preferred appointment.
The legal basis for the use of the service is Art. 6 para. 1 (a) GDPR and § 25 para. 1 TDDDG, i.e. the integration only takes place with your consent. You can revoke your consent at any time by changing the corresponding cookie settings in your browser or cookie banner or by deleting the cookies.
By integrating the services on our web application, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to achieve the stated purposes.
We have concluded a data processing agreement (DPA) for the use of Calendly. This is a contract required by data protection law that ensures that they only process your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR. Unless otherwise indicated, these are standard contractual clauses of the European Commission in accordance with the implementing decision (EU) 2021/914 of June 4, 2021. A copy of these standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.
Since personal data is transferred to Calendly, which is based in the United States, further protective mechanisms are required to ensure the level of data protection provided by the GDPR. The EU Commission has issued an adequacy decision for the United States in accordance with Art. 45 (1) GDPR with regard to companies certified under the EU-U.S. Data Privacy Framework. Calendly is certified according to the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search.
Further information can be found at: https://calendly.com/legal/privacy-notice.
c. Sentry
We use Sentry Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA (Sentry) to continuously maintain the operational security of our services. Sentry helps us to identify and analyze errors and problems within our web application in real time. This enables us to react quickly to crashes, performance problems or other irregularities and thus ensure the stability and reliability of the web application.
As part of the use of Sentry, we process the following data, taking into account data protection-friendly default settings:
• Error details: Information about the error itself, including the type of error and the error message, as well as the context in which the error occurred.
• System information: Browser version, device type, operating system and other relevant information about the system on which the error occurred.
• Usage data: Information about how the application was used at the time of the error, including specific user actions that may have led to the error. Personal data is anonymized or masked as far as possible.
• Network information: IP address (in anonymized form, if possible), as well as request details that may clarify the context of the error.
The primary purpose of using Sentry is to analyze errors. By collecting error reports and performance data, we can understand the causes of problems and take targeted action to fix them. This significantly contributes to security by quickly addressing security vulnerabilities and increasing the efficiency of our services.
The processing of personal data in the context of error analysis with Sentry is based on our legitimate interest in accordance with Art. 6 para. 1 (f) GDPR. Our legitimate interest lies in ensuring the security and functionality of the website / web application, which is also in the interest of our users.
The data collected by Sentry as part of the error analysis is only stored for as long as is necessary to analyze and rectify the problems identified. The data is then deleted or anonymized so that it can no longer be traced back to an identified or identifiable person. The maximum storage period is usually 90 days.
We have concluded a data processing agreement (DPA) for the use of Sentry. This is a contract prescribed by data protection law that ensures that Sentry processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR.
Personal data is also transferred to the United States. The European Commission has issued an adequacy decision in accordance with Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the United States that are certified accordingly are permissible. Sentry is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search
Further information on data use by Sentry can be found at: https://sentry.io/privacy.
d. Usersnap
We provide you with a widget on our web application for feedback so that we can improve our website and our services. To do this, we use the interactive feedback tool from the external service provider Usersnap GmbH, Industriezeile 35, 4020 Linz, Austria (Usersnap). To do this, you are shown a widget that can be used to voluntarily submit a rating and suggestions for improvement. When you submit feedback to us, we collect the information provided and the technical data collected, such as IP address, browser data, operating system, screen size, time stamp and page access data. We use this data exclusively for processing the feedback and to improve our services.
Participation in this tool is voluntary and is based on the legal basis of Art. 6 para. 1 (a) GDPR. You can revoke your consent to this processing at any time without giving reasons by informing us of your decision via the above e-mail contact address.
We store the feedback we receive, as well as any feedback we may send, until the respective feedback item has been dealt with. After that, your feedback data will be deleted or anonymized. The Usersnap software and all its services are hosted and managed within the European secure data centers.
We have concluded a data processing agreement (DPA) for the use of Sentry. This is a contract prescribed by data protection law that ensures that Usersnap processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR.
Further information on data protection at Usersnap can be found in the provider's privacy policy: https://usersnap.com/privacy-policy.
e. Quill JS
We use the Quill JS text editor on our web application. Quill JS allows us to integrate rich text editing capabilities into our web application.
When you access this content, you establish a connection to Quill JS servers, whereby your IP address, referrer URL, request headers and browser data such as your user agent are transmitted. These data are processed solely for the purposes mentioned above and to maintain the security and functionality of Quill JS. No sensitive or personal data entered into the Quill JS editor is transferred to third parties, as Quill JS itself does not interact with the data being edited – it only provides the styling and functionality.
The use of Quill JS is based on our legitimate interests, i.e. interest in a secure and efficient provision and the optimization of our online offer in accordance with Art. 6 para. 1 (f) GDPR.
The transmission and processing of personal data takes place exclusively on servers in the European Union.
Your personal data will be stored as long as it is necessary to fulfill the purposes of the processing.
4. Purposes and Legal Grounds of Data Processing
We process personal data in accordance with the provisions of the European Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016, the "GDPR") and the German Federal Data Protection Act ("BDSG") (or, in other jurisdictions, in accordance with the legislation set out in the corresponding sections at the end of this Privacy Policy) for the following purposes and on the basis of the following legal grounds. Where there are references to the GDPR, BDSG and other legislation in this section, these should be construed as referring to the equivalent legislation in force in the relevant jurisdiction in relation to personal data collected and processed in such other jurisdiction.
Purpose: If you have given us consent to process personal data for certain purposes, in particular for contacting you (e.g. sending newsletters, announcing new product features, promotional communications, advertising by telephone, e-mail, SMS, or in relation to the creation of a user account), this processing is lawful on the basis of your permission.
Legal ground: Consent, Art. 6 para 1(a) of the GDPR
Purpose: When contacting us (via contact form, chat or e-mail), your data will be processed for the purpose of handling the contact request and its processing, especially to respond to comments, requests and questions, to verify permission access, and to provide overall customer service and support.
Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR
Purpose: Insofar as required for the participation of the investor in a fund, vehicle or other related workflow, we process Personal Data in particular to support our customers with regard to the acceptance of the investor as limited partner, including the investor’s capital contribution, handling of communication processes, internally and externally (e.g. correspondence), administrative tasks such as drawdown and distribution notices, general investor relations, tax and regulatory filings/reports and adjacent workflows.
Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR
Purpose: In order to prevent and detect money laundering and the financing of terrorism and to comply with any other regulations relating to sanctions and embargoes through our Know Your Customer (KYC) process, we might process general personal data, bank data and metadata, including to help identify you, verify your identity, screen your details against lists and databases of politically exposed persons (PEP), sanctions, high risk countries and adverse media and determine your (risk) profile. Please note that such services might also be carried out by third party service providers.
Legal ground: Compliance with a legal obligation, Art. 6 para. 1(c) of the GDPR
Purpose: An identification process compliant with local financial authorities might include the storage (on behalf of our customers as the case may be) of audio and video recordings of the identification process, of the identified person itself and the identification document, images of the identified person, of the front and (if available) back of the identified person's identification document, personal data such as first name, name, street, house number, postal code, place of residence, date of birth, place of birth, nationality, email, mobile phone number, ID card / passport data such as type of ID card, ID card number, Issuing country, Date of issue, Validity date, Issuing authority, etc. (“Identification Data”). Please note that such services might also be carried out by third party service providers. As a rule, we will store such Identification Data on behalf of and in the account of the obliged customer that initially identified the respective person. To comply with certain regulations we provide immediate access to such Identification Data. In order to avoid repeat video identifications of users (following the principle of data minimization), an obliged customer may access Identification Data initially retrieved by another customer, if the accessing customer is legally obliged to identify the respective investor (e.g. due to AML regulation). In such a case, we may act as a technical messenger between those customers and will grant the accessing customer access to the Identification Data. This applies in particular to cases where European Anti-Money Laundering regulation allows the transmission of an investor’s Identification Data between so-called obligated parties that have to fulfill KYC/AML requirements (e.g. funds, fund managers). The processing generally serves the purpose of complying with official control and information obligations.
Legal ground: Compliance with a legal obligation, Art. 6 para. 1(c) of the GDPR
Purpose: To facilitate further investments or operational workflows of a user with other customers of ours, we offer to save and process Personal Data submitted to permit investors/users to use their verified data also for potential future investments or workflows or other activities on Vestlane. Without consent of the respective user, the user’s Personal Data will not be provided to any other party. The user can revoke such consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Legal ground: Consent, Art. 6 para 1(a) of the GDPR
Purpose: Sending emails and other communications regarding our Service necessary for technical or administrative purposes, such as confirmations, invoices and billing, technical notices, updates, security alerts, and support and administrative messages, as well as messages, and other types of essential communications. These communications are considered part of the Service and you may not opt-out of them.
Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR
Purpose: Additionally, we process Personal Data for operational service recording and evaluation, internal communication, ensuring operational safety, accommodating inquiries from public authorities, assertion of legal claims, development and provision of search, learning and productivity tools and additional features.
Legal ground: Purpose of legitimate interests, Art. 6 para. 1 (f) of the GDPR
Purpose: To contact you and to manage our relationship with you and/or your company where you are a supplier/partner or the representative of a customer/supplier/partner with whom we have a business relationship.
Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR
Purpose: We process your Platform access data to safeguard our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:
- Ensuring IT security, in particular the security of our Platform; we also store the IP address in the event that someone leaves behind illegal content using the comment function (insults, prohibited propaganda, etc.) and we must be able to determine the author’s identity for our own legal protection;
- Monitoring and improving our relationships with customers, investors and other users;
- Asserting legal claims and conducting our defense in case of legal disputes.
In any case, our legitimate interest remains proportionate and we verify according to a balancing test that your interests or fundamental rights are preserved.
Legal ground: Purpose of legitimate interests, Art. 6 para. 1 (f) of the GDPR
Purpose: We process data:
- when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding. The Personal Data shared may be shared with counterparties and others assisting with the deal.
- We may share information with those who need it to do work for us. This includes granting Vestlane employees and service providers the necessary access in order to perform their duties.
- We may share aggregated or anonymized data. This includes for marketing, analytics, or research purposes.
Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR
Granting consent - where we process your personal data based on consent - is voluntary. You are entitled to withdraw your consent(s) for the future at any time, without specifying any reasons and by sending an informal email via the above contact details or via [email protected]. Please note that the withdrawal is only effective from the date on which you notify us of such withdrawal. Processing that took place before the withdrawal is therefore not affected, but you are entitled to request that we provide you with details of, or that we delete, the personal data that we hold about you. Please be aware that any processing on other legal grounds than consent may remain unaffected.
5. Information Choices and Changes
You can opt-out of receiving Vestlane’s marketing emails at any time by selecting the unsubscribe link in any marketing email we send you, or by contacting us. If you opt out, we may still send you non-marketing emails. Non-marketing emails are service focused and so will generally include emails about your accounts and our business dealings with you. Vestlane strives to provide you the tools to update your Personal Data. If you are unable to correct inaccurate information on your own, you may request our assistance to update such information by contacting [email protected].
6. Data Access
Within Vestlane, departments that need to know your data to fulfill our contractual and regulatory obligations can access your data.
In addition, processors (Art. 28 GDPR) engaged by us may also obtain access to data for the above-mentioned purposes. These may be, for example, our IT service providers, hosting provider, background and/or credit reference check providers or third parties that provide printing services, telecommunications, sales and marketing services. If we use processors to provide our services, we will take appropriate legal precautions as well as the relevant contractual, technical and organizational measures to protect personal data in accordance with applicable law.
Any transfer of data to third parties will be made only within the scope of legal requirements. We will disclose your data to third parties only if this is required, for example, under Art. 6 para. 1 (b) GDPR for contractual purposes or based on legitimate interests pursuant to Art. 6 para 1 (f) GDPR in the economic and effective operation of our business or if you have consented to the transfer of data. Recipients of such data may be customers of us to perform a contract or execute pre-contractual measures with you, and other service providers and delegates employed and/or retained by them, professional partners such as private banks, family offices, fund managers, law firms and other service providers, and public authorities.
In the case of purely informational use of the Platform, we do not pass on any data to third parties.
The following is a list of the processors we engage:
Processor: Amazon Web Services EMEA SARL, Avenue John F. Kennedy 38, 1855 Luxembourg, Luxembourg
Function: Operation of the Platform
Data Processing: Personal master data, Address data, Contact details, Payment/bank data, Technical data, Tracking data, Log files, device information (browser to web server), Image and sound recordings
Processing location: Europe
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://aws.amazon.com/privacy/?nc1=f_pr
Processor: Google Workspace, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Function: Internal organisation of the work process
Data Processing: Personal master data, Address data, Contact details, Payment/bank data
Processing location: Europe
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://policies.google.com/privacy?hl=en
Processor: Azure, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Function: Operation of the Platform
Data Processing: Personal master data, Address data, Contact details, Payment/bank data, Technical data, Tracking data, Log files, device information (browser to web server), Image and sound recordings
Processing location: Europe (mainly Germany)
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://privacy.microsoft.com/en-us/privacystatement
Processor: Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland.
Function: Internal communication
Data Processing: Personal master data, Address data, Contact data
Processing location: USA
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://slack.com/intl/en-gb/trust/privacy/privacy-policy
Processor: IDNow GmbH, Auenstraße 100, 80469 München, Germany
Function: Customer identification tool
Data Processing: Personal master data, Address data, contact data, Image and sound recordings
Processing location: Europe, predominantly Germany
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://www.idnow.io/privacy/
Processor: Comply Advantage
Function: AML risk detection
Data Processing: Name, date of birth, address data
Processing location: Europe and outside of the EEA on the basis of Art. 46 para 2 (c) GDPR
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://complyadvantage.com/privacy-notice/
Processor: DocuSign
Function: Electronic signing of documents
Data Processing: Contact details (name, email address, address, phone numbers), Job information (title, place of work), Signatures, IP addresses, other unique device identifiers and geolocation information
Processing location: Europe
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://www.docusign.com/privacy
Processor: NorthData
Function: Database for European companies information
Data Processing: Company information (name, address, structure)
Processing location: Europe (Germany)
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://www.northdata.com/_privacy
Processor: Klippa
Function: Customer identification tool
Data Processing: Personal master data, Address data, contact data, Image and sound recordings
Processing location: Europe
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://www.klippa.com/wp-content/uploads/2023/09/Klippa-Privacy-Statement-Website-2023.pdf
Processor: Veriff
Function: Customer identification tool
Data Processing: Personal master data, Address data, contact data, Image and sound recording
Processing location: Europe
Legal basis: Art. 6 para. 1 (f) of the GDPR
Privacy Policy of Processor for further information: https://www.veriff.com/privacy-notice
7. Data Retention
We generally retain your Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy.
When determining the relevant retention periods for your Personal Data, we take into account the following factors: (a) consent you give us with regards to your Personal Data; (b) our contractual obligations and rights in relation to the Personal Data involved; (c) our legal obligation(s) under relevant laws to retain data for a certain period of time; (d) our legitimate business and commercial interests; (e) whether retention is advisable in light of our legal position (such as with regard to applicable statute of limitations, investigations, litigation, and other potential and actual disputes); and (f) any guidelines issued by relevant data protection authorities.
For security reasons (e.g. to clarify acts of abuse or fraud), log file information is stored for a maximum of 90 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
As far as necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation of a contract via contact form or by e-mail.
In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified are six and ten years respectively.
Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are usually 3 years, but in certain cases can be up to thirty years.
If you exercise your rights as a data subject, we will store the information provided to you in this regard until the expiry of the statutory limitation period pursuant to Section 31 para 2 no 1 OWiG, Section 41 para 1 BDSG, Article 83 para 5 (b) GDPR for 3 years. This period may be extended if the statutory limitation period is extended due to interruptions of the limitation period (e.g. in the context of inquiries by the supervisory authorities).
The retention period for identification data extends beyond the end of your contractual relationship with us. Customers of ours might be subject to AML regulation, especially according to §§ 8, 10 GwG, or mutatis mutandis according to other European or international AML regulation. To support them in their compliance, we store identification data for at least five years. This retention obligation only begins at the end of the calendar year in which our customer relationship with you or the customer relationship between you and one of our customers is terminated. The total retention period can therefore be longer than five years after the end of the contract, as the case may be.
Please note that local data retention obligations may apply to our subsidiaries, which may differ from the time periods mentioned above. For further information please contact us at the contact details given above.
8. Transfers to Third Countries
Personal Data is primarily processed in the EU/EEA. If we process data in a third country (i.e., outside the European Union (EU), the United Kingdom (UK) or the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this will only be done in accordance with the requirements of the GDPR.
Please note that the US or other third countries may have data protection laws less stringent than or otherwise different from the laws in effect in your country. Possible risks of this data transfer are that access by state authorities, such as security authorities and/or intelligence services, cannot be ruled out and your data could be processed by them, possibly without you being informed separately and without enforceable rights and effective legal remedies being available to you, for reasons of national security, law enforcement or for other purposes in the public interest of the USA.
To ensure appropriate safeguards for the protection of the transfer and processing of personal data outside the EU/UK/EEA, the transfer of data to and processing of data is based on appropriate safeguards pursuant to Art. 46 et seq. GDPR, in particular by concluding so-called standard data protection clauses pursuant to Art. 46 (2) (c) GDPR.
If you are located in the United Kingdom (UK) or European Economic Area (EEA), and we share your Personal Data to parties in the US or any other countries not recognized as adequate for the transfer of your Personal Data, to the extent a safeguard is required under law for such transfers of your Personal Data, we have put in place the UK government approved international data transfer agreement/addendum (for UK transfers) and Standard Contractual Clauses approved by the EU Commission (for EEA transfers). Please contact us for further details on the safeguards in place and how to obtain a copy.
The data collected by the products listed within the scope of this declaration from US providers or their affiliated companies, may be stored and processed by them in the USA, among other places. We have no influence on further data processing by the US service providers. For a data transfer to a third country, i.e. a country outside the EU or the EEA, appropriate guarantees for the protection of your personal data are generally required.
9. Data Subject Rights
You have specific rights concerning your Personal Data and can exercise these rights by contacting us.
Right to information: You have the right to obtain information about the Personal Data that we store about you. In case of an information request, we will provide you with the stored personal data. You also have the right to the information specified in detail in Art. 15 para 1 GDPR. However, the aforementioned right is not unlimited; the right to obtain a copy of your personal data shall not adversely affect the rights and freedoms of others under Art. 15 para 4 GDPR.
Right to rectification and erasure: You may request the correction of incorrect Personal Data and – insofar as the legal requirements are met – the erasure of your Personal Data in accordance with Art. 16, Art. 17 GDPR. The right to erasure (“right to be forgotten”) is not unrestricted. In particular, erasure cannot be demanded, if we need to process your personal data further in order to perform our contract, to fulfil a legal obligation or to assert, exercise or defend legal claims. The requirements and restrictions of the right to deletion are set out in detail in Art. 17 GDPR.
Restriction of processing: As far as the legal requirements are met, you may request that we restrict the processing of your Personal Data. In this case, we may continue to store this data, but may process it only under strict conditions. The conditions and restrictions of the right to restrict processing are set out in detail in Art. 18 GDPR.
Data portability: You may request to receive Personal Data provided by you, which we process in an automated process, on the basis of the contract existing between us, or your consent, in a structured, common and machine-readable format. In addition, you may request us to transmit this data directly to another responsible party, insofar as this is technically feasible. The requirements and restrictions of the aforementioned rights can be found in detail in Art. 20 para 3 and 4 GDPR.
Objection to data processing: You may object to the processing of your Personal Data at any time if there is a legitimate interest of you arising from your particular situation. In such case, we will stop the processing of your Personal Data, unless we can – in accordance with the legal requirements – prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the purposes of asserting, exercising or defending legal claims.
Revocation of consent: If you have consented to the processing of your Personal Data, e.g. for direct marketing purposes, you can revoke your consent at any time with effect for the future. The lawfulness of the processing of your Personal Data prior to the revocation remains unaffected.
Right to complain to the supervisory authority: You can file a complaint with the competent supervisory authority if you believe that the processing of your Personal Data violates applicable law. You can contact the data protection authority which is responsible for your place of residence or your country or the data protection authority responsible for us.
10. Contact
Furthermore, you can contact us free of charge with any questions about the processing of your Personal Data, your rights as a data subject and any consent you have given under the contact information given above. If you want to revoke your consent, you can choose the same channel which you used when you submitted the consent.
11. Automated individual decision-making, including profiling
In the context of accessing our Platform or in the context of contacting us by form or e-mail, we do not use any fully automated decision-making pursuant to Article 22 GDPR. Should we use these procedures in individual cases, we will inform you about this separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).
12. Changes to this Privacy Policy
We may periodically make changes to this Privacy Policy. We will notify you of any significant changes where we have a relationship with you and otherwise post updated versions here. We recommend that you revisit this Privacy Policy regularly.