Data privacy

This data protection notice intends to inform you about the processing of your personal data by us and the claims and rights to which you are entitled under data protection regulations, in particular the European General Data Protection Regulation (GDPR).
‍
Below you will learn about the type, scope and purpose of the processing of personal data on the Tokenize.it platform (hereinafter “Platform“) available on www.tokenize.it. This data protection notice also applies to all services related to the Platform. The data protection information applies regardless of the domains, platforms and devices used (e.g. desktop, mobile, etc.).
‍
Personal data within the meaning of the GDPR is all data that can be related to you personally, e.g. name, address, email addresses, user behavior. Which data is processed in detail and how it is used depends largely on the services you use.
‍
We use various other terms in relation to the GDPR in our data protection information. This includes terms such as processing, restriction of processing, profiling, pseudonymization, controller, processor, recipient, third party, consent, supervisory authority and international organization. You can find corresponding definitions for these terms in Art. 4 GDPR.
‍

1. Who is responsible for data processing and who can I contact?

The person responsible is: 

Tokenize.it GmbH
Markt 16
09648 Mittweida
Tel.: 03727 5999530
E-Mail: hi@tokenize.it

You can reach our data protection officer at:
‍
mip Consult GmbH
Rechtsanwalt Asmus Eggert
Wilhelm-Kabus-Str. 9
10829 Berlin
privacy@tokenize.it

2. Which sources and data do we use?

We process personal data that we collect as part of your use of our Platform and, if applicable, as part of our business relationship with certain companies for whom we are providing technology services enabling them to launch digital Private Offers, (employee) participation programs and public fundraises (hereinafter “Crowdinvesting”) via the Platform.
‍
Information about what data we process when you register on our Platform, make an investment via our Platform or participate as a beneficiary in a company's profit participation program can be found in the following paragraphs.
‍
When you use our Platform, we collect personal data that your browser transmits to our server. When you access our Platform, we collect the following access data, which is necessary from a technology perspective for us to make the Platform available to you and to ensure stability and security. The access data includes the IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e. name of the specific page accessed), access status/HTTP status code, amount of data transferred, referrer URL (previously page visited), operating system and its interface, language and version as well as type of browser software, notification of successful access.
‍
We will also receive your personal data if you contact us. Personal data in this case includes, for example, name, email address and, if applicable, the data that you send to us as a message (hereinafter “contact details").

3. What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”), among others, for the following purposes and on the basis of the following legal bases:
‍
Consent, Art. 6(1) sentence 1 lit. a GDPR:
As long as you consent to the processing of your personal data for specific purposes, this processing based on your consent is lawful.
Consent given can be revoked at any time. Please note that the revocation will only take effect for the future. Processing that took place before the revocation is therefore not affected by the revocation. The revocation can be sent to the contact details above.

Performance of pre-contractual measures at the request of the person or performance of a contract, Art. 6(1) sentence 1 lit. b GDPR:
When contacting us (via contact form or email), your information will be processed to handle the contact request and its processing.

In the context of balancing interests to safeguard legitimate interests, Art. 6(1) sentence 1 lit. f GDPR, and § 25(2) No. 2 TTDSG; based on your consent, Art. 6(1) sentence 1 lit. a GDPR, and § 25(1) TTDSG:
We use cookies and similar technologies on our Platform. We store information on your device because this is absolutely necessary to provide you with our Platform. Data processing is carried out to safeguard our legitimate interest in the best possible functionality of the Platform.When you visit our website for the first time, you will also be asked whether you consent to the use of non-essential cookies and similar technologies. If you consent to data collection and storage in accordance with § 25(1) TTDSG, and the possibly associated subsequent data processing pursuant to Art. 6(1) sentence 1 lit. a GDPR, we may use this information, for example, to analyze the use of our Platform or to conduct marketing activities.

You have the option to revoke your consent at any time with effect for the future via the cookie button (consent settings), which is displayed to you at the bottom left of our Platform.

In section 10, you will also receive further information about the services, cookies, and similar technologies used by us, especially regarding the management and deletion of cookies.

Compliance with legal obligation Art. 6(1) sentence 1 lit. c GDPR in conjunction with Sections 10, 11 para. 1 sentence 1, 12 Money Laundering Act (“GWG”):
To prevent and detect money laundering and terrorist financing and to comply with other sanctions and embargo regulations as part of our “KYC” (Know Your Customer) process, we will process certain personal data, including: to identify you, verify your identity and compare your information with sanctions lists.

As part of the balancing of interests to safeguard legitimate interests, Art. 6(1) sentence 1 lit. f GDPR:
We process your data to safeguard our legitimate interests or those of third parties. In particular, we pursue the following legitimate interests:
- Ensuring IT security, especially the security of the Platform;
- Advertising or market and opinion research, provided you have not objected to the use of your data; and
- Assertion of legal claims and defense in legal disputes.

4. Who receives my data?

Within our company, only those departments receive access to your data that require it to fulfill our contractual and legal obligations.
Service providers (Article 28 GDPR) employed by us may also receive data for the purposes mentioned above. These may include, for example, our IT service providers, hosting providers, or other third parties providing printing, telecommunications, distribution, and marketing services. If we disclose data to our service providers, they may only use the data to fulfill their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have appropriate technical and organizational measures to protect the rights of data subjects, ensure an adequate level of data protection, and are carefully monitored by us.
‍
Disclosure of data to third parties who are not data processors only occurs within the framework of legal requirements.
‍
We transmit personal data as a tied agent when providing investment brokerage services in the context of Crowdinvesting to Concedus GmbH, Schlehenstraße 6, 90542 Eckental as our regulatory liability umbrella (the “liability umbrella“) to fulfill our contractual obligations.
‍
We transmit personal data to law enforcement authorities and, if necessary, to injured third parties if this is necessary to investigate unlawful use of our services or to carry out criminal prosecution. However, this only happens if there are specific indications of illegal or abusive behavior. A transfer may also be made to enforce our terms of use or other agreements. We are also required by law to provide information upon request to certain public authorities, such as law enforcement authorities, administrative offense authorities and tax authorities. These transfers are based on our legitimate interests in combating abuse, assistance of law enforcement and asserting claims that outweigh your rights and interests in protecting your personal data. This is done in accordance with Article 6(1) lit. f GDPR or due to a legal obligation according to Article 6(1) sentence 1 lit. c GDPR.
‍
We also pass on user data to third parties if, for example, this is based on Article 6(1) sentence 1 lit. b GDPR for contractual purposes or based on legitimate interests in accordance with Article 6(1) sentence 1 lit. f GDPR if it is necessary for the economical and effective operation of our business or you have consented to the data transfer.

5. How long will my data be stored?

For security reasons (e.g., to investigate misuse or fraud), log file information is stored for a maximum of 30 days and then deleted (see above point 2). Data that must be retained for evidentiary purposes is excluded from deletion until the final resolution of the respective incident.
‍
To the extent necessary, we process and store your personal data for the duration of our business relationship, which also includes the initiation of a contract via contact form or email.
‍
In addition, we are subject to various retention and documentation obligations, which arise, among other things, from the Commercial Code (HGB) and the Tax Code (AO). The periods specified there for storage and documentation are two to ten years.
‍
The retention period for identification data, the results of the sanctions list comparison and the determination of the PEP status extend beyond the end of your contractual relationship with us: According to Sections 8 and 10 of the GWG, we are obliged to store identification data for at least five years. This retention obligation begins at the end of the calendar year in which our customer relationship with you ends - the entire retention period can therefore be longer than five years after the end of the contract.
‍
Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 ff. of the Civil Code (BGB), are usually 3 years, but can in certain cases be up to thirty years.
‍
If you assert your rights as a data subject, we will store the information provided to you until the expiration of the statutory limitation period pursuant to § 31 para. 2 No. 1 OWiG, § 41 para. 1 BDSG, Art. 83 para. 5 lit. b GDPR for 3 years. This period may be extended if the statutory limitation period is extended due to interruptions of limitation periods (e.g., in the context of inquiries from supervisory authorities).
‍
Unless otherwise stated, we will delete or anonymize your personal data as soon as it is no longer required for the purposes for which we collected or used it according to the preceding paragraphs. If data must be retained for legal reasons, their processing will be restricted. The data will then no longer be available for further use.

6. Will data be transferred to a third country or to an international organization?

The data provided is processed within the European Union and in the USA. When transferring data to the USA, we ensure that the recipients of the data are certified under the EU-U.S. Data Privacy Framework or that we agree with recipients without certification on EU standard data protection clauses. If we base the data transfer on EU standard data protection clauses, we will take additional security measures to protect your data and to achieve an adequate level of protection for your personal data. You have the option to receive or inspect the EU standard data protection clauses in a copy. If necessary, we will obtain your express consent for the transfer of data to the USA.

7. What data protection rights do I have?

Every data subject has:
‍
• the right to information pursuant to Art. 15 GDPR (i.e., you have the right to obtain information about your personal data stored by us at any time),
• the right to rectification pursuant to Art. 16 GDPR (i.e., in the event that your personal data are incorrect or incomplete, you may request the rectification of this data),
• the right to erasure pursuant to Art. 17 GDPR and the right to restriction of processing pursuant to Art. 18 GDPR (i.e., you may, if necessary, request the erasure or restriction of processing of your personal data if, for example, there is no longer a legitimate business purpose for such processing and statutory retention obligations do not require further storage),
• the right to data portability under Art. 20 GDPR (i.e., you may, if necessary, receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and transmit this data to another controller without hindrance).Furthermore, you can generally revoke your consent with effect for the future.
‍
In addition, there is a right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). You can find the supervisory authority responsible for you at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html. We would appreciate it if we could address your concerns before you contact the responsible data protection authority or another supervisory authority and therefore ask you to first contact us with your complaint.
‍
In addition, we would like to draw your attention to your right to object under Art. 21 GDPR:
‍
Information about your right to object under Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1) sentence 1 lit. e GDPR (processing in the public interest) and Article 6(1) sentence 1 lit. f GDPR (processing based on a balance of interests), including profiling based on that provision according to Article 4 No. 4 GDPR.
‍
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
‍
In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made informally and no costs other than the transmission costs according to the basic rates will be incurred.

If you wish to make use of your right to object, an informal notification, e.g. to the above-mentioned contact details, is sufficient.

8. To what extent is there automated decision-making in individual cases, including profiling?

When accessing our Platform or when contacting us via form or email, we generally do not use fully automated decision-making in accordance with Article 22 GDPR. If we use these procedures in individual cases, we will inform you separately if this is required by law. We do not process your data automatically with the aim of evaluating specific personal aspects (profiling).

9. Do I have an obligation to provide data?

Within the scope of our Platform, you must provide the personal data that is required for technical or IT security reasons to use our Platform. Unless you provide this data, you will not be able to use our Platform.
‍
In the context of contacting us, for example, by email, you only need to provide those personal data that are necessary for processing your request. Otherwise, we cannot process your request.
‍
In order to use our Platform and the services provided in connection with investments and profit participation programs on the Platform, you must provide us with the personal data that is strictly necessary for the use of the Platform and the services or which we are legally obliged to collect. Without this data we are required to restrict access to our services.

10. Cookies and similar technologies

a) General
We and services that we may use on our Platform use cookies and similar technologies, such as web storage or web beacons (see below).

Cookies are stored in the user's browser on the end device. They contain information that is stored for a visited page. The cookie is either sent from the web server to the browser or generated in the browser by a script (JavaScript). The web server can read this cookie information directly on subsequent visits to this page or transfer the cookie information to the server via a script on the Platform. When cookies are set, they generally collect and process certain user information such as browser and location data as well as IP address values. Some of these cookies are essential for the functioning of our Platform, while others help us improve our Platform by providing insights into your use of the Platform.

With web storage, information is stored locally in your browser cache. The stored information is either automatically deleted after closing the browser window ("session storage") or remains in place so that it can be read again when the Platform is visited again ("local storage"), unless you delete your browser cache ("browser data").
‍
Web beacons are 1x1 pixel-sized graphics that are integrated into websites or emails (newsletters) in various ways and also serve to collect and evaluate user data.
‍
We store information on your end device if this is absolutely necessary to provide you with our Platform, § 25 (2) No. 2 TTDSG. Otherwise, data collection is generally only carried out with your explicit consent in accordance with § 25 (1) TTDSG. If individual cookies also process personal data, the processing is carried out in accordance with Article 6 (1) (b) GDPR to perform the contract, in accordance with Article 6 (1) (f) GDPR to safeguard our legitimate interests in the best possible functionality of the Platform and a user-friendly and effective design of the page visit, or in accordance with Article 6 (1) (a) GDPR following your consent. You have the option to withdraw your consent with effect for the future at any time via the cookie button (consent settings) at the bottom left of our Platform.
‍
You can individually prohibit the storage of cookies through the settings of your browser (you can find out how to set the cookie treatment via the help page of the browser). Assistance with cookie management in the most common browsers can be found at the following addresses:

Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-loeschen-daten-von-websites-entfernen
Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Google Chrome: https://support.google.com/accounts/answer/61416?hl=de
Opera: http://www.opera.com/de/help
Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE
Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09Please note that deactivating cookies may lead to functional restrictions on the Platform.

In addition, you can deactivate cookies used for audience measurement and advertising purposes via the deactivation page for consumers in the EU https://www.youronlinechoices.com/de/praferenzmanagement/.

We inform you about the specific use of cookies and similar technologies, as well as the scope of the information collected, in the following paragraphs.
‍
b) Consent Management
To enable you to conveniently manage your consents, you will be shown a consent banner when you first visit our website. You will have the opportunity to give your consent to consent-required services. In this context, the IP address and geographic location, opt-in and opt-out data, referrer URL, user agent, your user settings, a consent ID, and the time of consent and the type of consent are collected. Your consent settings are stored in a cookie on your end device. The validity period of the cookie is 6 months.
‍
If you have given us your consent to set cookies and similar technologies and to process your data, you can revoke your consent at any time via the consent settings in the footer of our Platform with effect for the future.
‍
The data collection takes place in accordance with § 25 (2) No. 2 TTDSG, the subsequent data processing in accordance with Article 6 (1) (c) GDPR, since obtaining consent for the use of cookies and similar technologies and the processing of personal data is legally required, and in accordance with Article 6 (1) (f) GDPR based on our legitimate interest in consent management.

11. Sentry

To ensure the technical stability of our Platform, we use Sentry, an analysis service provided by Functional Software, Inc. (“Sentry"). Through the service, we collect user data such as the IP address, browser and device information, as well as any steps that led to a technical error in the code (including stack trace). Bugs are reported by Sentry.io and can be analyzed. The service does not use cookies or similar technologies. Sentry processes the data on our behalf.
‍
Data collection and data storage is carried out in accordance with Section 25 Paragraph 2 No. 1 TTDSG. The subsequent data processing is carried out in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR on the basis of our legitimate interest in ensuring the functionality and availability of our Platform and based on our legitimate interest in efficient error monitoring, elimination and performance monitoring.

12. Registration

In order to use the services and conclude investment and profit participation contracts via the Platform, you must successfully register on the Platform and create a user account using a valid email address and/or connect your account to an external Blockchain wallet.

To manage and authenticate your user account, we use the services of Horkos, Inc. (d/b/a Privy), 228 Park Avenue South, PMB 67932, New York, NY 10003, USA (https://www.privy.io). Privy enables login via various authentication methods (e.g., Google or email link).

Privy acts solely as a technical data processor pursuant to Art. 28 GDPR on behalf of Tokenize.it. The data processed includes, in particular, your email address, login metadata, and, where applicable, cryptographic keys used for signing your transactions.

The transfer of personal data to the United States is based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Further information on how Privy processes personal data is available at: https://www.privy.io/privacy-policy.
‍
The user's registration may require the successful completion of an identification process and the positive verification of the legal requirements for money laundering regulations (in particular the Money Laundering Act), the so-called KYC process, see point 13.
‍
For successful registration as an investor, we also require the investor account to be activated by us and, in the case of Crowdinvesting, require approval of the liability umbrella. Our activation and an approval by the liability umbrella occurs at our and the liability umbrella’s own discretion. Only after successful completion of the KYC process and activation of the account can the user conclude investment and profit participation contracts via the Platform and acquire or receive participation rights in the form of tokens via the Platform.
‍
a) Natural person
If you register as a natural person on our Platform, we collect your first and last name, your address and email address. We will then send you an email to the email address you provided, asking you to verify your email address and confirm registration on our Platform (so-called double opt-in procedure).
‍
b) Legal entities or partnerships
If legal entities or partnerships register as investors in their own name and on their own account and not on behalf of a third party, in particular not as trustees, we collect data from the registered Platform user. This includes the first and last name, position in the company and email address. After entering the data, the registered user receives an email asking them to verify the email address provided and to confirm registration on our Platform (so-called double opt-in procedure).
‍
For successful registration of a legal entity or partnership, further company information must be provided, such as the company name, a general company description, the commercial register number and company address.

13. Know-Your-Customer ("KYC") Process

As part of the registration, an identification process and a money laundering check, the so-called “KYC” process, may take place. This applies in particular to participation in a public fundraising campaign (hereinafter referred to as "Crowdinvesting"). The KYC process is intended to prevent business relationships from developing with people who are linked to, among other things, terrorism, corruption or money laundering. Another goal is to ensure compliance with applicable sanctions.
‍
The identity check and the comparison of your data according to money laundering regulations may be carried out for Private Offers via a service provider connected to the Platform (e.g. IDnow GmbH, Munich) and for Crowdinvesting via a service provider commissioned by our liability umbrella. Further information about Idnow GmbH's identification process can be found at https://www.idnow.io/de/faq/.
‍
In the context of us providing investment brokerage services, the liability umbrella sends us the results of its KYC checks in order for us to fulfill our legal obligations. The liability umbrella is responsible for processing your data itself. Further information can be found in the liability umbrella's data protection information at https://concedus.com/dokumentencenter/. We may also pass on the data to the fundraising company.

13.1 Identity verification

Identity verification ensures that a known natural and real live person is behind any transaction. As a primary outcome, it proves that any person is who they say they are. It is required by law and prevents one person from carrying out a transaction on behalf of another person without authorization and using fake identities to commit fraud.
‍
We receive the identification result, which contains images of the user and the identification document.
‍
Data processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with. §§ Sections 10, 11 para. 1 sentence 1, 12 GWG on the basis of a legal obligation to identify contractual partners, any persons acting on their behalf and beneficial owners before establishing a business relationship.
‍
a) Natural person
For the purpose of identification, we collect the following data in accordance with Section 11 paragraphs 4 and 5 GWG: first and last name, place of birth, date of birth, nationality and a residential or postal address.
‍
During identity verification, the user's ID and identity are checked via Auto-Ident or VideoIdent, depending on legal requirements. The identity check is carried out using a valid identification document (e.g. passport, ID card, residence permit, driving license).
‍
As part of the identity check, the identification document is first verified. The document’s key information is read and static security checks are carried out. Biometric verification is then carried out in which the user is compared with the image of the ID document.
‍
b) Legal entities or partnerships
For the purpose of identification, we collect the following information in accordance with Section 11 Paragraphs 4 and 5 GWG: formal legal company name or designation, legal form, registration number, if available, address of the registered office or main branch and the names of the members of the representative body or the names of the legal representatives.
‍
For the verification, an extract from the commercial register, confirmation of the representative’s status as an authorized representative, the certificate of incorporation and a list of shareholders must be uploaded. We also need information about the shareholders who own more than 25 percent of the shares in the company. The first and last name, the respective company share, date of birth, place of birth, nationality and address are recorded.
‍
Depending on the product, the identity check is carried out by the company or the liability umbrella, which may commission IDnow.

13.2 Sanctions list comparison

Part of the KYC process is the comparison of the actual beneficial owners with sanctions lists. We check whether the investor or beneficial owner is on sanctions lists. Sanctions lists are lists of people, groups or organizations against whom economic or legal restrictions have been imposed. No financial assets or economic resources may be made available, directly or indirectly, to those included in these lists.
‍
As part of the sanctions list check, the name and address of the authorized person are compared with the sanctions lists. If we do not find a corresponding entry, the check is completed without any further consequences for the person concerned. If we we find a potential match, we inform the person concerned about this result and give them the opportunity to comment. A decision is then made about establishing or continuing a business relationship. If the data of the person concerned matches a data set on the sanctions list, we are obliged to report the hit to the Deutsche Bundesbank. The result of this test is recorded as evidence.
‍
Data processing related to the comparison with sanctions lists is carried out in accordance with Article 6 Paragraph 1 Sentence 1 Letter c GDPR in order to fulfill our legal obligation to check and comply with sanctions lists.

13.3 Determination of PEP status (politically exposed persons)

According to the Money Laundering Act, as part of the general due diligence obligations in accordance with Section 10(1) no. 4 GWG, we check whether the investor or its beneficial owner is a politically exposed person (hereinafter “PEP“), a family member or a person known to be close to a PEP, see Section 1 para. 13 et seq. of the GWG. This is done as part of our KYC process.
‍
According to Section 1 para. 12 of the GWG, any person who holds or has held a high-ranking, important public office at the international, European or national level or who holds or has held a public office below the national level whose political significance is comparable is to be regarded as a PEP.
‍
As part of the PEP check, the name and address of the beneficiary are compared with the PEP lists. Identification as a politically exposed person, a family member of a PEP or a person known to be close to a PEP means that there is a higher risk of money laundering or terrorist financing in accordance with Section 15 of the GWG, which is why we must fulfill increased due diligence obligations in accordance with Section 15 of the GWG. In order to fulfill our due diligence obligations, additional personal data may be collected, for example in order to be able to determine the origin of the assets used as part of the business relationship.
‍
If we have any facts that indicate that
- an asset that is related to a business relationship or a transaction comes from a criminal offense that could constitute a predicate offense of money laundering,
- a business event, transaction or asset is related to terrorist financing or
- you do not fulfill your disclosure obligation in accordance with Section 11 para. 6 sentence 3 GWG, whether you want to establish, continue or carry out the business relationship or transaction for a beneficial owner,
‍
we are legally obliged to report suspected money laundering to the Central Office for Financial Transaction Investigations.
‍
We reserve the right to check the PEP status at appropriate intervals during the ongoing business relationship.
‍
The data processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with. § Section 10 para. 1 no. 4 GWG and Section 15 para. 2, 3 no. 1 GWG on the basis of a legal obligation to check and fulfill increased due diligence obligations in accordance with Section 15 GWG to combat money laundering.

13.4 Adverse-Media Check

On a case-by-case basis, part of the KYC process may include carrying out an adverse media screening of investors or their beneficial owners.
‍
Adverse media is publicly available information that is viewed by financial institutions as relevant to financial crime risk management. The purpose of the comparison is to determine whether the high-risk data subject has been investigated for money laundering or terrorist financing in the past or whether the data subject has been subject to regulatory enforcement in the past.
‍
The data processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with. § Section 10 para. 1 no. 4 GwG on the basis of our legal obligation to fulfill our due diligence obligations to combat money laundering and in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our legitimate interest in protecting ourselves against financial, legal and reputational risks.

14. User account; Linking a wallet; Conclusion of investment and participation contracts

Companies, investors and token recipients need a blockchain wallet to issue, purchase, receive and hold tokens. We have integrated a wallet infrastructure on our Platform. This gives you the option of connecting your user account to one or more wallets (e.g. MetaMask, WalletConnect, Coinbase Wallet) or having the Platform create a “virtual wallet” that is connected to your Google account. Your user account will then be linked to your wallet address or Google account and signed with your private key or Google account password.
‍
By registering, you have the opportunity to conclude investment and profit participation contracts via our Platform and to invest in companies. You can manage the token-based investments and participations yourself in your account.
‍
Deletion of your user account is possible at any time and can be done by sending a message to our address above. You also have the option of deleting your user account yourself by logging into the platform and using the delete function under "Account". Issued tokens and the associated smart contracts remain on the public Ethereum and/or Gnosis blockchain regardless of whether your user account still exists. If you request the deletion of your user account, we will block your data with regard to the statutory retention periods and delete it after these periods have expired, unless you have expressly consented to further use of your data or we have reserved the right to further use of your data as permitted by law, about which we will inform you accordingly below.

15. Appropriateness check

When providing investment brokerage services, we and the liability umbrella are legally obliged to assess the appropriateness of the investments for investors. As a tied agent, we are also obliged to transmit the results of the appropriateness check to the liability umbrella. The liability umbrella is separately responsible for the processing of your data. Further information can be found in the data protection information of the liability umbrella at https://concedus.com/dokumentencenter/.
‍
In order to assess the appropriateness of the investments for you as an investor, we request information about your knowledge and experience as an investor with regard to transactions with certain types of financial instruments or investment services as part of the registration process or an individual investment. This includes information about the types of financial investments with which you are already familiar, the type, scope, frequency and period of past transactions with financial investments, as well as information about your training and professional activity. We also ask you about your assets and income. This includes estimates of your monthly income and details of your investment portfolio. This data is processed to determine your maximum investment amount. Based on the information you provide about your previous knowledge and experience with securities and investments as well as capital market products and your financial circumstances, we create an investor and financial profile.

We will only inquire about your financial circumstances to the extent that this is required as part of providing investment brokerage services or otherwise required by law, and only with the aim of providing you the resulting information required by law, but not for the purpose of providing personalized investment recommendations.

It is your choice whether or not to provide information about your financial knowledge and experience, however, without this information, the liability umbrella and we as a tied agent cannot assess whether the investments available on the Platform are appropriate for you.

The evaluation may show that your financial knowledge and experience are not sufficient to adequately assess the risks associated with the acquisition of these types of securities. If the liability umbrella and we, as part of the appropriateness check, come to the conclusion that the investments offered are or may not be appropriate for you, we will inform you accordingly. Informing you of such a decision serves merely as a warning. You still have the opportunity to invest if you choose to do so.

Data processing is carried out in accordance with Art. 6(1) sentence 1 lit. c GDPR in conjunction with Section 16 (2) FinVermV on the basis of our legal obligation to carry out an appropriateness check prior to providing investment brokerage services.

16. Setting up a Monerium account

Monerium EMI ehf., Bjargargata 1, 102 Reykjavík, Iceland (“Monerium”) operates a proprietary on-chain payment solution that automates the issuance and redemption of electronic money and facilitates automatic settlement and reconciliation.
‍
You have the option of setting up a Monerium bank account when subscribing to certain investments on the Platform. By setting up a bank account with Monerium, you will receive a Monerium IBAN ("IBAN") that you can use to add funds for issuing e-money on the blockchain. In addition, you get the opportunity to hold electronic money in different currencies at the same time.
‍
If you have a Monerium bank account, you can link the Monerium IBAN to your user account on this Platform.
‍
Each IBAN is customer-specific and managed by Monerium. When funds are transferred to your IBAN account, an automatic process is initiated that issues e-money to your linked blockchain address oder “virtual wallet” linked to your Google account. You can also use your IBAN to send payments via traditional payment networks such as the Single Euro Payments Area ("SEPA"). Once you submit a send request, the corresponding value of e-money will be redeemed from your linked blockchain address or Google Account “virtual wallet”. Monerium charges for its services in accordance with the fee schedule available on the Monerium website: https://monerium.com/.
‍
If you decide to set up a bank account with Monerium, we will transmit the result of our KYC check to Monerium in order to fulfill your legal obligations in accordance with Article 6 Paragraph 1 Sentence 1 Letter c GDPR. Monerium is responsible for processing your data. Further information can be found in Monerium's data protection information at https://monerium.com/policies/privacy-notice/.
‍
For more information about Monerium and its services, please visit https://monerium.com/policies/business-terms-of-service/.

17. Hotjar

We use the web analytics service Hotjar of Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (“Hotjar”).
‍
Hotjar collects information about the use of our Platform on our behalf to evaluate it, compile reports on activities within this Platform. Hotjar sets cookies on our Platform for these purposes, which are stored on your device, as well as web storage.
‍
The following data is processed as part of web analytics: IP address and geographical location, browser and device information, and referrer URL. In addition, information about the usage behavior of our visitors on the Platform is recorded. With Hotjar, we can record your mouse and scroll movements and clicks. Hotjar can also determine how long you stayed with the mouse pointer on a specific spot. Hotjar creates so-called heatmaps from this information, which can be used to determine which areas of the Platform are preferred by the Platform user. Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you abandoned your entries in a contact form (so-called conversion funnels). Hotjar creates pseudonymous user profiles. The collected data is stored for 12 months.

The data is usually transmitted to a server in the USA.
‍
Data collection and storage are carried out in accordance with § 25 (1) TTDSG. Subsequent data processing is carried out in accordance with Article 6 (1) (a) GDPR based on your explicit consent. You can revoke your consent at any time with effect for the future in the consent settings.

For more information on Hotjar's privacy policies, please visit https://www.hotjar.com/privacy.
‍

Last edited: 27 May 2025