LAST UPDATE: MAY 27, 2019
Our mission is to bring investor relationship management to the digital age. On the one hand, the platform allows investors to track and support their investments; on the other hand, it helps startups streamline and simplify their investor reporting.
- The type, scope and collection of personal data
- How we process personal data
- Who we share personal data with
- The options you have regarding how to access, update and remove your personal data
Responsible for Data Privacy
Investory Onlineplattform GmbH
Hintere Achmühlerstr. 1a
CEO: Jochen Punzet
What data we process
- Basic data (e.g. Full Name)
- Contact data (e.g. Email)
- Content data (e.g. Photos, Text)
- Usage data (e.g. access statistics)
- Meta data (e.g. IP-address, system information)
Categories of people we collect data on
Visitors and users of our service offering (collectively referred to as “Users”).
Purpose of data processing
- Providing the Services offered (see Terms & Conditions for more details)
- Communication with Users for support and in the course of normal business activities
- Providing security measures (e.g. Logs, Backups, e-mail verification)
- Usage statistics and marketing (e.g. cookies, tracking systems)
According to Article 13 GDPR we have to inform you of the legal basis of our data processing. For obtaining consent the legal basis is listed in Article 6 (1) and Article 7, for the data processing in the course of our service offering and contractual provisions Article 6 (1) and for the compliance with regulatory responsibilities as well as our legitimate interest Article 6 (1) of the GDPR is the basis of data processing.
In accordance with Article 32 of the GDPR, we protect personal data based on state-of-the-art security measures. The appropriateness of the technical and organizational security measures is evaluated, based on the risk to the rights and freedoms of our users, probability of occurrence, implementation costs and the type and purpose of processed data.
We have security measures in place to ensure the confidentiality, integrity and availability of processed data. These measures apply to physical access as well as when entering, transferring and storing data. In addition, we have set up processes to ensure our users' rights to delete and export their information. Furthermore, security measures are also deployed during the development, hardware/software selection and design of our service offering. For more details please also see our security policy here.
Working with third parties
We only work with and transfer data to third parties in the course of our Service offering (commissioned data processing) when there is a legal basis to do so: either you have given us consent, we need to meet regulatory obligations, or the transfer is based on legitimate interests (e.g. freelancers or other external service providers).
If we commission third parties with the processing of data, we do so according to Article 28 of the GDPR.
Transfer of data outside of Europe
Our Service is hosted and operated in Europe (Germany), with development, support and maintenance operations in other countries inside the European Union (“EU”), through us and our service providers. If we transfer data to non-EU countries, we do so only to fulfil contractual obligations, with your consent or based on legitimate interests. We transfer data to non-EU countries only in case the conditions outlined in Article 44 GDPR are adhered to. For example, transfer and processing outside of Europe is done based on special guarantees that the same data protection level is kept in the non-EU country (e.g. in the USA through the “Privacy Shield” agreement) or we specify these requirements in special contractual obligations.
Your rights as a user
- You have the right to ask which data is being processed and ask us to disclose this information as well as related information and copies of this data in accordance with Article 15 GDPR.
- You have the right to ask for correction or amendment of your data according to Article 16 GDPR.
- You have the right to ask for immediate deletion of your data (Article 17 GDPR) or to limit the use of data (Article 18 GDPR).
- You have the right to ask for transferal of provided data to another controller (Article 20 GDPR).
- You have the right to lodge a complaint with a supervisory authority (Article 77 GDPR).
- You have the right to revoke your consent of data processing for the future (Article 7 GDPR).
- You can object to future processing of your data according to Article 21 of the GDPR; this can be limited to processing for direct marketing purposes.
Deletion of Data
Data we are processing can be deleted or limited in accordance with Articles 17 and 18 of the GDPR. If not mentioned anywhere else, we delete data when or if they are no longer necessary for the completion of the initial purpose and there is no requirement to keep data for legal purposes. In case data is necessary for legal purposes or there is a regulatory retention period, processing of this data will be limited (e.g. data that needs to be retained due to tax or trade laws).
In Austria the retention of data is limited to 7 years in case of financial and business data (see § 132 (1) BAO).
How we process data
In the following, a record of processing activities is provided. This extensive list is meant to provide an overview of the most relevant data processing activities we employ.
Business related processing
In addition to the data we process through our Service, we also process data in the course of normal business operations:
- Contract data (e.g. service offerings and contract subjects)
- Payment data (e.g. bank connection and payment history)
We use hosting service providers for the following purposes:
- Providing infrastructure and networking services
- Providing storage and database capabilities
- Providing maintenance and support services
Amazon.com, Inc. is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active).
Handling of access and system log files
We and some of our third-party providers store data about access to our systems due to legitimate interests defined in Article 6 (1) GDPR. In these logs, data like names, accessed sites, date and time of access, system type and system versions as well as referrer URL and IP address may be temporarily stored.
These logs are used for security or maintenance purposes (e.g. to investigate issues or abuse situations) and will be deleted regularly. Data that might be used as evidence might be stored until the case is resolved.
Provision of contractual services
We process basic data (e.g., names and addresses as well as contact information of users), contract data (e.g., services provided, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Article 6 (1) GDPR.
The storage of this data is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. A transfer of these data to third parties does not take place, unless it is necessary for the prosecution of our claims or there is a legal obligation in accordance with Article 6 GDPR.
We process usage data (e.g., the visited web pages of our online offering, interest in our products) for each user to provide relevant information based on their behavior (e.g. to send instructions, tips or guides based on their usage).
The deletion of this data takes place after expiration of legal warranty and comparable obligations, the necessity of the storage of the data is checked every three years; in the case of legal archiving obligations, the deletion takes place after its expiration. Information in the customer’s account remains until it is deleted.
Administration, financial accounting, office organization, contact management
We process data in the context of administrative tasks and organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of offering our Services in accordance with Article 6 of the GDPR. The purpose and interest in processing lies in administration, financial accounting, office organization, data archiving, that is, tasks that serve to maintain our business, perform our duties and provide our services. The deletion of the data in terms of contractual performance and contractual communication corresponds to the information provided in these processing activities.
We may disclose or transmit data to the financial administration, consultants, such as tax accountants or auditors, and other fee agents and payment service providers.
Furthermore, based on our business interests, we store information about suppliers, promoters and other business partners, e.g. for later contact. We generally store this company-related data permanently.
Business analysis and market research
In order to operate our business economically, to be able to recognize market trends, customer and user requirements, we analyze data on business transactions, contracts, inquiries, etc. We process basic data, communication data, contract data, payment data, usage data, metadata on the basis of Article 6 GDPR, whereby the users affected include customers, prospects, business partners, visitors and users of the Service.
The analyses are carried out for the purpose of business analysis, marketing and market research. In doing so, we can provide the profiles of registered users with information, e.g. take into account their services. The analyses serve us to increase the user-friendliness, the optimization of our offer and the business economics. The analyses are for us alone and will not be disclosed externally unless they are anonymized and aggregated.
If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the users, otherwise after two years from the conclusion of the contract. Incidentally, the overall business analyses and general trend provisions are created anonymously wherever possible.
Privacy in the application process
We process the applicant data only for the purpose and in the context of the application process in accordance with the legal requirements. The processing of the applicant data takes place in order to fulfill our (pre-) contractual obligations in the context of the application process based on our legitimate interest (see Article 6 GDPR) or if the data processing is required in the context of legal proceedings.
The application process requires applicants to provide us with their applicant data. The necessary applicant data include the information on the person, postal and contact addresses and the application documents, such as cover letter, CV and the certificates. In addition, applicants can voluntarily provide us with additional information.
Applicants can send us their applications via e-mail. However, please note that e-mails are generally not sent in encrypted form and that applicants themselves must provide encryption. We can therefore take no responsibility for the transmission of the application between the sender and the reception on our server, and we therefore recommend using encryption or postal delivery. Instead of applying via e-mail, applicants have the opportunity to send us the application by post.
The data provided by the applicants may be further processed by us in the event of a successful application for employment. Otherwise, if the application is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to at any time.
The deletion is scheduled after a period of a few months, so that we can answer any follow-up questions to the application. Invoices for any reimbursement of travel expenses are archived in accordance with the tax regulations.
Registering an account
Users can create a user account. As part of the registration, the required mandatory information is communicated to the users and, based on Article 6 (1) GDPR, processed for purposes of providing the user with an investory account. The processed data includes in particular the login information (name, password and an e-mail address). The data entered during registration will be used for the purpose of accessing their account. Users may be sent information relevant to their user account by e-mail, e.g. about technical changes. If users have terminated their data, their entire account will be deleted, unless there is a regulatory retention period. It is the responsibility of the users to secure their data before deletion. We are entitled to irretrievably delete all user data stored during the term of the usage.
During the registration or sign-up process, we may save information about you like the IP address and the time of registration/login. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. A transfer of this data to third parties does not take place, unless it is necessary for the prosecution of our claims or we have a legitimate interest in accordance with Article 6 (1) GDPR.
When contacting us (for example, by contact form, e-mail, telephone or via social media) your information may be processed to maintain contact in accordance with Article 6 (1) GDPR. User information may be stored in a Contact Management System, in a Customer Relationship Management System (“CRM System”) or comparable system. We delete requests, if they are no longer required.
If users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests in accordance with Article 6 (1) GDPR. If someone leaves illegal content in comments and contributions (insults, prohibited political propaganda, etc.), we may be prosecuted for the comment or post ourselves and are therefore interested in the identity of the author.
Furthermore, we reserve the right to process the information of users for the purpose of spam detection. The data provided in the comments and contributions are stored by us permanently until the user objects or requests deletion.
Cookies and objections to tracking tools
We and our third-party service providers collect information about you, your device, and your use of the Service through cookies, clear gifs (a.k.a. web beacons/pixels), and other tracking tools and technological methods (collectively, “Tracking Tools”).
Tracking Tools collect information such as computer or device operating system type, IP address, browser type, browser language, mobile device ID, device hardware type, the website or application visited or used before or after accessing our Service, the parts of the Service accessed, the length of time spent on a page or using a feature, and access times for a webpage or feature.
These Tracking Tools help us learn more about our users and analyze how users use our Service, such as how often users visit our Service, what features they use, what pages they visit, what emails they open, and what other sites or applications they used prior to and after visiting the Service.
Like many websites and mobile applications, we collect certain information through the use of “cookies,” which are small text files that are saved by your browser when you access our Service.
Cookies can either be “session cookies” or “persistent cookies”. Session cookies are temporary cookies that are stored on your device while you are visiting our Website or using our Service, whereas “persistent cookies” are stored on your device for a period of time after you leave our Website or Service. We use persistent cookies to store your preferences so that they are available for the next visit, and to keep a more accurate account of how often you visit our Service, and how your usage behavior varies over time.
We also use persistent cookies to measure the effectiveness of advertising efforts. Through these cookies, we may collect information about your online activity after you leave our Service.
If you don’t want to use or store Cookies, please deactivate this option in your browser settings. Existing Cookies can be deleted manually. However, please be aware that this might lead to a reduction of our online offering experience.
Content of the newsletter:
We only send newsletters, e-mails and other electronic notifications that contain information about our Services and accompanying information (such as instructions), offers, promotions and our company.
Double opt-in and logging:
Newsletter – Mailchimp
The email service provider may use the data of the recipients in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of email sending and the presentation of newsletters or for statistical purposes. However, the email service provider does not use the data of our newsletter recipients to address them themselves or to pass the data on to third parties.
Newsletter – Intercom
The customer relationship service provider may use the data of the recipients in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of relationships and the presentation of newsletters or for statistical purposes. However, the customer relationship service provider does not use the data of our newsletter recipients to address them themselves or to pass the data on to third parties.
Bugtracking – Bugsnag
The bugtracking service provider may store data of users in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of relationships and the presentation of newsletters or for statistical purposes. However, the bugtracking service provider does not use the data of our bugs to address them themselves or to pass the data on to third parties.
Email – Tracking
The newsletters may contain a so-called “web-beacon”, a pixel-sized file that is retrieved from the server when opening the newsletter from our server, or if we use an email service provider. This call will initially collect technical information, such as information about the browser and your system, as well as your IP address and time of retrieval.
This information is used to improve the technical performance of services based on their specifications or audience and their reading habits, based on their locations (which can be determined using the IP address) or access times. Statistical surveys also include determining if the email will be opened, when they will be opened, and which links will be clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our goal nor, if used, that of the email service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
Jetpack (WordPress Stats)
Based on our legitimate interests (e.g. interest in the analysis, optimization and improvement of our Service) we use the plugin Jetpack, which includes Visitor Access Statistical Evaluation and Spam protection developed by Automattic Inc., 60 29th Street # 343, San Francisco, CA 94110, USA. Automattic Inc. is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active). Jetpack uses so-called “cookies”, text files that are stored on your computer and that allow an analysis of the use of the website by you.
The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly.
The personal data of users will be deleted or anonymized regularly.
Mixpanel may use this information on our behalf to evaluate the use of our online Service by users, to compile reports on the activities and to provide us with further services related to the usage. It is possible to create pseudonymous usage profiles of the users based on the processed data.
The personal data of users will be deleted or anonymized regularly.
Facebook-Pixel, Custom Audiences and Facebook-Conversion
Based on our legitimate interests (e.g. interest in the analysis, optimization and improvement of our Service) we use the so-called “Facebook pixel” of the social network Facebook, by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”).
Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook pixel, it is possible for Facebook to identify the visitors to our Service as a target group for display of advertisements (so-called “Facebook ads”). With the help of the Facebook pixel, we also want to make sure that our Facebook ads are in line with the interest of our users. We are also able to understand the effectiveness of the Facebook ads for statistical and market research purposes, in which we see whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”). The processing of the data by Facebook is part of Facebook’s data usage policy. Accordingly, general notes on the display of Facebook Ads can be found in Facebook’s Data Usage Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook Pixel and how it works, visit the help section of Facebook: https://www.facebook.com/business/help/651294705016616.
You may object to the capture by the Facebook Pixel and use of your data to display Facebook Ads. To set which types of ads you see within Facebook, you can go to a special page set up by Facebook and follow the instructions for the usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform independent, meaning they are adopted for all devices, such as desktop computers or mobile devices.
You can also opt-out of using Cookies for tracking and promotional purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and in addition the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
We maintain online presence within social networks and platforms in order to communicate with customers, prospects and users active there and to inform them about our services. When communicating through the respective networks and platforms, the terms and conditions and the data processing guidelines of these networks and platforms apply.
Saltedge – Banking API
Stream.io – Feeds/Notifications
Stripe – Payment Provider
If users choose so, they can opt-in to subscribe to a paid plan by providing payment information, which is managed by our dedicated payment service Stripe. Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc., in the U.S. To ensure the adequate protection of personal data, they have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. For more information, please read their Stripe Privacy Shield Policy. In addition to Privacy Shield, Stripe continues to employ additional compliance measures to ensure an adequate level of protection of personal data transferred outside the European Economic Area.