The protection of your personal data is of particular concern to us. We treat the personal data you provide when using our website and offers confidentially and in accordance with the legal data protection regulations and this privacy policy. The following notes inform you in detail about which of your personal data we collect, for which purposes it is used, with whom it is shared and which control and information rights you may have when you visit our website.

Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 EU General Data Protection Regulation ("GDPR")).

Controller is QUIN Technologies GmbH, Oranienburger Str. 91, 10178 Berlin, Germany, e-mail [email protected]. Our data protection officer can be contacted at [email protected].

The data processing on this website includes those personal data that are required to enable the informational use of our website. Further personal data is only processed if you consent to the processing or if another legal basis permits this.

If you use our website merely for informational purposes, without providing personal data via registration or in any other way, only personal data that your browser transmits to our server will be processed. The processed data include:

• Internet browser (browser type and browser version),
• operating system used,
• Referrer URL,
• Host name of the accessing computer,
• Time of the page request,
• IP address

This data is technically necessary for us to display our website to you and to ensure stability and security and must therefore be processed by us.

The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. b) GDPR, as we need the automatically collected data for an effective provision of our website, as well as Art. 6. para. 1 p. 1 lit. f) GDPR, as the storage serves our legitimate interest to ensure the stability and security of the website.

For more information on the collection of personal data in the context of visiting our website, please refer to section 4.

Below, we inform you about the data processing that we ourselves carry out in connection with the various functions of our website that you use.

4.1 Use of cookies

Cookies are used on the website. Cookies are pieces of information that are transferred from our web server or third-party web servers to the browser of the website visitor and stored there for later retrieval. Cookies can be small files or other types of information storage. Information is stored in cookies that is generated in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. A cookie also contains information about its origin and the storage period. However, this does not mean that the identity of the website visitor can be obtained directly from a cookie.

Absolutely Necessary Cookies

When you visit the website, cookies are set that are absolutely necessary for the operation of the website. These absolutely necessary cookies may, for example, be cookies that are required to display the website with a content management system, that are used to recognize language settings or that are used to document whether consent has been given to the setting of further (optional) cookies or whether such storage has been rejected. The strictly necessary cookies, including their purpose and storage or deletion period, are explained below and also in the cookie banner that is displayed when the website is accessed.

Optional Cookies

Optional cookies are also used, for example, to collect additional information about the interests of visitors to the website or their usage behavior in order to analyze and optimize the website and customer interactions in general.

Optional cookies, including their purpose and storage or deletion period, are explained below and also in the banner that is displayed when the website is accessed. Optional cookies are only set if you have expressly consented to the setting of optional cookies.

Consent Management

The website uses a consent management tool to inform website visitors about the cookies used on the website and to request consent to the use of optional cookies and, if necessary, to document this.

A permanent cookie may be stored in the browser to store the status of consent (which cookies have been consented to).

The legal basis for this data processing is initially the Controller's legitimate interest in obtaining the consent of website visitors to the storage of optional cookies as part of the provision of the website. If such consent has been given, the legal basis for the processing of the data for consent is the fulfillment of the legal obligation to obtain and document consent for this.

4.2 Requests by E-mail or Phone

If you contact us by e-mail or telephone, your request including all resulting personal data (e.g. name, request) will be stored and processed by us for the purpose of processing your request.

The processing of this data is based on Art. 6 para. 1 p. 1 lit. b) GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests sent to us (Art. 6 para. 1 p. 1 lit. f) GDPR) or on your consent (Art. 6 para. 1 p. 1 lit. a) GDPR) if this was requested.

The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular legal retention periods - remain unaffected.

4.3 Chatbot (Intercom)

We use a chatbot from Intercom, Inc. (55 2nd Street, 4th Floor, San Francisco, CA 94105 USA; "Intercom") a messenger and communication service provider to handle customer inquiries. The chatbot offers you the opportunity to get your questions answered as quickly as possible. When you contact us via chatbot, your conversation including all personal data resulting from it (e.g. name, inquiry, IP address, etc.) will be stored and processed by us for the purpose of processing your request

The processing of this data is based on Art. 6 (1) p. 1 lit. b) GDPR, provided that your request is related to the performance of a contract or is necessary for the performance of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 para. 1 p. 1 lit. f) GDPR) or on your consent (Art. 6 para. 1 p.1 lit. a) GDPR) if this was requested.

If the legal basis for data processing ceases to exist, all personal data entered by you will be deleted. Data that is required for contract processing or is subject to statutory retention periods (e.g. for tax reasons) remains unaffected.

Your data may also be processed in countries outside the European Union when using the chatbot. In the USA, the general level of data protection is not congruent with that which exists in the European Union; it also cannot be ruled out that authorities in the USA or in other countries may be able to access your data. For more information on the safeguards for securing data transfers, please see Section 6 below.

For more information about Intercom's data processing, please refer to their privacy policy at https://www.intercom.com/terms-and-policies#privacy.

4.4 Registration on this website

You can register on our website by providing personal data in order to use additional functions on the website. The data is entered in an input mask and transmitted to us and stored. Registration is required for the provision of certain content and services on our website. Registration provides you with the opportunity to access the mobile app and web app. You can use the various functions of getquin, e.g. portfolio aggregation, view key figures on various stocks and read the various posts from the community, comment on them and write posts yourself.

The following data is collected during the registration process:

• Username
• Email address

The following data is also stored at the time of registration:

• Email address
• IP address
• First name
• Last name
• Username
• Profile picture
• Language
• Country
• Currency
• Broker name
• Transactions from broker
• IP address
• User behavior
• Additional context may include IP, device information, etc.

The data entered during registration is processed for the purpose of implementing the user relationship established by the registration and, if necessary, for initiating further contracts (Art. 6 para. 1 p. 1 lit. b) GDPR).

The data collected during registration will be stored by us as long as you are registered on our website and will then be deleted. Mandatory legal provisions - in particular legal retention periods - remain unaffected.

4.5 Registration with Facebook Connect

Instead of registering directly on this website, you can also register with Facebook Connect. The provider of this service is Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland; "Facebook").

If you decide to register with Facebook Connect and click on the "Login with Facebook"/"Connect with Facebook" button, you will automatically be redirected to the Facebook platform. There you can log in with your usage data. This links your Facebook profile to this website or our services. This link gives us access to your data stored on Facebook. These are mainly:

• Facebook name
• Facebook profile and cover picture
• Facebook cover picture
• Email address on file with Facebook
• Facebook ID
• Facebook friends lists
• Facebook Likes ("Like" votes)
• Birthday
• Gender
• Country
• Language

This data is used to set up, provide, and personalize your account. We use Facebook Connect to facilitate the registration process for you and to shorten it.

The registration with Facebook Connect and the associated data processing operations are based on your consent (Art. 6 para. 1 p.1 lit. a) GDPR). You can revoke this consent at any time with effect for the future. All data will be stored for as long as it is required to fulfill the stated purpose and then deleted, unless there is a legal obligation to retain it. With regard to the data processed by Facebook, we also refer to the Facebook privacy policy.

Your data may also be processed in countries outside the European Union when using Facebook Connect. In the USA, the general level of data protection is not congruent with that which exists in the European Union; it also cannot be ruled out that authorities in the USA or in other countries may be able to access your data. Further information on the protective measures for safeguarding data transfer can be found below under item 7.

For more information on data protection at Facebook, please refer to the Facebook privacy policy at https://de-de.facebook.com/about/privacy/.

4.6 Newsletter

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data is not collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.

For registration we use the so-called double-opt-in procedure. In this process, after you have registered on our website, you will receive an e-mail with a link that you can use to confirm that you are the owner of the e-mail address and wish to create a user account on our website. If your confirmation is not received within 12 hours, your registration and your personal data provided in the process will be automatically deleted.

The processing of the data entered in the newsletter registration form is based on your consent (Art. 6 para. 1 p.1 lit. a) GDPR). You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.

After your unsubscription from the newsletter distribution list, your e-mail address will be stored by us or the newsletter service provider in a blacklist, if necessary, to prevent future newsletter e-mails. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1) f) GDPR). The storage in the blacklist is limited to a maximum of 2 years. You can object to the storage if your interests outweigh our legitimate interest.

4.7 Application: by e-mail, by post or via online application form

If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship.

The legal basis for this is Section 26 (1) of the German Federal Data Protection Act (initiation of an employment relationship), Article 6 (1) sentence 1 lit. b) of the General Data Protection Regulation (GDPR) (general contract initiation) and - if you have given your consent - Article 6 (1) sentence 1 lit. a) of the GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to store the data you have provided with us for up to 6 months from the end of the application process (rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 para. 1 p.1 lit. f) GDPR). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will not be deleted until the purpose for continued storage no longer applies.

Longer storage may also take place if you have given your corresponding consent (Art. 6 para. 1 p.1 lit. a) GDPR) or if legal storage obligations prevent deletion.

If we do not make you a job offer, it may be possible to include you in our applicant pool. In the event of inclusion, all documents and details from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

Inclusion in the applicant pool is based exclusively on your express consent (Art. 6 para. 1 p.1 lit. a) GDPR). The provision of consent is voluntary and is not related to the current application process. The data subject may revoke his/her consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, unless there are legal reasons for retention.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.

5.1 Account

If you create an account to use the getquin platform (hereinafter ‘platform’), we will collect and process your data as the controller in order to enable you to use the platform.

In this context, we process your data as part of the provision of the platform or to provide the services we offer. This may include the processing of the surname and first name of the users of the platform, address(es), contact data (e.g. e-mail address, telephone number), contract data (e.g. subject matter of the contract, term), payment data and data collected in the context of the provision of our services and/or required for the provision of our services, in particular information on the users' assets managed via the getquin platform.

Your data will be processed for as long as you use your account. If you close/delete your account, the data processed via your account will be deleted (subject to any retention obligations, see ‘Storage/retention and deletion’ below).

The legal basis for this storage and processing is the fulfilment of the contract or the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b) GDPR.

5.2 Hosting of the platform

We use highly secure data centres from various hosting service providers to host our platform. The platform is hosted in the EU. The hosting service providers work for us as processors on the basis of an order processing agreement in accordance with Art. 28 GDPR.

5.3 Content Delivery Network for the platform

We use a Content Delivery Network (CDN) to increase the security and delivery speed of the platform. A CDN is a network of globally distributed servers that is able to deliver optimised content to users. For this purpose, personal data may be processed in server log files of the CDN provider.

The provider of the CDN acts for us as a processor on the basis of an order processing agreement in accordance with Art. 28 GDPR.

Since a CDN is a network of globally distributed servers, personal data may be transferred to a third country without an adequate level of data protection when using a CDN. In this case, we ensure that suitable guarantees are provided for the transfer in accordance with Art. 46 GDPR. We are happy to provide proof of suitable guarantees at any time on request.

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. Our overriding legitimate interest is to increase the security and delivery speed of the platform.

5.4 Analysis of the use of the platform

In order to better understand how you use the platform and to continuously improve the platform and our services, we collect and analyse the use of the platform by users. The data collected is used to create aggregated usage reports.

We use the analytics service Google Analytics with IP anonymisation to analyse usage. Google Analytics is provided by Google Ireland Limited in Ireland (hereinafter referred to as ‘Google’).

We can use JavaScript tags to collect information about your use of the platform. Google Analytics also regularly uses cookies to collect information about a user's interactions with the platform.

As part of the use of Google Analytics, your IP address and information about the use of the platform, browser type and version, operating system used, the previously visited page and the time of the server request are transmitted to Google servers and processed there.

As part of IP anonymisation, the IP addresses of users within the European Economic Area are truncated before being transmitted to the USA. Only in exceptional cases, in the event of technical faults in Europe, will the unabridged IP address be transmitted to Google in the USA and abbreviated there. The transmitted IP addresses are not merged with other Google data.

Google acts for us as a processor on the basis of an order processing agreement in accordance with Art. 28 GDPR.

As explained, personal data may be transferred to a third country without an adequate level of data protection. In this case, we ensure that suitable guarantees are provided for the transfer in accordance with Art. 46 GDPR. We are happy to provide proof of suitable guarantees at any time on request.

The legal basis for this data processing is the express consent pursuant to Art. 6 para. 1 lit. a) GDPR.

5.5 Support

In the case of support requests via electronic messages, when creating support tickets and during live chat, the contact details and other content you provide will be collected and processed. This processing is carried out to manage and process your support or contact enquiry.

The legal basis for this storage and processing is Art. 6 para. 1 lit. f) GDPR. Our overriding legitimate interest is communication with the users of the platform and the provision of optimal support for our users.

For the ticketing system and live chat, we use an external service provider as a processor on the basis of an order processing agreement in accordance with Art. 28 GDPR.

Personal data may be transferred to a third country without an adequate level of data protection. In this case, we ensure that suitable guarantees are provided for the transfer in accordance with Art. 46 GDPR. We are happy to provide proof of suitable guarantees at any time on request.

5.6 Transaction messages

For transactional messages (e.g. by email) that are sent in connection with your use of the platform, we use external service providers who send the messages for us and ensure the deliverability of the messages.

These service providers act for us as processors on the basis of an order processing agreement in accordance with Art. 28 GDPR.

Personal data may be transferred to a third country without an adequate level of data protection. In this case, we ensure that suitable guarantees are provided for the transfer in accordance with Art. 46 GDPR. We are happy to provide proof of suitable guarantees at any time on request.

The legal basis for the sending of transaction messages in connection with the use of the platform is the fulfilment of the contract pursuant to Art. 6 para. 1 lit. b) GDPR.

5.7 Proprietary Connections

When you choose to connect your external financial or brokerage accounts (e.g., bank, broker, investment platform) with our Services (“Connected Accounts”), we receive data from your Connected Accounts to update and display information within our platform. We collect and store the following information from those Connected Accounts:

• Account Details: Account numbers, account balances, and asset information.
• Transaction History: Full records of transactions, including dates, amounts, and descriptions.

We process this information to:

• Provide Our Services: We use your account information to offer you a consolidated view of your assets, enable transaction tracking, generate insights, and improve your financial management experience.
• Perform Analytics: We may analyze transaction patterns and account balances to offer tailored recommendations and features (e.g., portfolio analytics).

You are free to decide which Connected Accounts to link to our platform. If you do not wish to provide access to certain accounts, you are not obligated to do so. You can revoke our access to your Connected Accounts at any time through your account settings. Once revoked, we will no longer collect or update data from that account.

The legal basis for the data processing and data transfers from Connected Accounts via our proprietary connections is the fulfilment of the contract pursuant to Art. 6 para. 1 lit. b) GDPR.

5.8 getquin AI

Our products or features using artificial intelligence or machine learning, collect information to enhance the quality, reliability and/or accuracy of our AI features by creating, developing, training, testing, improving, and maintaining AI and ML models run by getquin or our service providers. We use de-identified information for AI features only.

5.9 YouTube

Videos (YouTube): YouTube videos are embedded on the website. These are provided by Google Ireland Ltd. in Ireland via a plugin. The provider acts as a data processor on the basis of a data processing agreement.

When a website with the YouTube plugin is accessed, a connection to Google is inevitably established and the IP address of the website visitor is transmitted to Google.

Personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing is the Controller's legitimate interest in the integration of videos and the associated optimization of the interactivity of the website and customer interactions. If consent has been obtained, the expressly granted consent, which can be revoked at any time, constitutes the legal basis.

In order to offer the functions of our website, we integrate third-party services. In the following, we distinguish between functional services and analysis services.

6.1 Functional services

Functional services enable you to use our website smoothly and are mandatory to use our website.

6.1.1 Cloudflare

We use functions of the company Cloudflare, Inc. 101 Townsend St., San Francisco, CA 94107, USA (hereinafter "Cloudflare").

Cloudflare offers a globally distributed content delivery network. This technically routes the transfer of information between your browser and our website through Cloudflare's network. This enables Cloudflare to analyze traffic between your browser and our website and to serve as a filter between our servers and potentially malicious traffic from the Internet. In doing so, Cloudflare may also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described herein.

The use of Cloudflare is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 para. 1 p.1 lit. f) GDPR).

All data is stored for as long as it is required to fulfill the aforementioned purpose and then deleted, unless there is a legal obligation to retain it.

You can find more information about security and data protection at Cloudflare here: https://www.cloudflare.com/privacypolicy/

6.1.2 Stripe

On this website, we offer, among other things, payment using the services of Stripe Payments Europe, Ltd,1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe").

When you make a payment via Stripe, your payment data is forwarded to Stripe via an interface on our site in order to make the payment. You can read details about this in Stripe's privacy policy at the following link: https://stripe.com/de/privacy.

The transfer of your data to Stripe is based on Art. 6 para. 1 p.1 lit. b) GDPR as well as on our legitimate interest in using reliable and secure payment processes (Art. 6 para. 1 p.1 lit. f) GDPR). All data is stored for as long as it is required to fulfill the aforementioned purpose and then deleted, unless there is a legal obligation to retain it.

6.2 Analytics services

Analytics services help us better understand how our platforms are used.

6.2.1 Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, dwell time, operating systems used and the origin of the user. This data may be summarized by Google in a profile that is assigned to the respective user or their end device.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is transferred to a Google server in the USA and stored there. In the USA, however, the general level of data protection is not the same as that which exists in the European Union; it also cannot be ruled out that authorities in the USA or other countries may be able to access your data.

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

The storage of the data is based on your consent, Art. 6 para. 1 p.1 lit. a) GDPR. You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Demographic characteristics in Google Analytics

This website uses the "demographic characteristics" function of Google Analytics to display suitable advertisements to website visitors within the Google advertising network. This allows reports to be generated that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google as well as from visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as shown in the item "Objection to data collection".

Data stored by Google at user and event level that is linked to cookies, user IDs (e.g. User ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. For details, please see the following link: https://support.google.com/analytics/answer/7667196?hl=en

6.2.2 Google Firebase Crashlytics

This website uses functions of the crash analysis service Google Firebase Crashlytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Firebase Crashlytics is used to ensure the stability of our apps and to implement improvements. In doing so, information about the device used and the usage of our apps—such as user ID, device model, operating system version, app version, and the timestamp of the error message—is collected and processed. This results in the creation of so-called "crash reports," which contain details about issues and crashes.

The processing of this data is based on our legitimate interest in providing a stable and functional application (Section 25 (2) TDDDG in conjunction with Art. 6 para. 1 p.1 lit. f) GDPR). All data is stored only as long as necessary to fulfill the aforementioned purpose and is then deleted, unless a legal obligation requires retention.

Further information on data protection at Google can be found here: https://firebase.google.com/support/privacy?hl=en

6.2.3 Google Conversion Tracking

This website uses Google Conversion Tracking. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

With the help of Google conversion tracking, Google and we can recognize whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked how often and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics. We learn the total number of users who clicked on our ads and what actions they took. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification.

The use of Google conversion tracking only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

More information on Google conversion tracking can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en

6.2.4 Smartlook

This website utilizes Smartlook, a product analytics tool provided by Smartsupp.com, s.r.o., with its registered office at Milady Horákové 13, 602 00 Brno, Czech Republic (website: https://www.smartlook.com/) to analyze user behavior on this website and record mobile app sessions to improve the user experience of our visitors. It enables us to record mouse movements, clicks, and scrolling activity of the users. Smartlook may also collect information about the length of time the cursor stays in a specific position. With this data, Smartlook generates Heatmaps, which help us understand the parts of the website that the visitors find most interesting.

We exclude all sensitive information, such as login credentials, payment information, or personally identifiable information, from these recordings to protect the privacy of our users.

Additionally, Smartlook helps us identify the pages that visitors spend the most time on, and when they exit. We may also use Smartlook to track conversion funnels and obtain direct feedback from website visitors to improve our offerings.

Smartlook uses technologies like cookies or device fingerprinting to recognize the user and analyze user behavior patterns. The use of this analysis tool is based on Art. 6 Sect. 1 lit. f) GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator's web offerings and advertising. If a corresponding agreement has been requested (e.g. an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a) GDPR; the agreement can be revoked at any time.

If you would like to deactivate the recording of data by Smartlook, please click on the link below and follow the instructions provided under the link: https://www.smartlook.com/opt-out/. Please note that you will have to separately deactivate Smartlook for every browser and every device.

For more detailed information about Smartlook and the data to be recorded, please consult the Data Privacy Declaration of Smartlook under the following link: https://help.smartlook.com/docs/privacy-statement-full

6.2.5 Segment

The getquin application uses the Segment analytics service. The provider is Segment.io, Inc. 100 California Street, Suite 700 San Francisco, CA 94111.

Segment is used to analyze user data in mobile devices and the Internet. The data is stored on Segment servers in the USA. However, the general level of data protection in the USA is not the same as that which exists in the European Union; it also cannot be ruled out that authorities in the USA or in other countries may be able to access your data. Further information on the protective measures for safeguarding data transfer can be found below under section 6.

The use of Segment only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

You can also find more information about Segment's data protection here: https://www.twilio.com/en-us/legal/privacy

6.2.6 Customer.io

The getquin application uses Customer.io. Provider is Peaberry Software, Inc. 921 SW Washington Street, Suite 820, Portland, Oregon 97205.

Customer.io is used to send contextual messages (e.g. newsletters). Your personal data is stored on servers operated by Peaberry Software, Inc. in the USA. However, the general level of data protection in the USA is not the same as that which exists in the European Union; it also cannot be ruled out that authorities in the USA or in other countries may be able to access your data. Further information on the protective measures for safeguarding the transfer of data can be found below under point 6.

The use of customer.io only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

For further information, please refer to the privacy policy of Peaberry Software, Inc.: https://customer.io/legal/privacy-policy/

6.2.7 Amplitude

This website uses functions of the analytics service Amplitude. The provider is Amplitude Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103, USA.

Amplitude collects technical information about your device, such as the device type (e.g.,2.8 iPhone 7) and operating system version (e.g., iOS 10.3). In addition, Amplitude processes location data (e.g., country) and internal data (e.g., language, server upload time, session ID) generated when using our Adjust Dashboard. This may include information such as the duration of your session and the country from which you accessed the Dashboard. The use of Amplitude enables us to analyze user behavior and improve the user experience accordingly.

The processing of this data is based on our legitimate interest in optimizing our services and ensuring a smooth user experience (Art. 6 para. 1 p.1 lit. f) GDPR). All data is stored only as long as necessary to fulfill the aforementioned purpose and is then deleted, unless a legal obligation requires retention.

Further information on data protection at Amplitude can be found here: https://amplitude.com/privacy

6.2.8 Datadog

This website uses functions of the monitoring and analytics service Datadog. The provider is Datadog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018, USA ("Datadog").

Datadog is used to collect information about the performance of our website, detect potential technical malfunctions, and monitor cybersecurity incidents. For this purpose, Datadog sets a cookie for the duration of the browser session and processes geolocation data, as well as information about the user’s device and operating system. Additionally, we process login data, including email address, IP address, device information, and geolocation data derived from the user's IP address when accessing our apps. This processing helps detect and respond to cybersecurity threats.

The processing of this data is based on our legitimate interest in ensuring the security, stability, and IT protection of our platform (Section 25 (2) TDDDG in conjunction with Art. 6 para. 1 p.1 lit. f) and Art. 32 GDPR). Your personal data is deleted after 15 days unless further storage is required for forensic analysis and investigations.

For additional analysis purposes, we collect and process further usage data based on your consent, which you provide during your visit to our website or apps (Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 p.1 lit. a) GDPR).

To ensure an appropriate level of data protection when processing data in non-European countries, we have concluded the corresponding EU standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021. You can view the decision, including the standard contractual clauses, here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914

Further information on data protection at Datadog can be found here: https://www.datadoghq.com/legal/privacy/

6.2.9 Revenuecat

This app offers functions for purchasing paid content through the app store provider of the respective device (Google for Android devices and Apple for iOS devices). The app uses the technical interface provided by the provider to verify whether a purchase has been made. This process involves communication with the app store provider. The transmitted data is processed in accordance with the provider’s privacy policy and is not accessible to us.

To manage and analyze in-app purchases, the app uses the RevenueCat service from RevenueCat, Inc., 633 Tarava St. Suite 101, San Francisco, CA 94116, USA ("RevenueCat"). The transmission of data is carried out in accordance with Art. 46 GDPR. RevenueCat stores data either in the USA or Europe and complies with the EU General Data Protection Regulation (GDPR) under its Data Processing Agreement (DPA): https://www.revenuecat.com/dpa

Further information can be found in RevenueCat's Terms and Privacy Policy:

General Terms and Conditions: https://www.revenuecat.com/terms

Privacy Policy: https://www.revenuecat.com/privacy

The data stored and processed by RevenueCat for analysis purposes can be reviewed here: https://www.revenuecat.com/dpa

6.2.11 Google Cloud

This website uses the cloud storage service Google Cloud. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which is responsible for all Google services in the European region.

Google Cloud is used to store files, photos, and videos necessary for the operation of our website. In this process, Google may also process data in the USA and other countries. Google is an active participant in the EU-US Data Privacy Framework, which ensures the correct and secure transfer of personal data from EU citizens to the USA. Further information on this framework is available here: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Additionally, Google relies on Standard Contractual Clauses (SCCs) in accordance with Art. 46 (2) and (3) GDPR. These clauses, provided by the EU Commission, are designed to ensure that personal data transferred to third countries (such as the USA) is processed in accordance with European data protection standards. By adopting these clauses and participating in the EU-US Data Privacy Framework, Google commits to maintaining the European level of data protection even when processing and storing data outside the EU. The full text of the EU Commission’s implementing decision, including the standard contractual clauses, can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj/eng

Google also provides a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR, which serves as the legal basis for our contractual relationship with Google. This agreement incorporates the EU standard contractual clauses. You can review the terms of this agreement here: https://business.safety.google/intl/en/adsprocessorterms/

Further details on how Google Cloud processes data can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=en

6.3 Marketing related services

We process personal data for our marketing activities and in connection with our use of social media. Below you can find information on our processing activities with regard to marketing and social media.

6.3.1 Everflow

This website uses the tracking and analytics service Everflow, provided by Everflow Technologies B.V., Herengracht 449A, 1017 BR Amsterdam, Netherlands. Everflow is used to analyze user interactions and optimize our platform's performance.

We have concluded a Data Processing Agreement (DPA) with Everflow Technologies B.V. in accordance with Art. 28 GDPR, ensuring that the processing of personal data complies with European data protection regulations.

The access to information on the user's terminal device is carried out in accordance with § 25 para. 2 TTDSG.

Further details on data processing by Everflow can be found in Everflow's privacy policy: https://www.everflow.io/legal/data-processing-addendum

6.3.2 Apple Search Ads

This website uses the search engine advertising service Apple Search Ads, provided by Apple Inc., One Apple Park Way, Cupertino, California 95014, USA. Apple Search Ads is used to optimize the visibility of our content within the Apple App Store.

Apple may process data in the USA and other countries. However, according to the European Court of Justice, the USA currently does not offer an adequate level of data protection comparable to that of the EU. This may involve certain risks regarding the legality and security of data processing.

To ensure an appropriate level of data protection when transferring data to third countries (such as the USA), Apple relies on Standard Contractual Clauses (SCCs) in accordance with Art. 46 (2) and (3) GDPR. These clauses, provided by the EU Commission, are designed to ensure that personal data is processed in compliance with European data protection standards, even if stored outside the EU. Through these clauses, Apple commits to maintaining the European level of data protection when processing relevant data. The full text of the EU Commission’s implementing decision, including the standard contractual clauses, can be found here: https://eur-lex.europa.eu/eli/dec\_impl/2021/914/oj?locale=en

Further details on Apple’s data processing practices and Standard Contractual Clauses can be found in Apple’s privacy policy: https://www.apple.com/legal/privacy/en-ww/

6.3.3 Reddit Pixel

We use tracking technologies from Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015 CS, Amsterdam, Netherlands, to display targeted and personalized advertising on the Reddit platform and to create interest-based user profiles. This allows us to optimize our future advertising campaigns and improve the relevance of our ads.

Additionally, we use this data to measure event-based conversions of Reddit ads, enabling us to better target our advertising efforts to our audience. The collection and processing of this data occur exclusively based on your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR, which you provided during your visit to our website or apps.

For further information on how Reddit processes your data, please refer to Reddit’s privacy policy: https://www.redditinc.com/policies/privacy-policy

6.3.4 Microsoft Bing Ads

We use Microsoft Advertising Remarketing from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft") on our website. If you have reached our website via a Microsoft advertisement, Microsoft places a conversion cookie on your end device. This cookie allows us to track whether a Microsoft advertisement was clicked and whether it redirected you to our website after a specific target page ("conversion site") was visited.

Microsoft collects, processes, and uses information via this cookie to create pseudonymized user profiles. These profiles help us analyze visitor behavior and display targeted advertisements. The collection and processing of this data occur exclusively based on your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR, which you provided during your visit to our website or apps.

For further information on how Microsoft processes your data, please refer to Microsoft’s privacy policy: https://www.microsoft.com/en-us/privacy/privacystatement

6.3.5 FinanceAds

We use the services of financeAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg ("financeAds") and financeAds International GmbH, Hardenbergstraße 32, 10623 Berlin ("financeAdsInt"). Our ads are shown on partner websites of the networks (third-party providers). Cookies are used for this purpose, which assign a pseudonymized user ID to the user when calling up an ad based on, among other things, the type as well as the time of the clicked ad. We can then use the stored data to determine whether the user has registered in our application.

The use of financeAds and financeAdsInt only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

Further information can also be found in the privacy policy of financeAds and financeAdsInt: https://www.financeads.com/privacy-policy/ https://www.financeads.net/aboutus/datenschutz/

6.3.6 Facebook Pixel

This website uses the services of Meta Platforms Ireland Limited ("Facebook"), 4 Grand Canal Square, Dublin 2, Ireland for conversion measurement of the visitor action pixel.

This makes it possible to track the behavior of page visitors after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous for us as the operator of this website, we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Use Policy. This allows Facebook to enable the placement of advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

The use of Facebook Pixel only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future. You can also deactivate the remarketing function "Custom Audiences" in the settings for advertisements section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook. If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com/ma/your-ad-choices

You can find more information about protecting your privacy in Facebook's privacy policy: https://de-de.facebook.com/about/privacy/

6.3.7 Instagram

This Website uses services from Instagram, a social network operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta"). Meta provides us with usage statistics related to our Company Profile and marketing activities.

To generate these statistics, Meta processes personal data of its users and visitors to our Company Profile. The processing of this data is carried out under a joint controllership agreement between us and Meta.

You can view the joint controller agreement with Meta at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

6.3.8 Google Ads

The website operator uses the online advertising program of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to play out advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be played on the basis of user data available at Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analyzing, for example, which search terms have led to the display of our advertisements and how many ads have resulted in corresponding clicks.

The use of Google Ads only takes place after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

6.3.9 TikTok

We use services from TikTok, a social network operated by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland ("TikTok"). TikTok provides us with usage statistics related to our Company Profile and marketing activities, including impressions, ad spend, and cost per event.

To generate these statistics, TikTok processes personal data of its users and visitors to our Company Profile. The processing of this data is carried out under a joint controllership agreement between us and TikTok.

You can view the joint controller agreement with TikTok at the following link: https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en

6.3.10 X (Formerly Twitter)

We use services from X, a social network operated by Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland ("Twitter"). X provides us with usage statistics related to our Company Profile and marketing activities.

To generate these statistics, Twitter processes personal data of its users and visitors to our Company Profile.

You can find more information about Twitter's privacy practices at the following link: https://x.com/en/privacy

6.3.11 Appsflyer

The getquin application uses the mobile analytics service "AppsFlyer". AppsFlyer is a service provided by AppsFlyer Ltd, Maskit St. 14, Hertsliya, Israel.

The AppsFlyer service makes the success of mobile advertising campaigns measurable by measuring the effectiveness of app install campaigns.

AppsFlyer is only used after explicit consent according to Art. 6 para. 1 p. 1 lit. a) GDPR. This can be revoked at any time with effect for the future. If you do not want AppsFlyer to collect and process data, you can download an opt-out cookie via the following link: https://www.appsflyer.com/optout. Once you delete your cookies, you will also need to download the opt-out cookie again.

For more information about data protection at AppsFlyer, please refer to the privacy policy at: https://www.appsflyer.com/privacy-policy/

6.3.12 LinkedIn Ads

LinkedIn Ads: Tracking pixels and cookies provided by LinkedIn Ireland Unlimited Company in Ireland are used on the website to track the use of the website and the actions of website visitors for the purpose of conversion tracking. The provider acts as a data processor on the basis of a data processing agreement.

The tracking pixels are a code snippet that can be used to track the actions of visitors to the website, which makes it possible to personalize and improve advertisements and measure their success. This allows the use of the website to be evaluated for statistical and market research purposes and advertising campaigns to be optimized.

The data collected via LinkedIn Ads may be used by LinkedIn as Controller for its own tracking and advertising purposes. For further details, please refer to LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy?

If a visitor to the website is a member of the LinkedIn social media platform and has allowed the provider to do so via the settings of the user account with the social media network, the provider of the social media network or tracking pixel can link the information collected about the visit to the website with the associated user account with the respective social media network and use it for the targeted placement of advertisements.

The website provider can also measure the effectiveness of advertisements in the respective social media networks and see whether a user was redirected to the website via such advertisements (conversion measurement).

When such tracking pixels are integrated, personal data may be transferred to third countries that do not offer an adequate level of data protection. In this case, it is ensured that appropriate safeguards are provided for such a transfer in order to ensure an adequate level of data protection. The Controller will provide evidence of these appropriate safeguards on request.

The legal basis for this data processing, including the transfer of data to LinkedIn, is the express consent of the website visitor.

6.3.13 Outbrain

We use the Outbrain Custom Audience Pixel, a service provided by Outbrain Inc., 39 West 13th Street, 3rd Floor, New York, NY 10011, USA.

This technology enables us to display targeted and personalized advertising based on user behavior and to analyze the effectiveness of our advertising campaigns.

Further information on data processing by Outbrain can be found in Outbrain’s privacy policy: https://www.outbrain.com/legal/privacy

6.4 Connecting services

Connecting services are used to connect financial institutions such as brokerages, wallet providers etc. getquin uses a combination of third-party-providers and proprietary APIs to retrieve transaction history to be displayed on our platform.

6.4.1 Plaid

The getquin application uses Plaid Inc. and its affiliates and subsidiaries, including Plaid Financial Ltd. and Plaid, B.V. (collectively, “Plaid”), registered at PO Box 7775 #35278, San Francisco, California 94120-7775.

Plaid enables among others users to provide access to a point-in-time consolidated summary of their financial account data—like account balances, transaction histories, and account holder identity information—to Plaid and the apps and services they choose. Plaid collect identifiers, financial information, commercial data, location data, electronic network activity data, and derives inferences from this data.

For further information, please refer to the privacy policy of Plaid: https://plaid.com/legal/#end-user-services-agreement-us

6.4.2 Flanks

For bank account aggregation, we work with Flanks, a service provider based at Calle del Sol, nº55, 08840, Viladecans, Barcelona, Spain.

Flanks processes data in accordance with its privacy policy, which you can view at the following link: https://www.flanks.io/security-and-privacy

6.4.3 FinApi

We use the payment service finAPI, provided by finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany, to enable secure online banking transactions.

As a BaFin-licensed fintech company, finAPI handles all online banking transactions within our platform. When you initiate a payment (e.g., bank transfer), finAPI communicates directly with the bank and transmits account statements or transaction details after the transaction is completed.

For security reasons, a transaction number (TAN) must be entered for all payment-initiating processes (e.g., bank transfers, direct debits). Neither we nor finAPI store TANs—they are used exclusively to execute transactions. Our platform and the finAPI interface use TLS 3.0 and 256-bit encryption, ensuring the same security standard as conventional online banking.

The processing of your data is based on Art. 6(1)(b) GDPR, as it is necessary to fulfill payment obligations under a contract with you. Additionally, the use of an external payment service provider is based on our legitimate interest (Art. 6(1)(f) GDPR) in offering you a secure and convenient payment solution.

For more information on finAPI’s privacy policy, please visit: https://www.finapi.io/en/data-protection-policy/

6.4.4 SnapTrade

We use the account aggregation service SnapTrade, which provides secure connections to leading stock brokerages in the USA, Canada, UK, Netherlands, India, and Australia.

SnapTrade collects and securely stores the login credentials (such as username and password) that you share in order to access and aggregate financial data. This information is never stored by or disclosed to us.

For more details on SnapTrade’s privacy practices, please visit: https://snaptrade.com/privacy-policy

6.5 Miscellaneous Services

Remaining services that do not fall under the previous described categories can be found below.

6.5.1 Typeform

We use Typeform, a service provided by Typeform S.L., 163 Carrer de Bac de Roda, Barcelona, Spain, for quizzes and online forms. Typeform processes content data (e.g., entries in forms) and meta/communication data (e.g., device information, IP addresses) in the USA.

The legal basis for processing is Art. 6 (1) (f) GDPR, as we have a legitimate interest in collecting information from customers and users in a user-friendly and engaging way.

Data transfers to countries outside the EEA are based on standard contractual clauses in accordance with Art. 46 (2) (c) GDPR, ensuring compliance with European data protection standards.

Your data is deleted once the purpose for its collection no longer applies and no legal retention obligations exist.

For more details, please refer to Typeform’s privacy policy: https://admin.typeform.com/to/dwk6gt

6.5.2 Upvoty

We use Upvoty, a service provided by Upvoty, Hurksestraat 19, 5652 AH, Eindhoven, The Netherlands, to collect and manage customer feedback and suggestions. This helps us to enhance our product and better tailor it to user needs.

We only collect the minimum necessary data to process feedback, which includes your customer number and your submitted suggestion.

The processing of your data is based on our legitimate interest in improving our services and optimizing our website, in accordance with Art. 6 (1) (f) GDPR. You can opt out of receiving notifications at any time via your browser or mobile device settings.

We have entered into a data processing agreement with Upvoty, ensuring that user data is processed in compliance with our instructions and EU data protection regulations.

For more details, please refer to Upvoty’s privacy policy: https://www.upvoty.com/gdpr/

6.5.3 Calendly

We use Calendly, a scheduling and organization tool provided by Calendly LLC, 271 17th St. NW, Ste 1000, Atlanta, Georgia, USA. Calendly enables users to book appointments efficiently, and in the process, personal data may be transferred to the USA.

The use of Calendly is voluntary and is based exclusively on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG.

For further details, please refer to Calendly’s privacy policy: https://calendly.com/de/privacy

6.5.4 GetMyInvoices

We use GetMyInvoices, an invoice management software service, provided by fino data services GmbH, Universitätsplatz 12, 34127 Kassel, Germany, to facilitate invoice collection.

For more details, please refer to their data processing agreement: https://www.getmyinvoices.com/en/dpa/

7.1 External hosting

Our website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contractual data, contact data, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 p. 1 lit. b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 p.1 lit. f) GDPR).

Our hoster will only process your data to the extent necessary to fulfill its service obligations.

7.2 Other cases

Except in the cases mentioned in this Privacy Policy, your personal data will not be disclosed to third parties or processors within the meaning of Article 28 of the GDPR.

If we are legally entitled or obliged to do so (e.g. due to applicable law or a court order), we may disclose your personal data.

Please note that data processed in other countries may be subject to foreign laws and may be accessible to local governments, courts, law enforcement and regulatory authorities. However, when transferring your personal data to third countries, we will take appropriate measures to adequately secure your data.
Unless an adequacy decision of the EU Commission exists for the recipient country, the transfer of your data to a third country is protected by the fact that EU standard contractual clauses have been concluded with the recipient or binding internal data protection guidelines are in place. Otherwise, a transfer will only take place if an exception according to Art. 49 GDPR is fulfilled.

Our aim is to process your personal data only to the minimum extent possible. We will therefore only store your personal data for as long as it is necessary to fulfill the purpose for which it was originally collected or - if applicable - for as long as longer storage (for example, to fulfill commercial and tax retention obligations) is required or justified by law.

Depending on the circumstances of the specific case, you have the following data protection rights:

• Information: you have the right to request information about and access to your personal data and/or copies of this data. This includes information about the purpose of the use, the category of data used, its recipients and authorized persons and, if possible, the planned duration of data storage or, if this is not possible, the criteria for determining this duration.

• Correction, blocking, deletion: you have the right to demand the correction, deletion or restriction of the processing of your personal data, insofar as their use is inadmissible under data protection law. This is the case in particular if (i) the data is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, (iii) the consent on which the processing was based has been revoked, or (iv) you have successfully exercised a right to object to data processing; in cases where the data is processed by third parties, we will forward your requests for rectification, erasure or restriction of processing to those third parties, unless this proves impossible or involves a disproportionate effort;

• Refusal/revocation of your consent: many data processing operations are only possible with your explicit consent. You have the right to refuse your consent or to revoke consent you have already given - without affecting the lawfulness of the data processing operations carried out prior to revocation - at any time.

• Automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you;

• Data portability: you have the right to have data that you have provided to us handed over to you or to a third party in a commonly used structured, machine-readable format. However, the right to request direct transfer to another controller only exists to the extent that this is technically feasible.

• Right of complaint to the competent supervisory authority: if you believe that your rights have been violated as a result of processing of your personal data that is not in compliance with data protection law, you have the right to lodge a complaint with the competent supervisory authority.

• Right to object: you have the right to object to the processing of your personal data at any time, insofar as we process your personal data for purposes of direct advertising or insofar as we process your personal data for the pursuit of our legitimate interests and there are reasons arising from your particular situation.

You may (i) exercise the above rights or (ii) ask questions or (iii) lodge a complaint against the processing of your personal data carried out by us by contacting us - as indicated in section 2 above.

If we are involved in a restructuring, acquisition, asset sale, merger, financing, transfer of services to another provider, due diligence, insolvency or receivership, your personal data may be transferred to third parties to the extent legally permitted in connection with and as part of the relevant legal process, subject to the basic principles of data protection law.

12.1 Active Sourcing
We carry out so-called active sourcing measures to identify promising potential employees on the external labor market and actively contact potential applicants and employees. The purpose of data processing is recruitment, e.g. by individually drawing the attention of promising candidates to job vacancies in our company.

We collect the following categories of data for active sourcing: Surname, first name, gender, contact details, education, professional experience, qualifications, salary data, application data, non-professional experience and interests and other information resulting from public profiles on social networks, in particular LinkedIn and Xing, and/or from other publicly accessible sources on the internet.

All personal data processed in the context of active sourcing is collected from generally/publicly accessible sources on the Internet, in particular from social networks such as LinkedIn and Xing.

The legal basis for the collection and processing of publicly accessible data in the context of active sourcing is the Controller's legitimate interest in identifying, approaching and recruiting the best possible employees for the company.

12.2 Application Process
We collect and process personal data from applicants for the purpose of carrying out the application process.

If we conclude an employment contract with an applicant, the data transmitted will be processed for the purpose of implementing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded, the application documents will be deleted immediately after the end of the application procedure, provided that there is no overriding legitimate interest in deletion, such as the defense against claims or the preservation of evidence in accordance with equal treatment and anti-discrimination laws.

The legal basis for this storage and processing is the implementation of pre-contractual measures.

12.3 Talent Pool
If the applicant has consented to a longer storage of his/her data, we will store the data submitted as part of the application in our talent pool for a further 2 years after the end of the application process in order to identify future positions of potential interest to the applicant and, if necessary, contact the applicant in this regard. After this period, the data will be deleted.

Such consent to the storage of application data in our talent pool can be withdrawn at any time for the future. To do so, please send us an email to the contact details provided above.

The legal basis for the storage of application documents in our Talent Pool is, where applicable, the explicit consent of the applicant, which can be revoked at any time.

12.4 Compliance/Sanctions Screening
Applicants who are shortlisted as part of the application process may be subject to an initial compliance check. The compliance check involves a comparison of the applicant's name and address with relevant sanctions lists, in particular on the basis of the EU anti-terrorism regulations.

To carry out the compliance/sanctions list screening, we use an external service provider as a data processor on the basis of a data processing agreement.

The legal basis for this storage and processing is, if there is a legal obligation to carry out a compliance/sanctions list screening, the fulfillment of the legal obligation. In individual cases, depending on a balancing of interests, compliance/sanctions list screening can also take place if there is no mandatory legal obligation. In this case, the legal basis is our legitimate interest in avoiding potential sanctions by foreign authorities.

We reserve the right to change this privacy policy as our website is updated. Please visit this website regularly to review the most current Privacy Policy.

This privacy policy was last updated on April 11, 2025.