Privacy Policy

This translation is provided for your convenience. For legal purposes, in case of differences, please refer to the german version.

1. General

1.1 Data protection is an important concern for us. For this reason, we would like to inform you in this data protection declaration about the collection, processing and use of personal data (collectively "data use") in the context of the use of our internet page ("internet page", "website"), our mobile app ("app") and our other online offerings (collectively "digital offer") as well as the services offered by us ("services"). Personal data in this context means any information relating to an identified or identifiable natural person. We may amend the terms of this Privacy Policy from time to time. For this reason, we recommend that you review the Privacy Policy regularly.

1.2 Scalable GmbH and Scalable Capital GmbH with its registered office at Seitzstraße 8e in 80538 Munich ("Scalable Capital", "we") are service providers and joint controllers within the meaning of the EU General Data Protection Regulation (EU GDPR), national data protection laws and other data protection provisions. The Joint Controller Agreement pursuant to Article 26 EU GDPR between Scalable GmbH and Scalable Capital GmbH provides that Scalable Capital GmbH complies with the obligations of the EU GDPR, in particular in regards to the exercising of the rights of the data subject and the information obligations pursuant to Articles 13 and 14 EU GDPR. You can contact us by telephone at +49 89 380 380 67 or by e-mail at
service@scalable.capital.

1.3 We have appointed the following data protection officer:

Dr. Karsten Kinast, LL.M., Attorney at Law
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
D-50672 Cologne
Phone : +49 221 - 222 183 0
www.kinast.eu/externer-datenschutzbeauftragter/

1.4 The responsibility under data protection law for our presence in social networks as well as for linked external content may lie jointly with us as well as the operator of the corresponding social network or the service providers of the corresponding linked internet presence.

2. Processing of personal data, disclosure to third parties and data storage period

2.1 We process personal data only insofar as

2.1.1. Consent has been given by the data subject (Art. 6 para. 1 lit. a EU-GDPR);
2.1.2. It is necessary for the performance of a contract (or implementation of pre-contractual measures) to which the data subject is a party (Art. 6 para. 1 lit. b EU-GDPR);
2.1.3. It is necessary for the fulfilment of a legal obligation to which our company is subject; (Art. 6 para. 1 lit. c EU-GDPR); and/or
2.1.4. It is necessary for the protection of a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the aforementioned interests, (Art. 6 para. 1 lit. f EU-GDPR).

2.2 We will share your data to the extent disclosed in this privacy policy with affiliated companies, external service providers, public authorities or other third parties. These third parties have been selected by us with due diligence and, if they are commissioned data processors, have been commissioned accordingly with the data processing. The processors are used by us on the basis of corresponding contractual agreements and within the framework of the legal requirements. Data may also be transferred to a third country outside the EU/EEA (e.g. USA). Such a data transfer takes place exclusively on the basis of an adequacy decision (Art. 45 EU-GDPR) and/or subject to appropriate guarantees (Art. 46 EU-GDPR).

2.3 The personal data of the data subject shall be deleted or blocked at regular intervals after the purpose of storage ceases to apply. Insofar as storage or recording obligations are provided for due to relevant European or national laws or other regulations, the personal data will be stored for the prescribed period and then deleted, insofar as they are no longer required at that time for the assertion, exercise or defence of legal claims.

3. Rights of the data subject

3.1 We process your personal data, therefore you are a data subject within the meaning of the EU Data Protection Regulation. You are therefore entitled to rights, which we would like to explain to you in more detail below:

3.1.1 You have the possibility to request information about the data stored about you, its origin, recipients or categories of recipients to whom the data is passed on, as well as the purpose of the storage (right to information).
3.1.2 You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete (right of rectification).
3.1.3 You can demand that we delete the personal data relating to you without delay. However, there is no right to deletion if there are legal, supervisory or other sovereign retention obligations to the contrary or the retention serves the assertion, exercise or defence of legal claims (right to deletion).
3.1.4 You may, under certain conditions (disputed accuracy, unlawful processing, cessation of the purpose of processing or lodging an objection), request the restriction of the processing of personal data concerning you (right to restriction of processing).
3.1.5 You have the right to receive the personal data relating to you that you have provided to us in a structured, commonly used and machine-readable format (right to data transmission).
3.1.6 You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is processed on the basis of Article 6(1)(e) or (f) of the EU GDPR (right to object). We will then no longer process your data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

3.2. If you have any questions, please do not hesitate to contact us by email at datenschutz@scalable.capital, by telephone at +49 89 380 380 67 or in writing to Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich. Please note that you can assert the aforementioned rights as a data subject under "Personal Data" on our website. Despite a request for deletion, we will continue to store your data for as long as and, insofar as this is necessary, for the fulfilment of a legal obligation to which we are subject or for the assertion, exercise or defence of legal claims.

3.3 In addition, you have the right to complain to a supervisory authority in accordance with Article 77 of the EU GDPR if you believe that the processing of personal data is not carried out lawfully. The address of the supervisory authority responsible for our company is:

Bavarian State Office for Data Protection Supervision (BayLDA)
PO Box 1349
91504 Ansbach
Phone: +49 (0) 981 180093-0
E-mail: poststelle@lda.bayern.de

4. Provision of the digital offer and creation of log files

4.1 Each time our digital offer is called up, our system automatically collects data and information from the computer system of the calling end device (so-called log files). In the case of the use of your browser, this includes the browser type and version, the operating system, the IP address and the time of the server query. In the case of the app, this includes the device identification, the access provider, the model of the mobile phone used and the version of the app used. The app is executed on the Android and iOS platforms in a so-called "sandbox" (i.e. access by the app to the system and access by the system to the data area of the app are subject to special restrictions) and all access authorisations of the app to system functions (camera, location localisation, push notifications and push ID) must be expressly released by you. This release can be cancelled at any time on the end device.

4.2 Data is also processed in log files on our website to ensure its functionality. In addition, we use the data to optimise the website and to ensure the security of our information technology systems.

4.3 The data will be stored in our IT systems and transmitted to Amazon Web Services EMEA SARL ("AWS") and Datadog Inc. ("Datadog"). AWS and Datadog are order processors of Scalable Capital. The legal basis for the temporary storage of the data and the log files in the customer area is Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)), for the use of the digital offer this is Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

4.4 If you are logged into the customer area, the data will be deleted after expiry of the regulatory retention obligations and if the data is no longer required for the assertion, exercise and/or defence of legal claims. When using the digital offer, the data is automatically deleted every twelve months.

4.5 The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

5. Use of cookies in general

5.1 When using our digital offer, text files are used which are stored on your hard disk and through which certain information flows to us or our order processors (collectively "cookies"). This information is stored in the browser and varies according to use. Each cookie contains a distinctive string of characters that allows the user to be uniquely identified when they return to the website. Most of the cookies we use are automatically deleted from your hard drive at the end of the browser session. In addition, we also use cookies that remain on your hard drive. During a further visit, it is then automatically recognised that you have already been with us and which entries and settings you prefer. These cookies are stored on your hard drive and delete themselves after certain periods of time.

5.2 Cookies are stored on the user's computer and from there the information is transmitted to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

5.3. When calling up our website or app, an interface appears which informs each visitor about the use of cookies and enables them to make individual data protection settings ("Consent Management Tool"; "Tracking Settings"). Via this tool, you can also exercise your right to object at any time by deactivating the relevant cookies.

5.4 We use both our own cookies and third-party cookies. You can control the use of both types of cookies via the Consent Management Tool. In the following, we inform you about the processing of personal data in connection with cookies.

6. Own cookies

6.1 On the one hand, we use technically necessary cookies. These are used to improve the user-friendliness and functionality of the registration process and the website. The use of our own cookies is a necessary measure for Scalable Capital to be able to provide you with our digital content appropriately. On the other hand, we use cookies to make our marketing more efficient as well as more effective.

6.2 Some elements of our website require that the calling browser can be identified even after a page change. Furthermore, we want to make the registration process easier and as pleasant as possible for you by storing your data. The following data is stored and transmitted in the cookies: Last status of the registration process, selection of the language, selected settings of our website and selection of the portfolio/investment strategy. In addition, we use cookies that identify and store system errors during the use of our website.

6.3 We use our own cookies to monitor the traffic on our website ("traffic"), which are assigned to you pseudonymously when you visit our website. With the help of these cookies, we measure from which websites users reach our website, which and how many of these users become customers and which of our advertising measures work efficiently or effectively. These analyses are group-related and are not used by us for individual evaluation.
6.4 For the control and planning of our advertising, we also use cookies that collect information about which of our advertising measures you click on. For this purpose, a pseudonymised identification feature is assigned to your e-mail address during registration. This allows Scalable Capital to later track and evaluate which of the advertising measures used had the highest efficiency or effectiveness.

6.5 This data is stored in our IT systems and transmitted to AWS and salesforce.com Germany GmbH ("Salesforce") respectively. AWS and Salesforce are processors of Scalable Capital. Processors are used by us on the basis of corresponding contractual agreements and within the framework of the legal requirements.

6.6 The purpose of using our own cookies is to ensure the functionality of our website or our service. The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

6.7 The data is deleted automatically every 24 months. If you register your email address with Scalable Capital, the data will be deleted after the regulatory retention obligations have expired.

6.8 The collection of data for the provision and functionality of the website is mandatory. Consequently, there is no possibility for the user to object.

7. Third party cookies

7.1 Website and app analytics services

7.1.1 We use the website analysis services Google Analytics, Google Adwords, Google Tag Manager, Google Optimize from Google Ireland Ltd. ("Google"), and Facebook Business from Facebook Ireland Ltd. ("Facebook"). Google Tag Manager is used to integrate the services and does not process any personal data. The other services use cookies that store data when you visit our website. The data we collect from you is pseudonymised and we cannot identify you personally. The data is encrypted by so-called hash values. The use of these services is a necessary measure for us to analyse the appropriateness of our digital content based on usage data. The legal basis for the data transfer is Art. 6 para. 1 lit. a EU-GDPR (consent). You have the option of deactivating or restricting the transmission of the cookies described above by changing the settings in your internet browser.
7.1.2 We use the analysis service Twitter Analytics from Twitter Inc. to evaluate the use of our website. ("Twitter Analytics"). These analysis services use cookies, which record data when visiting and using our website. The following data, among others, is stored and transmitted in the cookies: IP address, usage data, survey responses when using the survey.
7.1.3 When using our apps, the service Firebase (especially Crashlytics) from Google Ireland Ltd. ("Google") is used. The service records data in connection with the use of the app, including crash reports, performance data and information about the end device. This is done by assigning so-called unique identifiers. This is a pseudonymised string of characters that can be assigned to the browser, end device or app and thus enables the recording of the data. It is not possible to object to the service, as this is a necessary functionality of our app. We also use the "adjust" analysis technology from adjust GmbH ("Adjust"). Adjust uses only anonymised or pseudonymised user IDs for the analysis.
7.1.4 The purpose of using these services is to analyse the user behaviour of the digital offer and to optimise our service as well as our digital offer and advertising measures through the insights and feedback gained here. The legal basis for the transmission of the data is Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).
7.1.5 The data is automatically deleted in Google Analytics after 14 months.
7.1.6 The collection and storage of data for the analysis and optimisation of the digital offer can be revoked at any time. The user has the option to object via the consent management tool or by changing the settings in the internet browser. The collection and storage of data by Adjust can be deactivated at any time with effect for the future at https://www.adjust.com/opt-out.

7.2 Advertising and Marketing Services

7.2.1 We place advertising via various channels. Within the framework of the use of Google Analytics in combination with Google Adwords as well as Double Click of Google Ireland Ltd. ("Google"), Bing ads from Microsoft Inc. ("Bing ads") and the networks dianomi Ltd. ("dianomi"), Quantcast International Ltd. ("Quantcast") and Outbrain Inc. ("Outbrain") we place ads on the internet. In addition, we use advertising services of the social networks Facebook Ireland Ltd, Instagram Inc, LinkedIn Unlimited Company, TikTok Information Technologies UK Limited as well as Twitter International Company ("social networks"). Our ads are shown on websites through third party providers, including Google and Bing. Cookies or pixels are used to store personal data (IP address and usage data). This allows us to target, optimise and serve ads based on your previous visits to our website or use of our apps and if you are a user of the social networks. As a user of the social networks, we can exclude you from our advertising measures in this way, provided you are a customer of our service.
7.2.2 Furthermore, we advertise our webinars and events ("information events") on the aforementioned social networks. So-called "lead cards" are created for this purpose. These lead cards contain details of the information events and are displayed to selected users who are logged into the social network. If you have registered for one of our information events via a lead card, we will receive your email address.
7.2.3 We also use the services of the sales partners NetSlave GmbH ("NetSlave") and financeAds International GmbH ("financeAds"). Our advertisements are shown on partner websites of the networks (third-party providers). Cookies are used for this purpose, which assign a pseudonymised user ID to the user when calling up an advertisement based on, among other things, the type and time of the clicked advertisement. We can then use the stored data to determine whether the user has subscribed to our newsletter or has become our customer.
7.2.4 With the help of the technology used, we can present you with interest-based advertising and market our service in a more targeted manner. This data is not used to identify you personally, but is used solely for a pseudonymous evaluation of usage behaviour and to display targeted advertising. The data will not be merged with the data stored by us at any time. If you have registered for one of our information events via a social network, your data will be stored on the basis of Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)) and Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).
7.2.5 The data stored on the basis of Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)), Art. 6 para. 1 lit. a EU-GDPR (consent) as well as Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest) will be deleted after expiry of the retention obligations under supervisory law and insofar as the data are no longer required for the assertion, exercise and/or defence of legal claims.
7.2.6 The collection and storage of data for the purpose of advertising can be revoked at any time. The user has the option to object to the use of cookies via the consent management tool or via the settings of the internet browser as well as to the use of your email address via the link "Unsubscribe".

7.3 Data may also be transferred to a third country outside the EU/EEA (e.g. USA). Such a data transfer will only take place on the basis of an adequacy decision (Art. 45 EU GDPR) and/or subject to appropriate safeguards (Art. 46 EU GDPR).

8. Fan pages and social media plugins

8.1 We operate so-called fan pages on the platforms of various social networks (Facebook, LinkedIn, Xing, YouTube, Instagram and Twitter). Social plugins on our website take you to the respective presences (fan pages) of Scalable Capital on the social networks. When you click on these plugins, personal data may be collected by the respective social network as described below. When you call up such a plugin, the social network establishes a direct connection with your browser. As a result, the social network receives, among other things, the information that you have visited this website with your IP address/device ID. This takes place regardless of whether you are currently logged in to the social network or registered at all. If you are logged into the respective social network at the same time, the social network automatically assigns your page view to your profile. If you do not want the social network to assign your visit to our website to your respective user account, log out of the respective network when using our digital offer.
8.2 We would like to point out that the data collected in connection with the fan pages and plugins is exchanged exclusively between your browser and the operator of the social networks. We have no knowledge of the content of the collected and transmitted data. Against this background, we recommend that you read the respective current data protection declarations of the operators of the social networks.
8.3 For more information on our joint responsibility for the operation of our Facebook page and the processing of data by Facebook, please see our Facebook privacy policy.

9. Webinars and information talks

9.1 For the implementation of webinars, events and information sessions, your data will be stored or transmitted. In the course of conducting webinars, we use the GoToWebinar webinar software from LogMeIn, Inc. ("GoToWebinar"). To conduct face-to-face information sessions, we optionally provide our customers with the use of the booking service of YouCanBook.me Ltd. ("YouCanBookMe") at their disposal. For the registration and execution of webinars, the name as well as the e-mail address of the user is stored in our IT system. After the webinar has been held, we receive information from GoToWebinar as to whether a user has attended the webinar, the registration date, the user's registration time and the duration of participation. In order to arrange an information session via the YouCanBookMe service, we need to know your telephone number.

9.2 The technology we use enables us to hold information events for interested parties and potential customers. We need this data to verify you for our events and webinars or to call you at your preferred time for an information meeting. In addition, the data is used to keep in touch with you personally via our newsletter. You can unsubscribe from the newsletter at any time. The legal basis for the transmission of the data is Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)) as well as Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

9.3 If you have participated in a webinar, the data will be stored for 12 months. If you have arranged a personal meeting via our website, the data will be stored for 24 months.

9.4 The collection of data takes place on a voluntary basis when registering for the aforementioned events or booking a callback for an informational interview and is necessary in order to carry out the events or interviews. Consequently, there is no possibility of objection on the part of the user.

10. Customer events

10.1 Within the scope of the events organised and carried out by us, photographs and video recordings of the visitors to the event may be made and subsequently published on our website, in print media, on social networks and via other marketing channels. We will use these recordings purely for public relations and marketing purposes. If necessary, we may use professional service providers (e.g. photographers) within the scope of commissioned processing to create the recordings.

10.2 The production and publication of photo and video material for the documentation of our events is an important marketing tool, especially in the digital age, and contributes significantly to the external presentation of Scalable Capital. The legal basis for the production and publication of the recordings is Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

10.3 The data (photo and video recordings) will be deleted as soon as the purposes for which they were collected or otherwise processed are no longer necessary.

11. Newsletter, other notifications and tracking

11.1 If you have provided us with your email address for our newsletter, we will send you our newsletter regularly by email. The newsletter can also be adapted to your needs. To confirm your registration, you will receive an email ("double opt-in"). We process information about your location once at the time of your registration so that we can send you targeted information. This only involves a rough regional determination, which does not make it possible to determine your exact location.

11.2 We use a service from Salesforce to send the newsletter. The data received from you as part of the registration to receive the notifications will be transferred to Salesforce for this purpose and stored there. We receive analytics about the use of the newsletter ("tracking"). These analyses are group-related and are not used by us for individual evaluation. For example, we receive information about which proportion of the newsletters sent could actually be delivered or which proportion of recipients of the newsletter clicked on a certain link.

11.3 If you have registered for the press newsletter, your email address will be transmitted to Finsbury Glover Hering Europe GmbH ("Finsbury Glover Hering").

11.4 The processing of the data mentioned under 11.1. takes place in order to send you our newsletter. The legal basis for the processing in the context of sending the newsletter is Art. 6 para. 1 lit. a EU-GDPR (consent of the data subject). The legal basis for tracking your use of the notifications and the one-time, rough collection of your location is Art. 6 (1) lit. f EU-GDPR (protection of a legitimate interest).

11.5 The data will be deleted after expiry of the statutory retention obligations and if the data is no longer required for the assertion, exercise and/or defence of legal claims.

11.6 Consent for the transmission of notifications can be revoked at any time via the "Unsubscribe" link.

12. Processing customer enquiries

12.1 You can contact us via our service hotline, the contact form, chat and email. When using our service hotline, we use the services of Sipgate GmbH ("Sipgate") or Aircall.io, Inc. ("Aircall"). Your telephone number as well as the date and duration of the call are stored. In addition to the service hotline, it is possible to contact Scalable Capital via our contact form, chat or email. When sending the contact form or an email, you transmit your name, email address and the content of your personal message to us. When using the chat, the chat log and your usage data will be stored. In order to ensure an efficient response to your enquiries and a high level of service, user entries may be viewed by our staff during the current enquiry ("session") in the live chat. These are not stored at any time.

12.2 The data will be stored in our customer management system (Salesforce) as well as in the email system (Gmail by Google G Suite). This data as well as the content of your message will not be used for any other purpose than responding to your contact, i.e. you will not receive any further messages from us other than responding to your enquiry.

12.3 We store the data due to ensuring a functioning customer relationship management as well as due to legal requirements. The legal basis for storing the data is Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)) as well as Art. 6 para. 1 lit. c EU-GDPR (fulfilment of a legal obligation).

12.4 The data will be deleted after expiry of the statutory retention obligations and if the data is no longer required for the assertion, exercise and/or defence of legal claims.

12.5 The collection of data is absolutely necessary for our service. Consequently, there is no possibility for the user to object.

13. Surveys and feedback

13.1 We use the service Typeform S.L. ("Typeform") to conduct surveys on new features of our Service and to collect feedback. ("Typeform"). If you participate in a survey conducted on our website, your information will be transmitted to Typeform. Depending on the type and scope of the survey, your email address, your answers, the date and the identification data of the terminal device are transmitted.

13.2 The data is stored in order to obtain feedback for our service and to strengthen our customer relationships. The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

13.3 The data will be deleted afterexpiry of the statutory retention obligations and insofar as the data is no longer required for the assertion, exercise and/or defence of legal claims.

13.4 The collection of data takes place on a voluntary basis when using the survey. Consequently, there is no possibility of objection on the part of the user.

14. Presentation of the website and mobile app

14.1 We use so-called web fonts for the uniform display of fonts on our website and mobile app, which are provided by Adobe Typekit, Adobe Inc. ("Adobe") and Google Fonts, Google Ireland Ltd. ("Google Fonts"). When you access our site, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. We also use Google Maps and Apple Maps to display geographical information in our digital offering in a visually appealing way. Google Maps is a mapping service provided by Google Ireland Ltd. ("Google Maps"), Apple Maps is a map service of Apple Inc. ("Apple Maps").

14.2 For this purpose, the browser or app you use must establish a connection to the servers of the aforementioned services. In this way, the services become aware that our website has been accessed via your IP address. The use of web fonts and the aforementioned map services is in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) f EU-GDPR.

14.3 The collection and storage of data within the scope of the use of the website can be revoked at any time. The user has the option to object via the Consent Management Tool.

15. Use of our services

15.1 In addition to the purely informational use of our digital offer, you can (depending on your custodian bank) make use of our services (asset management, brokerage, savings offers). To do so, you must register and create a user account ("registration"). This requires the provision of data. On the one hand, in the context of asset management, we require information about your knowledge and experience with regard to financial instruments/securities services, investment objectives and about your financial circumstances in order to be able to recommend a suitable investment strategy to you. Secondly, in order to use our services, we require personal information as well as contact details, reference account and tax information. Finally, as part of the identification process, we collect further data using the services of Deutsche Post AG and its affiliated companies ("Post Ident"), for example a copy of the identification document, photographs of the customer and an audio-visual recording of the identification process. If additional voluntary information is possible, this is marked accordingly. In order to clarify a possible status as a so-called Politically Exposed Person ("PEP"), we may forward data to Onfido Ltd, London ("Onfido").

15.2 The Institute, in cooperation with Raisin GmbH ("Raisin"), offers customers access to deposit-protected overnight and time deposits of partner banks of Raisin with registered offices in the European Union (EU) or in the European Economic Area (EEA) ("deposit offers"). In the process, your data (including identification data) is transmitted to Raisin, Raisin Bank AG and partner banks of Raisin so that you can use the deposit offers of Raisin. The transfer of data is based on Art. 6 para. 1 lit. a EU-GDPR (consent of the data subject). You can revoke your consent to the transfer of data at any time informally and without giving reasons.

15.3 We use the so-called double-opt-in procedure for registration, which means that your registration is only completed when you have previously confirmed your registration via an email sent to you for this purpose by clicking on the link contained therein. Your data will be stored in our IT systems in the course of registration and in this context will be passed on to service providers acting as processors in accordance with Article 28 EU-GDPR (e.g. software as a service providers (SaaS) and cloud service providers); these services include Amazon Web Services (AWS), Salesforce and G Suite from Google. Some of your data will also be transferred to the custodian bank. You can obtain further information by sending a request to service@scalable.capital or via our "Personal data" website.

15.4 As part of the use of our digital offer, we use the service Futurae Technologies AG ("Futurae") for two-factor authentication. For this purpose, the respective mobile device must be registered with Futurae. In order to activate two-factor authentication on the mobile device, data is passed on to Futurae. This data includes, for example, the IP address, information on the device used and/or information on the browser used. The two-factor authentication is carried out on a voluntary basis by the respective user and increases the security when using the app. The data disclosed during this process is essential for the functioning of the two-factor authentication.

15.5 We will send you occasional notifications when you use our services. For this purpose, we use the data you provided during registration or received within the framework of the contractual relationship. We use the Salesforce service to send these notifications. We receive extensive analysis options about the use of the notifications ("tracking"). These analyses are group-related and are not used by us for individual evaluation. For example, we receive information about which proportion of the notifications sent could actually be delivered or which proportion of recipients of the notifications clicked on a certain link.

15.6 As a securities institution, we are subject to various statutory record-keeping and retention obligations, which arise primarily from the German Banking Act (KWG), the German Securities Trading Act (WpHG), the German Money Laundering Act (GwG), the German Commercial Code (HGB) and the German Fiscal Code (AO). In addition, the limitation periods under civil law are also relevant for the duration of the retention.

15.7 These statutory record-keeping and storage obligations require us to store data for at least five years, depending on the regulations, and also apply to transactions that serve to prepare or initiate a business relationship or the conclusion of a contract.

15.8 We delete your data after the complete termination and settlement of the legal relationship with you, at the earliest, however, after the expiry of the statutory, regulatory and/or other sovereign retention periods and insofar as the data is no longer required for the assertion, exercise and/or defence of legal claims.

15.9 The purpose of processing the aforementioned data is to identify our customers in accordance with the legal requirements, to carry out the legally required suitability check and to enable the conditions for the provision of our services in general. The legal basis for the processing of the data is Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)) as well as Art. 6 para. 1 lit. c EU-GDPR (fulfilment of a legal obligation). The legal basis for the transmission of notifications is Art. 6 para. 1 lit. b EU-GDPR (fulfilment of a contract (or implementation of pre-contractual measures)) as well as Art. 6 para. 1 lit. f EU-GDPR (protection of a legitimate interest).

15.10. The legal basis for tracking your use of notifications (see section 15.5.) is Art. 6 para. 1 lit. f EU-GDPR (safeguarding legitimate interests). You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is processed on the basis of Art. 6(1)(e) or (f) EU-GDPR. Furthermore, the data processing described in this section 15 is absolutely necessary for our service (cf. Art. 6 para. 1 lit. b EU-GDPR). Consequently, there is no possibility for the user to object.

Status: 10 June 2021