Privacy Policy

Version “App” 6.0 from 22 March 2024

Information about the processing of your data

In accordance with Article 12 of the General Data Protection Regulation (hereinafter: GDPR), we are obliged to inform you about the processing of your data when using our app. We take the protection of your personal data very seriously and this data protection declaration informs you about the details of the processing of your data and your legal rights in this regard. We reserve the right to adapt the data protection declaration with effect for the future, especially in the case of further development of the app, the use of new technologies or changes in the legal basis or the corresponding case law. We encourage you to review the Privacy Policy from time to time and keep a printout or copy for your records.

Definitions

Scope

The data protection declaration applies to all functions of the native Timeless app for mobile devices. It does not extend to any linked websites or internet presences from other providers.

Responsible Provider

Responsible for the processing of personal data within the scope of this data protection declaration is:

New Horizon GmbH
Neue Schönhauser Str. 2
10178 Berlin

contact@timeless.investments

Questions about data protection

If you have any questions about data protection with regard to our company or our app, you can contact our data protection officer:

SPIRIT LEGAL Fuhrmann Hense partnership of lawyers
Lawyer and data protection officer
Peter Hense

Postal Address

Data Protection Officer
New Horizon GmbH
Neue Schönhauser Straße 2
10178 Berlin

Contact via email:

dataprivacy@timeless.investments

Security

We have taken comprehensive technical and organizational precautions to protect your personal data from unauthorized access, misuse, loss and other external disturbances. To this end, we regularly review our security measures and adapt them to the state of the art.

Your rights

You have the following rights with regard to your personal data, which you can assert against us:

You can assert your rights by writing to the contact details given in the “Responsible provider” section or to the data protection officer appointed by us. If you believe that the processing of your personal data violates data protection law, you also have the right under Art. 77 GDPR to complain to a data protection supervisory authority of your choice. This also includes the data protection supervisory authority responsible for us: Berlin Commissioner for Data Protection and Information Security, Friedrichstr. 219, 10969 Berlin. You can find more information about your rights in relation to your personal data, for example, from the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en .

Legal bases for processing

We process your personal data if and to the extent that this is necessary for the initiation, justification, implementation and/or termination of a legal transaction with our company. The legal basis for this is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. After the purpose has been achieved (e.g. contract processing), the personal data will be blocked for further processing or deleted, unless we are entitled to the further storage and processing required in the respective context on the basis of your consent (e.g. consent to the processing of the e-mail address for sending electronic advertising mail), a contractual agreement, a legal authorization (e.g. authorization to send direct mail) or legitimate interests (e.g. storage to enforce claims). Your personal data will be passed on if it is necessary for the establishment, implementation or termination of legal transactions with our company (e.g. when passing on data to a payment service provider/a shipping company to process a contract with you), (Art. 6 Paragraph 1 sentence 1 lit. b) GDPR), or

Your personal data will not be passed on to other people, companies or bodies unless you have given your effective consent to such a transfer. The legal basis for the processing is Article 6 Paragraph 1 Clause 1 Letter a) GDPR.

Download the mobile app

When downloading the mobile app, the required information and your data will be sent to the app store you have selected (Google Play: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland or Apple App Store: Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA), in particular username, email address and customer number of your accounts, time of download, payment information and the individual device code. We have no influence on this data processing by Apple and Google and are not responsible for it. We only process data to the extent necessary to download the mobile app to your mobile device. Apple and Google may also process your data in the USA. We have agreed standard contractual clauses with Apple and Google to oblige both providers to maintain an appropriate level of data protection. We will provide you with a copy on request. Further information on data protection, in particular on the storage period, can be found for Apple at https://www.apple.com/legal/privacy/en-ww/ and for Google at https://policies.google.com/privacy?hl=en&gl=en .

Use of the native app, access data

As part of your use of the app, we automatically process certain data that is required for the use of the app, in particular to ensure access to the Internet. This includes:

The access data is not used to identify individual users and is not merged with other data sources. The access data will be deleted when they are no longer required to achieve the purpose for which they were processed. In the case of the collection of data for the provision of the app and internet access, this is the case when you end your visit to the app.

The access data is automatically transmitted to us in order to make the app and the associated functions available to you and to prevent and eliminate misuse and malfunctions. Processing of your IP address, for example, is required for the duration of the app usage session. IP addresses are stored in log files to ensure the functionality of the mobile app and to prevent misuse. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. The access data will be stored for as long as is necessary to achieve the purpose of the processing. In the case of the collection of data for the provision of the app and for internet access, this is the case when you exit the app.

IP addresses are stored in log files to ensure the functionality of the mobile app. In addition, we use the data to optimize the mobile app and to ensure the security of our information technology systems. In principle, the data will be deleted after seven days at the latest; further processing is possible in individual cases. In this case, the IP address is deleted or altered in such a way that it can no longer be assigned to the calling client.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Contacting our company

If you contact our company, e.g. by e-mail, the personal data you provide will be processed by us to answer your request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. The data is processed exclusively for processing in the context of the conversation. We delete the data arising in this context after the processing is no longer necessary, or restrict the processing to compliance with the existing statutory retention requirements.

You can object to the processing. Your right to object exists for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Create Account

When registering in our app, you can log in with your Google, Apple or Facebook accounts or you must enter your e-mail address and a password of your choice. If you wish to acquire a share of a digital asset, further personal data will be requested, e.g. your name and address. Furthermore, the following data is processed at the time of registration: IP address, date/time of registration. The data will be deleted as soon as they are no longer required to achieve the purpose of their processing. After successful registration, you will be assigned an account ID to enable transactions to be assigned to you.

The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your data is contractually required and obligatory for registering for the app. If you do not register, it is not possible to conclude/implement a contract for using the app. The data will be stored until they are no longer required to achieve the purpose of their processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements with regard to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed. If you remove the app from your end device, we will delete your data collected for using the app.

Google sign in

You have the option of registering in our app using the Google login function. “Google Sign In” allows you to log in to us using your Google account. The purpose of this option is to save you the hassle of creating another account and the time it takes to complete the registration process. When you log in with your Google account, your relevant data will be transmitted to us by Google, in particular your name, email address, profile picture and language settings. Google, on the other hand, is given the opportunity to collect and process information about your user behavior in our app. If you are logged in via your Google account, it is possible for Google to receive data on your user activity, your app calls and other short-term data. Google may also process your data in the USA. We have agreed standard contractual clauses with Google to oblige Google to maintain an appropriate level of data protection. We will provide you with a copy on request.

The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the “Google Sign In” option, we are pursuing the legitimate interest of making it easier for you to use our app by not having to create another account and by using your Google account to save time in the registration process. Google deletes all data at the latest when you delete your Google account ( https://policies.google.com/technologies/retention?hl=en ). Further information on data protection at Google can be found under the following link: https://policies.google.com/privacy?hl=en .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Facebook sign up

To enable you to register in our app via your Facebook account, we have implemented a Facebook login function using programming interfaces from Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, hereinafter: “Facebook”). If you use the login function offered by our app, you have the option of logging into our app via Facebook. The purpose of this integration is to make the registration process easier for you, to optimize our registrations and to have Facebook campaigns convert better. When you use the Facebook login function, Facebook sends us personal data from you, in particular your surname, first name, email address and Facebook user ID. In turn, Facebook processes information from you about app events (in particular app installations, loading the SDK, SDK performance and app starts), configuration data, error messages and other short-term data such as your user activity after you have logged in. Facebook may also process your data in the USA. We have agreed standard contractual clauses with Facebook to oblige Facebook to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the Facebook login function, we are pursuing the legitimate interest of saving you from registering on our platform and optimizing our offer or designing it individually for you. According to Facebook, it will stop processing data as soon as the data is no longer required to provide services and Facebook products. Further information on the storage period and other information on data protection on Facebook can be found in the associated data protection guidelines at https://de-de.facebook.com/about/privacy/ . You can find more information about Facebook’s programming interfaces at: https://developers.facebook.com/docs/ios and https://developers.facebook.com/docs/android .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Apple Sign In

You also have the option of registering in our app using the Apple login function. With the help of “Apple Sign In” you can log in to us with your Apple ID. We would like to save you the creation of an additional account and the time required for the registration process. When you log in with your Apple ID, depending on your selection, either your email address stored with Apple or an email address generated once by Apple will be sent to us. Only Apple can assign the e-mail address once created to the user and their e-mail address. Apple, on the other hand, only receives the information that you are a user of our app. There is no further processing of your usage data by Apple. Apple may also process your data in the USA. We have agreed standard contractual clauses with Apple to oblige Apple to maintain an adequate level of data protection. We will provide you with a copy on request. The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the login function, we are pursuing the legitimate interest of saving you from registering on our platform and optimizing our offer or designing it individually for you. Further information on data protection, in particular on the storage period, can be found at https://www.apple.com/legal/privacy/en-ww/ .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Data transfer to Switzerland / the EU

If users from Switzerland use the app, data will be transferred to member states of the EU and vice versa to Switzerland to provide the app. Data is transferred to Switzerland on the basis of the European Commission’s adequacy decision 2000/518/EG (available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32000D0518&from=EN) according to Art. 45 GDPR, according to which Switzerland offers an appropriate level of protection for your data. Data is transferred to the European Union on the basis of the list of countries published by the Swiss Federal Data Protection and Information Commissioner for countries of the European Union that offer an appropriate level of protection under Swiss data protection law.

Authorizations for access to functionalities of your end device

The use of the app requires the following authorizations of the respective end device:

The processing of the corresponding usage data (IP address, photo, etc. and end device information) takes place to provide the app functionalities and is required to use the app. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your usage data is necessary for the fulfillment of the user contract between you and us and you are contractually obliged to provide your usage data. If your data is not provided, you can only use the app to a limited extent, i.e. it is not possible to conclude and/or implement the contract by accessing the hardware and processing the usage data. We store the data related to accessing the functionalities of your end device for as long as they are required to provide the app functions.

Reservation, purchase and sale of shares

Various functions relating to digital assets are available to you in our app in accordance with the applicable terms of use. If you reserve a share in a digital asset (share), your expression of interest will be assigned to your user account. If you decide to purchase a share, further personal data such as your full name and address will be requested and stored in your user account and wallet along with an overview of your transactions. Only your wallet ID is then stored with the digital asset on the blockchain. Only a randomly assigned identification number is assigned and processed on the blockchain. Your digital assets are mapped to this ID on the blockchain. Provider is EOS Blockchain (Block.one, George Town, Cayman Islands). There is no adequacy decision for the transmission of your data. We have concluded standard data protection clauses with Block.one in order to oblige Block.one to provide an appropriate level of data protection. We will provide you with a copy on request. We process your data exclusively for contract processing and will forward your payment data in particular to the respective payment service provider for the purpose of payment processing, depending on the payment method you have selected. For more information, see the “Payment Service Providers” section.

If you decide to sell your share or buy new shares after the lookup period has expired, the information will be added to your wallet in your user account. Only your wallet ID is then stored with the digital asset on the blockchain. If shares are sold, the data will be processed in accordance with the payment method used for the repayment. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion and implementation of the contract. If the data is not provided, it is not possible to acquire shares in digital assets.

Payment service provider

Stripe

The payment options Apple Pay, Google Pay, credit card, Sofort Banking, Direct Banking and GiroPay are integrated via “Stripe” (provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe”). If you select one of the payment options mentioned, the payment details you provided during the booking process together with the information about your booking will be passed on to “Stripe” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the payment methods mentioned. As part of the data processing, your data will also be transmitted to the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. We have concluded so-called standard contractual clauses with “Stripe” in order to oblige “Stripe” to an appropriate level of data protection. We will be happy to provide you with a copy on request. Further information on data protection and the storage period at Stripe can be found at: https://stripe.com/en/privacy .

Apple Pay

In our app we offer you payment via “Apple Pay” (Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA). If this payment method is selected, the payment will be processed via “Apple Pay”. We pass on the payment details you provided during the booking process together with the information about your booking to “Apple Pay” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Apple Pay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

Google Pay

In our app we offer you payment via “Google Pay” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). If this payment method is selected, the payment will be processed via “Apple Pay”. We pass on the payment details you provided during the booking process together with the information about your booking to “Apple Pay” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Apple Pay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

Credit card payment

If you select the “credit card” payment method, we will pass on the payment data required for the credit card payment to the bank commissioned with the payment or to the payment and billing service provider commissioned by us, if necessary, for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or carry out a contract using a credit card payment. The data required for payment processing are transmitted securely via the “SSL” procedure and processed exclusively for payment processing. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

secupay

The payout of the sales of the trading function described below is handled by “secupay” (provider is secupay AG, Goethestraße 6, 01896 Pulsnitz, Germany). If you accept the conditions for the fiduciary processing of payments, the disbursement data you provided during the registration process, consisting of the disbursement amount, disbursement account and identification data, will be shared with secupay. The processing is based on Article 6 para. 1 p. 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion of the contract or the execution of the payout. If the payment data is not provided, it will not be possible to conclude the contract and/or carry out the payment. The data required for the payout shall be forwarded to secupay via API and processed exclusively for the purpose of processing the payout. We delete the data accrued in this context after the storage is no longer required or restrict the processing if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we restrict the processing and reduce the processing in compliance with the existing legal obligations. Further information on the processing of your data by “secupay” can be found at: https://secupay.com/en/privacy

SOFORT

If you select the “SOFORT” payment method as part of your payment, we will forward the data you have provided to Sofort GmbH (Theresienhöhe 12, 80339 Munich, Germany; hereinafter referred to as “SOFORT”) for the purpose of payment processing. “SOFORT” is a direct transfer procedure in which a transfer can be completed and executed in real time during the payment process. To do this, you will be redirected to the website of the payment service provider “SOFORT”. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract using the “SOFORT” payment method. The data required for payment processing are transmitted securely via the “SSL” procedure and processed exclusively for payment processing. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations. Further information on the processing of your data by “SOFORT” can be found at https://www.sofort.com/datenschutz.html .

Giropay

You have the option of paying using “Giropay” (Giropay GmbH, An der Welle 3, 60322 Frankfurt am Main, Germany, hereinafter: “Giropay”). “Giropay” is a direct transfer method that allows a transfer to be made during the ordering process. To do this, you will be redirected to the website of the payment service provider “Giropay”. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Giropay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations. You can find more information on the processing of your data by “Giropay” at https://www.giropay.de/rechts/datenschutzerklaerung .

Trading shares

Verification and Identification Procedures

In addition to reserving, buying and selling shares, you can also trade digital assets (shares) in our app. In order to be able to use this function fully, it is necessary due to legal obligations under the Money Laundering Act that the user account is verified. For this we use the video identification services of WebID (WebID Solutions GmbH, Friedrichstraße 88, 10117 Berlin) and Onfido (Onfido Ltd., 3 Finsbury Avenue London EC2M 2PA United Kingdom). After calling up the identification process in our app, you will be forwarded to either a WebID or Onfido interface.

If you have not yet carried out an identity check for another service provider, your personal data such as first and last name, address, place and date of birth will be transmitted to WebID or Onfido. The transmission of this master data serves to verify the user by means of an audio-visual video identification and to verify a permissible identification document. This includes checking security features of an acceptable identification document to prevent misuse, fraud and counterfeiting by presenting the identification document during audiovisual video identification or scanning the identification document. The processing of your personal data as part of the video identification procedure is carried out for the purpose of ensuring the statutory due diligence and identification obligations under the Money Laundering Act and the prevention of money laundering and terrorist financing. The video identification process is carried out in accordance with the specifications of the Federal Financial Supervisory Authority for video identification procedures. Data is transferred to the United Kingdom to provide the Onfido verification service. The data transfer takes place on the basis of the adequacy decision of the European Commission C(2021) 4800 final according to Art. 45 GDPR, according to which the United Kingdom offers an adequate level of protection for your data.

In the course of the verification process, due to the legal due diligence and identification obligations under the Money Laundering Act, information on tax liability as well as knowledge and experience with financial products is requested in addition to the master data. In addition, to ensure the trading function, New Horizon carries out investment brokerage as a contractually bound agent (cf. Section 2 (10) of the German Banking Act) of the financial services institute CONCEDUS (CONCEDUS GmbH, Schlehenstraße 6, 90542 Eckental). For the purposes of this mediation activity, CONCEDUS is provided with the user’s master data such as first and last name, address, place of birth, date of birth and information from the video identification (photo ID document, portrait photo, audio and video file) in order to fulfill the legal due diligence and identification obligations under the Money Laundering Act. The app also asks whether the user is a politically exposed person (PEP). After successfully identifying and verifying the account by entering the TAN provided by WebID or Onfido in our app, the user can trade shares as a seller or buyer.

In order to fulfill the due diligence and identification obligations under the Money Laundering Act, an address check based on the address data provided (salutation, first name, surname, gender derived from the salutation or first name, academic degree, title, street, house number, postcode, town and city addendum) is required as an additional independent source. For the address comparison, we use the “Addressfactory” service of Deutsche Post (Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf) to determine the existence of the specified address. With the help of the address comparison, we can check the address data provided against the data stored at Deutsche Post to ensure that it is up to date and deliverable (e.g. correcting the spelling of names, processing relocations, blocking data as a result of death) and thus comply with our due diligence and identification obligations under the Money Laundering Act. Further information can be found in Deutsche Post’s data protection information regarding address matching. In the event that the address check fails because Deutsche Post does not have the information for the address comparison (e.g. moving to a new apartment), we politely ask users, in order to fulfill the due diligence and identification obligations under the Money Laundering Act in accordance with the requirements of the Federal Financial Supervisory Authority, to present the letterhead of an invoice from the respective energy supplier or telecommunications provider, from which the name, address and date can be seen. A corresponding copy of the proof of identity will be forwarded to the financial services institution CONCEDUS for the purpose of proving compliance with the due diligence and identification obligations under the Money Laundering Act.

Your personal data is processed for the purpose of preventing money laundering and terrorist financing. The legal basis for processing as part of the implementation of the verification procedure is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in conjunction with Article 11a Paragraph 1 of the Money Laundering Act (GwG). According to Sections 10 ff. GwG, we are legally obliged to identify users of the trading function with the necessary care. The storage period of the data for carrying out the verification procedure is five years in accordance with the legal storage obligation under the Money Laundering Act, unless other legal provisions on recording and storage obligations provide for a longer period.

Selling Shares

To offer shares (selling), the user selects the number and unit price of the shares in our app that he would like to offer for sale. After binding confirmation, the offer will be published on the “bulletin board” in the app and the user will be asked to provide their bank details to which the subsequent payment should be made. The master data provided will be processed exclusively for the purpose of executing the contract. Payments are processed by the payment service provider Stripe (provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe”). The processing of the payouts is handled by the payment service provider secupay (provider is secupay AG, Goethestraße 6, 01896 Pulsnitz, Germany, hereinafter: “secupay”). When carrying out the sales process, the amount due, the desired payment method, the customer data, the shopping cart and the payee involved in the transaction are transmitted to Stripe via a programming interface (API). The master data recorded as part of the identification process is transmitted to Stripe by the financial services institute CONCEDUS (CONCEDUS GmbH, Schlehenstraße 6, 90542 Eckental) to secupay for confirmation of the successful verification process. Stripe will then request the payment details. Stripe checks the transmitted data in real time and gives us feedback as to whether the transaction was successful. If the offer is accepted, the payment and the relevant information will be added to your wallet in your app. Before a payment is requested by the user, the transaction shares are calculated for all payees and created at secupay as follow-up transactions, and the payment data is submitted to the user’s respective bank. For more information on Stripe’s processing, see the section above entitled Stripe.

The legal basis for processing in connection with the sale of shares is Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion and implementation of the contract. If the data is not provided, trading or selling shares in digital assets is not possible. The data will be stored for as long as they are required to achieve the purposes of processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements in relation to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed.

Buying shares

To purchase shares (buying), the user selects the relevant asset and checks it. If he decides to accept the offer of the selling user, he can confirm this by clicking the “Buy now” button. Depending on the payment method you have chosen, your payment data will then be sent for the purpose of payment processing via the payment service provider Stripe (provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe”) to Sofort GmbH (Theresienhöhe 12, 80339 Munich, Germany) if you choose the payment method “Sofort”, or to the respective bank or payment service provider according to the payment method you have chosen. For more information on how each payment method is processed, please see the section above under the heading of the relevant payment method. For more information on Stripe’s processing, see the section above entitled Stripe. After successful completion of the purchase, your purchased shares will be assigned to your wallet. Only your wallet ID is stored with the digital asset on the blockchain.

The legal basis for processing in connection with the purchase of shares is Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion of the contract or the implementation. If the data is not provided, trading or the purchase of shares in digital assets is not possible. The data will be stored for as long as they are required to achieve the purposes of processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements in relation to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed.

Paying taxes, query to the Federal Central Tax Office

Within the scope of our offer of financial products, we are obliged to pay the capital gains tax, church tax and, if applicable, the solidarity surcharge. For the purpose of fulfilling our obligation to pay the capital gains tax as well as the church tax and, if applicable, the solidarity surcharge, we process your data, such as tax identification number and your investment income, and transmit them to the tax office, if applicable. In this context, we may ask the Federal Central Tax Office whether you are liable for church tax by providing your tax identification number and your date of birth. If we do not know your tax identification number, we can also request this from the Federal Central Tax Office. The legal basis for processing your data in connection with the withholding of capital gains tax is Art. 6 (1) sentence 1 lit. c) GDPR in conjunction with Section 44 (1) sentence 3 of the German Income Tax Act (EStG). The legal basis for the query at the Federal Central Tax Office is Art. 6 para. 1 p. 1 lit. c) GDPR in conjunction with § 51a para. 1, para. 2c no. 3 EStG. The legal basis for querying your tax identification number is Art. 6 para. 1 p. 1 lit. c) GDPR in conjunction with § 51a para. 1, para. 2c no. 3 and no. 2 EStG. The storage period of the data is six years in accordance with the statutory retention obligation, unless other statutory provisions on recording and retention obligations provide for a longer period.

Joint responsibility within the framework of contract implementation

For the execution of the contract, we process together with Timeless Investments GmbH & Co. KG (Neue Schönhauser Str. 2, 10178 Berlin) your data required for the purchase and sale of fractions (such as title, academic degree, first and last name, address, e-mail address, date of birth, place of birth, information on tax liability, knowledge and experience with financial products, capacity as a politically exposed person as well as data on the transacted assets offered by Timeless Investments GmbH & Co. KG). We are joint controllers with Timeless Investments GmbH & Co. KG with regard to the collection and processing of personal data required to perform the contract with Timeless Investments GmbH & Co. KG, the invoicing on behalf of the fractional owners, the verification of the disbursement requirements as well as the coordination of the distribution of the payment receipt among the fractional owners who meet the disbursement requirements, and the ongoing reminder of the fractional owners at the disbursement date, if the disbursement requirements are not met. For the purpose of executing the contract, Timeless Investments GmbH & Co. KG will have access to the data collected via our platform and will process your data for the purpose of managing and executing the contract concluded with Timeless Investments GmbH & Co. KG.

In principle, you can assert your data protection rights within the scope of joint responsibility both against us and against Timeless Investments GmbH & Co. KG. Timeless Investments GmbH & Co. KG and we will inform each other without delay about the assertion of data subject rights and provide each other with all information necessary to respond to requests for information. Within the scope of the data subject rights, we act as a central point of contact. You can find our contact details in the section “Responsible provider”. For further information on processing by Timeless Investments GmbH & Co. KG, please refer to the data protection information [link] of Timeless Investments GmbH & Co. KG.

Email Marketing

Existing customer advertising

We reserve the right to use the e-mail address you provided during registration in accordance with legal regulations to send you the following content by e-mail during or after registration, provided that you have not already objected to this use of your e-mail address or to push notifications:

If the sending of electronic information is not necessary for the execution of the contract (e.g. e-mail in an informative format) and the legal basis from Article 6 Paragraph 1 S. 1 lit. b) GDPR is relevant, the processing is based on the legal basis according to Article 6 Paragraph 1 sentence 1 lit. f) GDPR. Our legitimate interests in the processing mentioned lie in increasing and optimizing our services, sending direct mail and ensuring customer satisfaction. We delete your data when you end your user contract, but no later than three years after the end of the contract. For more information about the email marketing service used to send email advertising, see the SendInBlue section.

We would like to point out that you can object to the receipt of direct mail and data processing for the purpose of direct mail at any time without incurring any costs other than the transmission costs according to the basic tariffs. To do this, click on the unsubscribe link in the respective e-mail, deactivate the push notification function in the app menu item “Notifications”, or send us your objection using the contact details given in the “Responsible provider” section. In the event of an objection, we will continue to process your data, in particular your e-mail address, to ensure that you will not receive any further direct advertising from us. For this purpose, we put your e-mail address on a so-called blacklist, which we can use to carry out a comparison to ensure that you will not receive any further newsletters from us. The legal basis for data processing is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in order to comply with our storage obligation.

If you unsubscribe by exercising your right to object to the processing of your personal data by way of advertising to existing customers, we will process your data, in particular your e-mail address, to ensure that you do not receive any further e-mail advertising from us. For this purpose, we add your e-mail address to a so-called “block list” which enables you not to receive any e-mail advertising from us. The legal basis for data processing is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in order to comply with our obligation to provide evidence, otherwise Article 6 Paragraph 1 Clause 1 Letter f) GDPR. In this case, our legitimate interests consist in complying with our legal obligations to reliably no longer send you e-mail advertising.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.

In addition, we process the aforementioned data for the establishment, exercise or defense of legal claims. The legal basis for processing is Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. In these cases, we have a legitimate interest in asserting or defending against claims.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.

WhatsApp Newsletter

You have the option to subscribe to our newsletter via WhatsApp (WhatsApp LLC., 1601 Willow Road Menlo Park, California 94025, USA and WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; hereinafter: “WhatsApp”), with which we will regularly inform you about the following content:

To receive the newsletter, you are required to provide your name or pseudonym and a valid mobile phone number. We process your mobile phone number for the purpose of sending you our WhatsApp newsletter for as long as you have subscribed to the newsletter. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. a) GDPR. WhatsApp also transfers your data to the USA. No adequacy decision of the EU Commission exists for the USA. We have concluded so-called standard data protection clauses with WhatsApp in order to commit WhatsApp to an adequate level of data protection. We will gladly provide you with a copy upon request. We process your data for the purpose of sending you our newsletter via WhatsApp until you revoke your consent.


You can revoke your consent to the processing of your telephone number for receiving the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message via the contact details provided under “Person responsible”. This does not affect the lawfulness of the processing that took place based on the consent until the time of your revocation.


As part of the use of WhatsApp, certain data are automatically processed that are necessary for the use of the app, in particular to ensure access to the Internet. These include: IP address, date and time of the server request, time zone difference to Greenwich Mean Time (GMT), content of the request (concrete app function), access status, amount of data transferred in each case, app from which the request comes, device type, operating system used and its interface (Android or iOS), language and version of the operating system, device identifiers. We do not process any data of users in this context. WhatsApp (WhatsApp LLC., 1601 Willow Road Menlo Park, California 94025, USA and WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is solely responsible for this processing. For more information about WhatsApp’s privacy policy, please visit: https://www.whatsapp.com/privacy.

Block list

In the event that you unsubscribe from our newsletter, we process your data, in particular your e-mail address or mobile phone number, to ensure that you do not receive any further newsletters from us. For this purpose, we add your email address or mobile phone number to a so-called “block list”, which ensures that you do not receive any newsletter from us. The legal basis for data processing is Art. 6 (1) p. 1 lit. c) GDPR, in order to comply with our verification obligations, otherwise Art. 6 (1) p. 1 lit. f) GDPR. Our legitimate interests in this case are to comply with our legal obligations to reliably no longer send you newsletters.


You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details listed in the “Responsible party” section.

Legal defense

In addition, we process the aforementioned data for the establishment, exercise or defense of legal claims. The legal basis for the processing is Art. 6 para. 1 lit. c) GDPR and Art. 6 para. 1 lit. f) GDPR. In these cases, we have a legitimate interest in asserting or defending claims.


You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details listed in the “Responsible party” section.

Email marketing provider

Braze 

We use the services of Braze, Inc. (330 W 34th St. 18th floor, New York USA, hereinafter “Braze”) for newsletter marketing and push marketing. Braze processes user data such as email, push tokens, interaction data and IP address to control the sending of service, functional and marketing messages and to analyse user interactions. 

The newsletters sent by Braze contain so-called “web beacons” or “tracking pixels” – these are pixel-sized files that are retrieved from the Braze server when the newsletter is opened. As part of this retrieval, information about the browser and your system, as well as your IP address and the time of retrieval, is collected. This information is collected for the purpose of technical improvement of the services on the basis of the technical data or the target groups and your reading behaviour on the basis of the access locations (which can be determined with the help of the IP address) or the access times. The statistics also include whether and when the newsletter is opened and which links are clicked on. Braze’s services enable us to optimise our newsletter campaigns: This allows us to statistically analyse the opening rates of the newsletters, the number of clicks on the links contained therein and the reading time, to measure the reach of the newsletters and thus to adapt the offers and information sent to your personal interests.

With regard to the storage of and access to information on your terminal device, your consent is the legal basis in accordance with Section 25 (1) of the GDPR; your consent is also the legal basis for further processing in accordance with Art. 6 (1) sentence 1 lit. a) GDPR. We will delete your data when you unsubscribe from the newsletter. You can revoke your consent at any time, either by sending us a message (see contact details in the “Controller” section) or by clicking directly on the unsubscribe link contained in the newsletter. This will not affect the lawfulness of any processing carried out on the basis of your consent up to the time of your withdrawal.

Braze also transfers personal data to servers outside the EU, namely the USA, in order to carry out the above functions. For the US, the EU-U.S. Data Privacy Framework is an adequacy decision by the EU Commission that confirms that certified companies provide an adequate level of data protection and legitimises the transfer of data. Braze is certified under the EU-U.S. Data Privacy Framework and is also registered on the U.S. Department of Commerce’s Data Privacy Framework List.
For more information about Braze’s privacy policy, please visit https://www.braze.com/company/legal/privacy.

Brevo

We use the SendInBlue marketing service (Sendinblue GmbH, Köpenicker Straße 126, 10179, Berlin) to send you emails to the email address you have provided or messages within our app for various administrative and functional purposes, such as to reset your password. The legal basis for data processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your data is necessary and obligatory for the execution of the contract in the context of sending messages. If the data is not provided, it is not possible to send messages. If you have not objected to receiving existing customer advertising, we will also send you e-mails or messages with advertising content (further information can be found under the point “Existing customer advertising”). In this case, the legal basis for the processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in the processing mentioned lie in increasing and optimizing our services, information about technical changes to our app, sending direct mail and ensuring customer satisfaction. We delete your data when you end your user contract, but no later than three years after the end of the contract. Further information on data protection at SendInBlue can be found at: https://www.brevo.com/legal/privacypolicy/

If the processing is based on the legal basis of Article 6 Paragraph 1 Clause 1 Letter f) GDPR, we would like to point out that you can object to receiving direct advertising at any time without incurring any costs other than the transmission costs according to the basic tariffs. To do this, click on the unsubscribe link in the respective e-mail, deactivate the push notification function in the app menu item “Notifications”, or send us your objection using the contact details given in the “Responsible provider” section.

Notifications

This app uses Google Firebase with Google’s In App Messaging and Cloud Messaging features to show you notifications on your device in Notification Center and within the app. Notifications are only displayed on your end device if you have activated the corresponding authorization in the device settings of your end device.

For this we use a programming interface, the Firebase Software Development Kit (SDK), which is provided by Google in order to be able to access the notification function of the end device used and to display notifications. The notifications include, for example, technical information and product updates, information on new app functions and new offers on digital assets. The processing of the corresponding usage data (IP address and device information) takes place to provide the app functionalities and is required to use the notification function. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your usage data is necessary for the fulfillment of the user contract between you and us and you are contractually obliged to provide your usage data. If your data is not provided, you can only use the app to a limited extent, i.e. it is not possible to conclude and/or execute the contract using end device access. We store the data related to accessing the functionalities of your end device for as long as they are required to provide the app functions.

Google may also process your data in the USA. We have agreed standard contractual clauses with Google. We will provide you with a copy on request. Further information on data protection, in particular on the storage period, can be found at https://policies.google.com/privacy?hl=en&gl=en. According to Google, the storage period is a maximum of 14 months (https://support.google.com/firebase/answer/9019185?hl=en). Further information from Google about handling user data can be found at: https://policies.google.com/privacy?hl=en.

You can object to the processing if the processing is based on the legal basis of Article 6 (1) sentence 1 lit. f) GDPR. You have the right to object for reasons that arise from your particular situation. You can exercise your right to object by deactivating the notification function in the app settings.

Inviting friends

A share function is available in the app for recommending our app. The central sharing function of the respective smartphone operating system (iOS from Apple or Android from Google) is available for this purpose, with which you can place a link to our app in the Apple App Store or Google Play Store, e.g. via a messenger app or email app of your choice. New Horizon does not process any user data in this context and is not responsible for the data processing by the respective service provider and the user. Please find out about the processing of your data from the respective provider of the app.

Hosting

We use external hosting services from Amazon Web Services (Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, United States) to provide you with the following services: infrastructure and platform services, computing capacity, storage resources and database services, security and technical maintenance services. All data required for the operation and use of our app is processed. We use external hosting services to operate this app offering. Amazon also processes your data in the USA. We have agreed standard contractual clauses with Amazon in order to oblige Amazon to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in the use of external hosting services are an efficient and secure provision of our app offering.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Stability testing and monitoring

(132 Hawthorne Street, San Francisco, California 94107, USA, email: compliance@sentry.io) in our app. The purpose of the processing is to optimize and ensure that our app functions in a user-friendly manner. For this purpose, your usage data and metadata (e.g. device ID, IP address, user ID) are processed by Sentry in the USA by monitoring system stability and identifying code errors. We have agreed standard contractual clauses with Sentry to oblige Sentry to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in integrating Sentry lie in ensuring and improving the technical stability of our services. For more information on data protection and storage periods at Sentry, see https://sentry.io/privacy/.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Cloudfront

We also use Cloudfront as a content delivery network (CDN). The provider of this is Amazon Web Services Inc., 440 Terry Ave N, Seattle, WA 98109, USA. If you use our app, requests are forwarded to the CDN server. Your IP address will be transmitted and processed. Amazon also processes your data in the USA. We have agreed standard contractual clauses with Amazon to oblige Amazon to maintain an appropriate level of data protection. We will provide you with a copy on request. A permanent storage of your data does not take place here. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. We use Cloudfront to make our app offering more attractive and to optimize app loading times.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Intercom

We use Intercom, a service of Intercom, Inc. a Delaware corporation (55 2nd Street, 4th Fl., San Francisco, CA 94105, USA, hereinafter: Intercom), in order to be able to process enquiries from our users by e-mail more quickly and in a more structured manner. The use of Intercom is for the purpose of improving our customer service and simplifying email communication. The legal basis for the processing by Intercom is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interests are to optimise and improve our customer service and to ensure customer satisfaction. Intercom may also process the data in the USA. There is no adequacy decision of the EU Commission for a data transfer to the USA. We have entered into an agreement with Intercom with the standard contractual clauses, in order for Intercom to comply with an adequate level of data protection. We will provide you with a copy of this upon request. We delete the data accruing in this context after the processing is no longer necessary or restrict the processing to compliance with existing legally mandatory retention obligations. Further information on data protection at Intercom can be found here: https://www.intercom.com/legal/privacy.

You can object to the processing. You have the right to object on grounds relating to your particular situation. You can send us your objection via the contact details mentioned in the section “Responsible provider”.

Analytics and Marketing Services

Google Firebase Analytics

We use the external analysis service Firebase Analytics from Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter: “Google”) in order to be able to optimally tailor our app to the interests of the users. For this we use a programming interface, the Firebase Software Development Kit (SDK), which is provided by Google to enable a statistical analysis of the use of the app. There is no access to the advertising ID (IDFA for iOS-based and AAID for Android-based devices) of the operating system used. With the help of the Firebase SDK we can define various events (e.g. average app usage, average sessions per user, button presses, frequency of views, recognition of usage preferences) in order to be able to track and understand the usage behavior of app users and thus to optimize and improve the functionalities of the app accordingly. We can also detect and fix errors in programming and prevent fraudulent activity in the app. For the purpose of fraud prevention and statistical analysis, Google processes end device information such as a shortened IP address of the end device used and provides us with anonymous statistics on interactions with our app. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in processing lie in recognizing app usage preferences, fraud prevention and optimizing the functionalities of our app. Google also processes some of the data in the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. We have agreed standard contractual clauses with Google to oblige Google to an appropriate level of data protection. We will be happy to provide you with a copy on request.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.