Ongoing Investor Onboarding for Private Funds

Privacy Policy - App

Last updated: February 07, 2025

1. Introduction

This privacy policy (hereinafter “Privacy Policy”) describes how Vestlane GmbH (hereinafter “Vestlane”) and its related and/or affiliated entities (the “Company,” “Vestlane,” “us,” “our,” “its,” or “we”) collects, uses, discloses, and shares Personal Data (defined below) of customers, investors and other users of this platform (https://app.vestlane.com), any subdomain or other top-level domains of Vestlane (“Platform”).

This Privacy Policy also applies to any Vestlane services, tools or platforms, mobile or desktop applications and other interactions (such as contact forms, chat, email, customer service inquiries, conferences, etc.) you may have with us, , unless a specific privacy policy has been published for that service. If you do not agree with the terms, do not access or use the Platform, Services, websites or any other aspect of Vestlane’s business.

Please note that when you are provided with access to our Platform by any of our customers (e.g. fund managers, fund administrators, law firms, tax advisors, etc.) for their fundraising or operational purposes, Vestlane will be the processor of the Personal Data you provide on the Platform for that customer’s fundraising or operational purposes.

This means that we will only process such Personal Data on the instructions of that customer, e.g. for the customer’s fundraising or operational purposes and that customer will be responsible for your Personal Data. You should refer to that customer’s privacy policy to contact them or exercise your rights. In the event that you, as an investor, maintain a pre-existing profile on our Platform and opt to utilize this profile for a new investment involving a distinct customer, our role extends beyond merely processing data for said customer. We will also assume the role of a controller for the Personal Data that you have elected to reuse. Consequently, the stipulations outlined in our Privacy Policy will be applicable to such information.

We inform you about the processing of your Personal Data and the rights to which you are entitled under the European General Data Protection Regulation (GDPR) and any other applicable legal data protection laws and regulations. “Personal Data” means any information that we process about you that relates to you or that can be used to identify you as a natural person (“Data Subject”) directly or indirectly, for example your name, email address, address, order data, payment details, vehicle data or any user profile related content. You have provided or may need to provide personal data to us by virtue of requesting information about Vestlane, becoming a Vestlane customer, using the Vestlane Platform available at https://app.vestlane.com or any of its subdomains. Furthermore, this includes information that necessarily arises in the course of the investment relationship, such as banking details of the investor, invested amount and holdings in a fund or vehicle.

In this Privacy Policy, we use various other terms as defined by the GDPR. These include terms such as processing, profiling, pseudonymization, controller, processor, recipient, third party, consent, supervisory authority and international organization. You can find the corresponding definitions for these terms in Article 4 of the GDPR.

2. Who is Responsible for the Data Processing

The Entity Responsible for the Collection and Processing of Personal Data Is:

Vestlane GmbH

Kurfürstendamm 12,

10719 Berlin, Germany

[email protected]

www.vestlane.com

Contact Details of the Appointed External Data Protection Officer:

SECJUR GmbH

Steinhöft 9,

20459 Hamburg

Phone: +49 40 228 599 520

Email: [email protected];

3. Data We Collect from You

3.1 Information You Provide Us

As the case may be we collect your name, address, email address, phone number, username, password (encrypted), demographic information (e.g. your birth date, occupation, etc.), banking information, as well as other information you directly give us on our Platform, and, in the course of our business relationship via email or other means of data exchange.

3.2. Automatically Collected Information

When you access our Platform, we collect the following access data, which is technically necessary for us to present our Platform to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific website accessed), access status/HTTP status code, amount of data transferred in each case, referrer URL (previously visited page), operating system and its interface, language and version as well as type of browser software and notification of successful retrieval.

3.3 Investor/User Information

If you are an investor/user or potential investor/user at Vestlane we collect certain information about you to allow you to participate in our customers’ fundraising or other workflows for operational purposes. The information we collect varies based on the fund or vehicle and specific workflow, in addition to the information you give us, especially if you undergo certain verification checks and submit identity information such as your identity card or passport, we process your personal data contained in these documents. Additionally we might collect and process information about your social security number, tax identification numbers, other government identification documents like driver’s licenses, or bank statements, proof of address, your accreditation/qualification status as investor, the amount and source of the capital you intend to invest to a fund or vehicle, and/or contact information of any third party involved in an investment process such as joint signatories, beneficial owners, partners, etc.

3.4 Information We Get From Others

We may get information about you from other sources. We may add this to information you provide through our Platform. For example, if you are an investor, we may receive Investor Information from our customers, or their service providers (e.g. lawyers, fund administrators, tax advisors, etc.).

3.5 ‍Cookies

We use cookies on our platform. These are text files that your browser automatically creates and that are stored on your IT system when you visit our site. Certain information flows to the site setting the cookie through the cookies. It is not possible to execute programs or transfer viruses to your end device by using cookies. If you do not want cookies to be used, you can disable them in the settings.

• Essential Cookies We use essential cookies. These are cookies that are technically necessary to provide all the functions of our platform. The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 para. 1, sentence 1 lit. f GDPR. We have an overriding legitimate interest in being able to provide our services in a technically flawless manner. The legal basis for the use of cookies in relation to our contractual partners, who make use of the services we provide through our website, is Art. 6 (1) (b) GDPR, namely the provision of our contractual services.

• Non-essential Cookies We also use non-essential cookies (e.g. analysis and marketing cookies). These are cookies that are not technically necessary. We use them to understand your behavior on our platform and to improve our services. The legal basis for the data processing is your consent in accordance with Art. 6 (1) 1 lit. a GDPR. The cookies are only set after you have given your consent via our “cookie banner”.

With regard to the storage period, the following types of cookies are distinguished:

• Temporary cookies (also: session or session cookies) Temporary cookies are deleted at the latest after a user has left an online offer and closed his terminal device (e.g. browser or mobile application).

• Permanent cookies Permanent cookies remain stored even after the end device has been closed. This means, for example, that the login status can be stored or preferred content can be displayed directly when the user visits a website again. Likewise, the user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information about the type and duration of storage of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.

For more information, please refer to the information we provide in the cookie banner.

3.6 ‍Analytics and other external online services or products

a. Google Analytics

Our web application uses features of the web analytics service Google Analytics from Google LLC, 1600 Amphitheater Parkway, Mountain View, California 94043, USA; (Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland; (Google). We use Google Analytics to analyze your user behavior in order to make decisions regarding product and marketing optimization based on the results. The personal data we process using Google Analytics includes the following:

• Time of request

• IP addresses

• Online identifiers

• Device identifiers

• Technical characteristics of users (e.g. browser type and version, device type, operating system)

• Measurement of usage behavior (e.g. views of individual pages/content, views of content from different areas, session duration/length of stay, bounce rate

• Use of individual web application functionalities (e.g. search queries, downloads)

• eCommerce activity (e.g. products purchased, sales)

• Referrer URL (the previously visited page)

The legal basis for the use of the service is Art. 6 para. 1 (a) GDPR and § 25 para. 1 TDDDG, i.e. the integration only takes place with your consent. You can revoke your consent at any time by changing the corresponding cookie settings in your browser or cookie banner or by deleting the cookies.

As an extension to Google Analytics 4, Google Signals can be used on this web application to generate cross-device reports. If you have activated personalized ads and linked your devices to your Google account, Google may, subject to your consent to the use of Google Analytics in accordance with Art. 6 para. 1 (a) GDPR, analyze your usage behavior across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics. If you wish to stop the cross-device analysis, you can disable the “Personalized Advertising” feature in your Google Account settings. To do so, follow the instructions on this page: https://support.google.com/ads/answer/2662922?hl=de.

Further information about Google Signals can be found at the following link: https://support.google.com/analytics/answer/7532985?hl=de By integrating this service on our websites, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to achieve the stated purposes.

We have concluded a data processing agreement (DPA) for the use of Google Analytics. This is a contract that is required under data protection law and ensures that Google only processes your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR. Unless otherwise indicated, these are standard contractual clauses (SCCs) of the European Commission in accordance with the implementing decision (EU) 2021/914 of June 4, 2021. These clauses ensure an adequate level of data protection when your data is transferred. A copy of these standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.

Personal data is also transmitted to the United States. The European Commission has issued an adequacy decision in accordance with Art. 45 (3) of the GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the United States that are certified accordingly are permissible. Google is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/?hl=de.

b. Calendy

We use Calendly, a service provided by Calendly, Inc., 115 E Main St., Ste A1B Buford, GA 30518, USA; (Calendly), on our web application. Calendly is a scheduling tool that allows us to quickly and easily set up appointments for meetings and events. We connect Calendly to a calendar such as Google, Office 365 or Outlook for this purpose. Users can then see when we are available for a meeting and choose their preferred appointment.

By integrating the services on our web application, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to achieve the stated purposes.

We have concluded a data processing agreement (DPA) for the use of Calendy. This is a contract required by data protection law that ensures that they only process your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR. Unless otherwise indicated, these are standard contractual clauses of the European Commission in accordance with the implementing decision (EU) 2021/914 of June 4, 2021. A copy of these standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.

Since personal data is transferred to Calendly, which is based in the United States, further protective mechanisms are required to ensure the level of data protection provided by the GDPR. The EU Commission has issued an adequacy decision for the United States in accordance with Art. 45 (1) GDPR with regard to companies certified under the EU-U.S. Data Privacy Framework. Calendly is certified according to the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search.

Further information can be found at: https://calendly.com/legal/privacy-notice.

c. Sentry

We use Sentry Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA; (Sentry) to continuously maintain the operational security of our services. Sentry helps us to identify and analyze errors and problems within our web application in real time. This enables us to react quickly to crashes, performance problems or other irregularities and thus ensure the stability and reliability of the web application.

As part of the use of Sentry, we process the following data, taking into account data protection-friendly default settings: • Error details: Information about the error itself, including the type of error and the error message, as well as the context in which the error occurred. • System information: Browser version, device type, operating system and other relevant information about the system on which the error occurred. • Usage data: Information about how the application was used at the time of the error, including specific user actions that may have led to the error. Personal data is anonymized or masked as far as possible. • Network information: IP address (in anonymized form, if possible), as well as request details that may clarify the context of the error.

The primary purpose of using Sentry is to analyze errors. By collecting error reports and performance data, we can understand the causes of problems and take targeted action to fix them. This significantly contributes to security by quickly addressing security vulnerabilities and increasing the efficiency of our services.

The processing of personal data in the context of error analysis with Sentry is based on our legitimate interest in accordance with Art. 6 para. 1 (f) DSGVO. Our legitimate interest lies in ensuring the security and functionality of the website / web application, which is also in the interest of our users.

The data collected by Sentry as part of the error analysis is only stored for as long as is necessary to analyze and rectify the problems identified. The data is then deleted or anonymized so that it can no longer be traced back to an identified or identifiable person. The maximum storage period is usually 90 days.

We have concluded a data processing agreement (DPA) for the use of Sentry. This is a contract prescribed by data protection law that ensures that Sentry processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR.

Personal data is also transferred to the United States. The European Commission has issued an adequacy decision in accordance with Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the United States that are certified accordingly are permissible. Sentry is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search

Further information on data use by Sentry can be found at: https://sentry.io/privacy.

d. Usersnap

We provide you a widget on our web application for feedback so that we can improve our website and our services. To do this, we use the interactive feedback tool from the external service provider Usersnap GmbH, Industriezeile 35, 4020 Linz, Austria; (Usersnap). To do this, you are shown a widget that can be used to voluntarily submit a rating and suggestions for improvement. When you submit feedback to us, we collect the information provided and the technical data collected, such as IP-Address, browser data, operating system, screen size, time stamp and page access data. We use this data exclusively for processing the feedback and to improve our services.

Participation in this tool is voluntary and is based on the legal basis of Art. 6 para. 1 (a) GDPR. You can revoke your consent to this processing at any time without giving reasons by informing us of their decision via the above e-mail contact address.

We store the feedback we receive, as well as any feedback we may send, until the respective feedback item has been dealt with. After that, your feedback data will be deleted or anonymized. The Usersnap software and all its services are hosted and managed within the European secure data centers.

We have concluded a data processing agreement (DPA) for the use of Sentry. This is a contract prescribed by data protection law that ensures that Usersnap processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable safeguards with the data recipients within the meaning of Art. 44 et seq. GDPR.

Further information on data protection at Usersnap can be found in the provider's privacy policy: https://usersnap.com/privacy-policy. e. Quill JS We use the Quill JS text editor on our web application. Quill JS allows us to integrate rich text editing capabilities into our web application.

When you access this content, you establish a connection to Quill JS servers, whereby your IP address, referrer URL, request headers and browser data such as your user agent are transmitted. These data are processed solely for the purposes mentioned above and to maintain the security and functionality of Quill JS. No sensitive or personal data entered to the Quill JS editor is transferred to the third-parties, as Quill JS itself does not interact with the data being edited – it only provides the styling and functionality.

The use of Quill JS is based on our legitimate interests, i.e. interest in a secure and efficient provision and the optimization of our online offer in accordance with Art. 6 para. 1 (f) DSGVO.

The transmission and processing of personal data takes place exclusively on servers in the European Union.

Your personal data will be stored as long as it is necessary to fulfill the purposes of the processing.

4. Purposes and Legal Grounds of Data Processing

We process personal data in accordance with the provisions of the European Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016, the "GDPR") and the German Federal Data Protection Act ("BDSG") (or, in other jurisdictions, in accordance with the legislation set out in the corresponding sections at the end of this Privacy Policy) for the following purposes and on the basis of the following legal grounds. Where there are references to the GDPR, BDSG and other legislation in this section, these should be construed as referring to the equivalent legislation in force in the relevant jurisdiction in relation to personal data collected and processed in such other jurisdiction.

Purpose: If you have given us consent to process personal data for certain purposes, in particular for contacting you (e.g. sending newsletters, announce new product features, promotional communications, advertising by telephone, e-mail, SMS, or in relation to the creation of a user account), this processing is lawful on the basis of your permission.

Legal ground: Consent, Art. 6 para 1(a) of the GDPR

Purpose: When contacting us (via contact form, chat or e-mail), your data will be processed for the purpose of handling the contact request and its processing, especially to respond to comments, requests and questions, to verify permission access, and to provide overall customer service and support.

Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR

Purpose: Insofar as required for the participation of the investor in a fund, vehicle or other related workflow, and we process Personal Data in particular to support our customers with regard to the acceptance of the investor as limited partner, including the investor’s capital contribution, handling of communication processes, internally and externally (e.g. correspondence), administrative tasks such as drawdown and distribution notices, general investor relations, tax and regulatory filings/reports and adjacent workflows.

Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR

Purpose: In order to prevent and detect money laundering and the financing of terrorism and to comply with any other regulations relating to sanctions and embargoes through our Know Your Customer (KYC) process, we might process general personal data, bank data and metadata, including to help identifying you, verifying your identity, screening your details against lists and databases of politically exposed persons (PEP), sanctions, high risk countries and adverse media and determining your (risk) profile. Please note that such services might also be carried out by third party service providers.

Legal ground: Compliance with a legal obligation, Art. 6 para. 1(c) of the GDPR

Purpose: An identification process compliant with local financial authorities might include the storage (on behalf of our customers as the case may be) of audio and video recordings of the identification process, of the identified person itself and the identification document, images of the identified person, of the front and (if available) back of the identified person's identification document, personal data such as first name, name, street, house number, postal code, place of residence, date of birth, place of birth, nationality, email, mobile phone number, ID card / passport data such as type of ID card, ID card number, Issuing country, Date of issue, Validity date, Issuing authority, etc. (“Identification Data”). Please note that such services might also be carried out by third party service providers. As a rule, we will store such Identification Data on behalf of and in the account of the obliged customer that initially identified the respective person. To comply with certain regulations we provide immediate access to such Identification Data. In order to avoid repeat video identifications of users (following the principle of data minimization), an obliged customer may access Identification Data initially retrieved by another customer, if the accessing customer is legally obliged to identify the respective investor (e.g. due to AML regulation). In such a case, we may act as a technical messenger between those customers and will grant the accessing customer access to the Identification Data. This applies in particular to cases where European Anti-Money Laundering regulation allows the transmission of an investor’s Identification Data between so-called obligated parties that have to fulfill KYC/AML requirements (e.g. funds, fund managers). The processing generally serves the purpose of complying with official control and information obligations.

Legal ground: Compliance with a legal obligation, Art. 6 para. 1(c) of the GDPR

Purpose: To facilitate further investments or operational workflows of a user with other customers of ours, we offer to save and process Personal Data submitted to permit investors/users to use their verified data also for potential future investments or workflows or other activities on Vestlane. Without consent of the respective user, the user’s Personal Data will not be provided to any other party. The user can revoke such consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Legal ground: Consent, Art. 6 para 1(a) of the GDPR

Purpose: Sending emails and other communications regarding our Service necessary for technical or administrative purposes, such as confirmations, invoices and billing, technical notices, updates, security alerts, and support and administrative messages, as well as messages, and other types of essential communications. These communications are considered part of the Service and you may not opt-out of them.

Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR

Purpose: Additionally we process Personal Data for operational service recording and evaluation, internal communication, ensuring operational safety, accommodate inquiries from public authorities, assertion of legal claims, development and provision of search, learning and productivity tools and additional features.

Legal ground: Purpose of legitimate interests, Art. 6 para. 1 (f) of the GDPR

Purpose: To contact you and to manage our relationship with you and/or your company where you are a supplier/partner or the representative of a customer/supplier/partner with whom we have a business relationship.

Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR

Purpose: We process your Platform access data to safeguard our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:

Ensuring IT security, in particular the security of our Platform; we also store the IP address in the event that someone leaves behind illegal content using the comment function (insults, prohibited propaganda, etc.) and we must be able to determine the author’s identity for our own legal protection;
Monitoring and improving our relationships with customers, investors and other users;
Asserting legal claims and conducting our defense in case of legal disputes.

In any case, our legitimate interest remains proportionate and we verify according to a balancing test that your interests or fundamental rights are preserved.

Legal ground: Purpose of legitimate interests, Art. 6 para. 1 (f) of the GDPR

Purpose: We process data:

when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding. The Personal Data shared may be shared with counterparties and others assisting with the deal.
We may share information with those who need it to do work for us. This includes granting Vestlane employees and service providers the necessary access in order to perform their duties.
We may share aggregated or anonymized data. This includes for marketing, analytics, or research purposes.

Legal ground: Performance of a contract or execution of pre-contractual measures upon request of the person, Art. 6 para 1 (b) of the GDPR

Granting consent - where we process your personal data based on consent - is voluntary. You are entitled to withdraw your consent(s) for the future at any time, without specifying any reasons and by sending an informal email via the above contact details or via [email protected]. Please note that the withdrawal is only effective from the date on which you notify us of such withdrawal. Processing that took place before the withdrawal is therefore not affected, but you are entitled to request that we provide you with details of, or that we delete, the personal data that we hold about you. Please be aware that any processing on other legal grounds than consent may remain unaffected.

5. Information Choices and Changes

You can opt-out of receiving Vestlane’s marketing emails at any time by selecting the unsubscribe link in any marketing email we send you, or by contacting us. If you opt out, we may still send you non-marketing emails. Non-marketing emails are service focused and so will generally include emails about your accounts and our business dealings with you. Vestlane strives to provide you the tools to update your Personal Data. If you are unable to correct inaccurate information on your own, you may request our assistance to update such information by contacting [email protected].

6. Data Access

Within Vestlane, departments that need to know your data to fulfill our contractual and regulatory obligations can access your data.

In addition, processors (Art. 28 GDPR) engaged by us may also obtain access to data for the above-mentioned purposes. These may be, for example, our IT service providers, hosting provider, background and/or credit reference check providers or third parties that provide printing services, telecommunications, sales and marketing services. If we use processors to provide our services, we will take appropriate legal precautions as well as the relevant contractual, technical and organizational measures to protect personal data in accordance with applicable law.

Any transfer of data to third parties will be made only within the scope of legal requirements. We will disclose your data to third parties only if this is required, for example, under Art. 6 para. 1 (b) GDPR for contractual purposes or based on legitimate interests pursuant to Art. 6 para 1 (f) GDPR in the economic and effective operation of our business or if you have consented to the transfer of data. Recipients of such data may be customers of us to perform a contract or execute pre-contractual measures with you, and other service providers and delegates employed and/or retained by them, professional partners such as private banks, family offices, fund managers, law firms and other service providers, and public authorities.

In the case of purely informational use of the Platform, we do not pass on any data to third parties.

The following is a list of the processors we engage:

Processor: Amazon Web Services EMEA SARL, Avenue John F. Kennedy 38, 1855 Luxembourg, Luxemburg

Function: Operation of the Platform

Data Processing: Personal master data, Address data, Contact details, Payment/bank data, Technical data, Tracking data, Log files, device information (browser to web server), Image and sound recordings

Processing location: Europe