Privacy Policy Scalable Capital

1. Data Controller

Thank you for your interest in the services of Scalable Capital GmbH, Seitzstraße 8e in 80538 Munich, e-mail: service@scalable.capital, registered in the Commercial Register of the Local Court of Munich under HRB 217778 ("Scalable Capital"). In the following, we would like to inform you about the collection, processing and use of personal data (collectively "data use") in the context of the use of our website and our digital offer.

2. Processing of your personal data when visiting our website

2.1. General information

We process your personal data as long as this is necessary for the aforementioned purposes. In the event of an objection to processing on the basis of our legitimate interests (Art. 6(1)(f) GDPR), we will delete personal data unless its further processing is permitted under the relevant legal provisions. We also delete personal data if we are obliged to do so for other legal reasons. Personal data will be deleted immediately after the legal basis ceases to exist, if it is no longer required for the stated purposes or if the stated purposes cease to exist and if there is no other legal basis (e.g. retention periods under commercial and tax law).

Insofar as service providers process personal data on our behalf, we have concluded a contract processing agreement with these service providers and agreed on appropriate guarantees to ensure the protection of personal data. We also carefully select our service providers. In addition, these service providers process personal data exclusively for the performance of their tasks and are contractually bound to our instructions, have appropriate technical and organisational measures in place to protect personal data and are regularly monitored by us. Where relevant, appropriate EU standard contractual clauses have been concluded for the transfer of personal data to processors in third countries (as an appropriate guarantee for data processing in non-European countries). You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

2.2. Log files for informational use of our website

When you visit our website, we process access data that is stored in so-called log files. The following personal data is processed automatically in the log files:

  • IP address of the requesting device
  • Type of web browser used
  • Language of the web browser used
  • Version of the web browser used
  • Operating system and its version
  • Date and time of the visit
  • Time zone difference from Greenwich Mean Time (GMT)
  • Access status/HTTP status code
  • Amount of data transferred
  • Web page called
  • Referrer
  • Web pages that are called up by the visitor's system via our website
  • Internet service provider of the user

The processing of this data is carried out in accordance with Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you as well as to defend against attacks and for the purpose of the security of our systems. The log files are deleted or anonymised immediately after they are no longer required to achieve the aforementioned purposes, but at the latest after 14 days.

For hosting the database and web content, we use Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg ("AWS"), a subsidiary of Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA, as an order processor. The data is stored exclusively in a German data center (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1 and accordingly meets the highest security standards. In addition, we have agreed on corresponding EU standard contractual clauses with Amazon Web Services, Inc. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087. In conjunction with additional technical and organizational measures to ensure an adequate level of protection, it is guaranteed that the EU data protection requirements can also be met when processing data in the United States.

2.3. Comfort settings (e.g. language settings)

In order to be able to display content such as your country and language settings as desired, we use session-based or persistent cookies. Your country settings are deleted as soon as your browser session ends, your language settings are stored for a maximum of one year. The legal basis for the processing of these cookies is §25 (2) Telecommunications and Telemedia Data Protection Act (TTDSG).

2.4. Performance Monitoring

We use DataDog, Inc. 620 8th Avenue, 45th Floor New York, NY 10018, USA ("DataDog") as a processor to collect information about the performance of our website and any technical malfunctions that may occur. For this purpose, DataDog sets up a cookie for the browser session and collects geolocation, device, and operating system data of the user of the website. We process the above data to ensure the security of our platform for the provision of our services and to minimise a possible risk of damage (in accordance with §25 (2) Telecommunications and Telemedia Data Protection Act (TTDSG)). Your data will be deleted after 15 minutes. Appropriate EU standard contractual clauses have been concluded as an adequate guarantee for data processing in non-European countries. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

3. Use of our services

3.1. Registration/ Creation of customer profile

In order to use our services (asset management, brokerage), you must first register and create a user account ("registration"). For this purpose, we collect your private contact and identification data (e.g. title, first and last name, address, e-mail address, telephone number, date, place and country of birth as well as nationality), certain tax data (e.g. tax number, tax residency) as well as your reference account (e.g. IBAN). As part of the registration process, you will also set a password for your personal access. In addition, depending on the services you use, we may collect information about your knowledge and experience of dealing in certain types of financial instruments or investment services, your investment objectives, including your risk tolerance, and your financial circumstances, including your ability to bear losses. We process this data in order to be able to recommend a suitable investment strategy to you or to assess the appropriateness of certain financial instruments (Art. 6 (1) (b) GDPR).

Please note that in order to use our services it is necessary to open a custody account with a custodian bank cooperating with us.

At present, we cooperate with Baader Bank Aktiengesellschaft, Weihenstephaner Str. 4, 85716 Unterschleißheim, Germany ("Baader Bank"). Baader Bank processes your data under its own responsibility. Information on data protection can be found at https://www.baaderbank.de/Sonderseiten-426.

To enable you to use our service securely, we use Auth0 Inc, 10800 NE 8th Street, Ste. 600, Bellevue, WA, 98004, USA ("Auth0") as a processor. Auth0's service allows you, for example, to secure your access to the Customer Portal using two-factor authentication. For this purpose, Auth0 processes your user name or e-mail address and your password. Your data is encrypted at all times and processed exclusively within the European Union. In individual cases, however, a transient processing of data in the USA cannot be ruled out. Such processing is technically necessary and covered by the legitimate interest in protecting your account from unauthorized access (Art. 6 (1) (f) GDPR). The data is encrypted and in this context not permanently stored in the USA. Auth0 does not have access to any other personal data at any time. As an additional measure, we have concluded the EU standard contractual clauses as appropriate safeguarding measures. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

As part of the use of our digital offer, we use Futurae Technologies AG, Eichstrasse 23, 8045 Zurich, Switzerland ("Futurae") as a processor for the two-factor authentication. For the activation of the two-factor authentication on the mobile device, data (e.g. IP address, device/browser information) is processed by Futurae.

After your cancellation, you can still log in to your personal area and retrieve documents in your mailbox. You will continue to receive important documents there, such as your annual tax certificate. Your account will be deactivated no later than two years after the end of your contract. If required, access to your personal area can also be deactivated immediately after the end of the contract. To do so, please send us an e-mail at service@scalable.capital or use the contact options under point 11 your contact persons.

3.2. Identification

For the purpose of identification, we process the private contact and identification data provided by you (e.g. your name, nationality, date and place of birth, address, email address, telephone number). Pursuant to the German Act on the Tracing of Profits from Serious Crimes - Money Laundering Act ("GwG"), we are legally obliged to verify your identity by means of a valid identification document as part of the account opening process, to store the required information and a copy of the identification document as well as a visual and acoustic recording of the identification process carried out with us. The legal basis for the data processing is Art. 6 (1) (b) GDPR and Art. 6 (1) (c) GDPR (contractual and legal obligation) in conjunction with the Act on the Tracing of Profits from Serious Crimes (Money Laundering Act - in short: GwG).

For the purpose of identification, we use Deutsche Post AG ("Deutsche Post"), Charles-de-Gaulle-Straße 20 in 53113 Bonn, Germany, as well as subsidiaries affiliated with Deutsche Post as order processors. For this purpose, we use the Post-Ident procedure which, in addition to identification by means of the online ID function ("eID"), also enables identification by video chat or at a post office branch. After completion of the process, Deutsche Post AG transmits to us your identification data, a copy of the identification document and a visual and acoustic recording of the identification procedure that has taken place, which are processed exclusively for the purpose of fulfilling the statutory obligations under money laundering law.

We reserve the right to transfer your personal contact and identification data (such as your first and last name, address and date of birth) to our processor Onfido Ltd, 3 Finsbury Ave, London EC2M 2PA, United Kingdom for the purpose of checking against sanctions lists and whether our customers are so-called politically exposed persons. We process this data for the purpose of complying with legal and regulatory obligations.

For Brokerage clients residing in Spain, Italy and France, the identification process is carried out by SafeNed-Fourthline B.V., Tesselschadestraat 12, 1054 ET, Amsterdam, The Netherlands ("Fourthline"). In order to comply with regulatory requirements, it is necessary to accept Fourthline's Terms and Conditions, which do not impose any obligations on you as a customer other than verifying your identity. Once you have gone through the identification process, Fourthline will send the results to us. We process this data for the purpose of complying with legal and regulatory obligations.
For Fourthline privacy notices, please visit https://fourthline.com/privacy-statement.

If you opt for identification via video chat ("video identification"), the provider is obliged to ensure the authenticity of your identification document (e.g. ID card or passport). At the beginning of the video identification, your explicit consent is obtained in accordance with Art. 6 (1) (a) GDPR to take the photos and record the conversation. You can object to this processing at any time by cancelling the video identification process and choosing an alternative method of identification.

We process this above-mentioned data for as long as is necessary for the aforementioned purpose and generally delete it immediately after the legal basis ceases to apply. According to §§ 8, 10 GwG we are obliged to keep your private identification and contact data for at least five years.

3.3. Savings offers

For wealth management clients with a custody account at Baader Bank and domiciled in Germany, there is the option of additionally opening a fixed term deposit account via Scalable Capital at Raisin DS GmbH, Schlesische Straße 33/34, 10997 Berlin, Germany ("Raisin"). In doing so, we transmit your private contact and identification information to Raisin, to Raisin Bank AG, Niedenau 61-63, 60325 Frankfurt am Main, Germany ("Raisin Bank") and to partner banks of Raisin. The transfer of data is based on your consent pursuant to Art. 6 (1) (a) GDPR. You can revoke your consent to the transfer of data at any time and without giving reasons. Please note that Raisin processes your data after transmission on its own responsibility and that we are not responsible for this data processing. Information on data protection by Raisin can be found at https://www.raisin.com/privacy-policy/.

3.4. Securities trading

In order to be able to provide our services and in particular to enable the transmission of trading orders to the custodian banks and securities trading to the custodian banks, we process the personal data mentioned in section 3 Use of our Services. This includes, in particular, the transmission of orders (together with the corresponding personal data) to the custodian bank. The legal basis of the processing is Art. 6 (1) (b) GDPR (fulfilment of contractual obligations). The data is processed in our hosting databases, which are provided by AWS.

3.5. Tax information for brokerage clients outside Germany

Brokerage customers residing outside Germany have the option of receiving an overview of the taxes to be paid. Provided consent is given, we will forward your private contact and identification data (e.g. first and last name, address) as well as financial transaction data (e.g. security number, type of order, time of execution) to KPMG AG, Badenerstrasse 172, CH-8036 Zurich, Switzerland ("KPMG"). Please note that KPMG processes your data under its own responsibility. For more information, please see KPMG's privacy notice at: https://home.kpmg/ch/de/home/misc/privacy.html. This transfer of personal data to Switzerland is based on an adequacy decision issued by the European Commission.

3.6. Risk management and crime prevention, detection and investigation

For the prevention and detection of criminal offences, including fraud or criminal activities, misuse of our services as well as the security of our IT systems, it is our legitimate interest pursuant to Art. 6 (1) (f) GDPR to collect further information from publicly available sources in acute cases of suspicion and to take this into account in the decision-making process for blocking/unblocking suspicious transactions. In this context, data analyses (e.g. in payment transactions) are also carried out. At the same time, these measures serve to protect you against possible unauthorized dispositions by third parties.

3.7. Retention obligations/ disclosure to third parties

We store the information processed in the context of securities trading in accordance with the retention periods stipulated by legal obligations such as the German Commercial Code (cf. Section 257 HGB), the German Fiscal Code (cf. Sections 146, 147 AO) and the German Money Laundering Act (cf. Section 8 GwG), which Scalable Capital must adhere to as a supervised investment firm. The retention periods may vary from a minimum of 2 to a maximum of 10 years. The legal basis for the storage of personal data for these purposes results from the fulfilment of the contract according to Art. 6 (1) (b) GDPR and from the obligation to fulfil legal obligations according to Art. 6 (1) (c) GDPR. If it is evident that the storage of your data will be necessary after the expiry of the storage period (e.g. due to an impending or pending legal dispute), deletion will only take place when the data has become irrelevant.

Furthermore, we may be required to disclose personal data processed in connection with the provision of our services to public authorities and institutions such as the German Federal Bank (Deutsche Bundesbank), the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin), European banking supervisory authorities, the European Central Bank (ECB) and financial authorities.

4. Data processing in the context of wealth management "Oskar"

Oskar is a brand of Oskar.de GmbH, Gartenstraße 67, 76135 Karlsruhe, Germany ("Oskar"), under which it operates the websites and apps on its own responsibility. Scalable Capital manages your assets, while Baader Bank AG manages the custody accounts with the clearing accounts.

As part of the registration process, Oskar collects your private contact and identification data (e.g. title, first and last name, address, e-mail address, telephone number, date, place and country of birth and nationality), your tax data (e.g. tax number, tax residency), the account number of your reference account (e.g. IBAN), details of your financial circumstances and, if necessary, private contact and identification data of third parties such as children or grandchildren of the securities account holder (e.g. birth certificates of minors, certificates of guardianship), and forwards these to us. We process your data for the purpose of fulfilling the contract pursuant to Art. 6 (1) (b) GDPR in order to offer you our service and to fulfil our legal obligations pursuant to Art. 6 (1) (c) GDPR.

For written communication we use the service address service@oskar.de. This e-mail address is made available to us by Oskar.de GmbH.

Please note that Oskar operates its websites and apps under its own responsibility and that we are not responsible for them. Information on Oskar's data protection policy can be found at https://www.oskar.de/datenschutz.

5. Data processing in the context of wealth management "Gerd Kommer Capital"

Gerd Kommer Capital ("GKC") is a brand under which Scalable Capital offers financial portfolio management. Scalable Capital is advised by Gerd Kommer Capital GmbH, Sendlinger Straße 41, 80331 Munich ("Gerd Kommer Capital GmbH") in the management of the portfolios. The custodian bank is Baader Bank AG. In the context of wealth management GKC, we share data with Gerd Kommer Capital GmbH and Baader Bank AG. For further information on the processing of your personal data in the context of the provision of the service, please refer to section 3 Use of our Services in this document.

As part of the conclusion of the contract, you can consent to receiving the newsletter by Gerd Kommer (Art. 6 (1) (a) GDPR). In the course of your consent, we transmit the e-mail address to Gerd Kommer Capital GmbH.

The website https://www.app.gerd-kommer-capital.de used for registration and login at GKC is technically provided by us. Within the scope of this website, we use marketing and statistics cookies. You have the possibility to individually consent to the use of cookies by means of the Consent Management Tool. If you give your consent, this data will also be transmitted to Gerd Kommer Capital GmbH, among others. On the website we use services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). For more information, please refer to section 9 Use of cookies, tracking tools and third-party services on our websites in this document. The data processing is based on your consent (Art. 6 (1) (a) GDPR).

We use the service e-mail address service@gerd-kommer-capital.de for written communication. This e-mail address is made available to us by Gerd Kommer Capital GmbH.

6. Customer service and support

You can contact us via our service hotline, the contact form, the chat as well as by e-mail and send us a request. In this context, we process the information and data you provide (including personal data such as first name, last name, email address and telephone number) and, if applicable, the time and duration of your call in a ticket in order to contact you and process your request (Art. 6 (1) (b) GDPR). When using the chat, the chat log, your usage data (e.g. start and end time of request, duration of interaction, IP address), device identification data (e.g. type of operating system, device model) as well as event data are stored and, if applicable, assigned to your account. In order to efficiently respond to your requests and to ensure a high level of service, user input may be viewed by our staff during the current request ("session") in the context of the live chat.

We are supported in processing your requests by Sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany ("Sipgate"), gkk DialogGroup GmbH, Hanauer Landstraße 154, 60314 Frankfurt am Main, Germany ("gkk Dialog"), Aircall.io, Inc, 11 Rue Saint-Georges, 75009 Paris, France ("Aircall"), Teleperformance A.E., 330 Thisseos Avenue, 17675 Kallithea, Greece ("Teleperformance") and Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany ("Salesforce") as data processors. In addition, we have agreed to appropriate EU standard contractual clauses with Salesforce.com Inc. based in the US. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

We delete your data as soon as we have answered your inquiry to your satisfaction, provided that no other retention periods (e.g. tax retention periods) are opposed.

7. Information events

To provide more insights about us and our services, we offer on-site events, webinars and information sessions. You can register for all information events at https://de.scalable.capital/events. For the implementation of webinars, events and information sessions, we process your private contact and identification data that you have provided to us, e.g. by means of a registration form (e.g. first and last name, e-mail address, telephone number) (pursuant to Art. 6 (1) (b) GDPR).
In the course of conducting webinars, we use the GoToWebinar webinar software of GoTo Technologies Ireland Unlimited Company, The Reflector, 10 Hanover Quay, Dublin 2, D02R573, Ireland ("GoToWebinar"), which we use as a processor. In the course of conducting webinars, personal data may be processed, e.g. your IP address, your e-mail address and, if applicable, your first and last name. After the webinar has been held, we receive from GoToWebinar the information as to whether a user has attended the webinar, the registration date as well as the user's registration time and the duration of participation.
The integration of GoToWebinar is based on our legitimate interest (Art. 6 (1) (f) GDPR) to facilitate a technically flawless execution of the webinar with professional tools.
For the purpose of conducting face-to-face information sessions, we optionally provide our customers with the use of the booking service of YouCanBook.me Ltd, 38 Mill Street, Bedford, MK40 3HD, United Kingdom ("YouCanBookMe"). For the registration and execution of webinars, your name, telephone number and e-mail address will be stored in our IT system.
We use the Youtube.com platform of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to conduct online live seminars. Further information on the processing of your data can be found in our data protection information on social networks.

The collection and processing of your personal data is based on the contract initiation or contract performance with regard to the implementation of an online webinar in accordance with Art. 6 (1) (b) GDPR. After participation in a webinar, your data will be stored for a maximum of 12 months. If you have arranged a personal meeting via our website, the data will be stored for a maximum of 6 months.

8. Marketing activities and communication

8.1. Marketing e-mails

If you would like to be informed about our services and offers in the future, we need your e-mail address. We will send you marketing e-mails if you expressly consent to receiving them when opening an account or on our website (pursuant to Art. 6 (1) (a) GDPR). If you are our customer, we may also send you e-mails containing direct advertising for our own similar goods or services and security-related information on the basis of our legitimate interest (Art. 6 (1) (f) GDPR).

We will check whether you are the owner of the specified e-mail address or whether its owner agrees to receive the marketing e-mails (so-called double opt-in procedure). We document the log data collected in connection with the double opt-in procedure, such as your IP address, date and time of access, in order to track your qualified consent. To ensure that you receive personalized information that is relevant to you and matches your personal interests, we review and analyze your user behavior (e.g. recent transactions, participation in events and webinars) and use this information for some marketing emails.

Your data will only be used for sending the marketing emails and will not be passed on to third parties. As part of our marketing emails, we use the remarketing functions of the Salesforce Marketing Cloud. For this purpose, we use our service provider Salesforce as a processor. In addition, we have agreed to corresponding EU standard contractual clauses with Salesforce.com, Inc. based in the USA. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087. If you consent to receive our marketing emails, cookies are used to enable us to track the interest of our customers or recipients in the marketing email. For this purpose, so-called pixels are placed in the marketing email. Pixels are small image files that are integrated into the marketing e-mail and thus allow a recording as well as an analysis of the access data ("log files"). In this way, we receive information, for example, about what proportion of the sent newsletters could actually be delivered or what proportion of recipients of the newsletter clicked on a certain link.

You may object to the processing or revoke your consent at any time free of charge with effect for the future vis-à-vis Scalable Capital. The revocation can be made via a link in the marketing emails themselves or by sending a message to the contact options listed in section 13 Your contact persons. As soon as you unsubscribe from the marketing emails, your personal data provided for the marketing emails will be deleted, unless the data is needed for other purposes (e.g. to fulfil our contractual obligations) or other retention periods (e.g. tax retention periods) apply. For more information on how to exercise your rights, please see the section under point 12 Your rights.

8.2. Press Newsletter

To receive current press releases by e-mail, you can be added to our distribution list. To do so, please send us your e-mail address and your first and last name by e-mail to presse@scalable.capital. We process your data exclusively to inform you about the current developments of our company and to send press releases. We cooperate with Finsbury Glover Hering Europe GmbH, Berliner Allee 44, 40212 Düsseldorf, Germany, as a consulting firm for strategic communication for the management of press releases. You can object to the processing at any time by sending an e-mail to presse@scalable.capital or by using the contact details provided in section 13 Your contacts and revoke your consent.

8.3. Promotions

If you become a customer of ours as part of a promotion or raffle (the respective conditions of participation apply), we process your personal data such as first and last name, e-mail address, and user ID, to determine the prize pursuant to Art. 6 (1) (b) GDPR. Depending on the respective promotion or sweepstakes, we additionally process the data listed in the corresponding conditions of participation.
We delete personal data as soon as the promotion or the competition has ended and the data is no longer required for the fulfilment of the aforementioned purposes and unless there is another legal basis (e.g. commercial and tax retention periods).

9. Use of cookies, tracking tools and third-party services on our websites

9.1. Cookies

We use cookies on our website. Cookies are small files that are sent by us to the browser of your terminal device during your visit to our website and stored there. Some functions of our website cannot be offered without the use of technically necessary cookies. Other cookies, however, enable us to perform various analyses. Cookies are, for example, able to recognise the browser you are using when you visit our website again and to transmit various information to us. With the help of cookies, we can, among other things, make our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly from your browser. For more information about our cookies, please refer to the Cookie Policy.

9.2. Google services

On our website we use the services of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Further information on the handling of user data can be found in Google's privacy policy: https://www.google.de/intl/de/policies/privacy. The data processing is based on your consent (Art. 6 (1) (a) GDPR).

9.2.1. Google Analytics

To analyze the use of our website, we use the service "Google Analytics" from Google. For this purpose, cookies are set so that we receive information about the use of our website by users. Google processes the transmitted information on our behalf to evaluate the use and interaction of the user with our website, to compile reports on the activities on our website and to provide us with other services related to the use. We use this data to perform user-oriented improvements to the design of our online services. Your data (e.g. IP address, access to our website) is usually transferred to a Google server in the USA and processed there. To protect your privacy, we use the so-called IP anonymization function, which shortens your IP address transmitted to us before transmission to the USA and makes it partially unrecognizable. In exceptional cases, it may happen that your complete IP address is transmitted to a Google server in the USA and only shortened there. We process and transmit your data if you have given us your consent to do so. You can revoke your consent at any time via the settings in the cookie management tool.

For more information on the terms of use and data protection at Google Analytics, please visit http://www.google.com/analytics/terms/en.html or https://www.google.de/intl/de/policies/.

9.2.2. Google Ads

In order to check the effectiveness of our advertisements placed via Google Ads, we use the so-called conversion tracking on our website. When you click on an ad placed by Google, a cookie for conversion tracking is set on your device. These cookies lose their validity after 30 days and do not allow any conclusions to be drawn about an individual user. As long as the cookie is valid, we can track whether a user has clicked on an ad placed via Google Ads to reach our website. With the help of the conversion cookies, we can draw conclusions about the effectiveness of our advertising measures. This data is processed exclusively on the basis of your consent (pursuant to Art. 6 (1) (a) GDPR), which you have given us in the course of your visit to our website.

You can revoke your consent at any time if you do not wish to participate in the tracking. To do this, you can deactivate the Google conversion tracking cookie via our cookie management tool. After deactivating the cookie, you will not be included in the conversion tracking statistics. Further information on Google Ads and Google conversion tracking can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en.

9.2.3. Google Analytics Remarketing

We use the technology "Google Remarketing" to display ads for users who have already visited our websites and online services and are interested in a certain offer. Within the Google advertising network, this allows targeted and interest-based advertisements to be displayed on our site. Google remarketing uses cookies for this analysis. This enables our visitors to be recognised as soon as they call up websites within the Google advertising network. Within the Google advertising network, targeted and interest-based advertisements can thus be displayed, which are based on the websites of the Google advertising network (which also use the Google remarketing function) previously visited by the visitor.
If you do not wish to receive targeted, interest-based advertising, you may opt out of Google's use of cookies for these purposes by clicking on the link: https://www.google.de/settings/ads.

9.2.4. Google Tag Manager

On the website as well as in the app, we use "Google Tag Manager" from Google. This tool does not process personal data, but ensures the triggering of scripts that are required by other services to collect data. It is not possible for the Google Tag Manager to access this data.

9.2.5. Google Optimize

In addition, we use Google Optimize on our website. Google Optimize analyzes the use of different variants of our website and helps us improve the user experience according to the behavior of our users on the website. Google Optimize is a tool integrated into Google Analytics.

9.3. Facebook

In order to display the Facebook ads placed by us to users on Facebook and within the services of partners cooperating with Facebook (so-called "Audience Network", see: https://www.facebook.com/audiencenetwork/) who have already visited our online offer or who have certain characteristics (e.g. interest in certain topics or products that are evident from the websites visited), we use the "Facebook Pixel" service. By means of Facebook Pixel, it is possible for Facebook to determine the visitors of Scalable Capital's online offer as a target group for the display of dedicated advertising content (so-called "Facebook Ads"). Furthermore, it is possible for us to track the effectiveness of our Facebook ads for statistical and market research purposes. For this purpose, we analyze whether users were redirected to our online offers after clicking on a Facebook ad (so-called "conversion measurement"). We collect and transmit your personal data only if you have given us your consent under data protection law (pursuant to Art. 6 (1) (a) GDPR).

The collection and transmission of so-called "event data" (but not the further processing of the data) is carried out under joint responsibility with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this purpose, a special agreement ("Addendum for Responsible Parties", see: https://www.facebook.com/legal/controller_addendum) has been concluded with Facebook, which regulates, among other things, the security measures to be fulfilled (https://www.facebook.com/legal/terms/data_security_terms) and the responsibility for fulfilling data subject rights (i.e. users can, for example, direct information or deletion requests directly to Facebook).

Shared responsibility is for the following purposes:

  • Display of content advertising information that corresponds to the presumed interests of users;
  • Delivery of commercial and transactional messages (e.g., targeting users via Facebook Messenger);
  • Improvement of ad delivery and personalization of features and content (e.g., improving the identification of which content or advertising information is likely to be of interest to users).

If Facebook provides Scalable Capital with measurements, analyses and reports in aggregated form and without information on individual users, then this processing is carried out on the basis of our order processing agreement with Facebook. Further information on agreed data processing can be found at https://www.facebook.com/legal/terms/dataprocessing and https://www.facebook.com/legal/terms/data_security_terms. Appropriate EU standard contractual clauses have been concluded in order to adequately protect your personal data. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

9.4. LinkedIn Insight Tag

On our website, we use "LinkedIn Conversion Tracking" as part of the "LinkedIn Insight Tag" from LinkedIn (LinkedIn Inc.). Via "LinkedIn Conversion Tracking" we receive aggregated and anonymised evaluations of our advertising campaigns on LinkedIn and additionally aggregated and anonymised information on how users interact with our website. We use "LinkedIn Conversion Tracking" to be able to track the efficiency of our advertising campaigns and to present interest-based advertising on LinkedIn to visitors to our website. Using the "LinkedIn Insight Tag", data is collected from users' visits to our website, including URL, referrer, IP address, device and browser characteristics, timestamp and page views. This data is encrypted, anonymized within seven days, and deleted within 90 days. We process your data to evaluate campaigns and collect information about website visitors who may have reached us through our campaigns on LinkedIn. We collect your data on the basis of your consent pursuant to Art. 6 (1) (a) GDPR.

LinkedIn does not forward the personal data to the website operator, but only provides aggregated evaluations of the target group and the advertising performance of the website. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. This enables us to display personalized ads based on our website with the help of this data without identifying the user.

You can object to the collection of the data generated by the cookie and its processing by LinkedIn. To do so, follow the instructions in this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. You can find more information in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

9.5. Bing Ads

Our website uses the technologies of Bing Ads. In the process, data is collected and stored, from which usage profiles are created using anonymous. This is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. This service allows us to track the activity of users on our website if they have arrived on our website via ads from Bing Ads. If you arrive on our website via such an ad, a cookie is set on your computer. A Bing UET tag is integrated into our website. This is a code that, in conjunction with the cookie, stores some non-personal information about your use of the website. The storage of "conversion cookies" is based on your consent according to Art. 6 (1) (a) GDPR. Please note that Microsoft may track your usage behavior across several of your electronic devices through so-called cross-device tracking and is thus able to display personalized advertising on or in Microsoft websites and apps. For more information about Microsoft's and Bing's privacy practices, please see Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement.

9.6. Affiliate programs: NetSlave and financeAds

We participate in the affiliate programs of FinanceAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany ("FinanceAds") and NetSlave GmbH, Simon-Dach-Str. 12, 10245 Berlin, Germany ("NetSlave") in order to reach new customers through advertising partners. FinanceAds and NetSlave are so-called affiliate networks, which enable commercial operators of websites to display advertisements, which are usually remunerated via click or completion fees, on websites of third parties (so-called affiliates). Via the affiliate network, an advertising medium (e.g. an advertising banner or text link) is made available, which can be integrated by an affiliate on its own Internet pages.
Cookies are used for this purpose, which record when a particular advertising medium was clicked on by an end device. For this purpose, an individual sequence of numbers is stored, which cannot be assigned to the individual user, with which the affiliate program of an affiliate, the publisher, and the time of the user's action (click or view) are documented. FinanceAds and NetSlave also collect information about the end device from which a transaction is carried out, e.g. the operating system and the calling browser. These cookies serve the sole purpose of correctly assigning the success of an advertising medium and the corresponding billing within the framework of its network.
If the information also contains personal data, the described processing is carried out on the basis of our legitimate financial interest in the processing of commission payments with FinanceAds or NetSlave in accordance with Art. 6 (1) (f) GDPR.
The validity of the cookies embedded in the user's browser is max. 30 days.

For more information on data usage, please see FinanceAds' privacy policy at https://www.financeads.net/aboutus/datenschutz/ and NetSlave's privacy policy at https://www.netslave.de/datenschutz-2019.html.
If you do not wish cookies to be stored in your browser, you can do this by changing your browser settings accordingly.

9.7. Friendly Captcha (Bot/Spam Protection)

We have integrated the "Friendly Captcha" service of Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany, on our website in order to make it more difficult for automated programs and scripts (so-called "bots") to use our website.

For this purpose, a program code from Friendly Captcha has been integrated in order to pose a calculation task to the respective end device of the visitor. Depending on the result of the calculation, the respective request (e.g. in the context of the newsletter form) is further processed or rejected. The data is used exclusively for the protection against spam and bots. Furthermore, Friendly Captcha does not set or read any cookies on the visitor's device. Collected IP addresses are only stored in hashed (one-way encrypted) form and do not allow us and Friendly Captcha to draw any conclusions about an individual person.

The processing of this data is carried out in accordance with Art. 6 (1) (f) GDPR based on our legitimate interest in protecting our website from abusive access by bots, i.e. protection against spam and attacks (e.g. mass requests). If personal data is stored, this data is deleted within 30 days.

Further information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.

10. Social Media

We do not use social media plugins on our website. If our website contains icons from social media providers (e.g. Facebook, Twitter, LinkedIn, Instagram, YouTube), we only use these for passive linking to the pages of the respective providers. For further information, please refer to our data protection notices on our social media presences.

11. Processing in the context of the use of our app

11.1. Push Notifications

We use so-called informative push notifications to inform you, for example, about the successful execution of orders, the achievement of price alerts or the receipt of your deposit. For this purpose, a device token from Apple or a registration ID from Google is assigned. These are encrypted, anonymized device IDs. The sole purpose of their use is to provide push services. For this purpose, we use the "Simple Notification Service" from AWS and additionally the Firebase Cloud Messaging Service from Google for devices with Android operating system. We will only send you these push notifications if the data processing is necessary for the performance of the contract (pursuant to Art. 6 (1) (b) GDPR). You can activate and deactivate this function at any time via the "Notifications" setting in your device settings.

For more information on the Firebase Cloud Messaging Terms of Use, please visit Firebase's website: https://firebase.google.com/terms/.

11.2. Adjust

In order to measure the success of our app marketing campaigns, for our own market research as well as for the optimization of our app, we use the analytics technology Adjust of adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany ("Adjust"). Adjust processes data on interaction with our advertising materials, installation and event data (e.g. start of onboarding, confirmation of onboarding email, conclusion of contract) in the context of the use of our App and provides these as pseudonymized evaluations. For this purpose, the following data is processed from you: IT usage data (e.g. timestamp of events, assigned click timestamp, IP address), device information (e.g. your IDFA or Android ID, operating system version and type, model number and country code of the end device, internet service provider) as well as the Facebook Ads ID, Campaign ID and Ads Set ID. The collected information is used for the execution and optimization of our app advertising campaigns and is additionally forwarded to corresponding providers or advertising partners (e.g. Facebook Inc., TikTok Technology Limited, Google). The legal basis for the data processing is your consent pursuant to Art. 6 (1) (a) GDPR. You can object to the collection, evaluation and use of your data at https://www.adjust.com/opt-out/. The Adjust service is tested and certified according to the ePrivacyseal (European Seal for your Privacy) (see https://www.eprivacy.eu/kunden/vergebene-siegel/).

11.3. Firebase Crashlytics / Performance Monitoring

We use Google's Firebase Crashlytics technology as part of the Google Cloud Platform to ensure the stability of the app and to make improvements. Information about the device used and the use of our app is collected (e.g. user ID, device model, operating system version, app version, timestamp of the message), which enables us to diagnose problems and remedy them in the long term. In the process, so-called "crash_reports" are generated, which only contain information about problems and crashes. We use Crashlytics for the purpose of providing a functional mobile app and fixing stability issues. The data is analysed in a fundamentally anonymised way. The processing is carried out in the context of our contract fulfilment to provide you with a performant app according to Art. 6 (1) (b) GDPR. The data is processed exclusively on servers within the EU and automatically deleted after 90 days.

11.4. Firebase Analytics

In order to be able to analyse the use of our app to improve our offer, we use the analysis service Google Analytics for Firebase and Google Analytics from Google. For this purpose, a so-called app instance ID is generated (pseudonymised), which is recorded as a randomly generated ID when the app is used for the first time. In the course of this, we collect device identification data (e.g. version and type of operating system and device model) as well as IT usage data (e.g. session duration, region, accesses and app updates). Your IP address is anonymized as soon as the data is received by Google Analytics before any storage or processing takes place.
We use the analytics service to track the use of our app and to deduce which features are of particular interest to users and how we can further improve the app. The processing is carried out in the context of our contract fulfilment to provide you with a performant app according to Art. 6 (1) (b) GDPR. You can find more information at https://support.google.com/firebase/answer/9234069?hl=en

11.5. Firebase Remote Config

Firebase Remote Config by Google allows us to unlock new features in the app and configure content without having to download the app again from the respective app store. In this context, we process device identification data (e.g. version and type of operating system and device model). We use this service to continuously develop and improve the app. The processing is carried out in the context of our contract fulfilment to provide you with a performant app according to Art. 6 (1) (b) GDPR.

12. Your rights

Right to access: You have the possibility to request information about the data stored about you, its origin, recipients or categories of recipients to whom the data is disclosed, as well as the purpose of the storage. (Art. 15 GDPR)

Right to rectification: You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. (Art. 16 GDPR)

Right to deletion: You can demand that we delete the personal data relating to you without delay. However, there is no right to deletion if legal, supervisory or other sovereign storage obligations are opposed or the storage serves the assertion, exercise or defense of legal claims. (Art. 17 GDPR)

Right to restriction of processing: You may, under certain conditions (disputed accuracy, unlawful processing, cessation of the purpose of processing or lodging an objection), request the restriction of the processing of personal data concerning you. (Art. 18 GDPR)

Right to data transfer: You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. (Art. 20 GDPR)

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is processed on the basis of Article 6(1)(e) or (f) EU GDPR. We will then no longer process your data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims. (Art. 21 GDPR)

Right to complain to the supervisory authority: Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority if you are of the opinion that the processing of personal data is not carried out lawfully. The address of the supervisory authority responsible for our company is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Postfach 1349, 91504 Ansbach, phone: +49 (0) 981 180093-0, e-mail: poststelle@lda.bayern.de.

13. Your contact persons

Contact person for the exercise of your rights
For the exercise of your rights and further information, please contact Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich, by e-mail to service@scalable.capital or by letter.

Data Protection Officer
Our data protection officer is available to you as a contact for data protection-related concerns:

Data Protection Officer of Scalable Capital GmbH
Seitzstrasse 8e, 80538 Munich
privacy@scalable.capital

Version as of July 2022