The Data Controller within the meaning of the General Data Protection Regulation ("GDPR") is Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich, Germany (hereinafter "Scalable Capital" or "we"). In the following, we would like to inform you about the collection and processing of your personal data in connection with your use of our website as well as our web application and our mobile app (hereinafter the last two collectively referred to as "app") within the scope of our duty to inform you in accordance with Art. 13 GDPR.
Further information on Scalable Capital can be found in the imprint.
In general, you decide which personal data you provide to us. Within the scope of the business relationship, you are required to provide the personal data that is necessary for the initiation, implementation and termination of a business relationship and which we are legally obliged to collect and process, e.g. in accordance with anti-money laundering regulations. Without this data, we are not able to provide you with our services or functions.
Insofar as service providers process personal data on our behalf, we have concluded a data processing agreement with these service providers and agreed on appropriate guarantees to ensure the protection of personal data. We carefully select our service providers. Service providers may comprise third parties or entities affiliated with Scalable Capital within the group. In addition, these service providers process personal data exclusively for the performance of their tasks and are contractually bound to our instructions, have appropriate technical and organisational measures in place to protect personal data and are regularly audited by us. Where relevant, appropriate EU standard contractual clauses have been concluded for the transfer of personal data to processors in third countries (as an appropriate guarantee for data processing in non-European countries). You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
The transfer of personal data to certain third countries, such as Switzerland, is based on an adequacy decision. According to the EU Commission, such countries have an "adequate level of protection" and a data transfer does not require any special authorisation. An overview of the countries with an adequacy decision can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
For hosting the database and web content, we use Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg ("AWS"), a subsidiary of Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA, as an order processor. The data is stored exclusively in a German data centre (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1 and accordingly meets the highest security standards. In addition, we have agreed on corresponding EU standard contractual clauses with Amazon Web Services, Inc. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914. In conjunction with additional technical and organisational measures to ensure an adequate level of protection, it is guaranteed that the EU data protection requirements can also be met when processing data in the USA.
When you visit our website, we process access data that is stored in so-called log files. The following personal data is processed automatically in the log files:
The processing of this data is carried out in accordance with Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you as well as to defend against attacks and for the purpose of the security of our systems. The log files are deleted or anonymised immediately after they are no longer required to achieve the aforementioned purposes, but at the latest after 14 days.
We use AWS as a processor for hosting the website.
In order to be able to display content such as your country and language settings as desired, we use session-based or persistent cookies. Your country settings are deleted as soon as your browser session ends, your language settings are stored for a maximum of one year. The legal basis for the processing of these cookies is §25 (2) Telecommunications and Telemedia Data Protection Act (TTDSG) so that we can provide the telemedia service expressly requested by the user. The legal basis for the further processing of this technically necessary personal data is Article 6 (1) (f) GDPR.
We use DataDog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018, USA ("DataDog") as a data processor to collect information about the performance of our website and any technical malfunctions that may occur. For this purpose, DataDog sets up a cookie for the browser session and collects geolocation, device, and operating system data of the user of our website and apps. We process the aforementioned data in accordance with § 25 para. 2 TDDDG in conjunction with Art. 6 (1) (f) GDPR in order to ensure the security of our platform for the provision of our services and to minimise a possible risk of damage. Your personal data will be deleted after 15 days. For analysis purposes, we collect and process additional usage data on the basis of your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps. Corresponding EU standard contractual clauses were concluded in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as an appropriate guarantee for data processing in non-European countries. You can view this implementing decision (EU) 2021/914, including the EU standard contractual clauses used, via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
We use DataDog as a processor to collect information for the purpose of detecting cybersecurity incidents or any cybersecurity malfunctions that may occur, and of responding to such incidents. For this purpose, we process login data incl. email address, IP address, device information, geolocation data derived from the IP address of the user when accessing our apps. We process the above data on the basis of our legitimate interest to ensure and maintain IT security in accordance with Art. 6 (1) (f) in conjunction with Art. 32 GDPR. Your data will be deleted after 15 days unless it is required for forensic analysis and investigations.
In order to use our services (wealth management, brokerage), you must first register and create a user account ("registration"). For this purpose, we collect your private contact and identification data (e.g. title, first and last name, address, email address, telephone number, date, place and country of birth as well as nationality), certain tax data (e.g. tax number, tax residency) as well as your reference account (e.g. IBAN). As part of the registration process, you will also set a password for your personal access. In addition, depending on the services you use, we may collect information about your knowledge and experience of dealing in certain types of financial instruments or investment services, your investment objectives, including your risk tolerance, and your financial circumstances, including your ability to bear losses. We process this data in order to be able to recommend a suitable investment strategy to you or to assess the appropriateness of certain financial instruments (Art. 6 (1) (b) GDPR).
Please note that in order to use our services it is necessary to open a custody account with a custodian bank cooperating with us.
At present, we cooperate with Baader Bank Aktiengesellschaft, Weihenstephaner Str. 4, 85716 Unterschleißheim, Germany ("Baader Bank") and ING-DiBa AG, Theodor-Heuss-Allee 2, 60486 Frankfurt am Main, Germany ("ING"). The custodian banks process your data under their own responsibility. Information on how the custodian banks process your data can be found at https://www.baaderbank.de/Data+Protection+Declaration-436 for Baader Bank and https://www.ing.de/datenschutz/ for ING.
To enable you to use our services securely and to facilitate a secure log-in, we rely on Auth0 Inc, 10800 NE 8th Street, Ste. 600, Bellevue, WA, 98004, USA ("Auth0") as a processor. For this purpose, Auth0 processes your user name or email address and password together with your IP address, geolocation data derived from IP address, and device information in accordance with Art. 6 (1) (b) GDPR. Your data is encrypted at all times and processed exclusively within the European Union. In individual cases, however, a transient processing of data in the USA cannot be ruled out.
To further protect the access to your account from criminal activities and access by third parties, we implement various measures. In the course of the login process, we analyse the IP address, the location of the requesting device as well as metadata of the access (e.g. date and time of the request, information about the device, action executed, etc.). In addition, we use the functions of Auth0 to monitor at regular intervals whether your login credentials have been part of published third-party security breaches. We immediately notify you in case of any suspicion or in case your access data was part of such a security breach to assist you in changing your login credentials. The aforementioned purposes constitute our legitimate interest in processing the data on the basis of Art. 6 (1) lit. f GDPR.
Auth0 does not have access to any other personal data at any time. We have concluded the EU standard contractual clauses as appropriate safeguarding measures. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
As part of the use of our digital offer, we use Futurae Technologies AG, Eichstrasse 23, 8045 Zurich, Switzerland ("Futurae") as a processor for the two-factor authentication. For the activation of the two-factor authentication on the mobile device, data (e.g. IP address, device/browser information) is processed by Futurae. The transfer of the aforementioned data to Switzerland is based on the adequacy decision of the European Commission according to Art. 45 GDPR.
After your cancellation, you can still log in to your personal area and retrieve documents in your mailbox. You will continue to receive important documents there, such as your annual tax certificate. Your account will be deactivated no later than two years after the end of your contract. If required, access to your personal area can also be deactivated immediately after the end of the contract. To do so, please contact us using the contact options mentioned below under “Points of contact”.
For the purpose of identification, we process the private contact and identification data provided by you (e.g. your name, nationality, date and place of birth, address, email address, telephone number). Pursuant to the German Anti-Money Laundering Law, we are legally obliged to verify your identity by means of a valid identification document as part of the account opening process, to store the required information and a copy of the identification document as well as a visual and acoustic recording of the identification process carried out with us. The legal basis for the data processing is Art. 6 (1) (b) GDPR in connection with Art. 6 (1) (c) GDPR (contractual and legal obligation) in conjunction with the German Anti-Money Laundering Law.
For the purpose of identification, we use Deutsche Post AG ("Deutsche Post"), Charles-de-Gaulle-Straße 20 in 53113 Bonn, Germany, as data processor. For this purpose, we use the POSTIDENT process which, in addition to identification by means of the online ID function ("eID"), also enables identification by video chat or at a post office branch. After completion of the process, Deutsche Post AG transmits to us your identification data, a copy of the identification document and a visual and acoustic recording of the identification process that has taken place, which are processed exclusively for the purpose of fulfilling the statutory obligations under German Anti-Money Laundering Law. Further information on the data processing within the POSTIDENT process by Deutsche Post AG can be found here: https://www.deutschepost.de/de/p/postident/postident-datenschutzhinweise.html
We reserve the right to transfer your personal contact and identification data (such as your first and last name, address and date of birth) to our data processor Fourthline B.V., Tesselschadestraat 12, 1054 ET, Amsterdam, The Netherlands (“Fourthline”) for the purpose of checking against sanctions lists and whether our customers are so-called politically exposed persons (“PEP”) at regular intervals. We process this data for the purpose of complying with legal and regulatory obligations.
For Brokerage clients residing in Spain, Italy, The Netherlands and France, the identification process is usually carried out by Fourthline. In order to comply with regulatory requirements, it is necessary to accept Fourthline's Terms and Conditions, which do not impose any obligations on you as a customer other than verifying your identity. Once you have gone through the identification process, Fourthline will send the results to us. We process this data for the purpose of complying with legal and regulatory obligations.
For Fourthline privacy notices, please visit https://fourthline.com/privacy-statement.
If you opt for identification via video chat ("video identification"), the provider is obliged to ensure the authenticity of your identification document (e.g. ID card or passport). At the beginning of the video identification, your explicit consent is obtained in accordance with Art. 6 (1) (a) GDPR to take the photos and record the conversation. You can object to this processing at any time by cancelling the video identification process and choosing an alternative method of identification.
We process this above-mentioned data for as long as is necessary for the aforementioned purpose and generally delete it immediately after the legal basis ceases to apply. According to §§ 8, 10 GwG we are obliged to keep your private identification and contact data as well as the results of the check against PEP and sanctions lists for at least five years.
In order to be able to provide our services and in particular to enable the transmission of trading orders to the custodian banks and securities trading to the custodian banks, we process the personal data mentioned in section 3 Use of our Services. This includes, in particular, the transmission of orders (together with the corresponding personal data) to the custodian bank. The legal basis of the processing is Art. 6 (1) (b) GDPR (fulfilment of contractual obligations). The data is processed in our hosting databases provided by AWS.
For brokerage clients residing outside of Germany the overview of the taxes to be paid is prepared by KPMG AG, Badenerstrasse 172, CH-8036 Zurich, Switzerland ("KPMG"). For this purpose, we forward your internal user-ID and financial transaction data (e.g. portfolio ID, security number, type of order, time of execution) to KPMG. The legal basis for processing the aforementioned data is Art. 6 (1) (b) GDPR (fulfilment of contractual obligations). The transfer of the aforementioned data to Switzerland is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR. You can find further information here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518
Please note that KPMG processes your data under its own responsibility. For more information, please see KPMG's privacy notice at: https://home.kpmg/ch/de/home/misc/privacy.html.
We process the personal data collected when initiating the contract or during the contractual relationship, for the purposes of fraud and money laundering prevention as well as for risk management purposes in order to identify and assess the financial risks arising for the institution and to counteract them appropriately. In the event of suspicious cases, we may collect further information from publicly available sources and take this into consideration in the decision-making process for blocking/ unblocking suspicious transactions. The processing is carried out on the basis of our legitimate interest in averting damage to Scalable Capital pursuant to Art. 6 (1) (f) GDPR in conjunction with the relevant legal obligation pursuant to Art. 6 (1) (c) GDPR. At the same time, these measures also serve to protect clients from possible unauthorised dispositions by third parties.
To process and coordinate cases of suspicion, we are using a ticketing system provided by Atlassian Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia ("Atlassian") as a data processor. We have entered into a processing agreement with Atlassian. In addition, we have concluded appropriate EU standard contractual clauses with Atlassian based in Australia. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
We process personal data that we collect as part of the contract initiation or contractual relationship with you, as well as usage data of our products and services, as part of our legitimate interest according to Art. 6 (1) (f) GDPR, to provide you with personal analyses, evaluations and statistics (e.g. year-end recap) and for the purpose of analysing our current client base. We also process this data to create anonymous statistical data sets. This processing is based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR to prepare forecasts and reports and to evaluate and optimise the performance of the company and product quality. These anonymised data sets are not personal data.
To inform you about the processes related to your use of our products and services, we use emails, SMS, letters and push notifications as well as other communication channels within our apps as part of the fulfilment of our contractual obligations pursuant to Art. 6 (1) (b) GDPR. We use the following data processors for this purpose. Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany ("Salesforce") for sending emails and push notifications, Sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany ("Sipgate") for sending text messages and Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany ("Deutsche Post") and Deutsche Post E-POST Solutions GmbH, Vorgebirgsstraße 49, 53119 Bonn, Germany ("Deutsche Post E-POST Solutions") for sending letters.
We store and process your personal data for the duration of the contractual relationship with you. We delete your data after completion and settlement of the legal relationship with you, at the earliest, however, after expiry of the statutory, regulatory and/or other sovereign retention periods and insofar as the data is no longer required for the assertion, exercise and/or defence of legal claims.
As a regulated company, we are subject to various statutory recording and storage obligations, which stem primarily from the German Banking Act (KWG), the German Securities Trading Act (WpHG), the German Anti-Money Laundering Law (GwG), the German Commercial Code (HGB) and the German Fiscal Code (AO). These statutory obligations to retain data and records require us to store information for at least two years and up to ten years, depending on the regulation. These obligations also apply to processes that enable the initiation of a contractual relationship or the conclusion of a contract. The legal basis for the storage of personal data for these purposes is Art. 6 (1) (c) GDPR (legal obligations).
In addition, the retention periods under civil law are also relevant to determine the duration of the data storage. These limitation periods can be up to 30 years according to the regulations in the German Civil Code (BGB), however, the regular limitation period is three years.
Furthermore, we may be required to disclose personal data processed in connection with the provision of our services to public authorities and institutions such as the German Federal Bank (Deutsche Bundesbank), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin), European banking supervisory authorities, the European Central Bank (ECB) and financial authorities.
You can contact us via our service hotline, the contact form, the chat as well as by email and send us a request. In this context, we process the information and data you provide (including personal data such as first name, last name, email address and telephone number) and, if applicable, the time and duration of your call in a ticket in order to contact you and process your request (Art. 6 (1) (b) GDPR). When using the chat, the chat log, your usage data (e.g. start and end time of request, duration of interaction, IP address), device identification data (e.g. type of operating system, device model) as well as event data are stored and, if applicable, assigned to your account. In order to efficiently respond to your requests and to ensure a high level of service, user input may be viewed by our staff during the current request ("session") in the context of the live chat. We delete your data as soon as we have answered your inquiry to your satisfaction, provided that no other retention periods (e.g. tax retention periods) are opposed.
We are supported in processing your requests by Sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany ("Sipgate"), Aircall.io, Inc, 11 Rue Saint-Georges, 75009 Paris, France ("Aircall"), Teleperformance A.E., 330 Thisseos Avenue, 17675 Kallithea, Greece ("Teleperformance"), TELUS International Services Limited, Point Village, East Wall Road, Dublin 1, Ireland (“Telus International”) and Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany ("Salesforce") as data processors. In addition, we have agreed to appropriate EU standard contractual clauses with Salesforce.com Inc. based in the US. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
When you contact us via phone or take part in satisfaction surveys over the phone, before the conversation begins, we ask you for your consent to record the call for quality assurance purposes and to derive and implement measures to enhance our Client Success experience as well as products and services (Art. 6 (1) (a) GDPR). You can revoke your consent to the recording of the conversation at any time by informing the agent during the conversation or by contacting us using the contact details mentioned below under “Points of contact”.
If you have given us your express consent to record one or more conversations, we will record your conversation and link the recording to the existing history of previous conversations. Call recordings and client interactions will be used to assist in the quality assurance of agent performance, investigating and resolving complaints, identifying training needs and ensuring Client Success quality standards, improving our Client Support as well as our products and services. We delete the recording after 30 days if the deletion is not contrary to any other retention obligations.
To provide more insights about us and our services, we offer on-site events, webinars and information sessions. You can register for all information events at https://de.scalable.capital/events. For the implementation of webinars, events and information sessions, we process your private contact and identification data that you have provided to us, e.g. by means of a registration form (e.g. first and last name, email address, telephone number) (pursuant to Art. 6 (1) (b) GDPR).
In the course of conducting webinars, we use the GoToWebinar webinar software of GoTo Technologies Ireland Unlimited Company, The Reflector, 10 Hanover Quay, Dublin 2, D02R573, Ireland ("GoToWebinar"), which we use as a processor. In the course of conducting webinars, personal data may be processed, e.g. your IP address, your email address and, if applicable, your first and last name. After the webinar has been held, we receive from GoToWebinar the information as to whether a user has attended the webinar, the registration date as well as the user's registration time and the duration of participation.
The integration of GoToWebinar is based on our legitimate interest (Art. 6 (1) (f) GDPR) to facilitate a technically flawless execution of the webinar with professional tools.
We use the Youtube.com platform of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to conduct online live seminars. Further information on the processing of your data can be found in our data protection information on social networks.
The collection and processing of your personal data is based on the contract initiation or contract performance with regard to the implementation of an online webinar in accordance with Art. 6 (1) (b) GDPR. After participation in a webinar, your data will be stored for a maximum of 12 months.
To conduct market research, facilitate product improvements and to send out personalised marketing content of us and affiliated third parties, we ask for your consent when opening an account or when signing up for the newsletter on our website. To ensure that you receive personalised information that is relevant to you and matches your personal interests, we review and analyse your user behaviour (e.g. recent transactions, participation in events and webinars) and use this information for some marketing emails. In addition, we have embedded so-called pixels in our newsletter to better understand your interaction with our newsletter and content. The processing is based on your consent (Art. 6 (1) (a) GDPR). You may revoke your consent at any time with effect for the future by clicking the “unsubscribe” link at the bottom of each marketing email or by contacting us using the contact options mentioned below under “Points of contact”. The revocation of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation.
To ensure that no one can register with a third-party email address, we have implemented the so-called double opt-in procedure. This means that you will receive an email after registration asking you to confirm your registration. The confirmation of the subscription to the newsletter is logged in order to be able to prove the subscription process in accordance with the legal requirements. For this purpose, we process the IP address, date and time of access in accordance with Art. 6 (1) (f) GDPR.
To facilitate marketing communication, we rely on Salesforce as a data processor. Appropriate EU standard contractual clauses have been concluded in order to adequately protect your personal data. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
To receive current press releases by email, you can be added to our distribution list. To do so, please send us your email address and your first and last name by email to presse@scalable.capital. We process your data exclusively to inform you about the current developments of our company and to send press releases. We cooperate with Finsbury Glover Hering Europe GmbH, Berliner Allee 44, 40212 Düsseldorf, Germany, as a consulting firm for strategic communication for the management of press releases. You can object to the processing at any time by sending an email to presse@scalable.capital or by using the contact details mentioned below under “Points of contact” and revoke your consent. The revocation of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation.
If you become a customer of ours as part of a promotion or raffle (the respective conditions of participation apply), we process your personal data such as first and last name, email address, and user ID, to determine the prize pursuant to Art. 6 (1) (b) GDPR. Depending on the respective promotion or sweepstakes, we additionally process the data listed in the corresponding conditions of participation.
We delete personal data as soon as the promotion or the competition has ended and the data is no longer required for the fulfilment of the aforementioned purposes and unless there is another legal basis (e.g. commercial and tax retention periods).
To test certain new features, you have the option of signing up for participation in the test phase via a sign-up page provided for the respective feature. For this purpose, we collect your email address based on your consent in accordance with Art. 6 (1) (a) GDPR to enable you to try the feature and for us to contact you by email in the event of further inquiries. You can revoke your consent at any time free of charge with effect for the future. To do so, please contact us using the contact options mentioned below under “Points of contact”.
To provide the sign-up page, we rely on Salesforce as a data processor. We will delete your information after the beta test phase has been completed at the latest or if you have revoked your consent. The revocation of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation.
We use cookies and similar technologies, such as pixels, on our website. Cookies are small text files that are stored on your end device and process device-specific information. There are session-based and persistent cookies. While session-based cookies are deleted immediately at the end of a browser session, persistent cookies enable the settings you have selected to be saved for a longer period of time. Persistent cookies are used to provide you with the most pleasant user experience possible. We use our own code in our apps and also utilise software development kits ("SDKs"). An SDK is provided by our partners and contains code parts that execute certain functions.
The storage and reading (so-called "tracking") of information, e.g. through the setting of cookies or the integration of SDKs on users' end devices, is only permitted on the basis of legal requirements with the express consent of the user (Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR). Insofar as the storage and processing is absolutely necessary for the performance of our services, no consent is required in accordance with Section 25 (2) TDDDG. The further processing takes place in each case according to Art. 6 (1) (f) GDPR for purposes that outweigh the protection of your data or are in your interest, such as fraud prevention, improving IT security and improving our digital services. If the processing of the following services is based on your consent, you can withdraw your consent at any time with effect for the future and manage and adjust this in the data protection settings.
For further general information on the cookies, tracking technologies and SDKs used, please refer to the Cookie Policy. You can also manage your consent and settings there.
On our website and in our apps, we use the Consent Management Service of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany ("Usercentrics") to inform you about cookies, similar technologies and SDKs used by us and to ensure that these are only set or activated in accordance with applicable law and, if necessary, only with your consent. In connection with the collection of your consent, we process your IP address, opt-in and opt-out data, referrer URL, user agent, user preferences, consent ID, time of consent, consent type, template version and banner language. Your consent is stored in relation to a Usercentrics Consent ID. The use of Usercentrics is necessary so that we can comply with the legal requirements for the setting of cookies and in particular the applicable requirements for the documentation of consent. The data is processed on the basis of § 25 (2) no. 2 TDDDG in conjunction with Art. 6 (1) (c) GDPR.
Further information on data protection when using Usercentrics can be found here: https://usercentrics.com/privacy-policy/.
We use the "Friendly Captcha" service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany, to prevent the use of our website and apps by automated programmes and scripts (so-called "bots"). For this purpose, a program code from Friendly Captcha has been integrated in order to pose a calculation task to the respective device of the visitor. Depending on the result of the calculation, the respective request, such as the client login or newsletter sign-up process, will be processed or rejected. Friendly Captcha does not set or read any cookies on the visitor's end device. Collected IP addresses are processed in hashed (one-way encrypted) form.
This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 para. 1 lit. f GDPR to ensure the security and reliability of the website and apps and to protect them from abusive access by bots, i.e. spam protection and attacks (e.g. through mass requests). If personal data is stored, this data is deleted within 30 days.
Further information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.
We use push notifications to inform you, for example, about the successful execution of orders, when price alerts have been reached or when your deposit has been received. For this purpose, a device token from Apple or a registration ID from Google is assigned. These are encrypted, anonymised device IDs. The sole purpose of their use is to provide push services. For this purpose, we use the "Simple Notification Service" from AWS as well as the Firebase Cloud Messaging Service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for devices with an Android operating system. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR in order to be able to display informative push notifications on your device. You can activate and deactivate this function at any time in your device settings.
Using "Phrase over the Air", we can update notices and information texts in our apps automatically and in real time. The updates are transferred to the apps without the need to update to a new app version. In this context, we process device identification data and the version of the installed app. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to ensure that the information and information texts in disclaimers, FAQs or information boxes are correct and up-to-date.
We use "Google Firebase Crashlytics" to ensure the stability of the apps and to make improvements. Information about the device used and the use of our apps, such as user ID, device model, operating system version, app version, timestamp of the message, is collected and processed. This generates so-called "crash reports", which contain information about problems and crashes. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to provide you with functional apps and to fix stability problems.
The "Google Firebase Remote Config" service enables us to activate new features in our apps and configure content without having to download the apps again from the respective app stores. In this context, we process the device identification data, such as the version and type of operating system or the device model. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to ensure the stable and secure operation of our apps.
We use “Google Tag Manager” as a tag management platform that enables us to manage and trigger tracking services and customised tracking tags based on the consent given. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR.
We use the "Google Firebase Performance Monitoring" service to collect performance data in our apps and then check and analyse it. The service helps us to understand in real time where the performance of our apps can be improved. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
We use "Google Analytics" to analyse the use of our website and apps. For this purpose, cookies are set in the browser or the "Google Analytics for Firebase" service is used in our apps to collect and analyse information about the use of and interactions with our website and apps and to compile reports on the corresponding activities. We use this data to make user-orientated improvements, among other things. The data processing is based on a pseudonymous identification number. In addition, the following metadata is derived from IP addresses: City including the derived latitude and longitude of the city, continent, country, region and subcontinent. For access originating from the European Union (EU), IP address data is only used to derive location data and then deleted immediately. It is not logged, accessible, or used for any additional use cases. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
In order to check the effectiveness of our adverts placed via “Google Ads”, we use conversion tracking on our website. When you click on an ad placed by Google, a cookie for conversion tracking is set on your device. These conversion cookies lose their validity after 30 days and do not allow any direct conclusions to be drawn about an individual user. As long as the cookie is valid, we can track whether a person has clicked on an advert placed via Google Ads to reach our website. We can use conversion cookies to measure the effectiveness of our advertising measures. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
The use of “Google Maps” allows us to provide users with suggestions and functions for automatically completing the form when they enter address information, thereby improving user-friendliness in the registration process and when changing personal information. By using Google Maps, your location data and IP address will be forwarded to Google, and this data will be collected and processed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
The service “Google Firebase A/B Testing” allows us to test changes to the user interface of our apps, features or engagement campaigns before we fully roll out changes. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
We have embedded videos on our website via “YouTube”, which is provided by Google. After clicking on a video, device information, IP address and the information that you have watched the video are transmitted to YouTube. If you are logged in to YouTube, this information is also assigned to your user account with YouTube. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
You can find more details on the processing of your personal data by YouTube in YouTube's data protection information at https://policies.google.com/privacy. You can find a general option to object to the processing of your data by Google here: https://tools.google.com/dlpage/gaoptout?hl=en.
We cooperate with FinanceAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany ("FinanceAds") and NetSlave GmbH, Simon-Dach-Str. 12, 10245 Berlin, Germany ("NetSlave") in order to reach new clients through advertising partners. FinanceAds and NetSlave are affiliate networks, which enable commercial operators of websites to display advertisements, which are usually remunerated via click or completion fees, on websites of third parties (so-called affiliates). Via the affiliate network, an advertising medium, e.g. an advertising banner or text link, is made available, which can be integrated by an affiliate on its own internet pages. We use the "Scalable Capital - Marketing" cookie on our websites to measure the effectiveness of the advertising material and to process the remuneration of affiliates. In this way, we record the time at which a specific advertising medium was clicked on from a terminal device and process additional device information. In addition, an individual sequence of numbers is stored, which cannot be assigned to the individual user by the affiliate partner, with which the affiliate program of an affiliate, the publisher, and the time of the user's action (click or view) are documented. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
Further information on data protection at FinanceAds can be found at https://www.financeads.net/aboutus/datenschutz/ and at NetSlave at https://www.netslave.de/datenschutz-2017.html.
Within our apps, we collect so-called event data in order to be able to analyse user interactions with our apps and offers. Event data includes, for example, clicks on certain buttons, form submissions and/or scroll events. We process the data collected for internal analysis purposes. The data can also be forwarded to third parties, such as Google, and processed there. We also use this data as a basis for improvements to our user interfaces and services and to optimise our marketing activities, internal processes and as part of risk management, e.g. for fraud prevention. The processing may include the creation of user profiles. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
We use the "Meta Pixel" and "Meta Conversion API" services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta") to place our marketing campaigns in a targeted manner with Meta and within the services of the partners cooperating with Meta (so-called "Audience Network", see: https://www.facebook.com/audiencenetwork/). This allows us to target marketing campaigns to people who have already visited our websites and apps or who have certain characteristics, such as an interest in certain topics or products. In addition, we can determine the effectiveness of our marketing campaigns by recording certain actions (so-called "events") that take place on the website or within the app. This includes, for example, registration, completion of the identification process, conclusion of a customer contract and the first transaction (so-called "conversions"). The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
The collection and transmission of event data (but not the further processing of the data) is the joint responsibility of Meta. A special agreement has been concluded with Meta for this purpose (available at: https://www.facebook.com/legal/controller_addendum), in which, among other things, the security measures to be fulfilled (available at: https://www.facebook.com/legal/terms/data_security_terms) and the responsibility in the fulfilment of the rights of data subjects (i.e. users can, for example, send requests for information or deletion requests directly to Meta) are regulated.
Joint processing is carried out for the following purposes:
For more information visit https://www.facebook.com/legal/controller_addendum.
If Meta provides us with analyses and reports in aggregated form and without details of individual users, this processing is carried out on the basis of our data processing agreement with Meta. Further information on the data processing agreement can be found at https://www.facebook.com/legal/terms/dataprocessing and https://www.facebook.com/legal/terms/data_security_terms.
We use the "LinkedIn Insight Tag" from LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Via the LinkedIn Insight Tag, we receive aggregated and anonymised evaluations of our advertising campaigns on LinkedIn and additionally aggregated and anonymised information on how users interact with our websites and apps. We use the information to understand the effectiveness of our marketing campaigns, to evaluate them and to present corresponding content in our adverts on LinkedIn. The LinkedIn Insight Tag is used to collect data about users' visits to our website, including URL, referrer, IP address, device and browser characteristics, timestamp and page views. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
You can object to the collection of data generated by the cookie and its processing by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Further information can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
We use "Microsoft Advertising Remarketing" from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft") on our website. If you have reached our website via a Microsoft advert, Microsoft will set a so-called "conversion cookie" on the end device, with which we can track that a Microsoft advert has been clicked on, which has redirected the user to our website after a certain target page ("conversion site") has been visited beforehand. Microsoft collects, processes and uses information via the cookie, on the basis of which usage profiles are created using pseudonyms. These usage profiles are used to analyse visitor behaviour and are used to display advertisements. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
You can find more information on data protection at Microsoft in Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement.
We use tracking technologies from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380 Ireland, to display targeted and personalised advertising on the "TikTok" platform and to create interest-based user profiles. We use the data to measure the effectiveness of the ads and to optimise the performance of our marketing campaigns on TikTok. We also measure conversions from TikTok advertisements in order to optimise advertisements, create target groups for future advertisements and reach users who have already carried out an event on our website again. We process this data primarily to ensure that the content of our adverts is relevant to our users. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
We use tracking technologies from Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015 CS, Amsterdam, Netherlands, to display targeted and personalised advertising on the "Reddit" platform and to create interest-based user profiles. We also use the data to improve future campaigns and adverts on the Reddit platform and to measure event-based conversions of Reddit adverts in order to better target adverts to our target groups. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
In order to measure the success of our app marketing campaigns, for our own market research and to optimise our apps, we use the "Adjust" analysis technology from adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany. Adjust processes data on interaction with our advertising materials, installation and event data (e.g. start of onboarding, confirmation of onboarding email, conclusion of contract) in the context of the use of our apps and provides these as pseudonymised evaluations. For this purpose, the following data is processed from you: IT usage data (e.g. timestamp of events, assigned click timestamp, IP address), device information (e.g. your IDFA or Android ID, operating system version and type, model number and country code of the end device, internet service provider) as well as the Meta Ads ID, Campaign ID and Ads Set ID. The collected information is used for the execution and optimization of our app advertising campaigns and is additionally forwarded to corresponding providers or advertising partners (e.g. Meta, TikTok, Google). The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
Further, you can object to the collection, evaluation and use of your data at the following link: https://www.adjust.com/opt-out/.
We do not use social media plugins on our website. If our website contains icons from social media providers (e.g. Facebook, X (formerly Twitter), LinkedIn, Instagram, YouTube), we only use these for passive linking to the pages of the respective providers. For further information, please refer to our privacy policy on our social media presences.
Right to access: You have the possibility to request information about the data stored about you, its origin, recipients or categories of recipients to whom the data is disclosed, as well as the purpose of the storage. (Art. 15 GDPR)
Right to rectification: You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. (Art. 16 GDPR)
Right to deletion: You can demand that we delete the personal data relating to you without delay. However, there is no right to deletion if legal, supervisory or other sovereign storage obligations are opposed or the storage serves the assertion, exercise or defence of legal claims. (Art. 17 GDPR)
Right to restriction of processing: You may, under certain conditions (disputed accuracy, unlawful processing, cessation of the purpose of processing or lodging an objection), request the restriction of the processing of personal data concerning you. (Art. 18 GDPR)
Right to data transfer: You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. (Art. 20 GDPR)
Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is processed on the basis of Article 6(1)(e) or (f) GDPR. We will then no longer process your data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims. (Art. 21 GDPR)
Right to complain to the supervisory authority: Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority if you are of the opinion that the processing of personal data is not carried out lawfully. The address of the supervisory authority responsible for our company is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Postfach 1349, 91504 Ansbach, Germany, phone: +49 (0) 981 180093-0, email: poststelle@lda.bayern.de.
Contact person for the exercise of your rights
For the exercise of your rights and further information, please contact Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich, Germany, by email to support-fr@scalable.capital or by letter.
Data Protection Officer
Our data protection officer is available to you as a contact for data protection-related concerns:
Data Protection Officer of Scalable Capital GmbH
Seitzstrasse 8e, 80538 Munich, Germany
privacy@scalable.capital
Version as of October 2024