Privacy policy – Invesdor

Last updated: 01 October 2025

In case of any discrepancies or inconsistencies between translations of this Policy, the English version shall prevail.

I. Contact details of the data controller

In case of any discrepancies or inconsistencies between translations of this Policy, the English version shall prevail.

The website "Invesdor" and its domains offer brokerage services (“Brokerage Services”) for companies as well as private and institutional investors. The technical service provider of the website and its domains is Invesdor INV AG, whereby Oneplanetcrowd International B.V. as the licensed entity of the Invesdor Group operates the platforms for the brokerage of financial instruments.

The Invesdor Group consists of Invesdor INV AG, Invesdor Collect GmbH and Invesdor Brokerage GmbH, each with registered offices in Berlin, Invesdor Oy and Invesdor Services Oy, each with registered offices in Helsinki, One Planet Crowd B.V. and Oneplanetcrowd International B.V., each with registered offices in Amsterdam and Invesdor GmbH with registered office in Vienna.

Data controller within the meaning of the General Data Protection Regulation (“GDPR”) and other data protection regulations is:

Invesdor INV AG

c/o Mindspace Germany GmbH

Uhlandstraße 32
10719 Berlin. Germany
+49 30 36428570
service@invesdor.com
www.invesdor.com

If your data is processed by other companies of the Invesdor Group for the provision of the Brokerage Services offered on the website or for the organisation of crowdfunding projects, these companies are deemed to be joint controllers with Invesdor INV AG.

II. Contact details of the data protection officer

The data protection officer of Invesdor INV AG is:

DataCo GmbH
Sandstraße 33
80335 Munich, Germany
+49 89 7400 45840
datenschutz@dataguard.de
www.dataguard.com
 

III. General information on data processing

1. Scope of the processing of personal data

We process personal data of the users of the services of our website ("Users") only insofar as this is necessary for the provision of a functioning website, our contents and services. The processing of personal data of the Users is primarily only carried out with the consent of the respective User. An exception applies in cases where it is not possible to obtain a prior consent and the data processing is required by regulatory reasons.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 (1)(a) of the GDPR serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1)(b) of the GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1)(c) of the GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1)(d) of the GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, and when the fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1)(f) of the GDPR serves as the legal basis for the processing.

3. Data deletion and storage period

The personal data of the data subject shall be deleted or restricted in processing as soon as the purpose of the storage no longer applies. Storage may also be legitimate if applicable legislation requires so. The data will also be deleted or restricted in processing if a storage period prescribed by the aforementioned standards expires, unless there is a legal requirement for the continued storage of the data.
 

IV. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in respect to the data controller:

1. Right to information

You may request confirmation from the controller as to whether personal data concerning you are being processed by the data controller.

If there is such processing, you can request information from the controller about the following:

1. the purposes for which the personal data are processed
2. the categories of personal data which are processed
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed
4. the planned duration of the storage of the personal data or if specific information on this is not possible, criteria for determining the storage duration
5. the existence of a right to rectification or erasure of personal data, a right to restriction of processing by the controller or a right to object to such processing
6. the existence of a right of appeal to a supervisory authority
7. any available information on the origin of the data if the personal data are not collected from the data subject
8. the existence of automated decision-making including profiling, and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject

You also have the right to request information on whether personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 of the GDPR relating to the transfer.

2. Right to rectification

You have a right of rectification and/or completion in respect to the controller if the personal data processed concerning you are inaccurate or incomplete. The controller must perform the rectification without undue delay.

3. Right to restriction of processing

You may request the restriction of the processing of personal data concerning you when at least one of following conditions applies:

• if you contest the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data
• the processing is unlawful and you refuse to erase the personal data and instead request the restriction of the use of the personal data
• the controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise or defence of legal claims
• if you have objected to the processing pursuant to Art. 21 (1) of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds

Where the processing of personal data relating to you has been restricted, those data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of an EU Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to delete

You may request the controller to erase the personal data concerning you without undue delay and the controller is obliged to erase this data without undue delay if one of the following reasons applies:

1. the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed
2. you withdraw your consent on which the processing was based pursuant to Art. 6 (1)(a) or Art. 9 (2)(a) of the GDPR and there is no other legal basis for the processing
3. you object to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) of the GDPR
4. the personal data concerning you has been processed unlawfully
5. the deletion of the personal data concerning you is necessary for compliance with a legal obligation under EU or EU Member State law to which the controller is subject
6. the personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) of the GDPR

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, taking account the available technology and the cost of implementation, to inform controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of that personal data.

c) Exceptions

The right to erasure as described above, does not exist insofar as the processing is necessary in at least one of the following situations:

• to exercise the right to freedom of expression and information
• for compliance with a legal obligation which requires processing under EU or EU Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• for reasons of public interest in the area of public health pursuant to Art. 9 (2)(h) and (i) and Art. 9 (3) of the GDPR
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, where the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
• for the establishment, exercise or defence of legal claims

5. Right to data controller’s notification

If you have exercised the right to rectification, erasure or restriction of processing in respect to the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed of these recipients by the controller.

6. Right to data portability

You have the right to obtain the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, when the following conditions apply:

• the processing is based on consent pursuant to Art. 6 (1)(a) GDPR or Art. 9 (2)(a) of the GDPR or on a contract pursuant to Art. 6 (1)(b) of the GDPR
• the processing is carried out by automated procedures
• other persons’ rights and freedoms are not adversely affected while using this right

In exercising this right, you also have the right to have the personal data concerning you transferred directly from a controller to another controller, insofar as this is technically feasible.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 (1) (e) or (f) of the GDPR. This also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. This also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

8. Right to withdraw the consent

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal.

9. Automated decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply when at least one of the following applies:

1. the decision is necessary for entering into or performance of a contract between you and the controller
2. the decision is authorised by legislation of the EU or the EU Member States to which the controller is subject and that legislation contains adequate measures to safeguard your rights and freedoms and your legitimate interests
3. the decision is done with your explicit consent

However, these decisions must not be based on special categories of personal data pursuant to Art. 9(1) of the GDPR, unless Art. 9(2) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in 1 and 3, the data controller shall take reasonable steps to safeguard your rights, freedoms and legitimate interests, including the right to obtain human intervention, to express your point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

V. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

• Information about the browser type and version used
• The operating system of the respective User
• The Internet service provider of the respective User
• The IP address of the respective User
• Date and time of access
• Websites from which the system of the respective User accesses our website
• Websites that are called up by the system of the respective User via our website
• Time zone difference from Greenwich Mean Time; content of the request (specific page); status code; amount of data transferred

This data is stored in the log files of our system. This data is not stored together with other personal data of the respective User.

2. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the computer of the respective User. For this purpose, the IP address of the respective User must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 (1)(f) of the GDPR.

3. Legal basis for the data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 (1)(f) of the GDPR.

4. Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

In the case of storage of data in log files, the data is deleted at the latest after seven days. If the data is stored longer than seven days, the IP addresses of the Users are deleted or alienated in a way that data cannot be associated to specific Users any longer.

5. Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the respective User to object.

VI. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the computer system of the respective User. When a User calls up a website, a cookie may be stored on the operating system of the respective User. This cookie contains a characteristic character string that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. The following data is stored and transmitted in the cookies:

• Language settings
• Log-in information

We also use cookies on our website that allow us to analyse the browsing behaviour of Users. The following data can be transmitted in this way:

• Search terms entered
• Frequency of page views
• Use of website functions
• Status and role of the respective User; information on the referral source; information on interactions made; frequency of page views

The User data collected in this way is pseudonymised by technical precautions. Therefore, it is no longer possible to assign the data to the calling User. The data is not stored together with other personal data of the User.

2. Purpose of the data processing

The purpose of using technically necessary cookies is to simplify the use of websites for Users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. We need cookies for the following applications:

• Adoption of language settings
• Enabling log-in, service provision and registration

The User data collected through technically necessary cookies are not used to create User profiles.

Analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer.

3. Legal basis for the data processing

The legal basis for the processing of personal data using technically unnecessary cookies is Art. 6 (1)(a) of the GDPR.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1)(f) of the GDPR.

4. Duration of storage

Cookies are regularly stored by the Users’ browser until manually deleted by the User. This also applies to opt-out cookies, which are set to prevent tracking measures.

5. Possibility of objection and removal

Cookies are stored on the computer of the respective User and are transmitted to our website by the User. Therefore, you as the User have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

VII. Newsletter

1. Description and scope of data processing

On our website, you have the option of subscribing to a free newsletter. When registering for the newsletter, the following data from the online form is transmitted to us:

• Email address
• Last name
• First name
• IP address of the calling computer
• Date and time of registration
• Country of residence

The data is used exclusively for sending the newsletter as well as surveys. No data is passed on to third parties.

2. Purpose of the data processing

The collection of the email address of the respective User serves to deliver the newsletter as well as surveys.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.

3. Legal basis for the data processing

The legal basis for the processing of data after registration for the newsletter by the User is Art. 6 (1)(a) of the GDPR if the User has given his/her consent.

4. Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. The email address of the respective User is therefore stored as long as the subscription to the newsletter is active.

5. Possibility of objection and removal

The subscription to the newsletter can be cancelled by the respective User at any time. For this purpose, there is a corresponding link in each newsletter as well as in the invitations to surveys.

This also enables the revocation of consent to the storage of personal data collected during the registration process.

VIII. Issue of vouchers

1. Description and scope of data processing

We may offer Users various vouchers in the form of cashback rewards as part of our promotional activities, user incentives or for customer support-related reasons. In this context, we may process the following personal data in connection with the issuance, use and management of vouchers:

• First name, last name, email address and other account details
• Voucher Information (voucher code, voucher value, expiration date, usage history)
• Transaction Data (time, location and method of voucher redemption)
• Banking or payment details

The data is used exclusively for issuing, using and managing vouchers, as well as for processing cashback payments via our bank and the user's bank. No other third parties receive the data.

2. Purpose of the data processing

The collection of personal data of the respective User serves to issue, use and manage the vouchers.

3. Legal basis for the data processing

The legal basis for the processing of data is our legitimate interest (Art. 6(1)(f) GDPR) in promoting our services and improving customer experience and the User’s consent (Art. 6 (1)(a) of the GDPR), where vouchers are issued in connection with marketing activities or newsletters.

4. Duration of the storage

We retain personal data related to a voucher for as long as necessary to fulfill its purpose: If the voucher is linked to an account, data will be stored as long as the account remains active.

5. Possibility of objection and removal

For data processed on the basis of consent, the data subject has the right to withdraw consent at any time.

IX. Email contact

1. Description and scope of data processing

On our website, it is possible to contact us via the email address provided. In this case, the personal data of the respective User transmitted with the email will be stored.

2. Purpose of the data processing

The data is used exclusively for processing the conversation. In addition, in some cases the data processing is necessary to entering into a contract.

3. Legal basis for the data processing

The legal basis for the processing of the data is Art. 6 (1)(a) of the GDPR if the respective User has given his/her consent.

The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 (1)(f) of the GDPR. If the email contact is aimed to entering into a contract, the additional legal basis for the processing is Art. 6 (1)(b) of the GDPR. If the data is stored due to retention obligations, the legal basis is Art. 6 (1) lit c GDPR.

4. Duration of the storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected and there are no other reasons or obligations to retain it.

5. Possibility of objection and removal

The User has the option to revoke his/her consent to the processing of personal data at any time. If the User contacts us by email, he/she can object to the storage of his/her personal data at any time. In such a case, the email conversation cannot be continued.

The revocation of consent and the objection to storage can be declared by email to service@invesdor.com.

All personal data stored in the course of contacting us via email will be deleted in this case:

• Email address
• Last Name
• First name

X. Job applications by email

1. Description and scope of data processing

You can send us your job application by email. We will collect your email address and the data you provide in the email.

2. Purpose of the data processing

The processing of personal data from your job application email is solely for the purpose of processing your application.

3. Legal basis for the data processing

The legal basis for the processing of the data is Art. 6 (1)(a) of the GDPR if the respective User has given his/her consent. The additional legal basis for the processing is Art. 6 (1)(b) of the GDPR when the application is aimed to entering into a contract.

4. Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

5. Possibility of objection and removal

The applicant has the possibility to object to the processing of personal data at any time. In such a case, the job application can no longer be considered.

The revocation of consent and the objection to storage can be declared by email to service@invesdor.com.

XI. Electronic signature services

DocuSign

1. Description and scope of data processing

We use the electronic signature service DocuSign provided by DocuSign, Inc., 221 Main Street, Suite 1000, San Francisco, CA 94105, USA, for the digital signing of legally binding documents, including, but not limited to, employment contracts, contractual agreements with our customers, etc. In the process, personal data such as name, email address, IP address, time of signing, and document metadata may be processed.

2. Purpose of the data processing

The use of DocuSign is necessary to efficiently and securely handle signature processes in a digital format.

3. Legal basis for the processing of personal data

The legal basis for the processing is Art. 6 (1)(b) GDPR if the use is related to the performance of a contract, and Art. 6 (1)(f) GDPR due to our legitimate interest in an efficient contract conclusion process.

4. Duration of storage

The data will be stored as long as it is necessary for documentation and verification purposes or for the performance of the contract. Statutory retention obligations remain unaffected.

5. Possibility of objection and removal

You may object to the data processing at any time by contacting us at service@invesdor.com. Further information can be found in DocuSign’s privacy policy.

XII. Social networks

Facebook and Instagram

1. Description and scope of data processing

On our company Facebook and Instagram pages, provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02 X525, Ireland (‘’Meta Platforms’’), we provide information and offer Users the opportunity to communicate with us. If you carry out an action on our Facebook or Instagram company page, it is possible that you will make your personal data (e.g. your name or your user profile picture) public. However, we cannot provide any binding information on the purpose and scope of the processing of your data, since we generally or to a large extent have no influence on the processing of your personal data by Meta.

2. Purpose of the data processing

Our presence on Facebook and Instagram is used for communication and information exchange with customers and potential customers. In particular, we use our company pages for the following purposes:

• to give information about products
• to give information about services
• advertising
• customer contact
• latest sector-specific news

Every Meta user is free to publish their personal data through their activities.

3. Legal basis for the data processing

The legal basis for data processing is Art. 6 (1)(a) of the GDPR.

4. Duration of the storage

The data generated by our company Facebook and Instagram pages is not stored in our own systems.

5. Possibility of objection and removal

You can object at any time to the processing of your personal data that we collect in the course of your use of our corporate presence on Facebook or Instagram and assert your data subject rights as set out in IV. of this Privacy Policy. To do so, send us an email to service@invesdor.com.

You can find more information about the processing of your personal data by Meta and the corresponding objection options in Meta’s privacy policy: https://www.facebook.com/privacy/policy

X (formerly Twitter)

1. Description and scope of data processing

On our company X page, provided by X International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (‘’X’’), we provide information and offer X Users the opportunity to communicate with us. If you carry out an action on our X page, it may be that you make your personal data (e.g. your name or your user profile picture) public. However, we cannot provide any binding information on the purpose and scope of the processing of your data, since we generally or to a large extent have no influence on the processing of your personal data by X.

2. Purpose of the data processing

Our presence in X is used for communication and information exchange with customers and potential customers. In particular, we use our X page for the following:

• to give information about products
• to give information about services
• advertising
• customer contact
• latest sector-specific news

Every X User is free to publish their personal data through their activities.

3. Legal basis for the data processing

The legal basis for data processing is Art. 6 (1)(a) of the GDPR.

4. Duration of the storage

The data generated by our company X page is not stored in our own systems.

5. Possibility of objection and removal

You can object at any time to the processing of your personal data that we collect in the course of your use of our X corporate presence and assert your data subject rights as stated under IV. of this Privacy Policy. To do so, send us an email to service@invesdor.com. You can find more information about the processing of your personal data by X and the corresponding objection options on X’s privacy policy: https://x.com/en/privacy

YouTube

1. Description and scope of data processing

On our company YouTube page, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, we provide information and offer YouTube users the opportunity to communicate with us. If you carry out an action on our YouTube page, it may be that you make your personal data (e.g. name or your user profile picture) public. However, we cannot provide any binding information on the purpose and scope of the processing of your data, since we generally or to a large extent have no influence on the processing of your personal data by YouTube.

2. Purpose of the data processing

Our presence in YouTube is used for communication and information exchange with customers and potential customers. In particular, we use the YouTube page for the following:

• to give information about products
• to give information about services
• advertising
• customer contact
• latest sector-specific news

Every YouTube user is free to publish their personal data through their activities.

3. Legal basis for the data processing

The legal basis for data processing is Art. 6 (1)(a) of the GDPR.

4. Duration of the storage

The data generated by our company YouTube page is not stored in our own systems.

5. Possibility of objection and removal

You can object at any time to the processing of your personal data that we collect in the course of your use of our YouTube corporate presence and assert your data subject rights as stated under IV. of this Privacy Policy. To do so, send us an email to service@invesdor.com. You can find more information about the processing of your personal data by YouTube and the corresponding objection options on YouTube’s privacy policy: https://policies.google.com/privacy

LinkedIn

1. Scope of data processing

On our LinkedIn page, provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, D02 AD98, Ireland ("LinkedIn"), we provide information and offer users the opportunity to communicate with us. The company page is used for job applications, information/PR and general marketing.

We do not have information on the processing of your personal data by LinkedIn. You can find more information on the data processing in LinkedIn’s privacy policy.

If you carry out an action on our company LinkedIn page, you may make your personal data (e.g. name or your user profile picture) public.

2. Legal basis for the data processing

The legal basis for the processing of your data in connection with the use of our company LinkedIn page are Art. 6 (1)(f) of the GDPR.

3. Purpose of the data processing

Our corporate LinkedIn page is used to inform the respective networks’ users about our services. Every user is free to publish their personal data through their activities.

4. Duration of the storage

We store your activities and personal data published via our corporate LinkedIn page until you revoke your consent. In addition, we comply with the statutory retention periods.

5. Possibility of objection and removal

You can object at any time to the processing of your personal data that we collect in the course of your use of our LinkedIn corporate presence and assert your data subject rights as stated under IV. of this Privacy Policy. To do so, send us an email to service@invesdor.com.

You can find more information on objection options on LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy

XIII. Hosting

The website is hosted on our service provider’s servers.

Our service provider is Amazon Web Services.

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The information stored is:

• Browser type and version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Date and time of the server request
• IP address

This data is not merged with other data sources. The collection of this data is based on Art. 6 (1)(f) of the GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website, for this reason the server log files must be recorded for this purpose.

The server is geographically located in Germany.

XIV. Geotargeting

We use the IP address and other information provided by the User (in particular postcode in the context of registration or usage of the website) for regional targeting (so-called "geotargeting").

Geotargeting is used for example to automatically show you regional offers or advertisements that are often more relevant to Users. The legal basis for the use of the IP address and, if applicable, other information provided by the User is Art. 6 (1)(f) of the GDPR, based on our interest in ensuring more precise targeting and thus providing offers and advertising with greater relevance for Users. A part of the IP address and the additional information provided by the respective User is only collected and not stored separately.

You can prevent geotargeting for example by using a VPN or proxy server that prevents precise localisation. In addition, depending on the browser used, you can also deactivate location localisation in the corresponding browser settings if this is supported by the respective browser. We use geotargeting on our website for the following purposes:

• Customer oriented approach
• Advertising purposes

XV. Registration

1. Description and scope of data processing

On our website, we offer Users the opportunity to register and do investments by providing personal data. After entering data into an online form, it is transmitted to us and stored. The data is not passed on to third parties. The following data is collected during the registration or investment process:

• Email address
• First name/Last name
• Address/Country of residence
• Tax residency
• Telephone/Mobile phone number
• IP address of the calling computer
• Date and time of registration
• Place/country of birth, date of birth, nationality
• Bank details
• Tax number, tax identification number, other tax related information, position in the company (for institutional investors and customers)
• Information on status as Politically Exposed Person (PEP)
• Indication whether US tax liability exists

As part of the registration and investment process, consent is obtained from the respective User for the processing of this data.

2. Purpose of the data processing

Registration of the respective User is necessary for the performance of a contract with the respective User or for the implementation of pre-contractual measures. Identification of Users is necessary for regulatory reasons.

3. Legal basis for the data processing

The legal basis for processing the data is Art. 6 (1)(a) of the GDPR if the respective User has given his/her consent.

If the registration serves the performance of a contract to which the User is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 (1)(b) of the GDPR.

4. Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

This is the case for the data collected during the registration process for the performance of a contract, or in case of implementation of pre-contractual measures when the data is no longer required for entering into a contract. Even after entering into a contract, it may be necessary for us to store personal data of the contractual party in order to fulfil our contractual or legal obligations.

5. Possibility of objection and removal

As a User, you have the option of cancelling your registration at any time in accordance with our Terms of Use. You can have the data stored about you rectified at any time. Users can request deletion by sending an email to service@invesdor.com.

If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

XVI. Anti-Money Laundering activities - Customer Due Diligence

1. Description and scope of data processing

As providers of regulated financial services, we are an obliged entity according to EU Anti-Money Laundering regulation (Directive (EU) 2015/849; “EU AML Regulation”). As an obliged entity we have to perform customer due diligence measures defined in Art. 13 of the EU AML Regulation. Depending on the country of residency of a User, customer due diligence measures include the authentication of Users together with third party providers Onfido Limited, Deutsche Post AG and Lionware GmbH. Within the authentication, the following personal data can be processed:

• Last name/First name
• Date of birth/Place of birth
• Address
• National identification number
• Nationality
• Photo
• Type of ID (e.g., identity card, passport)
• ID number
• Issuing authority of the identification document
• Place and date of issuance of the identification document
• Expiry date
• Gender
• Signature

Some Users may be required to provide additional information and documents containing personal data as part of customer due diligence activities.

The data collected by us as part of the customer due diligence may be transmitted to the contractual partners (also obliged entities under the EU AML Regulation) in accordance with Art. 17 of the EU AML Regulation.

2. Legal basis for the data processing

The legal basis for the processing of personal data is our legal obligation to comply with the due diligence obligations stemming from the EU AML Regulation. The legal basis is therefore Art. 6 (1)(c) of the GDPR.

3. Purpose of the data processing

The processing of the personal data serves exclusively the purpose of fulfilling our legal obligations stemming from the EU AML Regulation.

4. Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Mandatory legal provisions - in particular retention periods - remain unaffected.

5. Possibility of objection and removal

As the processing of personal data is required to comply with legal obligations under the EU AML Regulation, there is no right to object to this processing pursuant to Art. 21 of the GDPR. You can find more information from the privacy policies of Onfido Limited, Deutsche Post AG and Lionware GmbH.

XVII. Payment and financial services providers

secupay

1. Description and scope of data processing

We use the payment service provider secupay AG, Goethestr. 6, 01896 Pulsnitz, Germany ("secupay") to process payments in connection with our services. When using secupay, personal data such as first name/last name, bank account details and payment amount, if necessary, additional personal data may be transferred to secupay. This transmission is necessary to make the payment and to prevent fraud.

2. Purpose of the data processing

The purpose of the data processing is to enable secure and efficient processing of payment transactions and to meet regulatory requirements, such as those under the Anti-Money Laundering Directive.

3. Legal basis for the processing of personal data

The legal basis for the processing is Art. 6 (1)(b) of the GDPR when the processing is necessary for the performance of a contract. In addition, Art. 6 (1)(c) of the GDPR applies where statutory obligations (e.g., from the German Anti-Money Laundering Act) must be fulfilled. For fraud prevention and IT security purposes, the legal basis is Art. 6 (1)(f) of the GDPR.

4. Duration of storage

Personal data will be stored as long as it is necessary for the processing of the payment and in accordance with legal retention obligations (e.g., German commercial and tax law retention periods of up to 10 years).

5. Possibility of objection and removal

The processing of personal data for payment processing is mandatory for the conclusion and performance of the contract. There is therefore no possibility of objection. For further information, please refer to secupay’s privacy policy at: https://www.secupay.com/en/privacy-policy

Buckaroo

1. Description and scope of data processing

We use the payment service provider Buckaroo B.V., Europalaan 100, 3526 KS Utrecht, Netherlands (“Buckaroo”) for processing payments relating to our services. When payments are processed via Buckaroo, the following personal data may be transmitted: name, address, email address, IP address, selected payment method, transaction details (such as amount, time and status), and if necessary, bank or credit card information. The transmission of data is required to initiate and complete the payment transaction and to comply with anti-fraud and regulatory requirements.

2. Purpose of the data processing

The processing of personal data serves the purpose of secure, fast, and user-friendly processing of payment transactions between you and us. It also ensures compliance with applicable financial and regulatory standards.

3. Legal basis for the processing of personal data

The legal basis for the processing is Art. 6 (1)(b) of the GDPR for the execution of the contract. Where processing is required to meet regulatory obligations, Art. 6 (1)(c) of the GDPR applies. For fraud prevention and internal administrative purposes, the processing is based on our legitimate interest in accordance with Art. 6 (1)(f) of the GDPR.

4. Duration of storage

Your personal data will be stored for as long as necessary for the payment process and in compliance with applicable legal retention periods, especially those required under commercial or tax law (typically up to 10 years).

5. Possibility of objection and removal

Since the processing of your personal data is necessary for the execution of the payment contract and to meet legal obligations, there is generally no right to object. For more information on the handling of your data by Buckaroo, please refer to their privacy policy: https://www.buckaroo.nl/privacy

Tink (formerly FinTecSystems GmbH)

1. Description and scope of data processing

We use the open banking service provider Tink Germany GmbH, Gottfried-Keller-Str. 33, 81245 Munich, Germany ("Tink"), for payment initiation. When using Tink, personal data such as first name, last name, bank details (e.g., IBAN, BIC), transaction details (e.g., transaction number and date), and technical log data (e.g., date, time, IP address) are processed. This data is required to facilitate secure online payments. Users provide explicit consent for this processing, typically via a checkbox during the payment process. For more information, refer to Tink’s privacy policy: https://tink.com/legal/notices/

2. Purpose of the data processing

The processing enables secure and efficient payment initiation and compliance with regulatory requirements, including anti-fraud measures.

3. Legal basis for the processing of personal data

The legal basis is Art. 6 (1)(b) GDPR for the performance of a contract (e.g., investment processes). Additionally, Art. 6 (1)(c) GDPR applies for compliance with legal obligations (e.g., under PSD2). Where consent is provided (e.g., via checkbox), Art. 6 (1)(a) GDPR applies. For fraud prevention, the basis is our legitimate interest under Art. 6 (1)(f) GDPR.

4. Duration of storage

Personal data is stored as long as necessary for the payment process and in accordance with legal retention periods (e.g., up to 10 years under commercial or tax law). Tink retains data only as required for service delivery and compliance.

5. Possibility of objection and removal

As data processing is essential for contract performance and legal compliance, there is generally no right to object. You may withdraw consent where applicable (e.g., for additional features), but this does not affect processing based on other grounds. Contact us to assert your rights.

TrueLayer

1. Description and scope of data processing

We use the open banking service provider TrueLayer Limited, 2 Grand Canal Square, Dublin 2, D02 A342, Ireland ("TrueLayer"), for payment initiation. When using TrueLayer, personal data such as first name, last name, bank details (e.g., IBAN, BIC), transaction details (e.g., transaction number and date), and technical log data (e.g., date, time, IP address) are processed. This data is required to facilitate secure online payments. Users provide explicit consent for this processing, typically via a checkbox during the payment process. For more information, refer to TrueLayer’s privacy policy: https://truelayer.com/legal/privacy/

2. Purpose of the data processing

The processing enables secure and efficient payment initiation, and compliance with regulatory requirements, including anti-fraud measures.

3. Legal basis for the processing of personal data

The legal basis is Art. 6 (1)(b) GDPR for the performance of a contract (e.g., investment processes). Additionally, Art. 6 (1)(c) GDPR applies for compliance with legal obligations (e.g., under PSD2). Where consent is provided (e.g., via checkbox), Art. 6 (1)(a) GDPR applies. For fraud prevention, the basis is our legitimate interest under Art. 6 (1)(f) GDPR.

4. Duration of storage

Personal data is stored as long as necessary for the payment process and in accordance with legal retention periods (e.g., up to 10 years under commercial or tax law). TrueLayer retains data only as required for service delivery and compliance.

5. Possibility of objection and removal

As data processing is essential for contract performance and legal compliance, there is generally no right to object. You may withdraw consent where applicable (e.g., for additional features), but this does not affect processing based on other grounds. Contact us at service@invesdor.com to assert your rights.

easybill

1. Description and scope of data processing

We use an invoicing software easybill GmbH, Düsselstraße 21, 41564 Kaarst, Germany (‘’easybill’’), for invoicing and accounting purposes.

When using easybill, personal data such as name, address, email address, bank details and transaction details included in invoices, receipts or expense reports, may be processed and transmitted to easybill. Data is processed within the provider’s secure cloud environment and may be shared with accounting systems like DATEV for further processing.

2. Purpose of the data processing

The processing enables efficient management of invoices, receipts, and company expenses, as well as integration with accounting systems to ensure accurate financial administration and compliance with regulatory requirements.

3. Legal basis for the processing of personal data

The legal basis is Art. 6 (1)(b) GDPR for the performance of contracts (e.g., processing supplier or customer invoices) and Art. 6 (1)(f) GDPR for our legitimate interest in optimizing financial and administrative processes. Where applicable, Art. 6 (1)(c) GDPR applies for compliance with legal obligations (e.g., tax or commercial law retention requirements).

4. Duration of storage

Personal data is stored as long as necessary for accounting and financial purposes or to comply with legal retention periods (e.g., up to 10 years under commercial or tax law). Each provider retains data only as required for service delivery and compliance.

5. Possibility of objection and removal

You may object to processing based on Art. 6 (1)(f) GDPR pursuant to Art. 21 GDPR, provided there are grounds relating to your particular situation. As processing is often necessary for contractual or legal purposes, objections may be limited. Contact us to assert your rights.

We may disclose your personal data to external service providers, such as accounting and auditing firms, for financial administration, tax obligations and regulatory compliance purposes. These providers are required to maintain confidentiality and protect the data in accordance with applicable laws.

XVIII. Registration and custody services

As part of the investment process, we work with several specialised service providers who offer technical and regulatory services to investors. These include:

• Smart Registry GmbH, Uhlandstraße 32, 10719 Berlin, Germany (electronic securities register in accordance with the German Electronic Securities Act – eWpG)
• Tangany GmbH, Brienner Str. 53, 80333 Munich, Germany (custody of crypto assets and cryptographic keys under Sec. 1 para. 1a sentence 2 no. 6 of the German Banking Act – KWG)
• Hauck Aufhäuser Digital Custody GmbH (HADC), Kaiserstraße 24, 60311 Frankfurt, Germany (technical custody solution for digital assets via a digital safe deposit box)
• StartGreen Capital B.V., Mauritskade 64, 1092 AD Amsterdam, Netherlands (management of a collective deposit under the Dutch Securities Giro Act – SGA)

Each of these providers acts as an independent controller within the meaning of Art. 4(7) GDPR (or the respective national data protection law).

From the moment the data is transmitted to the above-mentioned providers after the subscription offer has been submitted, these providers are considered data controllers.

XIX. Project owner

The project owners (companies based in the European Union) offering the financial instruments via our platform act in their own name and under their own responsibility with regard to the processing of personal data of investors. 

From the moment the data is transmitted to the project owners after the subscription offer has been submitted, the project owners shall be deemed to be the data controllers.  

XX. Ownersportal

In the case of the Ownersportal service for managing shareholders, bondholders and option holders lists, we act only as a data processor, while the company using the service is the data controller. 

XXI. Partner programs

Furthermore, we use the following partner programs: 

Own affiliate program, FinanceAds, Daisycon
 

XXII. Content delivery programs

Fastly

1. Description and scope of data processing

We use the content delivery network (CDN) service Fastly, Inc., 475 Brannan St, Suite 300, San Francisco, CA 94107, USA (“Fastly”). A CDN is a network of geographically distributed servers that deliver website content quickly and securely. When accessing our website, your browser connects to Fastly servers, which may result in the processing of the following data:

• IP address
• Browser type and version
• Operating system
• Referrer URL
• Date and time of access
• Requested content and technical information

2. Purpose of the data processing

The use of Fastly serves to ensure fast and secure delivery of our website content, load balancing, defence against cyberattacks, and overall performance optimisation.

3. Legal basis for the processing of personal data

The legal basis is our legitimate interest pursuant to Art. 6 (1)(f) of the GDPR in ensuring the security, availability and performance of our website.

4. Transfer to third countries

Fastly may process personal data on servers in the United States. Fastly is certified under the EU-U.S. Data Privacy Framework (DPF). According to Art. 45 (1) of the GDPR, data transfers to certified U.S. companies are permissible without additional safeguards.

5. Duration of storage

Fastly stores personal data only for as long as necessary to fulfil the processing purposes and to ensure the stability and security of the CDN infrastructure.

6. Possibility of objection and removal

As the CDN is technically necessary for the provision of the website, Users do not have the option to object to this processing. Further information can be found in Fastly’s privacy policy: https://www.fastly.com/privacy

XXIII. Plugins used

Google Tag Manager

1. Scope of the processing of personal data

We use the Google Tag Manager of Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (“Google”). The Google Tag Manager can be used to manage tags from Google services and third-party providers and to embed them in a bundle. Tags are small code elements on an online presence that are used, among other things, to measure website visitor numbers and behaviour, to record the impact of online advertising and social channels, to use remarketing and targeting and to test and optimise online presences. When a User visits the website, the current tag configuration is sent to the User's browser. It contains instructions on which tags should be triggered. Google Tag Manager triggers other tags which may collect data. Information on these can be found in this Privacy Policy in the sections concerning the use of these corresponding services. Google Tag Manager does not access this data.

You can find more information on Google Tag Manager on Google’s website and on Google's privacy policy.

2. Purpose of the data processing

The purpose of the processing of the personal data is to efficiently integrate the third party services.

3. Legal basis for the processing of personal data

The legal basis for the processing of the Users' personal data is generally the consent of the respective User in accordance with Art. 6 (1)(a) of the GDPR.

4. Duration of the storage

Your personal data will be stored as long as it is necessary to fulfil the purposes described in this Privacy Policy or as required by law. According to Google, advertising data in server logs is anonymised by deleting parts of the IP address and cookie information after 9 and 18 months respectively.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and the processing of your personal data by Google by preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function on your browser, by deactivating the execution of script code in your browser or by installing a script blocker to your browser.

You can also prevent the collection of data generated by cookies and your online presence (incl. your IP address) to Google as well as the processing of this data by Google by downloading and installing a browser plugin.

You can deactivate the use of your personal data by Google on Google’s website.

You can find more information on objection and removal options on Google’s privacy policy: https://policies.google.com/privacy

Google Analytics

1. Scope of the processing of personal data

We use Google Analytics, a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (“Google”). Google Analytics examines, among other things, the origin of website visitors, the time length they spend on individual pages and the use of search engines, thus enabling better monitoring of our advertising campaigns. Google sets a cookie on your computer, which allows personal data to be stored and analysed, in particular the activity of the respective User (especially which pages have been visited and which elements have been clicked on), device and browser information (especially the IP address and the operating system), data about the advertisements displayed (especially which advertisements were displayed and whether the User clicked on them) and also data from advertising partners (especially pseudonymised User IDs). The information generated by the cookie about your use of this website will be transmitted to and stored by Google on servers in the United States. In the event that IP anonymisation is activated on the website, your IP address will be truncated beforehand by Google inside the EU or EEA member states. Only in extraordinary cases the full IP address is transmitted to a Google server in the USA and truncated there after the transmission. On behalf of the operator of the website, Google will use this information for the purpose of analysing your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You may refuse the use of cookies on your browser settings. However if you object using cookies, you may not be able to use the full functionality of the website.

Further information on the processing of data by Google can be found on Google’s privacy policy.

2. Purpose of the data processing

The purpose of processing personal data is to specifically address a target group that has already expressed an initial interest by visiting the website.

3. Legal basis for the processing of personal data

The legal basis for the processing of the Users' personal data is generally the consent of the respective User in accordance with Art. 6 (1)(a) of the GDPR.

4. Duration of storage

Your personal data will be stored as long as it is necessary to fulfil the purposes described in this Privacy Policy or as required by law. According to Google, advertising data in server logs is anonymised by deleting parts of the IP address and cookie information after 9 and 18 months respectively.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and the processing of your personal data by Google by preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function on your browser, by deactivating the execution of script code in your browser or by installing a script blocker to your browser.

You can also prevent the collection of data generated by the cookies and your online presence (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin.

You can deactivate the use of your personal data by Google on Google’s website.

You can find more information on objection and removal options on Google’s privacy policy: https://policies.google.com/privacy

Hotjar

1. Scope of the processing of personal data

We use the web analytics service Hotjar provided by Hotjar Ltd, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta (“Hotjar”). Hotjar uses, among other things, cookies that enable the analysis of your use of our online presence. This allows personal data to be stored and analysed, in particular the activity of the respective User (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system) and a tracking code (pseudonymised User ID). The information collected by this way is transmitted by Hotjar to a server in Ireland and stored there in anonymised form. Further information on the processing of data by Hotjar can be found on Hotjar’s privacy policy.

2. Purpose of the data processing

The use of the Hotjar plug-in is used to get a better understanding of the needs of our Users and to optimise our online presence.

3. Legal basis for the processing of personal data

The legal basis for the processing of the Users' personal data is generally the consent of the User pursuant to Art. 6 (1)(a) of the GDPR.

4. Duration of storage

Your personal data will be stored for as long as is necessary to fulfil the purposes described in this Privacy Policy or as required by law.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and processing of your personal data by Hotjar by preventing third-party cookies from being stored on your computer, using the "Do Not Track" function on your browser, deactivating the execution of script code in your browser or installing a script blocker to your browser.

You can deactivate the use of your personal data by Hotjar on Hotjar’s website.

Information about objection and removal options in respect to Hotjar can be found on Hotjar’s privacy policy: https://www.hotjar.com/legal/policies/privacy/

Facebook Retargeting and Instagram Retargeting

1. Scope of the processing of personal data

We use functionalities of the advertising plugins called Facebook Retargeting and Instagram Retargeting provided by Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (“Meta Platforms”).

Facebook Retargeting and Instagram Retargeting are used to carry out advertising campaigns and to interact with these campaigns. Users are reminded by Facebook Retargeting and Instagram Retargeting of products that they have searched for or viewed but have not purchased. Cookies are stored by Meta Platforms on your terminal device.

In particular, the following personal data is processed by Meta Platforms:

• Information about the activities of the respective User
• Websites accessed
• Which products have been displayed
• Which ads have been clicked on
• Device information, in particular device type and IP address
• Facebook and Instagram accounts of Users, if they are logged into Facebook and Instagram

Data is processed on servers of Meta Platforms, Inc., 1 Hacker Way, Menlo Park, California 94025, USA. Other recipients of the data are providers and service providers of Meta Platforms. Further information on the data processing by Meta Platforms can be found on Meta Platforms’ privacy policy.

2. Purpose of the data processing

We use Facebook Retargeting and Instagram Retargeting to serve ads on various platforms and to analyse how Users interact with these ads. In this way, we aim to be able to show Users personalised advertising.

3. Legal basis for the processing of personal data

The legal basis for the processing of the Users' personal data is generally the consent of the respective User in accordance with Art. 6 (1)(a) of the GDPR.

4. Duration of storage

Your personal data will be stored for as long as it is necessary to fulfil the purposes described in this Privacy Policy or as required by law.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and processing of your personal data by Meta preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function on your browser, by deactivating the execution of script code in your browser or by installing a script blocker to your browser.

Deactivating personalised advertising for Facebook and Instagram users is possible for logged-in users on Facebook’s and Instagram’s websites.

For more information on objection and removal options in respect to Facebook and Instagram can be found on Meta Platforms’ privacy policy: https://www.facebook.com/privacy/policy

LinkedIn Insight Tag

1. Scope of the processing of personal data

We use functionalities of the marketing plugin called LinkedIn Insight Tag provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). The plugin enables us to obtain information about website visitors and to run detailed campaign reports.

In particular, the following personal data is processed by LinkedIn:

• URL
• Referrer URL
• IP address truncated or hashed
• Device and browser properties as well as timestamp

Cookies from LinkedIn are stored on your terminal device. Further information on the cookies used can be found on LinkedIn’s privacy policy.

LinkedIn does not share any personal data with us, but only provides aggregated audience and ad reports. LinkedIn also offers a remarketing function that allows us to show you targeted personalised advertising outside of our website without revealing your identity.

For more information on how LinkedIn processes data can be found on LinkedIn’s privacy policy.

2. Purpose of the data processing

The use of LinkedIn Insight Tag serves us to collect information about website visitors.

3. Legal basis for the processing of personal data

The legal basis for the processing of the Users' personal data is generally the consent of the respective User in accordance with Art. 6 (1)(a) of the GDPR.

4. Duration of storage

LinkedIn User IDs are removed within seven days to pseudonymise the data. This remaining pseudonymised data is then deleted within 180 days.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and processing of your personal data by LinkedIn by preventing the storage of third-party cookies on your computer, using the "Do Not Track" function on your browser, deactivating the execution of script code in your browser or installing a script blocker to your browser.

For more information on objection and removal options in respect to LinkedIn can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy

Zendesk

1. Description and scope of data processing

We use a program provided by Zendesk GmbH, Neue Schönhauser Str. 3-5, 10178 Berlin (“Zendesk”). We use the program for email, push messages, for live chats and the FAQ centre. Cookies may be used for this purpose. The cookies enable the recognition of the internet browser. As a result, personal data can be stored and analysed, especially the User's activity (in particular, which pages have been visited and which elements have been clicked on) and device and browser information (in particular, the IP address and the operating system). From this anonymised data, User profiles can be created under a pseudonym.

2. Legal basis of data processing

The legal basis for data processing is always the consent of the respective User, Art. 6 (1)(a) of the GDPR.

3. Purpose of data processing

We use Zendesk to enable interested website visitors to communicate more easily with our customer service, particularly in the context of support topics.

4. Duration of storage

The data is deleted as soon as the purpose of its collection has been fulfilled.

5. Possibility of objection and removal

You have the right to revoke your consent at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

You can prevent the collection and processing of your personal data by Zendesk by preventing third-party cookies from being stored on your computer, by using the "Do Not Track" function on your browser, by disabling the execution of script code in your browser or by installing a script blocker to your browser.

For more information, please see Zendesk's privacy policy: https://www.zendesk.de/company/agreements-and-terms/privacy-notice/

FinanceAds and Daisycon

1. Description and scope of data processing

We use affiliate marketing services to promote our services through partner networks, provided by

FinanceAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany (‘’FinanceAds’’), a performance marketing provider specializing in financial services and Daisycon B.V., P.J. Oudweg 5, 1314 CH, Almere, Netherlands (‘’Daisycon’’), an affiliate marketing network facilitating partnerships with publishers.

These services use cookies and tracking links to measure the success of advertising campaigns, such as clicks and conversions. The cookies contain anonymized tracking IDs and do not store directly identifiable personal data. Processed data may include IP addresses, browser information, device data, and user interactions (e.g., clicks on affiliate links). Further information can be found in the respective privacy policies: FinanceAds Privacy Policy and Daisycon Privacy Policy.

2. Purpose of the data processing

The processing serves to acquire new partnerships, optimize our marketing campaigns, and track the performance of affiliate activities to enhance our service offerings.

3. Legal basis for the processing of personal data

The legal basis is Art. 6 (1)(f) GDPR, based on our legitimate interest in promoting our services through affiliate marketing. Where cookies or tracking require consent, Art. 6 (1)(a) GDPR applies, obtained through our cookie consent mechanism.

4. Duration of storage

Tracking parameters (e.g., cookies) are stored in the user’s browser for up to 90 days (FinanceAds) or as specified by the provider (Daisycon). Anonymized data may be retained longer for statistical purposes by the respective providers.

5. Possibility of objection and removal

You may object to processing based on Art. 6 (1)(f) GDPR pursuant to Art. 21 GDPR, provided there are grounds relating to your particular situation. You can prevent the use of cookies by adjusting your browser settings, enabling the "Do Not Track" function, or installing a script blocker. You may also revoke your consent for cookie-based tracking at any time via our cookie settings. The revocation does not affect the lawfulness of processing carried out prior to the revocation.

Further information can be found in the respective privacy policies of FinanceAds and Daisycon: https://www.financeads.net/datenschutz/ and https://www.daisycon.com/en/privacy-policy/

Microsoft Advertising

1. Description and scope of data processing

On our pages, we use the conversion tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. This involves Microsoft Advertising storing a cookie on your computer if you have accessed our website via Microsoft Advertising. In this way, Microsoft Advertising and we can recognise that someone has clicked on an ad, been redirected to our website and reached a previously determined target page (conversion page).

2. Purpose of the data processing

This software is used to collect data for the needs-based design of our website and for the statistical evaluation of website visits for marketing and optimisation purposes.

3. Legal basis of data processing

The legal basis of the processing is Art. 6 para. 1 lit a) DSGVO.

4. Duration of storage, objection and removal options

If you do not want information about your behaviour to be used by Microsoft as explained above, you can refuse the setting of a cookie required for this - for example, by means of a browser setting that generally deactivates the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website as well as the processing of this data by Microsoft by clicking on the following link: https://account.microsoft.com/privacy/ad-settings/signedout?lang=de-DE to declare your objection. Further information on data protection and the cookies used by Microsoft and Microsoft Advertising can be found on the Microsoft website at https://privacy.microsoft.com/de-de/privacystatement.

Google Ads

1. Description and scope of data processing

This website uses Google AdSense. This is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for the integration of advertisements. Google AdSense uses cookies. These are files which are stored on your PC and enable Google to analyse the data relating to your use of our website. Google AdSense also uses web beacons, which are invisible graphics that enable Google to analyse clicks on this website, traffic to this website and similar information.

The information obtained via cookies and web beacons, your IP address and the delivery of advertising formats are transmitted to a Google server located in the USA and stored there. Google may share this collected information with third parties if required to do so by law or if Google contracts with third parties to process the data. However, Google will merge your IP address with the other stored data.

2. Purpose of the data processing

This software is used to collect data for the needs-based design of our website and for the statistical evaluation of website visits for marketing and optimisation purposes.

3. Legal basis of data processing

The legal basis of the processing is Art. 6 para. 1 lit a) DSGVO.

4. Duration of storage, objection and removal options

You can prevent the aforementioned cookies from being stored on your PC by making the appropriate settings on your Internet browser. However, this may mean that the contents of this website can no longer be used to the same extent. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Unbounce

1. Description and scope of data processing

Unbounce, unbounce Marketing Solutions Inc, 400.401 West Georgia Street, Vancouver, BC, Canada, V6B 5A1, is a tool with which we integrate pop-ups on our website or create social media campaigns, which are intended to make it easier to subscribe to our newsletter. Your personal data is only processed if you enter it yourself. 

The following data is processed:

• First name/Last name
• Email address
• Language selection

2. Purpose of data processing

Personal data is collected in order to make it as easy as possible for users to subscribe to our newsletter and to make the service of our website as optimal as possible. 

3. Legal basis for data processing

The legal basis for the processing of the data after registration for the newsletter by the user ist Art. 6 para. 1 p. 1 lit. a GDPR if the user has given his/her consent.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected and there are no other reasons or obligations to retain it. 

5. Possibility of objection and removal

The user has the possibility to revoke his/her consent to the processing of personal data at any time by sending an email to service@invesdor.com. In addition, we refer to Unbounce's data protection declaration for further information on objection and removal options: https://unbounce.com/privacy/

Zapier

1. Description and scope of data processing

Zapier, Papier Inc., 584 Market St. #62411, San Francisco, CA 94104-5401, is an API tool that assists in the transfer of personal data entered by the user when subscribing to the newsletter via the pop-up integrated on our website by the service provider Unbounce (see above) into our newsletter distribution system.

The following data is processed:

• First name/Last name
• Email address
• Language selection

2. Purpose of data processing

Personal data is collected in order to optimise our services and user experience on our website, in particular in relation to our newsletter.

3. Legal basis for data processing

The legal basis for the processing of the data are Art. 6 para. 1 p. 1 lit. a GDPR as well as Art. 6 para. 1 p. 1 lit. f GDPR.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected and there are no other reasons or obligations to retain it.

  5. Possibility of objection and removal

The user has the possibility to revoke his/her consent to the processing of personal data at any time by sending an email to service@invesdor.com. In addition, we refer to Zapier's data protection declaration for further information on objection and removal options: https://zapier.com/legal/data-privacy 

XXIV. Communication and CRM services

Microsoft (SharePoint/Outlook)

1. Description and scope of data processing

We use Microsoft 365 services, including SharePoint and Outlook, provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, for internal communication, document management, and collaboration. In this context, personal data of employees, business partners, and customers may be processed, including names, email addresses, contact information, meeting data, and shared content. The data is processed within the Microsoft Cloud environment.

2. Purpose of data processing

The processing is necessary for the internal organization, communication, and documentation of business activities, in particular project coordination and email correspondence.

3. Legal basis for data processing

The legal basis for the use of Microsoft services is Art. 6 (1)(f) GDPR. We have a legitimate interest in ensuring efficient internal processes and secure communication infrastructure. Where necessary, data processing may also be based on Art. 6 (1)(b) GDPR for the performance of contractual relationships.

4. Duration of storage

Personal data are stored for as long as necessary to fulfill the purposes described above or as required by applicable retention obligations. Emails and documents may be archived according to statutory retention periods (e.g. commercial or tax law).

5. Possibility of objection and removal

Data subjects have the right to object to the processing of their personal data based on Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, insofar as there are grounds relating to their particular situation. However, the objection may be overridden if compelling legitimate grounds for the processing exist. Due to the essential nature of internal communication processes, this may limit the ability to comply with the objection in individual cases. Please contact us if you wish to assert your rights.

Confluence

1. Description and scope of data processing

We use Confluence, a documentation and collaboration platform provided by Atlassian Pty Ltd., with relevant data processing carried out by Atlassian, Inc., 350 Bush Street, Floor 13, San Francisco, CA 94104, USA. Confluence is used to manage internal documentation, meeting notes, project information, and shared knowledge. Personal data processed may include names, email addresses, comments, files, and access metadata.

2. Purpose of data processing

The tool supports team collaboration, knowledge management, and the centralized documentation of internal projects and communication.

3. Legal basis for data processing

The legal basis for the use of Confluence is Art. 6 (1)(f) GDPR. We have a legitimate interest in the organized and traceable handling of information relevant to internal workflows and projects. In some cases, Art. 6 (1)(b) GDPR may apply.

4. Duration of storage

Data are stored for as long as required to fulfill the intended purpose or to meet applicable legal retention obligations. Outdated content is reviewed and deleted on a regular basis.

5. Possibility of objection and removal

Data subjects may object to the processing of their data based on Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, unless overriding legitimate interests exist.

Confluence data may be transferred to and processed in the United States. Atlassian US Inc. is certified under the EU-U.S. Data Privacy Framework. According to Art. 45 (1) GDPR, this constitutes an adequacy decision by the European Commission, ensuring an appropriate level of data protection.

Asana

1. Description and scope of data processing

We use the task and project management tool Asana, provided by Asana, Inc., 633 Folsom Street, Suite 100, San Francisco, CA 941073600, USA. The tool is used internally for project planning, task assignment, and communication. In this context, personal data of employees and business contacts may be processed, including names, email addresses, task contents, comments, and attachments.

2. Purpose of data processing

The processing serves to organize internal workflows, manage team collaboration, and track project progress.

3. Legal basis for data processing

The legal basis for the use of Asana is Art. 6 (1)(f) GDPR. We have a legitimate interest in the structured and efficient organization of internal work processes. Where necessary, Art. 6 (1)(b) GDPR may apply for contract-related communications.

4. Duration of storage

Personal data are stored for as long as necessary to achieve the purposes described above or to comply with statutory retention requirements. Task-related data are regularly reviewed and deleted when no longer needed.

5. Possibility of objection and removal

Data subjects may object to the processing of their personal data based on Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, provided there are grounds relating to their particular situation. Due to operational requirements, overriding interests may apply.

Asana processes data on servers in the United States. Asana, Inc. is certified under the EU-U.S. Data Privacy Framework. According to Art. 45 (1) GDPR, this ensures an adequate level of data protection without the need for further safeguards.

Pipedrive

1. Description and scope of data processing

We use the CRM system Pipedrive, provided by Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Harju maakond, Estland, for managing customer relationships and sales activities. The tool is used by our sales department to store and manage contact details of customer representatives, including names, email addresses, phone numbers, job titles, company names, and interaction notes. The data is entered manually and used for structured lead and customer management.

2. Purpose of data processing

The processing serves to organize and document sales processes, maintain communication with business contacts, and manage customer relationships effectively.

3. Legal basis for data processing

The legal basis for using Pipedrive is Art. 6 (1)(f) GDPR. We have a legitimate interest in maintaining a professional customer relationship management system. In cases where communication relates directly to the performance of a contract, Art. 6 (1)(b) GDPR may apply.

4. Duration of storage

The data is stored as long as it is necessary to maintain the business relationship or fulfill statutory retention obligations. Data that is no longer required is regularly reviewed and deleted.

5. Possibility of objection and removal

Data subjects may object to the processing of their data under Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, provided there are grounds relating to their particular situation.

HubSpot

1. Description and scope of data processing

We use HubSpot, a platform provided by HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany, for managing contacts in our CRM system, sending newsletters and emails, organizing and documenting double opt-in processes, embedding forms (e.g. newsletter sign-ups), and analyzing the performance of marketing campaigns. In this context, personal data such as names, email addresses, IP addresses, form entries, and user interaction data (e.g. open and click rates) are processed.

2. Purpose of data processing

The processing serves to:

• maintain and manage contact information in our CRM system,
• create and send personalized emails and newsletters,
• document valid consent via double opt-in,
• collect contact data through online forms,
• and evaluate the performance of marketing activities through reporting and analytics.

3. Legal basis for data processing

The legal basis is Art. 6 (1)(a) GDPR if users give consent (e.g. for newsletter registration). Where processing supports our legitimate interest in effective customer communication and marketing, Art. 6 (1)(f) GDPR applies. If communication is necessary for contract performance, Art. 6 (1)(b) GDPR may also apply.

4. Duration of storage

Personal data is stored as long as necessary for the respective purpose or until consent is withdrawn. Contact data is reviewed regularly and deleted if no longer needed or if the data subject requests erasure, provided no legal retention obligations apply.

5. Possibility of objection and removal

Data subjects may withdraw consent at any time with future effect or object to processing based on Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, if justified by their particular situation.

HubSpot Inc. processes data on servers in the United States. The company is certified under the EU-U.S. Data Privacy Framework. According to Art. 45 (1) GDPR, this ensures an adequate level of data protection.

Typeform

1. Description and scope of data processing

We use Typeform, a service provided by Typeform S.L., Calle Bac de Roda 163, 08018 Barcelona, Spain, for the creation and distribution of online forms and surveys. Users may enter personal data such as names, email addresses, and free-text responses into these forms. In addition, technical metadata such as IP addresses, timestamps, and browser information may be collected. The collected data is stored and processed within the Typeform platform for further analysis or export.

2. Purpose of data processing

The data is processed to collect structured feedback, conduct surveys, and capture leads or contact requests in an interactive and user-friendly manner.

3. Legal basis for data processing

The legal basis for the processing of data is Art. 6 (1)(a) GDPR, provided that the data subject has given consent (e.g. by submitting a voluntary response). Where forms are used in the context of a contract or pre-contractual communication, Art. 6 (1)(b) GDPR may apply. In other cases, processing is based on our legitimate interest in obtaining feedback and contact data, pursuant to Art. 6 (1)(f) GDPR.

4. Duration of storage

Data is stored for as long as necessary to fulfill the purpose for which it was collected, or until consent is withdrawn. Exported results may be stored longer if required for evaluation or documentation, provided this is compatible with the original purpose.

5. Possibility of objection and removal

Data subjects may withdraw their consent at any time or object to processing based on legitimate interest pursuant to Art. 21 GDPR, provided there are grounds relating to their particular situation.

XXV. Email Services

Mailjet

1. Description and scope of data processing

We use the email delivery service Mailjet, provided by Sinch Mailjet SAS, 1313 bis rue de l’Aubrac, 75012 Paris, France, exclusively for sending transactional emails, such as confirmations of investments or verification messages ("Please confirm your email address").

The sending is initiated via an API interface from our platform. In this context, only the recipient’s email address and the content of the email (e.g. confirmation text, links) are temporarily transmitted to Mailjet. The service processes these data solely for delivery and deletes them afterwards. We do not maintain contact lists, segments, or carry out tracking activities within Mailjet.

2. Purpose of data processing

The processing is necessary to ensure the reliable and timely delivery of transactional system messages to users.

3. Legal basis for data processing

The legal basis for the use of Mailjet is Art. 6 (1)(f) GDPR. We have a legitimate interest in the technical implementation of system-relevant email communication. Where the communication relates to contract performance, Art. 6 (1)(b) GDPR may also apply.

4. Duration of storage

Mailjet only processes the relevant data temporarily for the purpose of sending the email. According to the provider, no permanent storage of the content or the recipient's email address takes place beyond what is technically necessary for delivery.

5. Possibility of objection and removal

Data subjects have the right to object to the processing of their personal data under Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, provided there are grounds relating to their particular situation.

As Mailjet is technically required for the delivery of essential transactional messages, objections may not be feasible in all cases. Please contact us if You wish to assert Your rights.

XXVI. Infrastructure and Security

Cloudflare

1. Description and scope of data processing

We use Cloudflare, a service provided by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, for DNS management, DDoS protection, CAPTCHA verification, domain security, performance optimization, and the delivery of static content for our website and platform. In this context, Cloudflare may process technical information such as IP addresses, browser type, operating system, referrer URL, timestamps, and the URLs accessed. This data is automatically transmitted by users' browsers when visiting our services.

2. Purpose of data processing

The data is processed to ensure the secure, stable, and efficient operation of our services, protect against abuse (e.g. bots, DDoS attacks), and improve loading performance by distributing content via a content delivery network (CDN).

3. Legal basis for data processing

The legal basis for the use of Cloudflare is Art. 6 (1)(f) GDPR. We have a legitimate interest in the reliable, secure, and high-performance operation of our website and platform.

4. Duration of storage

Cloudflare retains the processed data only as long as necessary to fulfill the stated purposes. In most cases, IP addresses and log data are stored temporarily and either anonymized or deleted shortly after processing.

5. Possibility of objection and removal

Data subjects have the right to object to the processing of their personal data based on Art. 6 (1)(f) GDPR in accordance with Art. 21 GDPR, if there are grounds relating to their particular situation. As Cloudflare is technically essential for the secure and stable provision of our services, objections may not be enforceable in every case. Please contact us if You wish to assert Your rights.

Cloudflare Inc. may process data on servers located outside the EU/EEA, particularly in the United States. The company is certified under the EU-U.S. Data Privacy Framework. According to Art. 45 (1) GDPR, this ensures an adequate level of data protection.