Privacy Notice

The entity responsible for the collection and processing of personal data in the EU is:

Moonfare GmbH

Schlesische Str. 33/34

10997 Berlin

Germany

Phone: +49 30 220 560 771

Email: [email protected]
‍

For details of the entity responsible for the collection and processing of personal data outside the EU, please see the local country sections at the end of this notice.

‍

You can contact our data protection officer at:  

mip Consult GmbH 

Attorney-at-law Asmus Eggert 

Wilhelm-Kabus-Str. 9

10829 Berlin 

[email protected]

www.sofortdatenschutz.de

We process personal data that we receive from you while using our website and, if applicable, in the course of our business relationship. 

In the case of purely informational use of our website, i.e. if you do not register or otherwise submit information to us, we only collect the personal data that your browser transmits to our server. When you access our website, we collect the following access data, which is technically necessary for us to present our website to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific website accessed), access status/HTTP status code, amount of data transferred in each case, referrer URL (previously visited page), operating system and its interface, language and version as well as type of browser software and notification of successful retrieval. 

If you undergo certain verification checks and submit identity information such as your identity card or passport, we process your personal data contained in these documents. 

Furthermore, we receive your personal data if you contact us via a contact form, chat or email, and through any associated documentation that you complete when subscribing for an interest in Moonfare. The personal data that we collect in these circumstances are, for example, name, address, e-mail address, telephone number, date of birth, passport details or other national identifier, driving license, your national insurance or social security number and income, employment information and details about your investment or retirement portfolio(s), and, if applicable, any data contained in the message that you send us. Depending on the type of request, it may be necessary to provide further data. Please note that when communicating by email, we cannot guarantee complete data security for this transmission method, so we recommend that you send information requiring a high level of confidentiality via your account on the Platform.

‍

‍

The data provided will be processed within the European Union, in the USA and Singapore. When transferring data to the USA or Singapore, we ensure that the recipients of the data are certified in accordance with the EU-U.S. Data Privacy Framework or we agree EU standard data protection clauses with recipients without certification. If we base the data transfer on the EU standard data protection clauses, we will take additional security measures in order to achieve an appropriate level of protection for your personal data. You have the opportunity to receive or view a copy of the EU standard data protection clauses. If necessary, we will obtain your express consent for the transfer of data to the USA.

In accordance with Art. 15 GDPR, you have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where they are being processed, to access the personal data. In this case, we will provide you with the stored personal data. You also have the right to the information specified in detail in Art. 15 para 1 GDPR. However, the aforementioned right is not unlimited; the right to obtain a copy of your personal data shall not adversely affect the rights and freedoms of others under Art. 15 para 4 GDPR.

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to completion of incomplete personal data in accordance with Art. 16 GDPR.

You have the right to obtain the erasure of personal data concerning you without undue delay in accordance with Art. 17 GDPR. The right to erasure (“right to be forgotten”) is not unrestricted. In particular, erasure cannot be demanded, if we need to process your personal data further in order to perform our contract, to fulfil a legal obligation or to assert, exercise or defend legal claims. The requirements and restrictions of the right to deletion are set out in detail in Art. 17 GDPR.

You have the right, in accordance with Art. 18 GDPR, to request that the processing of your personal data be restricted if one of the conditions of Art. 18 para 1 GDPR is met. In this case, we may continue to store this data, but may process it only under strict conditions. The conditions and restrictions of the right to restrict processing are set out in detail in Art. 18 GDPR.

Pursuant to Art. 20 GDPR, you have a right to data portability. You may request to receive the personal data provided by you, which we process in an automated process on the basis of the contract existing between us or your consent, in a structured, common and machine-readable format. In addition, you may request us to transmit this data directly to another responsible party, insofar as this is technically feasible. The requirements and restrictions of the aforementioned rights can be found in detail in Art. 20 para 3 and 4 GDPR.

You can withdraw your consent to the processing of your personal data at any time. Please note that the withdrawal only takes effect for the future and does not affect the legality of the processing carried out based on the consent up to the withdrawal.

Information about your right to object according to Art. 21 GDPR 

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 para 1 (e)GDPR (data processing in the public interest) and Art. 6 para 1 (f) GDPR (data processing based on balancing of interests); this also includes profiling under these provisions within the meaning of Art. 4 (4) GDPR.

If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the purposes of asserting, exercising or defending legal claims.

In individual cases and where we have obtained your consent to do so (unless any applicable legal exemption to obtaining such consent applies), we may process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. 

Objections do not require a particular form and no costs are incurred, other than the transmission costs according to the basic tariffs. If possible, any objection should be addressed to the above-mentioned address or email.

The above notifications and measures requested by you will be made available to you free of charge in accordance with Art. 12 para 5 GDPR.

You have a right to complain to a data protection supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR or any other applicable data protection laws, without prejudice to any other administrative or judicial remedy. We would, however, appreciate the chance to deal with your concerns before you approach the relevant data protection or other supervisory authority so please contact us in the first instance.

In the context of accessing our website or in the context of contacting us by form or e-mail, we do not use any fully automated decision-making pursuant to Article 22 GDPR. Should we use these procedures in individual cases, we will inform you about this separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (profiling). 

‍

You must provide the personal data that is required for the use of our website for technical or IT security reasons in order to use our website. If you do not provide this data, you will not be able to use our website.

When contacting us by form or e-mail, you only need to provide the personal data that is required to process your request. Otherwise we will not be able to process your request.

When you enter into a business relationship with us, you must provide the personal data that is required for the establishment, performance and termination of a business relationship or that we are required to collect by law. Without this data, we usually have to refuse to conclude a contract or can no longer fulfill an existing contract and may have to terminate it.

For the creation of a Moonfare account we collect the following data: First and last name, phone number, email address, date of birth, nationality      and investment preference. The registration process takes place in two stages. When you submit the form, we send you an email asking you to confirm the registration and to set a secure password. We then use a questionnaire to collect information about your professional background and verify your identity.

We log the registration in order to be able to provide proof of the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. The logging of the registration process is based on our legitimate interests according to Art. 6 para. 1 (f) GDPR.

The Questionnaire is an important part of our assessment process to determine whether potential investors are suitable for Moonfare's financial products and is based on applicable securities laws and regulations. 

Based on legal requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority -BaFin), we are obliged to establish your identity. 

For the purpose of identification, we process the personal data you provide (name, date of birth, address, e-mail address, telephone number) for verification. Finally, during the identification procedure, photos of you and your identification document (passport, ID card) are taken via the camera of your device. 

The identification procedure is carried out on our behalf by "NECT" (Nect GmbH, a company with its registered office at Großer Burstah 21, 20457 Hamburg, Germany), who specialize in this area. The data processing by NECT is carried out as a service provider/contract processor and NECT is also obliged to comply with all applicable data protection regulations.

We would like to point out that it is not possible to become a customer with us without such identification procedure. A personal identification on site is not possible, also sending a copy of an ID card is not sufficient. The reason for this is the legal regulations.

You can find more information about the data processing within the identification procedure in the Privacy Notice of NECT: https://nect.com/en/data-protection/

Moonfare uses multi-factor authentication provided by "Okta" (Okta UK Limited, a company with its registered office at 20 Farringdon Road, ECIM 3HE, United Kingdom). 

Multi-factor authentication verifies the user’s identity in multiple steps using different methods and provides another layer of security on top of the login credentials. For multi-factor authentication, Okta accesses the username and password of the person logging in and creates a cookie with a security token. With the help of this security token, Okta checks whether the respective person has access rights for the respective app. 

The legal basis for the use of this cookie is Art. 6 para. 1 (b) GDPR and our interest in the data security of our platform Art. 6 para. 1 (f) GDPR.

Within this process the collected data is also transferred by Okta to the USA. Please note that the protection of personal data in the USA does not correspond to the level of data protection required by the UK/EU/EEA. In particular, there is a lack of enforceable rights that safeguard the protection of your data against access by government agencies. Thus, there is a risk that these government agencies can access the personal data without the data transmitter or the recipient being able to effectively prevent this. 

You can find out more about Okta’s privacy policy here: https://www.okta.com/privacy-policy/ .

We use Zoom (Zoom Video Communications Inc., a company with its registered office at 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA) to record and analyze order-related telephone and video calls and electronic communications with potential and existing customers. 

We are required by regulatory obligations to record telephone calls and electronic communications (so-called taping) that directly relate to the conclusion of a transaction with you or that are intended to result in such a transaction. The legal basis for this is Art. 6 para 1 sentence 1 lit. c GDPR; Sec. 83 para 3 Securities Trading Act (WpHG); Art. 16 para 7 Markets in Financial Instruments Directive (MiFID II). The legal basis for analyzing the call is Art. 6 para. 1 (b) GDPR.

Within this process the collected data is also transferred by Zoom to the USA. Zoom is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. 

In this context, we store the correspondence associated with the order (e-mail and recorded telephone call). This includes the processing of the following data: First and last name, company, position, telephone number, e-mail address, birth date, transaction-related information, e.g. number of transaction, investment preference, bank information, etc. We also process data relating to the monitoring of the business relationship, such as usage, login, and device information about users and prospective users (connection data, technical and aggregate usage data, such as user agent, IP addresses and approximate location information based on those IP addresses, device data (such as type, operating system, device ID, browser version, locale used, and language settings), activity logs, and session records.

We have entered into a data processing agreement with Zoom in accordance with Art. 28 GDPR. In this contract, Zoom contractually undertakes to ensure the security of the information, systems and services with the help of appropriate technical and organizational measures.

For further details, we refer you to the "Zoom Global Data Processing Addendum", which you can access at https://zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf

In Exhibit A of this document, you can find, among other things, a list of personal data collected by Zoom. Exhibit B describes the data security and control requirements provided, and Exhibit C contains the wording of the data processing contract.                                             

We ourselves and the service providers we use process personal data on this website and use cookies and similar technologies, such as web storage or web beacons, in this context. These technologies can store information on your device or access information that is stored on your device (so-called client-based tracking).

Cookies are stored in the browser on the user's end device. They contain information that is stored about a visited page. The cookie is either sent to the browser by the web server or generated in the browser by a script (JavaScript). The web server can read this cookie information directly on subsequent visits to this page or transmit the cookie information to the server via a script on the website. If cookies are set, they generally collect and process certain user information such as browser and location data and IP address values to an individual extent. Some of these cookies are essential for the functioning of our website, while other cookies help us to improve our website by providing us with insights into how you use the website.

With web storage, information is stored locally in the cache of your browser. The stored information is either automatically deleted again after the browser window is closed ("session storage") or remains there so that it can be read again when you visit the website again ("local storage"), unless you delete your browser cache ("browser data"). 

Web beacons are 1×1 pixel-sized graphics that are integrated into websites or emails (newsletters) in various ways and are also used to collect and analyze user data.

You can prohibit the storage of cookies individually via the settings of your browser (you can find out how to set the cookie handling on the browser's help page). You can find help on cookie management in the most common browsers at the following addresses:

Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-loeschen-daten-von-websites-entfernen

Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies

Google Chrome: https://support.google.com/accounts/answer/61416?hl=de 

Opera: http://www.opera.com/de/help 

Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE

Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09.

Please note that deactivating cookies can lead to functional restrictions on this website.

We will inform you about the specific use of the above-mentioned technologies and the scope of the information collected in each case in the following paragraphs.

15.1 Google Analytics 

Google Analytics 4 is a service provided by Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) hereinafter "Google". Based on your consent, Google Analytics uses targeting cookies that are stored on your device and can be read by us. If individual pages of our website are accessed, the following data is stored:

• three bytes of the IP address of the accessing system ("anonymizeIP");
• the website accessed;
• the website from which you accessed the page on our website (referrer);
• the subpages that are accessed from the accessed page;
• the time spent on the website;
• the frequency with which the website is accessed.

Google processes the data for us to evaluate the use of our Website by the users, to create reports about the activities within our Website and to provide further services connected with the use of our Website. We use this data to make user-oriented improvements to the design of our online presence. In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address will be shortened by Google within EU/EEA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Google is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. Since Google servers are distributed worldwide and a transfer to third countries (for example to Singapore) cannot be completely ruled out, we have also concluded the EU standard contractual clauses with the provider.

Further information on data processing by Google, setting and objection options can be found on the Google website at https://policies.google.com/technologies/partner-sites
‍

15.2 Google Ads 

We use the Google Ads service of Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) hereinafter "Google" based on your consent. 

Google Ads is an internet banner advertising service that allows us to display ads in both Google search engine results and the Google advertising network. Google Ads allows us to pre-define certain keywords that will display an ad in Google's search engine results only when the user performs a keyword-relevant search. In the Google advertising network, our ads are displayed on topic-relevant websites by means of an automatic algorithm and in compliance with the keywords we have previously defined. 

In order to check the effectiveness of our advertisements placed via Google Ads, we use conversion tracking on our website. When you click on an ad placed by Google, a conversion tracking cookie is set on your device. These conversion cookies lose their validity after 30 days and do not allow any direct conclusions to be drawn about an individual person. As long as the cookie is valid, we can track whether a user has clicked on an ad placed via Google Ads to reach our website. We can use conversion cookies to measure the effectiveness of our advertising measures.

We also use “Google Ads Customer Match lists” as part of our Google advertising activities based on your consent. When Customer Match is used, lists with encrypted user data (only email addresses) are uploaded to Google. Google then compares whether the transmitted user data matches existing Google customers. This in turn can be used to create target groups that can be used to target ads/campaigns. Once the customer match lists have been created, the encrypted customer data is automatically deleted again. 

You can object to this use by preventing the installation of cookies by setting your browser software accordingly (deactivation option).  You can also customize personalized advertising in your Google user account in the Privacy tab according to your wishes. To do this, log in to Google and go to "Manage Google Account" in the "Data and Privacy" section. Further information and Google's applicable privacy policy can be found at https://policies.google.com/technologies/partner-sites.

We also use "Google Tag Manager" from Google. This tool does not process personal data, but ensures the triggering of scripts that are required by other services to collect data.

This allows us to interact and integrate other marketing Google tools such as Google Analytics 4, Google Ads, etc. Further information and Google's applicable privacy policy can be found at https://policies.google.com/privacy.
‍

15.3 Use of Hotjar

This website uses features of the web analytics service Hotjar. The provider is Hotjar Inc. with its registered office at Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta.

We use Hotjar to analyze and regularly improve the use of our website. We can use the statistics obtained to improve our offer and to make it more interesting for you as a user. On behalf of the operator of this website, Hotjar will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage. The information generated by the cookie about your use of the website will be transmitted to and stored by Hotjar on servers in the United States.

We use Hotjar's anonymization feature on this website. This shortens your IP address and ensures that the analytics data is not personally identifiable. We do not merge the data with other personal data.

We only use the tool in case of your consent, which you can give via the cookie banner, legal basis is Art. 6 para. 1 p. 1 lit. a GDPR. You can also opt out of the analysis function by simply activating the standard "Do not Track" function in your browser. In this case, we will not process your personal data in the manner described here. An explanation of how you can activate the "Do not Track" function can be found under this link: www.hotjar.com/legal/compliance/opt-out/.

‍
15.4 reCAPTCHA

We use the reCAPTCHA function of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), in order to be able to recognize whether entries in forms are made by humans and not by automatically acting software tools (so-called "bots"). 

The data processed includes IP address, information on operating systems, devices and browsers used, language settings, location, mouse movements, interactions with ReCaptcha on other websites, cookies if applicable and results of manual recognition processes (e.g. selection of images according to certain criteria). 

There are corresponding risks associated with the processing of your data by Google in the USA. By giving your consent via our cookie banner, you agree to the processing of your data (here your IP address) in the USA despite potential access by US authorities.

The privacy information can be found at https://policies.google.com/technologies/partner-sites.

‍
15.5 Meta Pixel and Custom Audiences     

On the basis of your consent, we use the so-called Meta Pixel of the social network Meta (before: Facebook), which is operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA). Meta is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. 

With the help of the Meta Pixel, it is possible for Meta to determine the visitors to our application as a target group for the display of advertisements (so-called "Meta ads"). 

Accordingly, we use the Meta Pixel for the analysis, optimization and economic operation of our application and our company in order to display the Meta ads placed by us only to those Meta users who have also shown an interest in our application or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Meta (so-called "Custom Audiences"). With Meta Pixel, we also want to ensure that our Meta ads correspond to the potential interest of users and do not have a harassing effect. We can also track the effectiveness of the Meta ads for statistical and market research purposes by seeing whether users were redirected to our application after clicking on a Meta ad (so-called "conversion").

We are jointly responsible (Art. 26 GDPR) with Meta Ireland Ltd. for the collection or receipt (but not the further processing) of "event data" that Meta collects by means of the Meta pixel and comparable functions (e.g. interfaces) on our online offer or receives in the context of a transmission for the following purposes: a) displaying content advertising information that corresponds to the presumed interests of users; b) delivering commercial and transaction-related messages (e.g. addressing users via Meta Messenger); c) improving the delivery of advertising and personalizing functions and content (e.g. improving the recognition of which content or advertising information corresponds to the presumed interests of users). 

We have entered into a data protection agreement with Meta ("Addendum for Data Controllers", https://www.facebook.com/legal/controller_addendum) that, among other things, specifies the security measures that Meta must follow (https://www.facebook.com/legal/terms/data_security_terms) and in which Meta has agreed to fulfill the rights of data subjects (e.g., users can send information or deletion requests directly to Meta). Note: When Meta provides us with metrics, analytics and reports (which are aggregated, i.e., do not contain any information about individual users and are anonymous to us), this processing is not done under joint controller relationship, but rather on the basis of a data processing agreement ("Data Processing Conditions", https://www.facebook.com/legal/terms/dataprocessing), the "Data Security Terms" (https://www.facebook.com/legal/terms/data_security_terms) and, with respect to processing in the U.S., on the basis of standard contractual clauses ("Meta-EU Data Transfer Addendum", https://www.facebook.com/legal/EU_data_transfer_addendum). Meta is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. The user's rights (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Meta.

You can opt-out of the Meta Pixel’s collection and use of your data to display Meta Ads. To adjust which types of ads are displayed to you within Facebook, you can visit the page set up by Meta and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads.

Further information and Meta's applicable privacy policy can be found at https://www.facebook.com/about/privacy/.                                         

‍

15.6 Cloudflare 

We use the service Cloudflare. The provider is Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”).

Cloudflare offers a globally distributed content delivery network with DNS. This technically routes the transfer of information between your browser and our website through Cloudflare’s network. This enables Cloudflare to analyze traffic between your browser and our website and serve as a filter between our servers and potentially malicious traffic from the Internet. In doing so, Cloudflare may also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described herein.

The use of Cloudflare is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 para. 1 lit. f GDPR).

CDNJS

We use CDNJS to properly deliver the content on our website. CDNJS is a service of Cloudflare, Inc., which acts as a content delivery network (CDN) on our website. A CDN helps to provide content of our online offer, especially files such as graphics or scripts, faster with the help of regionally or internationally distributed servers. When you access this content, you establish a connection to servers of Cloudflare, Inc. whereby your IP address and possibly browser data such as your user agent are transmitted. This data is processed solely for the purposes stated above and to maintain the security and functionality of CDNJS.

The use of the Content Delivery Network is based on our legitimate interests, i.e. interest in a secure and efficient provision as well as the optimization of our online offer according to Art. 6 para. 1 lit. f. GDPR.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Cloudflare, Inc. Further information can be found in the privacy policy for CDNJS: https://www.cloudflare.com/privacypolicy/.

Cloudflare Insights

We have integrated Cloudflare Insights on our website. Cloudflare Insights is a service provided by Cloudflare, Inc. which develops cloud-based software that allows website and application owners to track the performance of their services. 

Cloudflare Insights provides the ability to determine statistical evaluations of the technical performance of our services (e.g., the duration of a particular database query, the stability and accessibility of our servers, or the response time of our servers). For this purpose, application and browser data are collected and stored in the browser by means of cookies.

The use of Cloudflare Insights is based on our consent according to Art. 6 para. 1 lit. a. GDPR.

Cloudflare is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. 

For more information about security and data protection at Cloudflare, please click here: https://www.cloudflare.com/privacypolicy/.
‍

15.7 Hubspot 

We use the Hubspot service of HubSpot Inc., 25 First Street, 2^nd Floor, Cambridge, MA 02141, USA, on our websites for the purposes described below.

Hubspot is a web-based customer relationship management software solution (CRM system) that we use to cover various aspects of our online marketing. We use Hubspot for email marketing, in particular newsletter distribution, contact management (e.g. user segmentation & customer relationship management/CRM), chat, operation of landing pages and contact forms, social media publishing and reporting.

Hubspot processes your personal data when you interact with our landing page moonfare.com, e.g. when you use our registration forms there. Information collected when you use our landing page includes information about your computer and your visits to our landing page, such as your IP address, geographic location, browser type, length of visit, Internet service provider (ISP), pages visited and files viewed on our site (e.g., HTML pages and graphics), operating system, clickstream data, access times, and addresses of websites from which you linked to our site. This data is used to compile general statistics on the use of the landing page. We may link this automatically collected data to other personally identifiable information such as name, email address, address, and phone number.

You can view Hubspot’s privacy policy here: https://legal.hubspot.com/privacy-policy.

The legal basis for this processing is your consent pursuant to Art. 6 para 1 sentence 1 lit. a GDPR, Art. 49 para 1 sentence 1 lit. a GDPR. Consent given can be withdrawn at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected. The withdrawal can be made to the contact details above.

In the context of processing via HubSpot, data may be transferred to the USA. We have concluded an data processing agreement with Hubspot. In addition, by concluding standard contractual clauses with us, HubSpot Inc has undertaken to ensure the European data protection principles and the European level of data protection also in the context of data processing taking place in the USA. However, if you choose to consent to the use of Hubspot we would like to point out that the European Court of Justice (CJEU) stated in its Schrems II ruling that the protection of personal data in the USA does not meet the requirements in the EU. In particular, there is a lack of enforceable rights that safeguard the protection of your data against access by government authorities. Therefore, there is a risk that these government agencies may access the personal data without Hubspot, you or us being able to effectively prevent this.|
‍

We use the following Hubspot services:

Hubspot Analytics

HubSpot uses cookies or similar technologies (such as web beacons and JavaScript) to analyze trends for us, track users’ movements around the site and gather aggregate demographic information about users. The legal basis for this processing is your consent pursuant to Art. 6 para 1 sentence 1 lit. a GDPR, Art. 49 para 1 sentence 1 lit. a GDPR.

You can find more details about our use and management of cookies in the “Cookies” chapter of this privacy information. You can manage your cookie settings by clicking on the “Change cookie consent” link in the footer of the website.
‍

‍Hubspot Chat

We use the live chat and chatbot function offered by Hubspot. A chat is basically a directly conducted online conversation between humans. A chatbot, on the other hand, is software that automatically answers users’ questions or informs them of messages, if applicable, during a chat without human interaction. 

When you use chat functions, we process your personal data provided in the chat for the purposes of the chat as well as for the purpose of further customer support and information about interesting products, offers, services and/or related actions by us. The legal basis for this processing is your consent pursuant to Art. 6 para 1 sentence 1 lit. a GDPR, Art. 49 para 1 sentence 1 lit. a GDPR.
‍

Hubspot Newsletter Service

We use the newsletter function offered by Hubspot. In the following, we inform you about our newsletter as well as the registration, mailing and evaluation procedure and inform you about your rights of objection. If you subscribe to our newsletter, you agree to receive the newsletter and you agree to the described procedure.

Newsletter content: We send newsletters, e-mails and other electronic notifications, e.g. whitepapers, with promotional information (hereinafter “newsletter”) only on the basis of the recipient’s consent or on the basis of legal permission. If we specifically describe individual newsletters as part of the registration process, this description is decisive for the consent of a newsletter subscriber. If no separate description is provided, our newsletters will contain information about our products, offers and promotions as well as information about our company.

Double-Opt-In: The registration for our newsletter takes place in the so-called double-opt-in procedure. This means that after you have registered for the newsletter, we will send you an e-mail in which we ask you to confirm your registration. This confirmation serves to ensure that only persons who have access to the specified e-mail address register for our newsletter. We log the registrations to the newsletter in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to your data stored with the newsletter service provider are also logged.

According to its own information, Hubspot uses the data to optimize or improve its own services. However, the newsletter service provider does not use the data of our newsletter recipients to write to them itself or to pass them on to third parties. 

To register for the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to provide a first and last name, company, telephone number, for the purpose of personal address in the newsletter.

The newsletters contain a so-called web beacon, i.e. a pixel-sized file that is retrieved from Hubspot’s server when the newsletter is opened. As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval are collected. This information is used for the technical improvement of the services based on the technical data or the target groups and your reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The sending of the newsletter and the measurement of success are based on the consent of the recipients according to Art. 6 para 1 sentence 1 lit. a GDPR, Art. 49 para 1 sentence 1 lit. a GDPR, Art. 7 GDPR in conjunction with § 7 para. 2 No. 3 UWG or on the basis of the legal permission according to § 7 para. 3 UWG. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para 1 sentence 1 lit. f GDPR and serves as proof of consent to receive the newsletter. 

You can unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent. You will find a link to cancel the newsletter at the end of each newsletter. If users have only subscribed to the newsletter and have cancelled this subscription, their personal data will be deleted.
‍

15.8 LinkedIn Insight Tag

The LinkedIn Insight Tag of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland is used on our application. LinkedIn is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. This is a JavaScript code that sets a cookie or pixel on your device that enables the collection of, among other things, the following data: IP address, device and browser properties and page events (e.g. page views). The use of cookies is based on your consent. This data is encrypted, anonymized within seven days and the anonymized data is deleted within 90 days.

We learn via the “LinkedIn Insight Tag” about which LinkedIn ad or interaction on LinkedIn you came to our application. This allows us to better control the display of our advertising. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. We can use this data to display targeted advertising outside our application without identifying you as an application visitor.

Please note that the data may be stored and processed by LinkedIn so that a connection to the respective user profile is possible and LinkedIn may use the data for its own advertising purposes. LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To disable the Insight tag on our application ("opt-out") click https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

The processing of the data is a joint responsibility of LinkedIn and us pursuant to Art. 26 GDPR. The primary responsibility for the processing of personal data via the Insight Tag lies with LinkedIn and all obligations under the GDPR are fulfilled with regard to the processing of personal data by LinkedIn (in particular the information obligations pursuant to Article 12 et seq. GDPR, safeguarding of data subject rights pursuant to Article 15 et seq. GDPR, notification of data breaches pursuant to Articles 33, 34 GDPR). The joint responsibility agreement pursuant to Art. 26 GDPR can be found at: https://legal.linkedin.com/pages-joint-controller-addendum.

For more information, please see LinkedIn's privacy policy at: https://de.linkedin.com/legal/privacy-policy.     
‍

15.9 Microsoft Advertising

The website uses the remarketing function Bing Ads of Microsoft Corporation One Microsoft Way, Redmond, WA 98052-6399, USA. ("Microsoft Advertising"). 

In this context, Microsoft Bing Ads stores a cookie on your computer if you have accessed our website via a Microsoft Bing ad. In this way, Microsoft Bing and we can recognize that someone has clicked on an ad, has been redirected to our website and has reached a previously determined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page. No personal information about the user's identity is disclosed.

By giving your consent via our cookie banner, you consent to the processing of your data by Microsoft. Therefore the legal basis for the use of Microsoft Advertising is your consent in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR.

If you do not want information about your behavior to be used by Microsoft as explained above, you can refuse the required setting of a cookie in our banner or by browser setting that generally disables the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website, as well as the processing of this data by Microsoft, by following the link below: http://choice.microsoft.com/de-DE/opt-out to declare your objection. For more information on data protection and the cookies used by Microsoft and Bing Ads, please visit the Microsoft website at https://privacy.microsoft.com/de-de/privacystatement.

‍
15.10 Heap Analytics ‍

We use the web analytics tool Heap Analytics by Heap Inc, 225 Bush St #200, San Francisco, CA 94104, USA, based on your consent. Heap Analytics uses cookies to enable an analysis of your use of the website. The cookies are only set if you have consented within the framework of the so-called "cookie banner". Therefore, the legal basis for the use of Heap is your consent in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR.

Heap is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. 

As a basis for data processing at recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. especially in the USA) or data transfer there, Heap uses so-called Standard Contractual Clauses according to Art. 46 para.2 and 3 GDPR. 

More information about the Standard Contractual Clauses can be found at: https://help.heap.io/data-privacy/heap-and-data-privacy/using-heap-to-comply-with-data-privacy-legislation/ . 

You can learn more about the data processed by Heap in the Privacy Policy: https://heap.io/privacy?tid=331657198431   
‍

15.11 Segment

We use the Segment Persona’s service of Twilio Inc., 101 Spear St Fl 5,San Francisco, CA 94105, USA, based on your consent. The provider processes usage data (e.g. sites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA. Segment/Twilio is certified under the EU-U.S. Data Privacy Framework, which ensures a GDPR-compliant data transfer to the USA. Furthermore, Twilio uses EU standard contractual clauses: https://www.twilio.com/en-us/legal/data-protection-addendum

Segment/Twilio helps us to manage the data collected by the third-party providers and stores data in pseudonymous usage profiles. These usage profiles are used to analyze visitor behavior, to validate user interactions in our own data environment and are evaluated to improve our offer. We process your in-app usage data to create conversion tracking reports. You can withdraw your consent at any time in your profile settings.

Further information is available in Twilio's privacy policy at https://www.twilio.com/en-us/legal/privacy     

You can find us on social networks and platforms, so that we can also communicate with you there and inform you about our services. 

We point out that your data may be processed outside the European Union / European Economic Area and that the data is usually processed for market research and advertising purposes. Profiles can be created from the usage behaviour and resulting interests of the users. These profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For this purpose, cookies may be stored on the computers of the users, in which the usage behaviour and the interests of the users are stored. Other data may also be stored in these usage profiles, especially if the users are members of the respective platforms and are logged in to them.

We only link to our company profiles on the respective social networks on our website. However, please note that when you click on a link to the social networks, data is transmitted to their servers. If you are logged in to the respective social network at this time with your username and password, the information that you have visited our company profile on the respective social network from our website will be transmitted there and the respective provider can store this information in your user account.

In principle, we have no influence on the data processing of the social networks. However, we receive statistics from them about the use and visits of our company profile in their social network (e.g. information about the number of views, interactions such as likes and comments as well as summarized demographic and other information or statistics). For more information about the data processed by the social networks, please see the respective privacy notices linked below.

Insofar as we receive your personal data in the context of our social media profiles (e.g. in the context of a communication), you are entitled to the rights mentioned in this privacy notice. You can address your requests regarding data processing within the scope of our company profiles to us via the contact data mentioned above.

If you also wish to exercise rights against the provider of the social network, the easiest way to do so is to contact the respective network directly. The network knows both the details of the technical operation of the platform and the associated data processing as well as the specific purposes of the data processing. The contact details can be found in the privacy notice linked below. We will also be happy to support you in exercising your rights, insofar as this is possible for us.

The processing of your personal data is generally based on your consent in accordance with Art. 6 para 1 sentence 1 lit. a GDPR. The legal basis is also Art. 6 para 1 lit. b GDPR if we receive and process your data as part of a contract-related inquiry. The legal basis for the linking and operation of our company profiles in the social networks, including the receipt of statistics on the use of our company profiles, is Art. 6 para 1 lit. f GDPR based on our legitimate interest in our corporate communication in the respective social networks.

For information on the respective processing and the objection options, we refer to the privacy notice of the networks linked below:

• Meta Platforms (Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA)). We operate our Facebook and Instagram pages on the basis of a shared personal data processing agreement with Meta. Privacy Information: https://www.facebook.com/about/privacy/, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.
• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland), social network for maintaining existing and making new business contacts. Privacy information: https://www.linkedin.com/legal/privacy-policy , opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland), online service for sharing photos and videos. Data protection information: https://help.instagram.com/519522125107875/?helpref=hc_fnav.‍
• X (Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland), microblogging service. Data protection information: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization.
• YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), video portal. Data protection information: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
  

The transfer of your personal data to the recipients listed above may involve the transfer of personal data to another country. In particular, due to our global business model, this may include transfers of your personal data to and from countries where a Moonfare subsidiary is located, including (but not limited to) Luxembourg, the United Kingdom, as well as other countries outside the European Economic Area, such as Australia, Singapore and the United States. Please click here for a list of countries where we have a local office.

To ensure that your personal data is always subject to an adequate level of protection, we ensure that all cross-border transfers of your personal data are made in accordance with the safeguards required under the GDPR (in particular, appropriate contractual arrangements), in addition to any other safeguards required by applicable laws and regulations.

As noted above, Moonfare has appointed a DPO. If you have any questions in relation to Moonfare’s use of your Personal Data as described in this Privacy Notice, or if you would like to submit a request with respect to your rights outlined above, please contact our DPO using the contact details set out at the beginning of this Privacy Notice.

In addition to the contact details above, Singapore residents may also contact the relevant local office to exercise their rights. Please note that this Privacy Notice does not in any way limit your rights under local data protection laws.

You also have the right to submit a complaint to your local data protection authority or other relevant supervisory authority in those European jurisdictions where a member of the Moonfare group of companies is registered with the national data protection authority (currently Germany). For more information on this topic, please visit the European Commission's website https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-are-data-protection-authorities-dpas-and-how-do-i-contact-them_en 

‍

17.1 Singapore 

The personal data collected in Singapore by Moonfare Group is collected, stored, used and/or processed in accordance with the obligations under the Personal Data Protection Act 2012 of Singapore (“PDPA”).

You can access the Personal Data Protection Act 2012 of Singapore here: https://sso.agc.gov.sg/Act/PDPA2012 

Further information from the local supervisory authority (including how to contact them) is available at: https://www.pdpc.gov.sg/ 

‍

17.2 UK 

The data collected in the UK by Moonfare Group is collected, stored, used and/or processed in accordance with the obligations under (a) the Data Protection Act 2018, (b) the GDPR, (c) the GDPR as it forms part of the laws of the UK by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK-GDPR"), and (d) the Privacy and Electronic Communications Regulations 2003..

You can access the UK Data Protection Act 2018 here:  https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf 

You can access the UK-GDPR here: https://www.legislation.gov.uk/eur/2016/679/contents 

Further information from the local supervisory authority (including how to contact them) is available at: https://ico.org.uk/ 

‍‍

17.3 USA - California Consumer Privacy Act (“CCPA“)

The personal data collected in the USA by Moonfare Group will be processed in accordance with the California Consumer Privacy Act ("CCPA"). 

Under the CCPA, California residents have certain rights regarding the Personal Information that businesses process about them. This includes the rights to request access or deletion of your Personal Information, as well as the right to direct a business to stop selling your Personal Information.

Personal Information disclosed for business purposes:

Moonfare shares and has shared in the preceding 12 months personal information as necessary for specific “business purpose,” as defined by the CCPA (Cal. Civ. Code 1798.140(d)) and specified in the section “How do we share and disclose information to third parties?” This includes sharing personal identifiers, commercial information, internet or other electronic network activity with payment processing providers, customer relationship management, consulting, email, product feedback, and helpdesk services. While Moonfare does not sell Personal Information in exchange for any monetary consideration, we do share Personal Information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). This includes sharing personal identifiers, commercial information, and internet or other electronic network activity with advertising networks, website analytics companies, and event sponsors. Moonfare does not sell Personal Information of consumers who are under 16 years of age.

The CCPA rights 

• Right to opt-out of sale: While Moonfare does not sell personal information in exchange for any monetary consideration, we do share Personal Information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your Personal Information is collected and shared. You have a right to direct Moonfare not to sell your Personal Information. With respect to cookies, you can always customize your settings at any time. Please note that we may still use aggregated and de-identified Personal Information that does not identify you or any individual. We may also retain Personal Information as needed to comply with legal obligations, enforce Agreements, and resolve disputes.

• Right to request disclosure: You have the right to request disclosure about what categories of Personal Information Moonfare has sold or disclosed for a business purpose about you and the categories of third parties to whom the personal information was sold or disclosed. You have a right to request disclosure of specific pieces of Personal Information. Below is a complete list of the Personal Information that you can include in your request.
  ‍
  ○ The categories of Personal Information that Moonfare has collected about you.
  ‍
  ○ The categories of sources from which Moonfare collected the Personal Information.
  ‍
  ○ The business or commercial purpose for collecting or selling Personal Information.
  ‍
  ○ The categories of third parties with whom Moonfare shares Personal Information.
  ‍
  ○ The specific pieces of Personal Information Moonfare has collected about you.
  ‍
  ○ The categories of Personal Information that Moonfare disclosed about you for business purpose.
  ‍
  ○ The categories of Personal Information that Moonfare has sold about you, as well as the categories of third parties to whom Moonfare sold your Personal Information.

If you would like to exercise your right to request disclosure, please contact our DPO. 

• Right to request deletion: You have the right to request that Moonfare delete any Personal Information about you that Moonfare has collected from you. Please note that there are exceptions where Moonfare does not have to fulfill a request to delete Personal Information, such as when the deletion of information would create problems with completing a transaction or compliance with a legal obligation. If you would like to exercise your right to delete, please contact our DPO.
• Right to non-discrimination: Moonfare will not discriminate against you (e.g., through denying goods or services or providing a different level or quality of goods o/r services) for exercising any of the rights afforded to you.

How do we handle your requests?

We endeavor to respond to a verifiable consumer request within the required timeframes. If we need more time, we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain why we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

California and Delaware law require Moonfare to indicate whether it honors your browser’s “Do Not Track” settings concerning targeted advertising. Moonfare adheres to the standards set out in this Notice and does not monitor or respond to Do Not Track browser requests.

You can access the CCPA here: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article= 

Further information from the attorney general (regulator) (including how to contact them) is available at: https://oag.ca.gov/ 
‍

17.4 Australia - Privacy Act 1988

The personal data collected in Australia by Moonfare Group is collected, stored, used and/or processed in accordance with the obligations under the Privacy Act 1988 of Australia (No. 119, 1988).

You can access the Privacy Act 1988 here: https://www.legislation.gov.au/C2004A03712/latest/versions

Further information from the local supervisory authority (including how to contact them) is available at: https://www.oaic.gov.au/