Privacy Policy Scalable Capital

1. Controller / contact details

In the following we inform you about the processing of your personal data carried out by Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich, Germany ("Scalable", "we" or "Controller") in connection with the use of our website, our web application and our mobile application (hereinafter collectively referred to as "App").

To exercise your rights and for further information, please contact us by e-mail at service@scalable.capital or by post at Scalable Capital GmbH, Seitzstraße 8e, 80538 Munich, Germany.

You can reach our Data Protection Officer at: privacy@scalable.capital.

Further information on Scalable Capital can be found in the legal notice.

2. General information on the processing of personal data

2.1. General information

In principle, you decide which personal data you provide to us. Within the scope of the business relationship, you are required to provide the personal data that is necessary for the initiation, implementation and termination of the business relationship and which we are legally obliged to collect and process, e.g. in accordance with anti-money laundering regulations. Without this data, we are not able to provide you with our services or functions.

2.2. Purposes and legal basis

We only process your personal data insofar as this is permissible in accordance with Art. 6 GDPR. Processing includes, for example, the collection, retrieval, use, storage or transmission of personal data. In the following, we describe the purposes and legal bases of the processing of personal data in detail.

2.2.1 Consent pursuant to Art. 6 (1) (a) GDPR

Processing on the basis of your consent in accordance with Art. 6 (1) (a) GDPR is carried out for defined purposes. You may withdraw your consent at any time with effect for the future. The withdrawal of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation.

2.2.2 Fulfilment of contractual obligations or measures in the context of contract initiation pursuant to Art. 6 (1) (b) GDPR

We process personal data in accordance with Art. 6 (1) (b) GDPR in the context of contract initiation and fulfilment. This primarily includes processing that is directly related to the opening and provision of your account with us. Further information on the scope and purposes of the respective processing depending on the specific product can be found in the corresponding contractual documents.

2.2.3 Compliance with legal requirements pursuant to Art. 6 (1) (c) GDPR

As a financial institute, we are subject to numerous legal requirements arising from, for example, the German Money Laundering Act (GwG), the German Banking Act (KWG), the German Securities Trading Act (WpHG) or tax laws as well as banking supervisory requirements (e.g. from institutions such as the Federal Financial Supervisory Authority, the German Bundesbank, the European Central Bank or the European Banking Authority). The processing of personal data to fulfil legal requirements includes, for example, identification checks, the fulfilment of tax law controls and reporting obligations, the handling of client complaint procedures, fraud and money laundering prevention as well as the assessment and management of risks within the institution. At the request of the authorities, we are authorised to report the transactions carried out by our clients to these authorities.

2.2.4 Legitimate interests pursuant to Art. 6 (1) (f) GDPR

Where necessary, we process your personal data in accordance with Art. 6 (1) (f) GDPR to protect our legitimate interests or those of third parties beyond the actual fulfilment of the contractual relationship. Processing is carried out for the following purposes, for example:

  • Testing and optimisation of procedures for demand analysis and client segmentation,
  • Performing direct marketing activities or market research on our products and services, to the extent permitted and provided you have not objected to the use of your data in this regard,
  • Assertion and enforcement of legal claims and defence in legal disputes,
  • Ensuring the IT security, IT operations and IT infrastructure of Scalable Capital,
  • Prevention and investigation of criminal offences,
  • Measures for business management and development of services and products,
  • Ensuring the compliance and security of business processes,
  • Financial and risk management, including the regular review of internal risk models,
  • Providing personal analyses, evaluations and statistics (e.g. year-end recap), or
  • Data exchange with credit agencies (e.g. Creditreform) to determine creditworthiness and default risks.

2.3 Processing of personal data of third parties

We process personal data of persons who are in contact with us but are not our clients. This includes, for example, authorised representatives, legal guardians, payees, legal representatives, visitors to our website or other persons involved in a transaction. We process the data on the basis of our legitimate interest in providing our services to our clients and to fulfil our legal obligations.

3. Processing of your personal data when accessing our website and apps

3.1. Hosting

For hosting the database and web content, we use Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg ("AWS"), a subsidiary of Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA, as a data processor. The data is stored exclusively in a German data centre in Frankfurt am Main, which meets the highest security standards. In addition, we have agreed corresponding EU standard contractual clauses with Amazon Web Services, Inc. in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914. In conjunction with additional technical and organisational measures to ensure an adequate level of protection, it is guaranteed that the EU data protection requirements can also be met when processing data in the USA.

3.2. Use of our website for information purposes

When you visit our website, we process access data that is stored in so-called log files. The following personal data is processed automatically in the course of this:

  • IP address of the requesting device
  • Type of web browser used
  • Language of the web browser used
  • Version of the web browser used
  • Operating system and its version
  • Date and time of the visit
  • Time zone difference from Greenwich Mean Time (GMT)
  • Access status / HTTP status code
  • Amount of data transferred
  • Web page visited
  • Referrer
  • Web pages that are called up by the visitor's system via our website
  • Internet service provider of the user

The processing of this data is carried out in accordance with Art. 6 (1) (f) GDPR due to our legitimate interest in being able to properly display the website to you as well as to defend against attacks and for the purpose of the security of our systems. The log files are deleted or anonymised immediately after they are no longer required to achieve the aforementioned purposes, but at the latest after 14 days.

3.3. Use of cookies, tracking tools and third-party services on our websites and apps

3.3.1 General information

We use cookies and similar technologies, such as pixels, on our website. Cookies are small text files that are stored on your end device and process device-specific information. There are session-based and persistent cookies. While session-based cookies are deleted immediately at the end of a browser session, persistent cookies enable the settings you have selected to be saved for a longer period of time. Persistent cookies are used to provide you with the most pleasant user experience possible. We use our own code in our apps and also utilise software development kits ("SDKs"). An SDK is provided by our partners and contains code parts that execute certain functions.

The storage and reading (so-called "tracking") of information, e.g. through the setting of cookies or the integration of SDKs on users' end devices, is only permitted on the basis of legal requirements with the express consent of the user (Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR). Insofar as the storage and processing is absolutely necessary for the performance of our services, no consent is required in accordance with Section 25 (2) TDDDG. The further processing takes place in each case according to Art. 6 (1) (f) GDPR for purposes that outweigh the protection of your data or are in your interest, such as fraud prevention, improving IT security and improving our digital services. If the processing of the following services is based on your consent, you can withdraw your consent at any time with effect for the future and manage and adjust this in the data protection settings.
For further general information on the cookies, tracking technologies and SDKs used, please refer to the Cookie Policy. You can also manage your consent and settings there.

3.3.2 Login to the personal area

To enable you to use our services securely, we use Auth0 Inc, 10800 NE 8th Street, Ste. 600, Bellevue, WA, 98004, USA ("Auth0") as a data processor. For this purpose, Auth0 processes your e-mail address and password together with your IP address, the geolocalisation data derived from the IP address, time stamps and the device information in accordance with Art. 6 (1) (b) GDPR.

To further protect the access to your account from criminal activities and access by third parties, we implement various measures. As part of the registration process, we analyse the IP address, the location of the requesting device and access metadata (e.g. date and time of the request, information about the end device or action performed). In addition, we use the functions of Auth0 to monitor at regular intervals whether your login credentials have been part of published third-party security breaches. We immediately notify you in case of any suspicion or in case your access data was part of such a security breach to assist you in changing your login credentials. In these cases, we have a legitimate interest in the processing of the corresponding personal data in accordance with Art. 6 (1) (f) GDPR.

Auth0 does not have access to any other personal data at any time. Your data is encrypted at all times and processed exclusively within the European Union (EU). In individual cases, however, a transient processing of data in the USA cannot be ruled out. As an additional measure, we have agreed corresponding EU standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021. You can view this Implementing Decision (EU) 2021/914, including the EU standard contractual clauses used, via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

3.3.3 Authentication mechanisms

As part of the registration process and for authentication purposes, we use Futurae Technologies AG, Eichstrasse 23, 8045 Zurich, Switzerland ("Futurae") as a data processor. To activate two-factor authentication on the mobile device, Futurae processes personal data such as IP address, device data, browser information and your telephone number stored with us. The transfer of the aforementioned data to Switzerland is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR. You can access the relevant adequacy decision at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518.

3.3.4 Consent Management Service

On our website and in our apps, we use the Consent Management Service of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany ("Usercentrics") to inform you about cookies, similar technologies and SDKs used by us and to ensure that these are only set or activated in accordance with applicable law and, if necessary, only with your consent. In connection with the collection of your consent, we process your IP address, opt-in and opt-out data, referrer URL, user agent, user preferences, consent ID, time of consent, consent type, template version and banner language. Your consent is stored in relation to a Usercentrics Consent ID. The use of Usercentrics is necessary so that we can comply with the legal requirements for the setting of cookies and in particular the applicable requirements for the documentation of consent. The data is processed on the basis of § 25 (2) no. 2 TDDDG in conjunction with Art. 6 (1) (c) GDPR.

Further information on data protection when using Usercentrics can be found here https://usercentrics.com/privacy-policy/.

3.3.5 Comfort settings (e.g. language settings)

In order to be able to display content such as your country and language settings as desired, we use session-based or persistent cookies. Your country settings will be deleted as soon as your browser session has ended. Your language settings are saved for a maximum of one year. The legal basis for the processing of these cookies is § 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR.

3.3.6 Performance Monitoring

We use DataDog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018, USA ("DataDog") as a data processor to collect information about the performance of our website and any technical malfunctions that may occur. For this purpose, DataDog sets up a cookie for the browser session and collects geolocation, device, and operating system data of the user of our website and apps. We process the aforementioned data in accordance with § 25 para. 2 TDDDG in conjunction with Art. 6 (1) (f) GDPR in order to ensure the security of our platform for the provision of our services and to minimise a possible risk of damage. Your personal data will be deleted after 15 days. For analysis purposes, we collect and process additional usage data on the basis of your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
Corresponding EU standard contractual clauses were concluded in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as an appropriate guarantee for data processing in non-European countries. You can view this implementing decision (EU) 2021/914, including the EU standard contractual clauses used, via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

3.3.7 Cyber Security Incident Monitoring

We use DataDog as a processor to process information for the purposes of detecting and responding to cyber security incidents. For this purpose, we process login data incl. email address, IP address, device information and geolocation data derived from the IP address of the user when accessing our apps. We process the above data on the basis of our legitimate interest to ensure and maintain IT security in accordance with Art. 6 (1) (f) in conjunction with Art. 32 GDPR. Your data will be deleted after 15 days unless it is required for forensic analysis and investigations.

3.3.8 Friendly Captcha (Bot/ Spam Protection)

We use the "Friendly Captcha" service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany, to prevent the use of our website and apps by automated programmes and scripts (so-called "bots"). For this purpose, a program code from Friendly Captcha has been integrated in order to pose a calculation task to the respective device of the visitor. Depending on the result of the calculation, the respective request, such as the client login or newsletter sign-up process, will be processed or rejected. Friendly Captcha does not set or read any cookies on the visitor's end device. Collected IP addresses are processed in hashed (one-way encrypted) form.
This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 para. 1 lit. f GDPR to ensure the security and reliability of the website and apps and to protect them from abusive access by bots, i.e. spam protection and attacks (e.g. through mass requests). If personal data is stored, this data is deleted within 30 days.
Further information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.

3.3.9 Push Notifications/ messages

We use push notifications to inform you, for example, about the successful execution of orders, when price alerts have been reached or when your deposit has been received. For this purpose, a device token from Apple or a registration ID from Google is assigned. These are encrypted, anonymised device IDs. The sole purpose of their use is to provide push services. For this purpose, we use the "Simple Notification Service" from AWS as well as the Firebase Cloud Messaging Service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for devices with an Android operating system. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR in order to be able to display informative push notifications on your device. You can activate and deactivate this function at any time in your device settings.

3.3.10 Phrase over the Air

Using "Phrase over the Air", we can update notices and information texts in our apps automatically and in real time. The updates are transferred to the apps without the need to update to a new app version. In this context, we process device identification data and the version of the installed app. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to ensure that the information and information texts in disclaimers, FAQs or information boxes are correct and up-to-date.

3.3.11 Google Firebase Crashlytics

We use "Google Firebase Crashlytics" to ensure the stability of the apps and to make improvements. Information about the device used and the use of our apps, such as user ID, device model, operating system version, app version, timestamp of the message, is collected and processed. This generates so-called "crash reports", which contain information about problems and crashes. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to provide you with functional apps and to fix stability problems.

3.3.12 Google Firebase Remote Config

The "Google Firebase Remote Config" service enables us to activate new features in our apps and configure content without having to download the apps again from the respective app stores. In this context, we process the device identification data, such as the version and type of operating system or the device model. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR to ensure the stable and secure operation of our apps.

3.3.13 Google Tag Manager

We use “Google Tag Manager” as a tag management platform that enables us to manage and trigger tracking services and customised tracking tags based on the consent given. This data is processed in accordance with Section 25 (2) TDDDG in conjunction with Art. 6 (1) (f) GDPR.

3.3.14 Google Firebase Performance Monitoring

We use the "Google Firebase Performance Monitoring" service to collect performance data in our apps and then check and analyse it. The service helps us to understand in real time where the performance of our apps can be improved. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.15 Google Analytics

We use "Google Analytics" to analyse the use of our website and apps. For this purpose, cookies are set in the browser or the "Google Analytics for Firebase" service is used in our apps to collect and analyse information about the use of and interactions with our website and apps and to compile reports on the corresponding activities. We use this data to make user-orientated improvements, among other things. The data processing is based on a pseudonymous identification number. In addition, the following metadata is derived from IP addresses: City including the derived latitude and longitude of the city, continent, country, region and subcontinent. For access originating from the European Union (EU), IP address data is only used to derive location data and then deleted immediately. It is not logged, accessible, or used for any additional use cases. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.16 Google Ads

In order to check the effectiveness of our adverts placed via “Google Ads”, we use conversion tracking on our website. When you click on an ad placed by Google, a cookie for conversion tracking is set on your device. These conversion-cookies lose their validity after 30 days and do not allow any direct conclusions to be drawn about an individual user. As long as the cookie is valid, we can track whether a person has clicked on an advert placed via Google Ads to reach our website. We can use conversion cookies to measure the effectiveness of our advertising measures. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 para. 1 TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.17 Google Maps

The use of “Google Maps” allows us to provide users with suggestions and functions for automatically completing the form when they enter address information, thereby improving user-friendliness in the registration process and when changing personal information. By using Google Maps, your location data and IP address will be forwarded to Google, and this data will be collected and processed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.18 Google Firebase A/B Testing

The service “Google Firebase A/B Testing” allows us to test changes to the user interface of our apps, features or engagement campaigns before we fully roll out changes. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.19 YouTube

We have embedded videos on our website via “YouTube”, which is provided by Google. After clicking on a video, device information, IP address and the information that you have watched the video are transmitted to YouTube. If you are logged in to YouTube, this information is also assigned to your user account with YouTube. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
You can find more details on the processing of your personal data by YouTube in YouTube's data protection information at https://policies.google.com/privacy. You can find a general option to object to the processing of your data by Google here: https://tools.google.com/dlpage/gaoptout?hl=en.

3.3.20 Affiliate programs (financeAds and NetSlave)

We cooperate with financeAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany, financeAds International GmbH, Hardenbergstr. 32, 10623 Berlin, Germany (both hereinafter collectively referred to as "financeAds") and NetSlave GmbH, Simon-Dach-Str. 12, 10245 Berlin, Germany ("NetSlave") in order to reach new clients through advertising partners. FinanceAds and NetSlave are affiliate networks, which enable commercial operators of websites to display advertisements, which are usually remunerated via click or completion fees, on websites of third parties (so-called affiliates). Via the affiliate network, an advertising medium, e.g. an advertising banner or text link, is made available, which can be integrated by an affiliate on its own internet pages. We use the "Scalable Capital - Marketing" cookie on our websites to measure the effectiveness of the advertising material and to process the remuneration of affiliates. In this way, we record the time at which a specific advertising medium was clicked on from a terminal device and process additional device information. In addition, an individual sequence of numbers is stored, which cannot be assigned to the individual user by the affiliate partner, with which the affiliate program of an affiliate, the publisher, and the time of the user's action (click or view) are documented. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

Further information on data protection at financeAds can be found at https://www.financeads.net/aboutus/datenschutz/ and at NetSlave at https://www.netslave.de/datenschutz-2019.html.

3.3.21 Scalable Analytics and Custom Event Tracking

Within our apps, we collect so-called event data in order to be able to analyse user interactions with our apps and offers. Event data includes, for example, clicks on certain buttons, form submissions and/or scroll events. We process the data collected for internal analysis purposes. The data can also be forwarded to third parties, such as Google, and processed there. We also use this data as a basis for improvements to our user interfaces and services and to optimise our marketing activities, internal processes and as part of risk management, e.g. for fraud prevention. The processing may include the creation of user profiles. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.22 Meta

We use the "Meta Pixel" and "Meta Conversion API" services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta") to place our marketing campaigns in a targeted manner with Meta and within the services of the partners cooperating with Meta (so-called "Audience Network", see: https://www.facebook.com/audiencenetwork/). This allows us to target marketing campaigns to people who have already visited our websites and apps or who have certain characteristics, such as an interest in certain topics or products. In addition, we can determine the effectiveness of our marketing campaigns by recording certain actions (so-called "events") that take place on the website or within the app. This includes, for example, registration, completion of the identification process, conclusion of a customer contract and the first transaction (so-called "conversions"). The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

The collection and transmission of event data (but not the further processing of the data) is the joint responsibility of Meta. A special agreement has been concluded with Meta for this purpose (available at: https://www.facebook.com/legal/controller_addendum), in which, among other things, the security measures to be fulfilled (available at: https://www.facebook.com/legal/terms/data_security_terms) and the responsibility in the fulfilment of the rights of data subjects (i.e. users can, for example, send requests for information or deletion requests directly to Meta) are regulated.
Joint processing is carried out for the following purposes:

  • Display of content advertising information that corresponds to the presumed interests of users;
  • Delivery of commercial and transactional messages (e.g., targeting users via Facebook Messenger);
  • Improve ad delivery and personalization of features and content (e.g., improve the identification of which content or advertising information is likely to be of interest to users).
For more information visit https://www.facebook.com/legal/controller_addendum.

If Meta provides us with analyses and reports in aggregated form and without details of individual users, this processing is carried out on the basis of our data processing agreement with Meta. Further information on the data processing agreement can be found at https://www.facebook.com/legal/terms/dataprocessing and https://www.facebook.com/legal/terms/data_security_terms.

3.3.23 LinkedIn Insight Tag

We use the "LinkedIn Insight Tag" from LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Via the LinkedIn Insight Tag, we receive aggregated and anonymised evaluations of our advertising campaigns on LinkedIn and additionally aggregated and anonymised information on how users interact with our websites and apps. We use the information to understand the effectiveness of our marketing campaigns, to evaluate them and to present corresponding content in our adverts on LinkedIn. The LinkedIn Insight Tag is used to collect data about users' visits to our website, including URL, referrer, IP address, device and browser characteristics, timestamp and page views. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

You can object to the collection of data generated by the cookie and its processing by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Further information can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

3.3.24 Microsoft Advertising Remarketing

We use "Microsoft Advertising Remarketing" from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft") on our website. If you have reached our website via a Microsoft advert, Microsoft will set a so-called "conversion cookie" on the end device, with which we can track that a Microsoft advert has been clicked on, which has redirected the user to our website after a certain target page ("conversion site") has been visited beforehand. Microsoft collects, processes and uses information via the cookie, on the basis of which usage profiles are created using pseudonyms. These usage profiles are used to analyse visitor behaviour and are used to display advertisements. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
You can find more information on data protection at Microsoft in Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement.

3.3.25 TikTok

We use tracking technologies from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380 Ireland, to display targeted and personalised advertising on the "TikTok" platform and to create interest-based user profiles. We use the data to measure the effectiveness of the ads and to optimise the performance of our marketing campaigns on TikTok. We also measure conversions from TikTok advertisements in order to optimise advertisements, create target groups for future advertisements and reach users who have already carried out an event on our website again. We process this data primarily to ensure that the content of our adverts is relevant to our users. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.26 Reddit Advertising

We use tracking technologies from Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015CS, Amsterdam, Netherlands, to display targeted and personalised advertising on the "Reddit" platform and to create interest-based user profiles. We also use the data to improve future campaigns and adverts on the Reddit platform and to measure event-based conversions of Reddit adverts in order to better target adverts to our target groups. The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.

3.3.27 Adjust

In order to measure the success of our app marketing campaigns, for our own market research and to optimise our apps, we use the "Adjust" analysis technology from adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany. Adjust processes data on interaction with our advertising materials, installation and event data (e.g. start of onboarding, confirmation of onboarding email, conclusion of contract) in the context of the use of our apps and provides these as pseudonymised evaluations. For this purpose, the following data is processed from you: IT usage data (e.g. timestamp of events, assigned click timestamp, IP address), device information (e.g. your IDFA or Android ID, operating system version and type, model number and country code of the end device, internet service provider) as well as the Meta Ads ID, Campaign ID and Ads Set ID. The collected information is used for the execution and optimization of our app advertising campaigns and is additionally forwarded to corresponding providers or advertising partners (e.g. Meta, TikTok, Google). The collection and processing of this data takes place exclusively on the basis of your consent in accordance with § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR which you have given us in the course of your visit to our website or apps.
Furthermore, you can object to the collection, evaluation and use of your data at the following link: https://www.adjust.com/opt-out/.

4. Provision of our services

4.1. Registration / creation of client profile

To make use of our services, you must first register, create a client profile and open a clearing account and securities account. For this purpose, we collect your private contact and identification data (e.g. title, first and last name, address, email address, telephone number, date of birth, place and country of birth and nationality), tax data (e.g. tax number, tax residency) and reference account data (e.g. IBAN). As part of the registration process, you will also set a password for your personal access. In addition, depending on the services you use, we may collect information about your knowledge and experience in dealing with certain types of financial instruments or investment services, information about your investment objectives, including your risk tolerance, and about your financial circumstances, including your ability to bear losses. We process this data in order to be able to recommend a suitable investment strategy or to assess the appropriateness of certain financial instruments. We store your entries made during the registration process for a maximum of six months to enable you to resume your registration. The aforementioned processing is carried out in order to fulfil our legal and contractual obligations in accordance with Art. 6 (1) (b) and 6 (1) (c) GDPR.
If you have opened a custody account for the use of our services not with us, but with Baader Bank AG, Weihenstephaner Str. 4, 85716 Unterschleißheim, Germany, Baader Bank AG processes your data under its own responsibility. Information on data protection at Baader Bank AG can be found at https://www.baaderbank.de/Sonderseiten-436.

4.2. Identification process

As part of our due diligence obligations under anti money laundering law, we are obliged to identify our clients in the course of establishing a business relationship. For this purpose, we process the private contact and identification data provided by you during your registration (e.g. your name, nationality, date and place of birth, address, email address and telephone number). The identification is carried out by means of a valid identification document. We are also obliged to store the required information, a copy of the identification document and a visual and acoustic recording of the identification procedure carried out. The legal basis for the processing is Art. 6 (1) (b) and (c) GDPR, as we are obliged to provide identification in accordance with the Anti Money Laundering Act and this is necessary for the fulfilment of the contract.

For the purpose of identification, we use Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany as a data processor. We use the POSTIDENT procedure, which, in addition to identification using the online ID function ("eID"), also enables identification via video chat or in a post office. After completion of the process, Deutsche Post AG transmits to us your identification data, a copy of the identification document and a visual and acoustic recording of the identification process that has taken place, which are processed exclusively for the purpose of fulfilling the statutory obligations under German Anti Money Laundering Law. Further information on data processing as part of the POSTIDENT procedure by Deutsche Post AG can be found here: https://www.deutschepost.de/de/p/postident/postident-datenschutzhinweise.html.

For clients residing in Spain, Italy, the Netherlands and France, the identification procedure is generally carried out by Fourthline B.V., Tesselschadestraat 12, 1054 ET, Amsterdam, the Netherlands ("Fourthline"). In order to comply with regulatory requirements, it is necessary to accept Fourthline's General Terms and Conditions, which do not impose any obligations on you other than verifying your identity. As soon as you have completed the identification process, Fourthline will send us the results of the identification. We process this data for the purpose of complying with legal and contractual requirements. Information on data protection at Fourthline can be found at https://fourthline.com/privacy-statement.

We reserve the right to forward your personal contact and identification data (such as your first and last name, your address and your date of birth) to our processor Fourthline at regular intervals for comparison with sanctions lists and to check whether our clients are so-called politically exposed persons ("PEPs"). We process this data for the purpose of complying with legal and regulatory obligations pursuant to Art. 6 (1) (c) GDPR.

If you decide to identify yourself via video chat, the respective provider is obliged to ensure the authenticity of your identification document (e.g. ID card or passport). At the beginning of such video identification, your express consent pursuant to Art. 6 (1) (a) GDPR to take the photos and record the conversation is obtained. You can withdraw your consent to processing at any time by cancelling the video identification process and using an alternative method of identification.

4.3. Trading in securities and other financial instruments, asset management

In order to provide our services, in particular to process orders for securities, we process your personal data and may transfer it to third parties, such as custodian banks, other institutions or comparable institutions. The legal basis for the processing is Art. 6 (1) (b) and (c) GDPR, as this is necessary for the fulfilment of our contractual and legal obligations.

4.4 Credit offering ("Credit")

When applying for a loan as part of our credit offer and to determine the credit limit, we carry out a creditworthiness assessment. For this purpose, we use internal scoring and also forward your data to credit rating agencies. Further information on scoring can be found in the section Automated decision-making and on credit agencies in the section Recipients or categories of recipients of personal data. The legal basis for the processing is Art. 6 (1) (b) and (f) GDPR, as this is necessary for the fulfilment of our contract and due to our legitimate interest in assessing the creditworthiness and default risks.

4.5 Omnibus Trust Account

We co-operate with trustee banks for the purpose of holding trust credit balance in custody. An overview of the trustee banks with which we generally co-operate can be found on our website. You can check your account statements to see which trustee bank holds your deposits.
For the safekeeping of trust credit balance, we transmit your personal data and information on trust credit balances at the respective trustee bank for the purposes of deposit insurance. We transfer your personal data to the respective trustee bank for the purpose of fulfilling our contractual obligations in accordance with Art. 6 (1) (b) GDPR. The trustee banks process the data on their own responsibility.

4.6 Preparation of tax information

We process your financial transaction data and tax data (e.g. your personal tax identification number and tax residency) in order to calculate capital gains tax and to provide you with relevant tax-related information. For clients residing outside of Germany the overview of the taxes to be paid is prepared by KPMG AG, Badenerstrasse 172, CH-8036 Zurich, Switzerland ("KPMG"). For this purpose, we transfer internal identification numbers and financial transaction data (e.g. security number, order type, time of execution) to KPMG. The transfer of the aforementioned data to Switzerland as a third country takes place on the basis of an adequacy decision of the European Commission in accordance with Art. 45 GDPR. Further information can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518.
Please note that KPMG processes your data under its own responsibility. For more information, please see KPMG's privacy notice at: https://home.kpmg/ch/de/home/misc/privacy.html.

The legal basis for the processing of the aforementioned data is Art. 6 (1) (b) and (c) GDPR, as this is necessary for the fulfilment of our contractual and legal obligations.

4.7 Risk management, prevention, detection and investigation of criminal offences

We process the personal data collected as part of the contract initiation process or processed as part of the contractual relationship for the purposes of fraud and money laundering prevention and for risk management purposes in order to identify and assess the potential financial risks we face. In the course of our business relationship, we may request additional documents and information from you regarding the origin of the assets, such as proof of income, tax returns or account statements from other institutions. In acute cases of suspicion, we may collect further information from publicly accessible sources and take this into account in the decision-making process for blocking or releasing suspicious transactions.

The processing is carried out on the basis of our legitimate interest in averting damage to us, you or third parties as well as the assessment and management of risks in accordance with Art. 6 (1) (f) GDPR, as well as for the fulfilment of the corresponding legal obligations in accordance with Art. 6 (1) (c) GDPR. At the same time, these measures also serve to protect clients from possible unauthorised dispositions by third parties.

4.8. Compilation of statistics and analyses

We process personal data that we collect as part of the contract initiation or contractual relationship with you, as well as usage data of our products and services, on the basis of our legitimate interest in accordance with Art. 6 (1) (f) GDPR, to provide you with personal analyses, evaluations and statistics (e.g. the year-end recap) and for the purpose of analysing our current client base.

We also process this data to create anonymous statistical data sets. This processing is based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR to create forecasts and reports and to evaluate and optimise our performance and product quality. These anonymised data sets do not constitute personal data.

4.9 Communication in connection with the use of our products and services

In order to inform you about the processes related to your use of our products and services, we use emails, SMS, letters and push notifications as well as other communication channels within our apps to fulfil our contractual obligations in accordance with Art. 6 (1) (b) GDPR. For this purpose, we use the following data processors: Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany for sending emails and push notifications, Sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany for sending text messages and Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany and Deutsche Post E-POST Solutions GmbH, Vorgebirgsstraße 49, 53119 Bonn, Germany for sending letters.

4.10 General retention periods

Your personal data will be stored and processed for the duration of the business relationship. We delete or anonymise your data after the business relationship with you has been fully terminated and processed, but at the earliest after expiry of the statutory, regulatory and/or otherwise required retention periods and if the data is no longer required for the assertion, exercise and/or defence of legal claims.

As a regulated company, we are subject to various statutory recording and retention obligations, which arise primarily from the German Banking Act (KWG), the German Securities Trading Act (WpHG), the German Anti Money Laundering Act (GwG), the German Commercial Code (HGB) and the German Fiscal Code (AO). These statutory recording and retention obligations require us - depending on the applicable regulation - to store data for at least five (5) years and up to ten (10) years. These obligations also apply to processes that enable the initiation of a contractual relationship or the conclusion of a contract. The processing and storage of the data is carried out to fulfil statutory retention obligations in accordance with Art. 6 (1) (c) GDPR.

In addition, the retention periods under civil law are also relevant to determine the duration of the data retention. According to the provisions of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years. The respective legal basis for this is Art. 6 (1) (f) GDPR, as we have a legitimate interest in the preservation of evidence to secure our own legal claims.

5 Asset management (ING, Oskar and Gerd Kommer Capital)

5.1 Data processing as part of the cooperation with ING

As part of our co-operation with ING-DiBa AG, Theodor-Heuss-Allee 2, 60486 Frankfurt am Main, Germany ("ING"), ING acts as custodian bank, while Scalable Capital manages your portfolio. In order to use these services, it is necessary to open a custody account with a clearing account with ING as our cooperating custodian bank. The collection and processing of personal data for the purpose of fulfilling contractual, legal and regulatory requirements is carried out by ING under its own responsibility.
We process your personal data, such as private contact and identification data, in order to manage your securities account, e.g. to instruct you to buy and sell securities, to provide you with regular overviews and reports and to suggest investment strategies in line with your risk profile. The processing is carried out to fulfil our contractual and legal obligations in accordance with Art. 6 (1) (b) and 6 (1) (c) GDPR.

Further information on data protection at ING can be found at: https://www.ing.de/datenschutz/.

5.2 Data processing in the context of wealth management "Oskar"

"Oskar" is a trademark of Oskar.de GmbH, Gartenstraße 67, 76135 Karlsruhe, Germany, under which it operates the websites and apps under its own responsibility. Scalable Capital manages your assets, while Baader Bank AG, Weihenstephaner Str. 4, 85716 Unterschleißheim, Germany, manages the custody accounts with the clearing accounts. In order to use these services, it is necessary to open a custody account with a clearing account at Baader Bank AG as our cooperating custodian bank. Baader Bank AG processes your data under its own responsibility. Information on data protection at Baader Bank can be found at: https://www.baaderbank.de/Sonderseiten-436.
As part of the registration process, Oskar collects your private contact and identification data (e.g. title, first name and surname, address, email address, telephone number, date, place and country of birth and nationality), your tax information (e.g. tax identification number or tax residency), the IBAN of your reference account, your financial circumstances and, if necessary, the private contact and identification data of third parties such as the child or children of the account holder and forwards these to us. For written communication we use the service address service@oskar.de. This email address is made available to us by Oskar.de GmbH under a data processing agreement.

We process your data for the purpose of fulfilling the contract pursuant to Art. 6 (1) (b) GDPR in order to offer you our service and to fulfil our legal obligations pursuant to Art. 6 (1) (c) GDPR. Further information on data protection at Oskar.de GmbH can be found at: https://www.oskar.de/datenschutz/. Please note that the "Oskar" asset management service is only available to clients resident in Germany.

5.3 Data processing in the context of wealth management "Gerd Kommer Capital"

Gerd Kommer Capital ("GKC") is a brand under which Scalable Capital offers financial portfolio management. Scalable Capital manages your assets, while Baader Bank AG manages the custody accounts with the clearing accounts. In order to use these services, it is necessary to open a custody account and clearing account with Baader Bank AG as our cooperating custodian bank. Baader Bank AG processes your data under its own responsibility. Information on data protection at Baader Bank AG can be found at: https://www.baaderbank.de/Sonderseiten-436.
We are advised by Gerd Kommer Invest GmbH, Sendlinger Straße 41, 80331 Munich, Germany, on the composition and management of the portfolios. For this purpose, we exchange data with Gerd Kommer Invest GmbH. We use the service email address service@gerd-kommer-capital.de for written communication. This email address is made available to us by Gerd Kommer Invest GmbH under a data processing agreement. We process your data for the purpose of fulfilling the contract pursuant to Art. 6 (1) (b) GDPR in order to offer you our service and to fulfil our legal obligations pursuant to Art. 6 (1) (c) GDPR.

The website https://www.app.gerd-kommer-capital.de used for registration and login at GKC is technically provided by us. Within the scope of this website, we use marketing and statistics cookies. You have the option of individually consenting to the use of cookies using the Consent Management Tool. If you give your consent, this data will also be transmitted to Gerd Kommer Invest GmbH. On the website we use services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information can be found in this document in the section 3.3 Use of cookies, tracking tools and third-party services on our websites and apps.

As part of the conclusion of the contract, you can consent to receiving the newsletter by Gerd Kommer (Art. 6 (1) (a) GDPR). As part of your consent, we will transmit the e-mail address you have provided to Gerd Kommer Invest GmbH. Further information on data protection at Gerd Kommer Invest GmbH can be found at: https://gerd-kommer.de/regulatorisches/#datenschutz. Please note that the "GKC" wealth management service is only available to clients resident in Germany.

6. Client Service and support

6.1 General information on processing client enquiries

You can contact us via our service hotline, by post, our web form, the chat and by e-mail and send us an enquiry. In this context, we process the information and data you provide, including personal data such as your first name, surname, email address and telephone number and, if applicable, the time of your enquiry and the duration of your call in a ticket, in order to contact you and process your enquiry. When you use the chat, the chat log, your usage data (e.g. start and end time of request, duration of interaction, IP address), device identification data (e.g. type of operating system or device model) and event data are stored and, if applicable, assigned to your account. In order to answer your enquiries efficiently and to ensure a high level of service, user entries can be viewed by our employees during the current enquiry (so-called "session") as part of the live chat. The processing is carried out to fulfil our contractual obligations or in the context of contract initiation and execution in accordance with Art. 6 (1) (b) GDPR. Furthermore, we process the information in accordance with Art. 6 (1) (f) GDPR in order to continuously improve our customer service and support.

6.2 Information about Data Processors

Sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany, Aircall.io, Inc, 11 Rue Saint-Georges, 75009 Paris, France, Teleperformance A.E., 330 Thisseos Avenue, 17675 Kallithea, Greece, TELUS International Services Limited, Point Village, East Wall Road, Dublin 1, Ireland and Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany as processors support us in processing your enquiries. In addition, we have agreed corresponding EU standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with Salesforce, Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, based in the USA. You can view the EU standard contractual clauses used via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

6.3 Recordings of telephone conversations, analysis of client interactions and satisfaction surveys

If you contact us by telephone or take part in telephone satisfaction surveys, we will ask you for your consent before the conversation begins in accordance with Art. 6 (1) (a) GDPR to record the conversation for the purpose of quality assurance and to derive and implement measures to improve our customer experience and our products and services. You can revoke your consent to the recording of the conversation at any time by informing the agent during the conversation or by sending us your revocation after the end of the conversation via the contact options listed in the section "Your contacts". Only if you have given us your express consent to record one or more conversations will we record your conversation and link the recording to the existing history of previous conversations. Call recordings and customer interactions are used to quality assure agent performance, investigate and resolve complaints, identify training needs and maintain quality standards for customer success, and improve our customer support and products and services. We will delete your data within 30 days, provided that no other retention obligations prevent the deletion. If you have given us your consent, we will send you a questionnaire following your contact with our customer service in order to analyse the quality of our service and to derive measures for improvement (pursuant to Art. 6 (1) (a) GDPR).

7. Marketing communication, marketing campaigns and client satisfaction surveys

7.1 Marketing emails

In order to be able to send you personalised marketing content from us and our partners and to conduct client surveys to improve our products and services, we ask for your consent when you open an account or register for the newsletter. In this context, we analyse your user behaviour (e.g. recent transactions, participation in events and webinars) and use this information to provide you with personalised information that is relevant and in line with your personal interests. In addition, we have implemented pixels in our newsletter to better understand your interaction with our newsletter and our content. The processing is based on your consent (Art. 6 (1) (a) GDPR). You may withdraw your consent at any time with effect for the future. To do this, simply click on "Unsubscribe" at the end of a marketing e-mail or contact us using the contact options mentioned above. The withdrawal of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation.
To ensure that no one can register with a third-party email address, we have implemented the so-called double opt-in procedure. This means that you will receive an email after registration asking you to confirm your registration. The confirmation of the subscription to the newsletter is logged in order to be able to prove the subscription process in accordance with the legal requirements. For this purpose, we process the IP address, date and time of access in accordance with Art. 6 (1) (f) GDPR.
We use Salesforce as a data processor to send our emails. Since processing in the USA cannot be ruled out, we have agreed corresponding EU standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with Salesforce, Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, based in the USA. You can view this Implementing Decision (EU) 2021/914, including the EU standard contractual clauses used, via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

7.2 Marketing push notifications

To provide you with marketing content from us and our associated partners according to your personal interests via push notifications, we ask you for your consent when you open your account in accordance with Art. 6 (1) (a) GDPR. Your data is only processed for the purpose of sending push notifications once you have completed the registration process, logged in to the app and activated the "System Opt-In" for push notifications on the device. Your consent to receive marketing push notifications is managed on a device-by-device basis, with consent being set individually on each device. You can activate or deactivate this function at any time in your device settings. The withdrawal of consent does not invalidate the lawfulness of the processing carried out on the basis of the consent until revocation. Your consent to receive marketing push notifications is logged in order to be able to prove this accordingly. For this purpose, we process the device ID, date and time of registration of the device in accordance with Art. 6 (1) (f) GDPR. To facilitate push notifications we rely on Salesforce as a data processor. Since processing in the USA cannot be ruled out, we have agreed corresponding EU standard contractual clauses in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with Salesforce, Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, based in the USA. You can view this Implementing Decision (EU) 2021/914, including the EU standard contractual clauses used, via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.

7.3 Marketing campaigns

If you take part in one of our marketing campaigns or competitions (the respective terms and conditions apply), we process your personal data, such as first and last name, e-mail address or user ID, to carry out the marketing campaign or competition, in particular to notify you of the prize in accordance with Art. 6 (1) (b) GDPR. Depending on the respective promotion or sweepstakes, we additionally process the data listed in the corresponding terms and conditions of the campaign.
We delete personal data as soon as the campaign or competition has ended and the data is no longer required for the fulfilment of the aforementioned purposes and provided there is no other legal basis (e.g. retention periods under commercial and tax law).

7.4 Participation in beta test phases

To test individual new functions, you have the option of registering for participation in the test phase using a registration form provided for the relevant function. For this purpose, we collect your email address based on your consent in accordance with Art. 6 (1) (a) GDPR to enable you to try the feature and for us to contact you by email in the event of further inquiries. We will delete your information after the beta test phase has been completed at the latest or upon withdrawal of your consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. We will accept your withdrawal using the contact details provided.

7.5 Information for media representatives

You can register in our contact database to receive the latest press releases. To do so, please send us your email address, the media organisation for which you work and your first and last name by email to presse@scalable.capital. We process your data to inform you about current developments of Scalable Capital and to send you press releases to the e-mail address you have provided. The processing is based on your consent (Art. 6 (1) (a) GDPR). You can withdraw your consent at any time by sending an email to presse@scalable.capital or by using the contact options listed on our newsroom website at https://de.scalable.capital/newsroom. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8. Social Media

We do not use any social media plugins on our website. If our website contains icons from social media providers (e.g. Facebook, X (formerly Twitter), LinkedIn, Instagram or YouTube), we only use these for passive linking to the pages of the respective providers.
For further information, please refer to our privacy policy on our social media presences.

9. Recipients or categories of recipients of personal data

In order to offer you our products and services, your personal data is made available to internal departments that require your data to fulfil our contractual and legal obligations. We also transfer certain data to other companies affiliated with Scalable Capital, in particular Scalable GmbH, Seitzstraße 8e, 80538 Munich, Germany, and Scalable Operations GmbH, Seitzstraße 8e, 80538 Munich, Germany. External third parties, such as processors and independent controllers, may also receive data for these purposes, provided that they undertake to comply with our written instructions under data protection law.

Insofar as third parties receive and process personal data on our behalf, we have concluded data processing agreements with the respective parties and agreed appropriate guarantees to safeguard the protection of personal data. These recipients include companies and service providers to whom we outsource parts of our financial services, such as IT services (e.g. IT security, cloud service providers), text analysis services (including artificial intelligence), customer service outsourcing service providers, printing and shipping services.

According to the client contract agreed between you and Scalable Capital, we are obliged to maintain confidentiality about all client-related facts and assessments of which Scalable Capital gains knowledge. We may only pass on information about you if this is permitted or required by law, if you have given your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be the following:

  • Public bodies: Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Deutsche Bundesbank, European Central Bank (ECB) and other supervisory authorities, such as the national supervisory authorities of the EU member states in which we operate, tax authorities, judicial authorities and other authorities. Data is transmitted to fulfil our legal obligations, e.g. to combat terrorism and prevent money laundering, as well as to enforce claims or for the legal defence of claims.
  • Financial institutions or comparable institutions: depending on the contract, e.g. custodian banks, trustee banks, stock exchanges, service providers for risk assessments or clearing centres such as Clearstream Banking AG for the settlement of domestic and foreign securities transactions.
  • Credit rating agencies: As part of the overall business relationship (consisting of individual business relationships) and in particular as part of the application to conclude a credit agreement in accordance with the Special Terms and Conditions: Credit, we transmit the personal data collected to Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss, Germany ("Creditreform Boniversum"). Further information on the processing of your data by Creditreform Boniversum can be found at: http://www.boniversum.de/eu-dsgvo.
  • Research institutes: sharing data, where permitted by law, with partners such as universities and other independent research organisations that use it for their research and innovation. The data is exchanged at an aggregated level and the research results are anonymous. We carefully select the research institutes and subject them to strict requirements.

10. Transfer of personal data to third countries

We only transfer personal data to recipients in third countries if an adequate level of data protection can be established and maintained by means of the following mechanisms:

We will inform you separately about the details, if required by law.

11. Automated decision making

In the following cases, we process your data partially automatically in order to evaluate certain personal aspects and to fulfil our legal obligations. In the cases in which we use automated decision-making according to Art. 22 GDPR, we will inform you about this separately. You also have the right to request a personal review of the automated individual decision.

  • We process your data partly automatically to combat money laundering, terrorist financing and criminal offences that pose a threat to assets on the basis of legal and regulatory requirements. Data analyses, including transaction data, are also carried out for this purpose. These measures are taken in particular for your protection.
  • As part of the assessment of your creditworthiness, we use a scoring system to calculate the probability that our clients will fulfil their payment obligations in accordance with the contract. The score values determined help us to make decisions when offering certain products and payment methods and are also incorporated into ongoing risk management.

12. Your rights

Right to access: You have the right to request information about the data stored about you, its origin, recipients or categories of recipients to whom the data is disclosed, as well as the purpose of the storage (Art. 15 GDPR).

Right to rectification: You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete (Art. 16 GDPR).

Right to deletion: You can demand that we delete the personal data relating to you without delay. However, there is no right to erasure if statutory, regulatory or other sovereign retention obligations prevent erasure or if the retention serves the assertion, exercise or defence of legal claims (Art. 17 GDPR).

Right to restriction of processing: You may, under certain conditions (disputed accuracy, unlawful processing, cessation of the purpose of processing or lodging an objection), request the restriction of the processing of personal data concerning you (Art. 18 GDPR).

Right to data transfer: You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format (Art. 20 GDPR).

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is processed on the basis of Art. 6 (1) (e) or (f) GDPR. We will then no longer process your data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims (Art. 21 GDPR).

Right to complain to the supervisory authority: Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority if you are of the opinion that the processing of personal data is not carried out lawfully. The address of the supervisory authority responsible for our company is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Postfach 1349, 91504 Ansbach, Germany, phone: +49 (0) 981 180093-0, email: poststelle@lda.bayern.de.

Version: 12/2024