NAO app privacy statement
Status: December 2025
I. GENERAL INFORMATION
We, NAO Co-Investment GmbH and DonauCapital Wertpapier GmbH (hereinafter jointly: “NAO”, “we” or “us”), have been subject to additional obligations as part of our data protection responsibility since the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”), which protects the personal data of the person affected by processing (below we also refer to you as the data subject as “customer”, “user”, “you” or “affected person”). Insofar as we decide, either alone or together with others, on the purposes and means of data processing, this includes in particular the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (see Art. 13 and Art. 14 GDPR). With this statement (hereinafter: “Privacy Policy”), we inform you how your personal data is processed by us.
General
Definitions
Following the example of Article 4 GDPR, this data protection notice is based on the following definitions:
— “Personal data” (Art. 4 No. 1 GDPR) is any information relating to an identified or identifiable natural person (“data subject”). An individual is identifiable when they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, an online identifier, location data or using information about their physical, physiological, genetic, psychological, economic, cultural or social identity characteristics. Identifiability can also be provided by combining such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or sound recordings may also contain personal data).
— “Processing” (Art. 4 No. 2 GDPR) is any process involving the handling of personal data, whether with or without the aid of automated (i.e. technology-based) procedures. This includes in particular the collection (i.e. procurement), recording, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure through transmission, dissemination or other provision, reconciliation, linking, restriction, deletion or destruction of personal data, as well as changing the purpose that was originally the basis for the data processing.
— “Responsible person” (Art. 4 No. 7 GDPR) is the natural or legal person, authority, agency or other body which, alone or together with others, decides on the purposes and means of processing personal data.
— “Third party” (Art. 4 No. 10 GDPR) is any natural or legal person, authority, agency or body other than the person concerned, the controller, the processor and the persons who, under the direct responsibility of the controller or processor, are authorized to process personal data; this also includes other corporate entities.
— “Processor” (Art. 4 No. 8 GDPR) is a natural or legal person, authority, agency or other body which processes personal data on behalf of the person responsible, in particular in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a contract processor is in particular not a third party.
— “Consent” (Art. 4 No. 11 GDPR) of the data subject means any voluntary, informed and unequivocal statement of will made by the data subject in the form of a statement or other unequivocal affirmative act by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her.
Amendment to the privacy policy
As part of the further development of data protection law and technological or organizational changes, our data protection information is regularly reviewed for the need for adjustments or additions. You will be notified of any changes.
Information about the processing of your data
The collection of personal data concerning you
(1) We provide a mobile app that you can download to your mobile device. When you use our app, we collect personal data about you.
(2) Personal data is all data relating to you (see general information above). For example, your name, location data, IP address, device ID, SIM card number, postal address and email address are personal data; so are your fingerprint, pictures, videos and audio recordings, and your user behavior also falls into this category.
Legal basis for data processing
(1) In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:
— Article 6 (1) (a) of the GDPR (“Consent”): If the person concerned has voluntarily, in an informed and unequivocal manner, by means of a statement or other unequivocal affirmative act, indicated that he agrees to the processing of personal data concerning him for one or more specific purposes;
— Article 6 (1) (1) (b) GDPR: If processing is necessary to fulfill a contract to which the data subject is a party or to carry out pre-contractual measures taken at the request of the person concerned;
— Art. 6 (1) (c) GDPR: If processing is necessary to fulfill a legal obligation to which the person responsible is subject (e.g. a legal storage obligation);
— Art. 5 (1) (d) GDPR: If processing is necessary to protect the vital interests of the data subject or of another natural person;
— Article 6 (1) (1) (e) GDPR: If processing is necessary for the performance of a task which is in the public interest or is carried out in the exercise of official authority delegated to the person responsible, or
— Article 6 (1) (1) (f) GDPR (“Legitimate Interests”): If processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or of a third party, unless the conflicting interests or rights of the data subject prevail (in particular if the person concerned is a minor).
(2) We indicate the applicable legal basis for the processing operations carried out by us below. Processing may also be based on several legal bases.
Data storage period
(1) We delete your personal data as soon as it is no longer required for the purposes for which we collected or used it. As a rule, we store the personal data collected via the app for the duration of the usage or contractual relationship.
(2) However, storage may take place beyond the specified time in the event of an (imminent) legal dispute with you or other legal proceedings.
(3) Third parties used by us will store your data on their systems for as long as is necessary in connection with providing the service to us in accordance with the respective order.
(4) Legal requirements for storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). When the storage period required by legal regulations expires, the personal data will be blocked or deleted, unless further storage by us is necessary and there is a legal basis for this.
Data security
(1) We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or against unauthorized access by third parties, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing, as well as the existing risks of a data breach (including its probability and effects) for the person concerned. Our security measures are constantly being improved in line with technological developments.
(2) We will be happy to provide you with more detailed information on this subject upon request. To do so, please contact our data protection officer (see III. 1.).
No automated decision making (including profiling)
We have no intention of using personal data collected from you for an automated decision making process (including profiling).
Change of purpose
(1) Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the amended purpose of data processing.
(2) In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes before further processing and provide you with all other relevant information.
Processing subject to joint responsibility
Information on the joint responsibility of DonauCapital Wertpapier GmbH and NAO Co-Investment GmbH
(1) NAO acts on behalf of and under the liability of DonauCapital Wertpapier GmbH (Section 3 (2) WPIG). The resulting investment brokerage agreement is concluded between you and DonauCapital Wertpapier GmbH with the involvement of NAO as a contractually bound agent.
(2) DonauCapital Wertpapier GmbH and NAO are “jointly responsible” in accordance with Art. 26 GDPR as part of the initiation and execution of the investment brokerage agreement concluded with you. There is an agreement between DonauCapital Wertpapier GmbH and NAO on joint responsibility. This agreement essentially includes mutual assistance between the joint controllers in fulfilling the rights of data subjects, internal liability for breaches of data protection law and the fulfilment of information obligations. The main elements of the agreements will be made available to you upon request.
(3) NAO and DonauCapital Wertpapier GmbH primarily use their respective computer systems to process the data. With regard to data processing via these systems, the respective responsible parties — although not to the same extent — have the opportunity to carry out the necessary processing activities. In any case, the final decision is the responsibility of the person responsible who provides the respective computer system.
(4) The liability regulations relate exclusively to the internal relationship. Insofar as data processing concerns joint responsibility, the external relationship with you remains governed by Article 82 GDPR.
Responsible person and contact details
(1) The body responsible for processing your personal data within the meaning of Article 4 No. 7 GDPR for the processing operations referred to in this Chapter III is us
NAO Co-Investment GmbH
c/o ZEITGEIST, Monbijoustrasse 7
10117 Berlin
Phone: +49 (0) 30 75 43 88 60
email: hello@investnao.com
and
DonauCapital Wertpapier GmbH
Passauer Strasse 5
94161 Ruderting
Telephone 08509 - 910 955
Fax 08509 - 910 917
as a joint controller within the meaning of Article 26 GDPR.
(2) DonauCapital Wertpapier GmbH is available to answer any questions you may have and acts as the contact for data protection matters with us, using the information provided above. However, under Article 26 (3) GDPR, you are free, within the scope of joint responsibility, to assert your rights against NAO, which is also a controller. We have accordingly agreed to inform each other if you assert your data subject rights under the GDPR against one of the joint controllers. This applies in particular to the rights set out in Chapter VI.
Of course, the joint controllers will not inform each other if you assert, vis-à-vis the controller you are contacting, an overriding legitimate interest in that controller not informing the other joint controller.
Data collected during use
(1) When using the mobile app, we process the personal data described below as part of contract initiation and execution in order to be able to offer you our investment brokerage services:
— IP address
— Mobile number
— Date and time of request
— Time zone difference to Greenwich Mean Time (GMT)
— Access status/HTTP status code
— Amount of data transferred in each case
— First and last name
— Email address
— Date of birth
— Address
— Citizenship
— Tax number
— Marital status
— Withdrawal account, securities account
— Employment relationship
— Experience and knowledge with financial instruments
— Contract history data (in particular performance data such as payment history, fund data, custody account data, custody accounts, transactions, balances, exchange values, contract changes and cancellations)
(2) We only collect this data if this is necessary to initiate and/or fulfill the investment brokerage contract between you and us (Art. 6 para. 1 lit. b GDPR). Insofar as you have given us consent to process personal data for specific purposes, the lawfulness of this processing is (also) based on your consent in accordance with Article 6 (1) (a) GDPR. In addition, data processing may be based on the legal basis of Art. 6 para. 1 lit. c) GDPR (legal requirements), as we are subject to various legal obligations (e.g. tax laws, money laundering law) or on Art. 6 para. 1 lit. f) GDPR, provided that processing is necessary to protect our legitimate interests or those of third parties.
The data is processed for the following purposes:
— to be able to identify you as our customer;
— for identification based on legal requirements (GwG);
— to check whether you have PEP status or are on a sanctions list;
— in order to be able to advise you and inform you about risks when concluding a contract with us;
— to correspond with you;
— to forward the relevant applications/orders to the recipients/categories of recipients referred to in Chapter V;
— for risk and business management;
— to optimize our business processes;
— for commission accounting, internal control and care;
— for advertising and information about products/direct marketing;
— to participate in referral programs.
(3) The provision of personal data is generally voluntary. Anything else only applies if the collection of the relevant data is required by law (in particular processing of identification data) or is necessary to fulfill the obligations arising from the investment brokerage contract with you.
If you are not prepared to provide us with the requested personal data, it may be that we are unable to establish the requested contractual relationship. If you have already concluded an investment brokerage contract with us and are not prepared to provide us with the personal data requested, it may be that we are unable to properly execute the contract.
Duration of processing
(1) We keep documents from the contractual relationship with you, such as correspondence between you and us, for as long as we are obliged to do so due to supervisory, commercial and tax storage obligations, which may arise, for example, from the Securities Institutions Act (WPIG), Securities Trading Act (WpHG), Commercial Code (HGB), Tax Code (AO). The storage and documentation periods specified there are generally six to ten years.
(2) In addition, we keep documents from the contractual relationship with you for as long as we need them to assert, exercise or defend legal claims.
(3) We also keep documents until the end of the statutory statute of limitations. According to Sections 195 et seq. of the Civil Code (BGB), these limitation periods may amount to up to 30 years, with the regular limitation period being three years from the end of the calendar year in which the claim arose and the creditor became aware of the circumstances giving rise to the claim.
Processing subject to NAO's responsibility
Responsible person and contact details
The body responsible for processing your personal data in accordance with this Chapter IV within the meaning of Article 4 No. 7 of the GDPR is:
NAO Co-Investment GmbH
Ziegelstr. 17, 10117 Berlin
Phone: +49 (0) 30 75 43 88 60
Email: hello@investnao.com
Our data protection officer is available at any time if you have any questions and as a point of contact with us regarding data protection. Contact details are:
Name: Protectra GmbH
Street: Lerchenweg 3
City, zip code: Monheim am Rhein, 40789
Phone: +49 2173 9930310
email: info@protectra.de
Please contact this contact point in particular if you want to assert your rights against us.
If you have any further questions or comments regarding the collection and processing of your personal data, please also contact the contacts mentioned above.
The data collected during the download
When you download this app, certain necessary data about you is transmitted to the corresponding app store.
In particular, when downloading, the e-mail address, the user name, the customer number of the downloading account, the individual device code, payment information and the time of the download will be transferred to the app store.
We have no influence on the collection and processing of this data; rather, it is carried out exclusively by the app store you have selected. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the app store.
Use of cookies
We use cookies to operate our app. Cookies are small text files that are stored in the device memory of your mobile device and stored in association with the mobile app you are using and through which certain information flows to the location that sets the cookie. Cookies cannot run programs or transfer viruses to your computer and therefore do not cause any damage. They are used to make our app more user-friendly and effective overall, i.e. more pleasant for you.
Cookies can contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information about certain settings that are not personally identifiable. In any case, cookies cannot directly identify a user.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, cookies in turn differentiate between:
— Technical cookies: These are absolutely necessary to move within the app, use basic functions and ensure the security of the app; they neither collect information about you for marketing purposes nor do they store which websites you have visited;
— Performance cookies: These collect information about how you use our app, which pages you visit and, for example, whether there are errors when using the app; they do not collect any information that could identify you — all information collected is anonymous and is only used to improve our app and find out what interests our users;
— Advertising cookies, targeting cookies: These are used to offer app users tailored advertising within the app or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
— Sharing cookies: These are used to improve the interactivity of our app with other services (such as social networks); sharing cookies are stored for a maximum of 13 months.
Any use of cookies that is not necessarily technically necessary constitutes data processing that is only permitted with your express and active consent in accordance with Article 6 (1) (a) GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we will only pass on your personal data processed through cookies to third parties if you have given your express consent to do so in accordance with Article 6 (1) (a) GDPR.
We collect and process the following data from you:
Device information: Access data includes the IP address, device ID, device type, device-specific settings and app settings as well as app properties, the date and time of retrieval, time zone, the amount of data transferred and the message as to whether the data exchange was complete, app crashes, browser type and operating system. This access data is processed to technically enable the app to operate.
Data that you provide to us: It is necessary to create a user account to use the app. To do this, enter at least your login name.
Information with your consent: We process other information (e.g. GPS location data) if you allow us to do so.
Contact form data: When using contact forms, the data transmitted as a result is processed (e.g. gender, last name and first name, address, company, e-mail address and time of transmission).
Data collection when you contact us
If you contact us by e-mail or via a contact form, we will store your e-mail address, name and any other personal data that you have provided in the course of contacting us so that we can contact you to answer the question.
We delete this data as soon as storage is no longer necessary. If there are legal retention periods, the data will be stored, but we will restrict processing.
Customer account
a) Purpose of data processing
The person concerned can register with us by providing personal data that is transmitted to and stored by us. The data provided during registration as well as the IP address, the date and time of registration are stored. Registration is necessary to provide certain content and services and also serves to establish and fulfill our contract with the person concerned.
b) Duration of storage
As soon as the data is no longer necessary to achieve the purpose, it will be deleted. If you register without further conclusion of a contract, this is the case when the customer account is deleted. Otherwise, personal data will be deleted from the additional contract after full performance of the mutually provided performance obligations.
c) Legal basis
The processing of the above data is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR as part of the performance or initiation of a contract, or in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest of the controller is to be able to provide certain content and services for registered users and to make contract processing more efficient and easier.
Direct advertising
a) Purpose of data processing
To the extent permitted by law, we will use the data received from the person concerned in connection with the sale of a good or service for direct advertising for our offer.
Insofar as direct advertising is carried out by service providers who enable the advertising to be sent (participating mail providers or providers of plug-ins), the personal data is passed on to these service providers.
b) Duration of storage
As soon as the data is no longer necessary to achieve the purpose, it is deleted. This is the case if the person concerned has objected to direct marketing or, with regard to the right of objection, twelve months after the last advertising measure.
c) Legal basis
The legal basis for processing, in particular advertising following a purchase of goods or use of services, is Art. 6 para. 1 lit. f GDPR. The legitimate interest is direct marketing for sales promotion. In addition, on the basis of our user agreement, we are committed to providing you with regular information, which is based on Art. 6 para. 1 lit. b GDPR.
Data processing by third parties
Order data processing
(1) It may happen that contracted service providers are used for individual functions of our app. As with any larger company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). They only act in accordance with our instructions and have been contractually obliged within the meaning of Article 28 GDPR to comply with data protection regulations.
Twilio
We use the Twilio communication platform from Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA. Twilio allows us to verify phone numbers via SMS.
This is done on the basis of a contractual obligation in accordance with Art. 6 para. 1 lit. b GDPR or on the basis of Art. 6 para. 1 lit. f GDPR. For data processing via Twilio, we have selected a server location in the EU.
If, despite this selection, personal data is transferred to the USA and the transfer involves Twilio Group companies, the transfer is based on Binding Corporate Rules (BCR) in accordance with Article 47 GDPR. Details can be found here:
https://www.twilio.com/legal/bcr/processor#twilios-binding-corporate-rulesprocessor-policy
For data transfers that are made to companies that are not subject to the Binding Corporate Rules, we base the data transfer on the standard contractual clauses, which we have concluded together with an order processing contract. Details can be found here:
https://www.twilio.com/legal/data-protection-addendum
General data protection regulations at Twilio can be found here:
https://www.twilio.com/legal/privacy
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/list.
IDnow
To use investment services via NAO and open a custody account with Baader Bank, you must identify yourself via video. For this, we use the video identification platform of IDnow GmbH, Auenstraße 100, 80469 Munich. We process your personal data in accordance with Art. 6 para. 1 lit. b) and c) GDPR. The IDnow process is approved by the Federal Financial Supervisory Authority (BaFin). Through IDnow, we record certain data from your valid identity document and store it for five years in accordance with Section 8 of the Money Laundering Act (“GwG”). This data includes, for example, first and last name, date of birth, full address and nationality. As part of the identity verification process, IDnow also takes a one-time photo of you and of the front and back of your identity document (including security features). The video call conducted with IDnow is also recorded visually and acoustically. To verify the identity card/passport, the required data is read from the document. The photo on the document is then compared with a portrait shot initiated by you.
There is no transfer of personal data to third countries or international organizations. Personal data is stored exclusively on servers in Germany.
Further information on data protection at IDnow is available here:
https://www.idnow.io/de/regulatorik/datensicherheit/
We have concluded a contract with IDnow for order data processing.
OneSignal
We use the OneSignal service from OneSignal, 201 San Antonio Circle Suite #140, Mountain View, CA, USA (https://www.onesignal.com) to be able to send you push messages, e.g. via SMS or email. This is done on the basis of a contractual obligation in accordance with Art. 6 para. 1 lit. b GDPR or on the basis of Art. 6 para. 1 lit. f GDPR. For data processing via OneSignal, we have selected a server location in the EU.
For more information, please see OneSignal's privacy policy:
https://onesignal.com/privacy_policy
Freshdesk
We also use the Freshdesk communication tool. The service provider is the American company Freshworks, Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA.
Freshdesk is a ticket and support system that allows us to connect with you.
The legal basis for processing this data is our legitimate interest in efficiently designing our customer service, responding to your request as quickly as possible and optimizing our range of services in accordance with Article 6 (1) (f) GDPR.
We have concluded a contract with Freshdesk for order processing. This ensures that Freshdesk only uses your data to process inquiries within the framework of applicable European and German data protection standards and does not pass them on to third parties.
For more information, please see the privacy policy of Freshdesk or Freshworks Inc.:
https://www.freshworks.com/privacy/.
Sentry
We use the service of Sentry Inc., 132 Hawthorne Street, San Francisco, California 94107, USA to log errors. Sentry helps us improve the technical stability of our service by monitoring system stability and identifying code errors. The application always connects to the Sentry servers via a proxy server. A proxy server is a communication interface in a computer network in the form of a physical computer. It acts as an intermediary that receives requests on one side and then connects to the other side using its own address. As a result, Sentry does not receive any personal data from you.
The Sentry privacy policy can be found at https://sentry.io/privacy/.
Our use of Sentry is based on a legitimate interest in accordance with Art. 6 (1) (f) GDPR, which is not opposed by an overriding interest or right of the user.
Customer.io
We use the customer.io email tool for email marketing and marketing automation, which is operated by Peaberry Software Inc., 921 SW Washington Street Suite 820, Portland, OR 97205, USA. Customer.io processes content data (e.g. entries in online forms), contact data (e.g. email addresses, telephone numbers) and meta/communication data (e.g. device information, IP addresses) in the EU.
The legal basis for our processing is Art. 6 (1) (a) GDPR. Processing is based on consent.
Consent
I agree — revocable at any time in the future — that NAO processes my aforementioned personal data (content data, contact details and meta/communication data) for the purpose stated there (marketing).
Withdrawal of consent
Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.
Customer.io's privacy policy can be found at https://customer.io/privacy-policy.html.
RudderStack
We use the analytics integration of the RudderStack customer data management platform, which is operated by RudderStack Inc., 96 S. Park Street, 94107 San Francisco, USA. If you have given us your consent in accordance with Article 6 (1) (a) GDPR, RudderStack will set cookies and share your data with Google Analytics via RudderStack to analyze user behavior in the NAO app. For this purpose, RudderStack cookies store user and referral IDs, which enable us to view information about user activity in the NAO app, including pages visited, page categories visited and session duration in Google Analytics. Since personal data is transferred to the USA, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
Consent
I agree — revocable at any time in the future — that NAO processes my aforementioned personal data (user and referral IDs) for the purpose stated there (analysis of usage behavior).
Withdrawal of consent
Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation. Further information on RudderStack's data protection can be found at https://www.rudderstack.com/privacy-policy/ and on data processing by Google at https://policies.google.com/privacy?hl=de&gl=de.
Google Firebase
The NAO app uses technologies from Google Firebase. Google Firebase is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase is a development platform and offers various services. An overview of services offered by Google Firebase can be found at https://firebase.google.com/terms/.
In some cases, Google Firebase services use so-called “instance IDs.” “Instance IDs” are unique identifiers that are timestamped and make it possible to link different events or processes in connection with the NAO app. This data is used to analyze and optimize user behavior, such as evaluating crash reports. According to Google, instance IDs do not process any personally identifiable data.
More information about the “instance IDs” used and how to manage the affected data can be found at https://firebase.google.com/support/privacy/manage-iids.
In connection with Google Firebase, we use the Firebase Analytics service to save certain documents (e.g. onboarding documents) and provide dynamic links.
When using Firebase Analytics in the standard version, the following types of data are processed: number of users and sessions, session duration, operating systems, device models, region, initial launches, app runs, app updates, and in-app purchases.
A full list of events and user properties automatically collected in Google Firebase can be found at https://support.google.com/firebase/answer/6318039 and https://support.google.com/firebase/answer/6317486?hl=de.
We process the data obtained through the use of Firebase Analytics to fulfill the contract in accordance with Article 6 (1) (b) GDPR and due to our overriding interest in the optimal functionality and usability of the NAO app in accordance with Article 6 (1) (f) GDPR.
Insofar as we base our processing of your personal data by Firebase on Art. 6 (1) (f) GDPR, you can object to the collection of data by Google at any time with effect for the future.
Since it cannot be ruled out that processed data will also be transferred to the USA when using Firebase Analytics, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
You can find more information about data protection at Google Firebase at https://firebase.google.com/support/privacy/.
Typeform
For the appropriateness check in our app, we use the services of the survey provider Typeform. Typeform is a service provided by TYPEFORM S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain. Typeform collects and stores your information when you request data relevant to the appropriateness check in the NAO app. We ourselves are responsible for the Typeform forms we publish and manage the data collected through them. We delete this data from the Typeform servers after we have downloaded it. Typeform collects usage data whenever you use the form. In addition to the information you provided in the Typeform form, Typeform also collects data about the type of device and program used to access a form, such as the IP address, browser type and operating system, device information, as well as your e-mail address and your first and last name. This may also include the user's geographical location determined by the IP address. Typeform stores information about the source that referred the user to the form (e.g. the link on a website or in an email). Typeform uses third-party tracking services that use cookies and page tags (also known as web beacons or web bugs) to collect aggregate and anonymized data.
Typeform is the recipient of your personal data and works for us as an order processor. In this regard, we have concluded an order processing contract with Typeform in accordance with Art. 28 GDPR.
For more information, see:
https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data and
https://admin.typeform.com/to/dwk6gt?typeform-source=www.adsimple.de.
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
The legal basis for this processing is the fulfilment of legal obligations under Art. 6 para. 1 lit. c GDPR.
Trustpilot
We use Trustpilot, a performance evaluation service provided by Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark. Trustpilot allows users to rate our services. There is no right to publish and no third-party copyrights may be infringed. The data collected in this way, such as name, email address and reference number, is used to authenticate and address the user.
We may contact you via email to invite you to review the service and/or products you have received from us, in order to collect your feedback and improve our service and products. We may also use such reviews in other promotional materials and for marketing purposes (the “purpose”). Since we work with an external company, Trustpilot A/S (“Trustpilot”), to collect customer feedback, we will share your name, email address, and reference number with Trustpilot for this purpose. Trustpilot works for us as an order processor. For this purpose, we have concluded an order processing contract with Trustpilot in accordance with Art. 28 GDPR. If you want to learn more about how Trustpilot processes your data, you can review the company's privacy policy and applicable terms here: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms and https://de.legal.trustpilot.com/end-user-terms-and-conditions.
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
The processing of your data as part of the evaluation process is based on your consent in accordance with Article 6 paragraph 1 letter a GDPR.
Consent
I agree — revocable at any time in the future — that NAO processes my aforementioned personal data (name, email address, reference number, content data and meta/communication data) for the purpose stated there (evaluation, marketing).
Withdrawal of consent
Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.
Chatarmin
We use the WhatsApp solution from chatarmin.com GmbH, Kaiserstraße 89/2/3, 1070 Vienna, Austria to carry out customer communication, send current information and offers and for customer support, provided that you give us your consent in accordance with Art. 6 para. 1 lit. a GDPR. Consent is given via the chat by selecting the “START” button. This consent can be withdrawn at any time by entering “STOP” in the chat. chatarmin.com is a communication tool based on the WhatsApp API. An API (Application Programming Interface) is a programming interface that allows applications to communicate with each other.
In this context, we process the following personal data: telephone number, WhatsApp profile name and chat communication. In this context, your telephone number will also be transmitted to WhatsApp Ireland Limited and other companies affiliated with WhatsApp in third countries. These are currently primarily located in the USA. Since July 2023, there has been a new adequacy decision for the USA, the so-called Data Privacy Framework. WhatsApp LLC is fully certified in accordance with the Data Privacy Framework. Insofar as subcontractors without Data Privacy Framework certification are also used, there are so-called EU standard contractual clauses for data transfer between WhatsApp Ireland Limited and these subcontractors. It cannot therefore currently be ruled out that data may be transferred to a country outside the EU that does not have an adequate level of protection and no suitable guarantees to protect personal data. More information about WhatsApp can be found here: https://www.whatsapp.com/legal/privacy-policy
There is a contract with chatarmin.com GmbH for order processing in accordance with Art. 28 GDPR.
Consent
I agree — which can be revoked at any time in the future — that NAO processes my aforementioned personal data (telephone number, WhatsApp profile name, communication in chat) for the purpose stated there (communication, marketing).
Withdrawal of consent
Data subjects can withdraw their consent at any time by entering “STOP” in the chat. The revocation does not affect the lawfulness of processing up to the revocation.
Facebook Conversion API
Purpose of data processing
We use the Facebook Conversion API, a server-side event tracking tool provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), to send data about your behavior on our website to Facebook for evaluation. This allows us to display advertisements to you in line with your user behavior on our website. When you visit our website, usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (information about the geographical position of a device or person) as well as e-mail address, telephone number, gender, date of birth, first and last name, address and user IDs are used and transmitted to Facebook.
For more information, please see Facebook's privacy policy at https://de-de.facebook.com/about/privacy/.
Responsibility
Insofar as personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of data and its transfer to Facebook. The processing carried out by Facebook after the transfer is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The text of the agreement is available at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook Conversion API and for implementing the tool on our website in a manner that is secure under data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) with regard to the data processed by Facebook directly. If you assert the rights of data subjects with us, we are obliged to forward them to Facebook.
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
Since, when using the Facebook Conversion API, it cannot be ruled out that processed data will also be transferred to the USA, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, see the provider's entry at the following link: https://www.dataprivacyframework.gov/list.
Facebook SDK
We use the Software Developer Kit (SDK) from Facebook, a service provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The Facebook SDK is used to analyze advertising campaigns and optimize ads. Pseudonymized data, such as device information, IP address and app interactions, is transmitted to Facebook. This data is used to measure success and enables personalized advertising.
For more information on Meta's processing of personal data and on the potential transfer to the USA, please see Meta's privacy policy: https://www.facebook.com/policy.php.
Your data will be deleted after processing has been completed and taking into account legal retention periods. Data processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
Since it cannot be ruled out that processed data will also be transferred to the USA when using the Facebook SDK, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, see the provider's entry at the following link: https://www.dataprivacyframework.gov/list.
Consent
I agree — revocable at any time in the future — that NAO processes my aforementioned personal data (device information, IP address and app interactions) for the purpose stated there (performance measurement, personalized advertising).
Google Ads
We use Google Ads Conversion Tracking, a service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to analyze the effectiveness of our ads. When you click on an ad that was placed via Google, a cookie is saved on your device. This conversion cookie is valid for 30 days and is used to measure the success of our ad campaigns. Google Ads allows us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). In addition, targeted advertisements can be displayed based on user data available on Google (e.g. location data and interests) (target group targeting). We can quantitatively evaluate this data, for example by analyzing which search terms led to the display of our ads and how many ads led to corresponding clicks. The data allows us to draw conclusions about whether a user has reached our application via a Google ad, but without directly identifying the person.
You can find more information about how Google processes your data in Google's privacy policy: https://policies.google.com/privacy.
The conversion cookie automatically expires after 30 days. All additional data collected will be deleted after processing has been completed and taking into account legal retention periods.
Data processing is based on your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future.
Since, when using Google Ads, it cannot be ruled out that processed data will also be transferred to the USA, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, see the provider's entry at the following link: https://www.dataprivacyframework.gov/list.
Consent
I agree — which can be revoked at any time in the future — that NAO processes my aforementioned personal data (e.g. location data and interests) for the purpose stated there (performance measurement, personalized advertising).
PostHog
We use PostHog, an analytics platform from PostHog Inc, 965 Mission Street, San Francisco, CA 94103 USA, to monitor and optimize the performance and usability of our services. PostHog allows us to collect data about user interactions, such as page views and feature usage. Device and browser information (in particular the IP address and operating system) and a tracking code (pseudonymized user ID) are also processed for this purpose. This information helps us analyze trends, improve our platform, and fix potential issues.
PostHog acts as a data processor in accordance with applicable data protection laws, including the GDPR, and ensures that processing meets the highest standards of confidentiality and security.
You can find more information about how PostHog processes your data in the PostHog privacy policy: https://posthog.com/privacy.
The data collected by PostHog is anonymized (if necessary) and stored until the purpose is achieved or in accordance with legal retention periods and then deleted.
Data processing is based on your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future.
Since it cannot be ruled out that processed data will also be transferred to the USA when using PostHog, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, see the provider's entry at the following link: https://www.dataprivacyframework.gov/list.
Consent
I agree — revocable at any time in the future — that NAO processes my aforementioned personal data (app interactions, device and browser information such as IP address and operating system, pseudonymized user ID) for the purpose stated there (analysis of usage behavior and trends, improvement of the app).
Adjust
We use Adjust, a service provided by adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”), for marketing purposes. Adjust helps us track and improve the performance of our marketing campaigns, display or not display personalized ads, prevent marketing fraud, and attribute customer behavior, such as registrations or other actions, to specific campaigns, affiliate marketing partners, or influencers. For this purpose, Adjust analyses your use of our app. For this analysis, Adjust uses your mobile identifiers such as IDFA or Google Play Services ID, as well as your pseudonymized IP address. Adjust does not forward any clear data such as names, email addresses, or telephone numbers. It also does not collect any specific information about your account, financial transactions, or the like.
For more information on the processing of personal data by Adjust, please see Adjust's privacy policy: https://www.adjust.com/terms/privacy-policy.
Your data will be deleted after processing has been completed in compliance with legal retention periods. Adjust is used on the basis of Art. 6 para. 1 lit. f GDPR, as we have a legitimate interest in optimizing our marketing measures and preventing fraud.
Categories of other recipients
(1) The following categories of other recipients, who are usually contract processors or joint controllers, may have access to your personal data:
— Service providers for operating our app and processing the data stored or transmitted by the systems (e.g. for data center services, payment transactions, IT security). The legal basis for the transfer is then Article 6 (1) (b) or (f) GDPR, unless they are contract processors;
— Government agencies/authorities, insofar as this is necessary to comply with a legal obligation. The legal basis for the transfer is then Article 6 (1) (c) GDPR;
— Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, financial service providers, investment brokers, legal advisors, supervisory authorities, participants in company acquisitions or the formation of joint ventures). The legal basis for the transfer is then Article 6 (1) (b) or (f) GDPR.
(2) In addition, we will only pass on your personal data to third parties if you have given your express consent to do so in accordance with Article 6 (1) (a) GDPR.
(3) If personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.
Requirements for the transfer of personal data to third countries
(1) As part of our business relationships, your personal data may be passed on or disclosed to third companies. They may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us. We will inform you of the relevant details of the transfer below at the relevant points.
(2) Through so-called adequacy decisions, the European Commission certifies that some third countries have data protection that is comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in other third countries to which personal data may be transferred, there may be no consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding company regulations, standard contractual clauses issued by the European Commission for the protection of personal data, certificates or recognized codes of conduct. Please contact our data protection officer if you would like to receive more information about this.
Legal obligation to provide certain data
Under certain circumstances, we may be subject to a statutory or other legal obligation to provide the lawfully processed personal data to third parties, in particular public bodies (Art. 6 (1) (c) GDPR).
Your rights
Right to information
(1) You have the right, within the scope of Article 15 of the GDPR, to obtain information about the personal data concerning you.
(2) This requires an application from you, which must be sent either by e-mail or by post to the addresses given above (see III. 1.).
Right to object to data processing and withdraw consent
(1) In accordance with Article 21 GDPR, you have the right to object to the processing of personal data concerning you at any time. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.
(2) In accordance with Article 7 (3) of the GDPR, you have the right to withdraw your consent — i.e. your voluntary, informed and unequivocal will to us that you agree to the processing of the relevant personal data for one or more specific purposes — at any time, if you have given such consent. As a result, we are no longer allowed to continue data processing based on this consent in the future.
(3) In this regard, please contact the contact point specified above (see III. 1.).
Right to correct and delete
(1) Insofar as personal data concerning you is incorrect, you have the right, in accordance with Article 16 of the GDPR, to request immediate correction from us. With a request in this regard, please contact the contact point specified above (see III. 1.).
(2) Under the conditions set out in Article 17 of the GDPR, you have the right to request the deletion of personal data concerning you. With a request in this regard, please contact the contact point specified above (see III. 1.). In particular, you have the right to delete the data in question if the data in question is no longer necessary for the purposes of collection or processing, if the data storage period has elapsed, there is an objection (see V. 2.), or if there is unlawful processing.
Right to restrict processing
(1) In accordance with Article 18 of the GDPR, you have the right to request that we restrict the processing of your personal data.
(2) With a request to this effect, please contact the contact point specified above (see III. 1.).
(3) You have the right to restrict processing in particular if the accuracy of the personal data is disputed between you and us; in this case, you have the right to restrict processing for a period of time required to verify the accuracy. The same applies if the successful exercise of a right of objection (see G. 2.) between you and us is still disputed. You also have this right in particular if you have a right to deletion (see G. 3.) and you request restricted processing instead of deletion.
Right to data portability
(1) In accordance with Article 20 GDPR, you have the right to receive from us the personal data relating to you, which you have provided to us, in a structured, commonly used, machine-readable format in accordance with the conditions set forth.
(2) With a request to this effect, please contact the contact point specified above (see III. 1.).
Right to lodge a complaint with the supervisory authority
(1) In accordance with Article 77 GDPR, you have the right to complain to the competent supervisory authority about the collection and processing of your personal data.
(2) The competent supervisory authority for NAO can be reached using the following contact details:
Berlin Commissioner for Data Protection and Information Security
Friedrichstraße 219
10969 Berlin
Entrance: Puttkamerstr. 16-18
Telephone: +49 30 13889-0
Fax: +49 30 2155050
Email: mailbox@datenschutz-berlin.de
(3) The responsible supervisory authority for DonauCapital Wertpapier GmbH can be reached using the following contact details:
Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach
Telephone: +49 981 180093-0
Fax: +49 981 180093-800
Email: poststelle@lda.bayern.de
As of December 1, 2024