Data Privacy Policy App

Information about the processing of your data

In accordance with Article 12 of the General Data Protection Regulation (hereinafter: GDPR), we are obliged to inform you about the processing of your data when using our app. We take the protection of your personal data very seriously and this data protection declaration informs you about the details of the processing of your data and your legal rights in this regard. We reserve the right to adapt the data protection declaration with effect for the future, especially in the case of further development of the app, the use of new technologies or changes in the legal basis or the corresponding case law. We encourage you to review the Privacy Policy from time to time and keep a printout or copy for your records.

Definitions

  • “App” means the Timeless App for the Android and iOS operating systems
  • Personal data” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. Personal data is therefore, for example, the name, e-mail address and telephone number of a person, but possibly also data about preferences, hobbies and memberships.
  • Processing means processes or series of processes carried out with or without the help of automated processes in connection with personal data such as collection, recording, organization, ordering, storage, adaptation, modification, reading, querying, use, disclosure by transmission, distribution or any other form of making available, matching, linking, restricting, deleting or destroying.
  • Otherwise, the definitions in Art. 4 GDPR apply.
  • Google also means Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001; Among other things, Google is the provider of the “Android” operating system
  • Apple means Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA; Among other things, Apple is the provider of the “iOS” operating system.

Scope

The data protection declaration applies to all functions of the native Timeless app for mobile devices. It does not extend to any linked websites or internet presences from other providers.

Responsible Vendor

Responsible for the processing of personal data within the scope of this data protection declaration is:

New Horizon GmbH

Neue Schönhauser Str. 2

10178 Berlin

contact@timeless.investments

Questions about data protection

If you have any questions about data protection with regard to our company or our app, you can contact our data protection officer:

SPIRIT LEGAL Fuhrmann Hense partnership of lawyers

Lawyer and data protection officer

Peter Hense

Postal address:

Data Protection Officer

New Horizon GmbH

Neue Schönhauser Str. 2

10178 Berlin

Contact via email:

dataprivacy@timeless.investments

Security

We have taken comprehensive technical and organizational precautions to protect your personal data from unauthorized access, misuse, loss and other external disturbances. To this end, we regularly review our security measures and adapt them to the state of the art.

Your rights

You have the following rights with regard to your personal data, which you can assert against us:

  • Right to information: You can request information in accordance with Art. 15 GDPR about your personal data that we process.
  • Right to correction : If the information concerning you is not (or no longer) correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request a completion.
  • Right to erasure : In accordance with Art. 17 GDPR, you can request the erasure of your personal data.
  • Right to restriction of processing: In accordance with Art. 18 GDPR, you have the right to request a restriction of your personal data.
  • Right to object to processing: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 (1) sentence 1 lit. e) or lit. f) GDPR takes place, according to Art. 21 Para. 1 GDPR to file an objection. In this case, we will not process your data further unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, and if the processing serves to assert and exercise or defend against legal claims ( Art. 21 Para. 1 GDPR). In addition, according to Art. 21 Para. 2 GDPR, you have the right to object at any time to the processing of personal data relating to you for the purpose of direct advertising; this also applies to any profiling insofar as it is associated with such direct advertising. We draw your attention to the right of objection in this data protection declaration in connection with the respective processing.
  • Right to revoke your consent : If you have given your consent to processing, you have a right of revocation in accordance with Article 7 (3) GDPR.
  • Right to data portability : You have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format (“data portability”) and the right to have this data transmitted to another person responsible if the The prerequisite of Art. 20 Para. 1 lit. a, b GDPR are met (Art. 20 GDPR).

You can assert your rights by notifying the contact details given in the “Responsible provider” section or the data protection officer appointed by us. If you believe that the processing of your personal data violates data protection law, you also have the right under Art. 77 GDPR to complain to a data protection supervisory authority of your choice. This also includes the data protection supervisory authority responsible for us: Berlin Commissioner for Data Protection and Information Security, Friedrichtstr. 219, 10969 Berlin. You can find more information about your rights in relation to your personal data, for example, from the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_de .

Legal bases for processing

We process your personal data if and to the extent that this is necessary for the initiation, justification, implementation and/or termination of a legal transaction with our company. The legal basis for this is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. After the purpose has been achieved (e.g. contract processing), the personal data will be blocked for further processing or deleted, unless we have given your consent (e.g. consent to the processing of the e-mail address for sending electronic advertising mail), a contractual Agreement, a legal authorization (e.g. authorization to send direct mail) or due to legitimate interests (e.g. storage to enforce claims) are entitled to further storage and processing required in the respective context. Your personal data will be passed on if it is necessary for the establishment, implementation or termination of legal transactions with our company (e.g. when passing on data to a payment service provider/a shipping company to process a contract with you), (Art. 6 Paragraph 1 sentence 1 lit. b) GDPR), or

  • a subcontractor or vicarious agent, whom we use exclusively within the scope of providing the offers or services you require, requires this data (unless you have been expressly informed otherwise, such auxiliary persons are only entitled to process the data to the extent that this is necessary for the provision of the offer or service is necessary),
  • an enforceable official order (Art. 6 Para. 1 S. 1 lit. c) GDPR) exists,
  • there is an enforceable court order (Art. 6 Para. 1 S. 1 lit. c) GDPR),
  • we are obliged to do so by law (Art. 6 Para. 1 S. 1 lit. c) GDPR),
  • the processing is necessary to protect the vital interests of the data subject or another natural person (Article 6 (1) sentence 1 lit. d) GDPR),
  • it is necessary for the performance of a task that is in the public interest or in the exercise of official authority (Art. 6 Para. 1 S. 1 lit. e),
  • we are authorized or even obliged to pursue overriding legitimate interests in disclosure (Article 6 (1) sentence 1 lit. f) GDPR).

Your personal data will not be passed on to other people, companies or bodies unless you have given your effective consent to such a transfer. The legal basis for the processing is Article 6 Paragraph 1 Clause 1 Letter a) GDPR.

Download the mobile app

When downloading the mobile app, the required information and your data will be sent to the app store you have selected (Google Play: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland or Apple App Store: Apple Inc., 1 Infinite Loop , Cupertino, CA 95014, USA), in particular username, email address and customer number of your accounts, time of download, payment information and the individual device code. We have no influence on this data processing by Apple and Google and are not responsible for it. We only process data to the extent necessary to download the mobile app to your mobile device. Apple and Google may also process your data in the USA. We have agreed standard contractual clauses with Apple and Google to oblige both providers to maintain an appropriate level of data protection. We will provide you with a copy on request. Further information on data protection, in particular on the storage period, can be found at Apple https://www.apple.com/legal/privacy/de-ww/ and on Google at https://policies.google.com/privacy?hl=de&gl=de .

Use of the native app, access data

As part of your use of the app, we automatically process certain data that is required for the use of the app, in particular to ensure access to the Internet. Which includes:

  • operating system used and its interface
  • Language and version of the operating system
  • Host name of the accessing end device
  • IP address
  • Content of the request (specific page)
  • Date and time of the server request
  • Amount of data transferred
  • Time zone difference to Greenwich Mean Time (GMT)
  • Name of the mobile device

The access data is not used to identify individual users and is not merged with other data sources. The access data will be deleted when they are no longer required to achieve the purpose for which they were processed. In the case of the collection of data for the provision of the app and internet access, this is the case when you end your visit to the app.

The access data is automatically transmitted to us in order to make the app and the associated functions available to you and to prevent and eliminate misuse and malfunctions. Processing of your IP address, for example, is required for the duration of the app usage session. IP addresses are stored in log files to ensure the functionality of the mobile app and to prevent misuse. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. The access data will be stored for as long as is necessary to achieve the purpose of the processing. In the case of the collection of data for the provision of the app and for internet access, this is the case when you exit the app.

IP addresses are stored in log files to ensure the functionality of the mobile app. In addition, we use the data to optimize the mobile app and to ensure the security of our information technology systems. In principle, the data will be deleted after seven days at the latest; further processing is possible in individual cases. In this case, the IP address is deleted or alienated in such a way that it is no longer possible to assign the calling client.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Contacting our company

If you contact our company, e.g. by e-mail, the personal data you provide will be processed by us to answer your request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. The data is processed exclusively for processing in the context of the conversation. We delete the data arising in this context after the processing is no longer necessary, or restrict the processing to compliance with the existing statutory retention requirements.

You can object to the processing. Your right to object exists for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Create Account

When registering in our app, you can log in with your Google, Apple or Facebook accounts or you must enter your e-mail address and a password of your choice. If you wish to acquire a share of a digital asset, further personal data will be requested, eg your name and address. Furthermore, the following data is processed at the time of registration: IP address, date/time of registration. The data will be deleted as soon as they are no longer required to achieve the purpose of their processing. After successful registration, you will be assigned an account ID to enable transactions to be assigned to you.

The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your data is contractually required and obligatory for registering for the app. If you do not register, it is not possible to conclude/implement a contract for using the app. The data will be stored until they are no longer required to achieve the purpose of their processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements with regard to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed. If you remove the app from your end device, we will delete your data collected for using the app.

Google sign in

You have the option of registering in our app using the Google login function. “Google Sign In” allows you to log in to us using your Google account. The purpose of this option is to save you the hassle of creating another account and the time it takes to complete the registration process. When you log in with your Google account, your relevant data will be transmitted to us by Google, in particular your name, email address, profile picture and language settings. Google, on the other hand, is given the opportunity to collect and process information about your user behavior in our app. If you are logged in via your Google account, it is possible for Google to receive data on your user activity, your app calls and other short-term data. Google may also process your data in the USA. We have agreed standard contractual clauses with Google to oblige Google to maintain an appropriate level of data protection. We will provide you with a copy on request.

The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the “Google Sign In” option, we are pursuing the legitimate interest of making it easier for you to use our app by not having to create another account and by using your Google account to save time in the registration process. Google deletes all data at the latest when you delete your Google account ( https://policies.google.com/technologies/retention?hl=de ). Further information on data protection at Google can be found under the following link: https://policies.google.com/privacy?hl=de .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Facebook sign up

To enable you to register in our app via your Facebook account, we have implemented a Facebook login function using programming interfaces from Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, hereinafter: “Facebook”) . If you use the login function offered by our app, you have the option of logging into our app via Facebook. The purpose of this integration is to make the registration process easier for you, to optimize our registrations and to have Facebook campaigns convert better. When you use the Facebook login function, Facebook sends us personal data from you, in particular your surname, first name, email address and Facebook user ID. In turn, Facebook processes information from you about app events (in particular app installations, loading the SDK, SDK performance and app starts), configuration data, error messages and other short-term data such as your user activity after you have logged in. Facebook may also process your data in the USA. We have agreed standard contractual clauses with Facebook to oblige Facebook to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the Facebook login function, we are pursuing the legitimate interest of saving you from registering on our platform and optimizing our offer or designing it individually for you. According to Facebook, it will stop processing data as soon as the data is no longer required to provide services and Facebook products. Further information on the storage period and other information on data protection on Facebook can be found in the associated data protection guidelines at https://de-de.facebook.com/about/privacy/ be removed. You can find more information about Facebook’s programming interfaces at: https://developers.facebook.com/docs/ios and https://developers.facebook.com/docs/android .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Apple Sign In

You also have the option of registering in our app using the Apple login function. With the help of “Apple Sign In” you can log in to us with your Apple ID. We would like to save you the creation of an additional account and the time required for the registration process. When you log in with your Apple ID, depending on your selection, either your email address stored with Apple or an email address generated once by Apple will be sent to us. Only Apple can assign the e-mail address once created to the user and their e-mail address. Apple, on the other hand, only receives the information that you are a user of our app. There is no further processing of your usage data by Apple. Apple may also process your data in the USA. We have agreed standard contractual clauses with Apple to oblige Apple to maintain an adequate level of data protection. We will provide you with a copy on request. The legal basis for this data processing is Art. 6 (1) sentence 1 lit. f) GDPR. With the login function, we are pursuing the legitimate interest of saving you from registering on our platform and optimizing our offer or designing it individually for you. Further information on data protection, in particular on the storage period, can be found at https://www.apple.com/legal/privacy/de-ww/ .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Data transfer to Switzerland / the EU

If users from Switzerland use the app, data will be transferred to member states of the EU and vice versa to Switzerland to provide the app. Data is transferred to Switzerland on the basis of the European Commission’s adequacy decision 2000/518/EG (available at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32000D0518&from =EN ) according to Art. 45 GDPR, according to which Switzerland offers an appropriate level of protection for your data. Data is transferred to the European Union on the basis of the list of countries published by the Swiss Federal Data Protection and Information Commissioner (available at: https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2017/04/staateliste. pdf.download.pdf/staatsliste.pdf ) for countries of the European Union that offer an appropriate level of protection under Swiss data protection law.

Authorizations for access to functionalities of your end device

The use of the app requires the following authorizations of the respective end device:

  • Internet access for reserving, buying, managing and selling shares,
  • Access to mobile storage to download and use offline mode,
  • Sending of push notifications and display in the notification center of your operating system.

The processing of the corresponding usage data (IP address, photo, etc. and end device information) takes place to provide the app functionalities and is required to use the app. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your usage data is necessary for the fulfillment of the user contract between you and us and you are contractually obliged to provide your usage data. If your data is not provided, you can only use the app to a limited extent, ie it is not possible to conclude and/or implement the contract by accessing the hardware and processing the usage data. We store the data related to accessing the functionalities of your end device for as long as they are required to provide the app functions.

Reservation, purchase and sale of shares

Various functions relating to digital assets are available to you in our app in accordance with the applicable terms of use. If you reserve a share in a digital asset (share), your expression of interest will be assigned to your user account. If you decide to purchase a share, further personal data such as your full name and address will be requested and stored in your user account and wallet along with an overview of your transactions. Only your wallet ID is then stored with the digital asset on the blockchain. Only a randomly assigned identification number is assigned and processed on the blockchain. Your digital assets are mapped to this ID on the blockchain. Provider is EOS Blockchain (Block.one, George Town, Cayman Islands). There is no adequacy decision for the transmission of your data. We have concluded standard data protection clauses with Block.one in order to oblige Block.one to provide an appropriate level of data protection. We will provide you with a copy on request. We process your data exclusively for contract processing and will forward your payment data in particular to the respective payment service provider for the purpose of payment processing, depending on the payment method you have selected. For more information, see the “Payment Service Providers” section.

If you decide to sell your share or buy new shares after the lookup period has expired, the information will be added to your wallet in your user account. Only your wallet ID is then stored with the digital asset on the blockchain. If shares are sold, the data will be processed in accordance with the payment method used for the repayment. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion and implementation of the contract. If the data is not provided, it is not possible to acquire shares in digital assets.

Payment service provider

Stripes

The payment options Apple Pay, Google Pay, credit card, Sofort Banking, Direct Banking and GiroPay are integrated via “Stripe” (provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe”). If you select one of the payment options mentioned, the payment details you provided during the booking process together with the information about your booking will be passed on to “Stripe” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the payment methods mentioned. As part of the data processing, your data will also be transmitted to the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. We have concluded so-called standard contractual clauses with “Stripe” in order to oblige “Stripe” to an appropriate level of data protection. We will be happy to provide you with a copy on request. Further information on data protection and the storage period at Stripe can be found at: https://stripe.com/de/privacy .

Apple Pay

In our app we offer you payment via “Apple Pay” (Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA). If this payment method is selected, the payment will be processed via “Apple Pay”. We pass on the payment details you provided during the booking process together with the information about your booking to “Apple Pay” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Apple Pay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

Google Pay

In our app we offer you payment via “Google Pay” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC 1600 Amphitheater Parkway Mountain View, CA 94043, USA). If this payment method is selected, the payment will be processed via “Apple Pay”. We pass on the payment details you provided during the booking process together with the information about your booking to “Apple Pay” for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Apple Pay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

Credit card payment

If you select the “credit card” payment method, we will pass on the payment data required for the credit card payment to the bank commissioned with the payment or to the payment and billing service provider commissioned by us, if necessary, for the purpose of payment processing. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or carry out a contract using a credit card payment. The data required for payment processing are transmitted securely via the “SSL” procedure and processed exclusively for payment processing. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations.

Instantly

If you select the “SOFORT” payment method as part of your payment, we will forward the data you have provided to Sofort GmbH (Theresienhöhe 12, 80339 Munich, Germany; hereinafter referred to as “SOFORT”) for the purpose of payment processing. “SOFORT” is a direct transfer procedure in which a transfer can be completed and executed in real time during the payment process. To do this, you will be redirected to the website of the payment service provider “SOFORT”. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract using the “SOFORT” payment method. The data required for payment processing are transmitted securely via the “SSL” procedure and processed exclusively for payment processing. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations. Further information on the processing of your data by “SOFORT” can be found at https://www.sofort.com/datenschutz.html .

Giropay

You have the option of paying using “Giropay” (Giropay GmbH, An der Welle 3, 60322 Frankfurt am Main, Germany, hereinafter: “Giropay”). “Giropay” is a direct transfer method that allows a transfer to be made during the ordering process. To do this, you will be redirected to the website of the payment service provider “Giropay”. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The processing takes place on the basis of Art. 6 (1) sentence 1 lit. b) GDPR. The provision of the payment data is necessary and obligatory for the conclusion and implementation of the contract. If the payment data is not provided, it is impossible to conclude and/or execute a contract with the “Giropay” payment method. We delete the data arising in this context after the storage is no longer necessary, or restrict the processing if there are statutory storage obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after the end of the contract, we restrict the processing and reduce the processing to compliance with the existing legal obligations. You can find more information on the processing of your data by “Giropay” at https://www.giropay.de/rechts/datenschutzerklaerung .

Trading shares

Verification and Identification Procedures

In addition to reserving, buying and selling shares, you can also trade digital assets (shares) in our app. In order to be able to use this function fully, it is necessary due to legal obligations under the Money Laundering Act that the user account is verified. For this we use the video identification services of WebID (WebID Solutions GmbH, Friedrichstraße 88, 10117 Berlin) and Onfido (Onfido Ltd., 3 Finsbury Avenue London EC2M 2PA United Kingdom). After calling up the identification process in our app, you will be forwarded to either a WebID or Onfido interface.

If you have not yet carried out an identity check for another service provider, your personal data such as first and last name, address, place and date of birth will be transmitted to WebID or Onfido. The transmission of this master data serves to verify the user by means of an audio-visual video identification and to verify a permissible identification document. This includes checking security features of an acceptable identification document to prevent misuse, fraud and counterfeiting by presenting the identification document during audiovisual video identification or scanning the identification document of the identification document. The processing of your personal data as part of the video identification procedure is carried out for the purpose of ensuring the statutory due diligence and identification obligations under the Money Laundering Act and the prevention of money laundering and terrorist financing. The video identification process is carried out in accordance with the Specifications of the Federal Financial Supervisory Authority for video identification procedures. Data is transferred to the United Kingdom to provide the Onfido verification service. The data transfer takes place on the basis of the adequacy decision of the European Commission C(2021) 4800 final according to Art. 45 DSGVO, according to which the United Kingdom offers an adequate level of protection for your data.

In the course of the verification process, due to the legal due diligence and identification obligations under the Money Laundering Act, information on tax liability as well as knowledge and experience with financial products is requested in addition to the master data. In addition, to ensure the trading function, New Horizon carries out investment brokerage as a contractually bound agent (cf. Section 2 (10) of the German Banking Act) of the financial services institute CONCEDUS (CONCEDUS GmbH, Schlehenstraße 6, 90542 Eckental). For the purposes of this mediation activity, CONCEDUS is provided with the user’s master data such as first and last name, address, place of birth, date of birth and information from the video identification (photo ID document, portrait photo, audio and video file) in order to fulfill the legal due diligence and identification obligations under the Money Laundering Act . The app also asks whether the user is a politically exposed person (PEP). After successfully identifying and verifying the account by entering the TAN provided by WebID or Onfido in our app, the user can trade shares as a seller or buyer.

In order to fulfill the due diligence and identification obligations under the Money Laundering Act, an address check based on the address data provided (salutation, first name, surname, gender, derived from the salutation or first name, academic degree, title, street, house number, postcode, town and city -Addendum) required as an additional independent source. For the address comparison, we use the “Addressfactory” service of Deutsche Post (Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf) to determine the existence of the specified address. With the help of the address comparison, we can check the address data provided to ensure that the data stored at Deutsche Post is up to date and deliverability (e.g. correcting the spelling of names, processing relocations, blocking data as a result of death) and thus complying with our duty of care and identification comply with the Money Laundering Act. Further information can be found in Deutsche Post’s data protection information regarding address matching. In the event that the address check fails because Deutsche Post does not have the information for the address comparison (e.g. moving to a new apartment), we ask users to fulfill the due diligence and identification obligations under the Money Laundering Act in accordance with the Requirements of the Federal Financial Supervisory Authority politely to present the letterhead of an invoice from the respective energy supplier or telecommunications provider, from which the name, address and date can be seen. A corresponding copy of the proof of identity will be forwarded to the financial services institution CONCEDUS for the purpose of proving compliance with the due diligence and identification obligations under the Money Laundering Act.

Your personal data is processed for the purpose of preventing money laundering and terrorist financing. The legal basis for processing as part of the implementation of the verification procedure is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in conjunction with Article 11a Paragraph 1 of the Money Laundering Act (GwG). According to Sections 10 ff. GwG, we are legally obliged to identify users of the trading function with the necessary care. The storage period of the data for carrying out the verification procedure is five years in accordance with the legal storage obligation under the Money Laundering Act, unless other legal provisions on recording and storage obligations provide for a longer period.

Selling Shares

To offer shares (selling), the user selects the number and unit price of the shares in our app that he would like to offer for sale. After binding confirmation, the offer will be published on the “bulletin board” in the app and the user will be asked to provide their bank details to which the subsequent payment should be made. The master data provided will be processed exclusively for the purpose of executing the contract. Payments are processed by the payment service provider Stripe ( provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe” ). When carrying out the sales process, the amount due, the desired payment method, the customer data, the shopping cart and the payee involved in the transaction are transmitted to Stripe via a programming interface (API). The master data recorded as part of the identification process is transmitted to Stripe by the financial services institute CONCEDUS (CONCEDUS GmbH, Schlehenstraße 6, 90542 Eckental) to confirm the verification process that has taken place. Stripe will then request the payment details. Stripe checks the transmitted data in real time and gives us feedback as to whether the transaction was successful. If the offer is accepted, the payment and the relevant information will be added to your wallet in your app. Before a payment is requested by the user, the transaction shares are calculated for all payees and created as follow-up transactions, and the payment data is transmitted to the user’s respective bank. For more information on Stripe’s processing, see the section above entitled Stripe.

The legal basis for processing in connection with the sale of shares is Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion and implementation of the contract. If the data is not provided, trading or selling shares in digital assets is not possible. The data will be stored for as long as they are required to achieve the purposes of processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements in relation to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed.

Buying shares

To purchase shares (buying), the user selects the relevant asset and checks it. If he decides to accept the offer of the selling user, he can confirm this by clicking the “Buy now” button. Your payment data will then be sent to Sofort GmbH for the purpose of payment processing via the payment service provider Stripe ( provider is Stripe Inc., Townsend Street, San Francisco, CA 94103, USA, hereinafter: “Stripe” ), depending on the payment method you have chosen (Theresienhöhe 12, 80339 Munich, Germany) if you choose the payment method “Sofort” or to the respective bank or payment service provider according to the payment method you have chosen. For more information on how Payment Method is processed, please see the section above under the relevant Payment Method heading. For more information on Stripe’s processing, see the section above entitled Stripe. After successful completion of the purchase, your purchased shares will be assigned to your wallet. Only your wallet ID is stored with the digital asset on the blockchain.

The legal basis for processing in connection with the purchase of shares is Art. 6 (1) sentence 1 lit. b) GDPR. The provision of your data is necessary and obligatory for the conclusion of the contract or the implementation. If the data is not provided, trading or the purchase of shares in digital assets is not possible. The data will be stored for as long as they are required to achieve the purposes of processing or until the statutory retention requirements have expired (e.g. mandatory commercial and tax retention requirements in relation to invoice data). This is the case for the data collected during the registration process if the registration in the app is canceled or completely changed.

Email Marketing

Existing customer advertising

We reserve the right to use the e-mail address you provided during registration in accordance with legal regulations to send you the following content by e-mail during or after registration, provided that you consent to this use of your E-mail address or push notifications have not already objected:

  • technical information and product updates,
  • information about new features of the app,
  • new offers from our portfolio,
  • new offers for services of our products and services,
  • individual customer advice,
  • Requests for customer feedback as well
  • Invitations to company events.

If the sending of electronic information is not necessary for the execution of the contract (e.g. e-mail in an informative format) and the legal basis from Article 6 Paragraph 1 S. 1 lit. b) DSGVO is relevant, the processing is based on the legal basis according to Article 6 Paragraph 1 sentence 1 lit. f) GDPR. Our legitimate interests in the processing mentioned lie in increasing and optimizing our services, sending direct mail and ensuring customer satisfaction. We delete your data when you end your user contract, but no later than three years after the end of the contract. For more information about the email marketing service used to send email advertising, see the SendInBlue section.

We would like to point out that you can object to the receipt of direct mail and data processing for the purpose of direct mail at any time without incurring any costs other than the transmission costs according to the basic tariffs. To do this, click on the unsubscribe link in the respective e-mail for the Receive e-mails or deactivate the push notification function in the app menu item “Notifications” or send us your objection to the contact details given in the “Responsible provider” section. In the event of an objection, we will continue to process your data, in particular your e-mail address, to ensure that you will not receive any further direct advertising from us. For this purpose, we put your e-mail address on a so-called blacklist, which we can use to carry out a comparison to ensure that you will not receive any further newsletters from us. The legal basis for data processing is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in order to comply with our storage obligation.

If you unsubscribe by exercising your right to object to the processing of your personal data by way of advertising to existing customers, we will process your data, in particular your e-mail address, to ensure that you do not receive any further e-mail advertising from us . For this purpose, we add your e-mail address to a so-called ” block list ” which enables you not to receive any e-mail advertising from us . The legal basis for data processing is Article 6 Paragraph 1 Clause 1 Letter c) GDPR in order to comply with our obligation to provide evidence, otherwise Article 6 Paragraph 1 Clause 1 Letter f) GDPR. In this case, our legitimate interests consist in complying with our legal obligations to reliably no longer send you e-mail advertising.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.

In addition, we process the aforementioned data for the establishment , exercise or defense of legal claims. The legal basis for processing is Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. In these cases, we have a legitimate interest in asserting or defending against claims.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.

WhatsApp Newsletter

You have the option to subscribe to our newsletter via WhatsApp (WhatsApp LLC., 1601 Willow Road Menlo Park, California 94025, USA and WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; hereinafter: “WhatsApp”), with which we will regularly inform you about the following content:

  • Interesting offers from our portfolio, especially on current deals, access to assets as well as news about our Timeless Collectors’ Club.
  • Requests for customer feedback and opinion and market research surveys.

To receive the newsletter, you are required to provide your name or pseudonym and a valid mobile phone number. We process your mobile phone number for the purpose of sending you our WhatsApp newsletter and as long as you have subscribed to the newsletter. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. a) DSGVO. WhatsApp also transfers your data to the USA. No adequacy decision of the EU Commission exists for the USA. We have concluded so-called standard data protection clauses with WhatsApp in order to commit WhatsApp to an adequate level of data protection. We will gladly provide you with a copy upon request. We process your data for the purpose of sending you our newsletter via WhatsApp until you revoke your consent.


You can revoke your consent to the processing of your telephone number for receiving the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message via the contact details provided under “Person responsible”. This does not affect the lawfulness of the processing that took place based on the consent until the time of your revocation.


As part of the use of WhatsApp, certain data are automatically processed that are necessary for the use of the app, in particular to ensure access to the Internet. These include: IP address, date and time of the server request, time zone difference to Greenwich Mean Time (GMT), content of the request (concrete app function), access status, amount of data transferred in each case, app from which the request comes, device type, operating system used and its interface (Android or IOS), language and version of the operating system, device identifiers. We do not process any data of users in this context. WhatsApp (WhatsApp LLC., 1601 Willow Road Menlo Park, California 94025, USA and WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) is solely responsible for this processing. For more information about WhatsApp’s privacy policy, please visit: https://www.whatsapp.com/privacy.

Block list

In the event that you unsubscribe from our newsletter, we process your data, in particular your e-mail address or mobile phone number, to ensure that you do not receive any further newsletters from us. For this purpose, we add your email address or mobile phone number to a so-called “block list”, which makes it possible that you do not receive any newsletter from us. The legal basis for data processing is Art. 6 (1) p. 1 lit. c) DSGVO, in order to comply with our verification obligations, otherwise Art. 6 (1) p. 1 lit. f) DSGVO. Our legitimate interests in this case are to comply with our legal obligations to reliably no longer send you newsletters.


You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details listed in the “Responsible party” section.

Legal defense

In addition, we process the aforementioned data for the establishment, exercise or defense of legal claims. The legal basis for the processing is Art. 6 para. 1 lit. c) DSGVO and Art. 6 para. 1 lit. f) DSGVO. In these cases, we have a legitimate interest in asserting or defending claims.


You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details listed in the “Responsible party” section.

E-Mail-Marketing provider

SendInBlue

We use the SendInBlue marketing service (Sendinblue GmBH, Köpenicker Straße 126, 10179, Berlin) to send you emails to the email address you have provided or messages within our app for various administrative and functional purposes, such as to reset your password. The legal basis for data processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your data is necessary and obligatory for the execution of the contract in the context of sending messages. If the data is not provided, it is not possible to send messages. If you have not objected to receiving advertising from existing customers, we will also send you e-mails or messages with advertising content (further information can be found under the point “Soliciting from existing customers”). In this case, the legal basis for the processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in the processing mentioned lie in increasing and optimizing our services, information about technical changes to our app, sending direct mail and ensuring customer satisfaction. We delete your data when you end your user contract, but no later than three years after the end of the contract. Further information on data protection at SendInBlue can be found at: https://de.sendinblue.com/legal/privacypolicy/

If the processing is based on the legal basis of Article 6 Paragraph 1 Clause 1 Letter f) GDPR, we would like to point out that you can object to receiving direct advertising at any time without incurring any costs other than the transmission costs according to the basic tariffs develop. To do this, click on the unsubscribe link in the respective e-mail to receive e-mails or deactivate the push notification function in the app menu item “Notifications” or send us your objection to the person named in the “Responsible provider” section Contact details.

Notifications

This app uses Google Firebase with Google’s In App Messaging and Cloud Messaging features to show you notifications on your device in Notification Center and within the app. Notifications are only displayed on your end device if you have activated the corresponding authorization in the device settings of your end device.

For this we use a programming interface, the Firebase Software Development Kit (SDK), which is provided by Google in order to be able to access the notification function of the end device used and to display notifications. The notifications include, for example, technical information and product updates, information on new app functions and new offers on digital assets. The processing of the corresponding usage data (IP address and device information) takes place to provide the app functionalities and is required to use the notification function. The legal basis for processing is Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The provision of your usage data is necessary for the fulfillment of the user contract between you and us and you are contractually obliged to provide your usage data. If your data is not provided, you can only use the app to a limited extent, ie it is not possible to conclude and/or execute the contract using end device access. We store the data related to accessing the functionalities of your end device for as long as they are required to provide the app functions.

Google may also process your data in the USA. We have agreed standard contractual clauses with Google. We will provide you with a copy on request. Further information on data protection, in particular on the storage period, can be found at https://policies.google.com/privacy?hl=de&gl=de . According to Google, the storage period is a maximum of 14 months ( https://support.google.com/firebase/answer/9019185?hl=de ). Further information from Google about handling user data can be found at: https://policies.google.com/privacy?hl=de .

You can object to the processing if the processing is based on the legal basis of Article 6 (1) sentence 1 lit. f) GDPR. You have the right to object for reasons that arise from your particular situation. You can exercise your right to object by deactivating the notification function in the app settings.

To invite friends

A share function is available in the app for recommending our app. The central sharing function of the respective smartphone operating system (IOS from Apple or Android from Google) is available for this purpose, with which you can place a link to our app in the Apple app store or Google Playstore, e.g. via a messenger app or email app of your choice. New Horizon does not process any user data in this context and is not responsible for the data processing by the respective service provider and the user. Please find out about the processing of your data from the respective provider of the app.

Hosting

We use external hosting services from Amazon Web Services (Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, United States) to provide you with the following services: infrastructure and platform services, computing capacity, storage resources and database services, Security and technical maintenance services. All data required for the operation and use of our app is processed. We use external hosting services to operate this app offering. Amazon also processes your data in the USA . We have agreed standard contractual clauses with Amazon in order to oblige Amazon to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in the use of external hosting services are an efficient and secure provision of our app offering.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Stability testing and monitoring

(132 Hawthorne Street, San Francisco, California 94107, USA, email: compliance@sentry.io) in our app . The purpose of the processing is to optimize and ensure that our app functions in a user-friendly manner. For this purpose, your usage data and metadata (e.g. device ID, IP address, user ID) are processed by Sentry in the USA by monitoring system stability and identifying code errors. We have agreed standard contractual clauses with Sentry to oblige Sentry to maintain an appropriate level of data protection. We will provide you with a copy on request. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in integrating Sentry lie in ensuring and improving the technical stability of our services. For more information on data protection and storage periods at Sentry, see https://sentry.io/privacy/ .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Cloudfront

We also use Cloudfront as a content delivery network (CDN). The provider of this is Amazon Web Services Inc., 440 Terry Ave N, Seattle, WA 98109, USA. If you use our app, requests are forwarded to the CDN server. Your IP address will be transmitted and processed. Amazon also processes your data in the USA. We have agreed standard contractual clauses with Amazon to oblige Amazon to maintain an appropriate level of data protection. We will provide you with a copy on request. A permanent storage of your data does not take place here. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. We use Cloudfront to make our app offering more attractive and to optimize app loading times.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible provider” section.

Freshdesk

We use Freshdesk, a service provided by Freshdesk, Inc. (1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA) to be able to process email inquiries from our users faster and in a more structured manner. Freshdesk is used to improve our customer service and simplify email communication. The legal basis for processing by Freshdesk is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests are to optimize and improve our customer service and to ensure customer satisfaction. Freshdesk may also process the data in the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. We have agreed standard contractual clauses with Freshdesk to oblige Freshdesk to maintain an adequate level of data protection. We will provide you with a copy on request. We delete the data arising in this context after the processing is no longer necessary, or restrict the processing to compliance with the existing statutory retention requirements. You can find more information about data protection at Freshdesk here: https://www.freshworks.com/de/datenschutz/ .

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.

Analytics and Marketing Services

Google Firebase Analytics

We use the external analysis service Firebase Analytics from Google ( Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter: “Google”) in order to be able to optimally tailor our app to the interests of the users. For this we use a programming interface, the Firebase Software Development Kit (SDK), which is provided by Google to enable a statistical analysis of the use of the app. There is no access to the advertising ID (IDFA for iOS-based and AAID for Android-based devices) of the operating system used. With the help of the Firebase SDK we can define various events (e.g. average app usage, average sessions per user, button presses, frequency of views, recognition of usage preferences) in order to be able to track and understand the usage behavior of app users and thus the functionalities to optimize and improve the app accordingly. We can also detect and fix errors in programming and prevent fraudulent activity in the app. For the purpose of fraud prevention and statistical analysis, Google processes end device information such as a shortened IP address of the end device used and provides us with anonymous statistics on interactions with our app. The legal basis for processing is Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interests in processing lie in recognizing app usage preferences, fraud prevention and optimizing the functionalities of our app. Google also processes some of the data in the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. We have agreed standard contractual clauses with Google to oblige Google to an appropriate level of data protection. We will be happy to provide you with a copy on request.

You can object to the processing. You have the right to object for reasons that arise from your particular situation. You can send us your objection using the contact details given in the “Responsible” section.