Privacy statement
As of July 21, 2025
I. GENERAL INFORMATION
Contact details of the person responsible
NAO Co-Investment GmbH Ziegelstr. 17, 10117 Berlin
telephone: +49 (0) 173 3489 438
email: hello@investnao.com
Contact details of our data protection officer
Protectra GmbH Street: Lerchenweg 3
City, zip code: Monheim am Rhein, 40789
tel.: +49 2173 9930310
email: info@protectra.de
II. SPECIFIC INFORMATION ON THE PROCESSING OF PERSONAL DATA
1. Visiting the website
a. Purpose of data processing
Each time a user accesses a page of our website and every time a file stored on the website is accessed, access data about this process is stored in a log file. Each data set consists of:
- the page from which the file was requested
- the name of the file,
- the date and time of the request,
- the amount of data transferred,
- the access status (file transferred, file not found, etc.),
- a description of the type of operating system and web browser used,
- host name of the accessing computer,
- the client IP address.
We use this data to operate our website, in particular to determine website load and website malfunctions and to make adjustments or improvements. The client IP address is used for the purpose of transmitting the requested data; it is anonymized by deleting the last block of digits (IPv4) or the last octet (IPv6) after the technical requirement has disappeared. The personal data is passed on to service providers who perform IT tasks for the purpose of website operation (such as hosting service providers or providers of plug-ins).
b. Storage period
The data is stored every time a user accesses a page of our website and every time our website is accessed and is deleted as soon as it is no longer required for the purpose of collection, which is the case no later than two weeks after your visit to the website.
c. Legal basis
The temporary storage and processing of the above data is based on the legal basis of Article 6 (1) (f) of the EU General Data Protection Regulation (hereinafter “GDPR”). The legitimate interest lies in making our website available, ensuring stability and security, and verifying misuse.
2. Cookies
a. Purpose of data processing
In order to technically make it possible to visit our website, we transfer so-called cookies to the device of the person concerned. Cookies are small text files that can identify the data subject's terminal device, usually by recording the name of the domain from which the cookie data was sent, information about the age of the cookie and an alphanumeric identifier. By saving the cookie on the device used — without interfering with the operating system — it is recognized again and allows us to immediately make any default settings available. We use this information to adapt our website and the services offered to your needs and to speed up access to our website. The personal data is passed on to third parties to analyze the use of our website, insofar as this is necessary for the purposes of analysis. Insofar as cookies are used for tracking purposes, we will provide information about this separately in this privacy policy.
b. Storage period
The storage period of the various cookies varies, but is a maximum of two years. They are stored on your local device, not on our server, which is why the actual deletion time depends on how your browser software is configured. For information on how you can delete cookies set by us on a case-by-case basis or automatically, please refer to the operating instructions for your browser software.
c. Legal basis
Strictly necessary cookies are based on the legal basis of Article 6 (1) (f) GDPR to enable you to visit our website; in particular, some functions on our website cannot be used without cookies, as otherwise the user and the settings he has already made would not be recognized when changing pages, language settings would be lost and searches could not be carried out. The use of unnecessary cookies (such as marketing, statistical or third-party cookies) is based on consent given by means of the cookie banner on our website and based on the legal basis of Article 6 (1) (a) GDPR and, for data transfer to third countries, on Article 49 (1) (a) GDPR.
d. Prevention option
The person concerned can block the use of cookies in the terminal device used or delete them after use. However, individual functions of our offer may then not be usable. How to block cookies and delete cookies that have already been saved can be found in the browser software instructions.
3. Inclusion on our waiting list
a. Purpose of data processing
In order to be able to consider you for membership in the NAO CO investment platform, we offer you to sign up for a waiting list and therefore store your data in our database on our server. With your consent, we store and process client IP addresses at the time of filling out the query mask, name, email address, age range, investment behavior and interests for asset classes. We will contact you about this after the NAO app goes live so that you can register with our NAO app. We use your name and email address for the purpose of contacting you. The other information is used to find out which target group is interested in our offer.
b. Storage period
As soon as the data is no longer necessary to achieve the purpose, it will be deleted, which is the case if the person concerned has objected to the contact, in compliance with the legal storage periods.
c. Legal basis
The processing of the above data is based on the legal basis of Art. 6 para. 1 lit. f GDPR in order to contact you — as requested — for information purposes. Our legitimate interest is to be able to process the contact request and to be able to prevent misuse of the contact request.
4. Contact
a. Purpose of data processing
You can contact us via email or telephone. We store the data transmitted to us and provided by the person concerned to process the request. This data regularly includes name, e-mail address, telephone number, date and time of the request and the description of the request, possibly contract data if the request is made as part of the conclusion or processing of a contract. Insofar as the personal data is sent by e-mail, it is passed on to service providers who enable the sending (participating mail providers, providers of social networks and providers of plug-ins).
b. Storage period
We store personal data that we collect and process for the purpose of making contact with each other until three years have elapsed at the end of the year after full performance of the reciprocal performance obligations. Insofar as the data is the subject of documents within the meaning of Sections 147 Paragraph 1 No. 2, 3 and 5 AO, 257 Paragraph 1 No. 2 and 3 HGB, the data will be deleted at the end of six years to the end of the year, unless shorter retention periods are permitted under other tax laws. If the data is part of documents within the meaning of Sections 147 Paragraph 1 No. 1, 4, 4a AO, 257 Paragraph 1 No. 1 and 4 HGB, the data will be deleted at the end of the year. The deadlines begin at the end of the calendar year in which the data was collected.
c. Legal basis
The processing of the above data is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR as part of contract initiation or performance of a contract or in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to be able to process the contact request and to be able to prevent misuse of the contact request.
5. Newsletter
a. Purpose of data processing
It is possible to sign up for a newsletter. If the person concerned signs up for the newsletter, the data stored there by the person concerned when registering will be sent to us from the input form. These are the specified email address, IP address, time and date of registration. Furthermore, as part of the double opt-in process, it is collected and stored that and which link was clicked on from which IP address and when. The data collected is required in order to be able to send the newsletter and to confirm a subscription. If the newsletters are sent by e-mail, they are passed on to service providers that enable delivery (participating mail providers or providers of plug-ins or email marketing software).
b. Storage period
The data will be deleted as soon as the data is no longer required to achieve the purpose and the person concerned has unsubscribed from the newsletter. According to this, they are stored for ten years from the last newsletter dispatch for the purpose of providing proof in the event of queries about existing consents, taking into account the limitation period.
c. Legal basis
The processing of the above data takes place on the legal basis of Art. 6 para. 1 lit. a GDPR only with prior consent as part of the registration process. Withdrawal of consent at any time does not affect the lawfulness of the processing of personal data carried out on the basis of the consent up to the withdrawal.
6. Blog
a. Purpose of data processing
In our blog, in which we publish various articles on topics related to the offers of our web shop, a user can make public comments. This will be published with the specified name in the article. Username and email address are required, all other information is voluntary. Furthermore, the IP address is stored. The storage is necessary to be able to defend us against liability claims in cases of possible publication of illegal content. We need your email address to contact you if a third party complains about your comment as unlawful. The personal data will be passed on to service providers who perform IT tasks for the blog (such as providers of plug-ins or anti-spam service providers).
b. Storage period
The data is stored for each comment made by a user and deleted as soon as it is no longer required for the purpose of collection, which is the case no later than three months after publication of the comment.
c. Legal basis
The processing of the above data is carried out in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in making our blog available and in being able to prevent misuse of the comment function.
7. Application process
a. Purpose of data processing
Your application data, in particular the name, address (es), e-mail address, telephone number, date of birth, gender and application documents such as certificates, assessments, education, professional career and main areas of experience and application photo, are processed solely for the purpose of verifying the application and possible initiating a contract. The collected data is only transferred to the personnel file when an employment contract is concluded. The personal data is only passed on to third parties if this is necessary for the purpose of carrying out the application or employment contract, for example to a service provider from the personnel sector.
b. Storage period
We delete personal data that we process for the purpose of carrying out the application process as soon as they are no longer required to achieve the purpose, which is the case no later than six months after we have sent the person concerned an acceptance or rejection, unless the data is required to assert, exercise or defend claims in the context of a legal dispute. Thereafter, storage will only take place if the person concerned has been invited by us to our “applicant database” for future job descriptions and has expressly stated with his consent that he wishes to be included until the cancellation is declared, in order to be considered when filling positions in the future without further transmission of his application documents.
c. Legal basis
The processing of the above data is carried out on the legal basis of Art. 88 GDPR in conjunction with § 26 BDSG and Art. 6 para. 1 lit. b GDPR to initiate or implement contractual relationships. We may also process personal data from applications insofar as this is necessary to fulfill legal obligations under Art. 6 para. 1 lit. c GDPR or to defend against asserted legal claims against us. The legal basis is then Article 6 (1) (f) GDPR. The legitimate interest is in particular a possible burden of proof in proceedings under the General Equal Treatment Act (AGG). If the data is included in our applicant database after consent has been given, the storage is based on Art. 6 para. 1 lit. a GDPR.
8. Google Analytics
a. Purpose of data processing
This website uses Google Analytics, a web analysis service from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses so-called “cookies”, text files that are stored on the data subject's device and which enable an analysis of the use of the website. The information generated by the cookie about the use of this website is usually also transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymization on this website, Google will abbreviate the IP address of the person concerned beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. On behalf of the operator of this website, Google will use this information to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and Internet usage to the website operator. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be combined with other Google data, unless you are logged into your Google account at the time of access. You can find more information about Google's privacy policy at the following Internet address https://policies.google.com/privacy.
b. Storage period
As soon as the data is no longer necessary to achieve the purpose, it is deleted, which is the case when the anonymization, which takes place within the European Union, has been completed. This takes less than a second. The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs is automatically deleted after 14 months. Data whose storage period has been reached is automatically deleted once a month. For more information, see https://www.google.com/analytics/terms/de.html and https://policies.google.com/?hl=de.
c. Legal basis
Processing is carried out on the legal basis of Art. 6 para. 1 lit. a GDPR only with prior consent.
d. Prevention option
The person concerned can block the use of cookies in the terminal device used or delete them after use. However, individual functions of our offer may then not be usable. How to block cookies and delete cookies that have already been saved can be found in the browser software instructions. You can also prevent the collection of data generated by the cookie and related to the use of the website (including the IP address) by Google and the processing of this data by Google by installing the browser plug-in available at http://tools.google.com/dlpage/gaoptout?hl=de.
9. Zapier
a. Purpose of processing
Zapier, a service provided by Zapier Inc., 548 Market St #62411, San Francisco, California 94104, USA, is used to subscribe to the mailing list. The following data is transferred via Zapier:
- First name
- surname
- email address
- IP address
- Website visit details.
Personal data transmitted to Zapier is only used by Zapier for technical processing and administration of the services. Zapier, as the company that processes personal data on behalf of and on the instructions of the person responsible, is only the contract processor. There is an agreement on order data processing. The provider's privacy policy can be viewed at: https://zapier.com/privacy
b. Storage period
As soon as the data is no longer necessary to achieve the purpose, it is deleted. The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs is automatically deleted after 14 months. Data whose storage period has been reached is automatically deleted once a month. For more information, see https://help.zapier.com/hc/en-us/articles/8496243229069#privacy-compliance-at-zapier-0-0.
c. Legal basis
Processing is carried out on the legal basis of Art. 6 para. 1 lit. a GDPR only with prior consent. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising the rights of data subjects as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
10. Typeform
a. Purpose of processing
For the contact form available on our website, we use the services of the survey provider Typeform. Typeform is a service provided by TYPEFORM S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain. Typeform collects and stores your information when you sign up for the newsletter. This enables us to provide you with an easy contact option. We ourselves are responsible for the specially published Typeform forms and manage the data collected as a result. We delete them from the Typeform servers after we have downloaded them. Typeform collects usage data whenever you use the form. Typeform collects data about the type of device and program used to access a form, such as the IP address, browser type and operating system, device information, as well as your email address and your first and last name. This may also include the user's geographical location determined by the IP address. Typeform stores information about the source that referred the user to the form (e.g. the link on a website or in an email). Typeform uses third-party tracking services that use cookies and page tags (also known as web beacons or web bugs) to collect aggregate and anonymized data. Typeform is the recipient of your personal data and works for us as an order processor. For this purpose, we have concluded an order processing contract with Typeform in accordance with Art. 28 GDPR. The processing of the data provided under this section is not required by law or contract. Without your consent and the transmission of your personal data, we cannot provide you with a contact form. The data is stored exclusively for the purpose of transmitting inquiries and answering them. The mandatory information is used to identify and answer your request. Further information can be found at: https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data and https://admin.typeform.com/to/dwk6gt?typeform-source=www.adsimple.de.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can unsubscribe from our newsletter at any time, i.e. withdraw your consent. At the same time, your consent to its dispatch by the shipping service provider and the statistical analyses expire. A separate cancellation of the shipment by the shipping service provider or the statistical evaluation is not possible. The revocation can be made via a link in the newsletter itself or by sending a message to the contact options above. If you have only signed up for the newsletter and cancelled this subscription, your personal data will be deleted.
11. MailChimp
a. Purposes of data processing
Newsletters and certain transaction announcements are sent using MailChimp, a newsletter delivery platform from the US provider The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The shipping service provider's privacy policy can be viewed at this link. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection standards. You can find further information about this under this link: https://mailchimp.com/de/help/about-the-general-data-protection-regulation/. According to its own information, the shipping service provider can use this data in pseudonymous form, i.e. without attribution to a user, to optimize or improve its own services, e.g. to technically optimize the delivery and presentation of the newsletters or for statistical purposes to determine which countries the recipients come from. However, the shipping service provider does not use the data of our newsletter recipients to write to them themselves or pass them on to third parties.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for processing the above data for the purpose of transaction announcements is Art. 6 para. 1 lit. b GDPR. The legal basis for sending our newsletter is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can unsubscribe from our newsletter at any time, i.e. withdraw your consent. At the same time, your consent to its dispatch by the shipping service provider and the statistical analyses expire. A separate cancellation of the shipment by the shipping service provider or statistical evaluation is not possible. The revocation can be made via a link in the newsletter itself or by sending a message to the contact options above. If you have only signed up for the newsletter and cancelled this subscription, your personal data will be deleted.
12. Webflow
a. Purpose of data processing
For our website, we use Webflow, a website builder system from the American service provider Webflow Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA. Data such as name, email address, log files including your IP address are collected and also processed in the USA. Webflow is a tool for building and hosting websites. Webflow stores cookies or other recognition technologies that are necessary to display the page, to provide certain website features, and to ensure security. For more information, see the provider's privacy policy, available at: https://webflow.com/legal/privacy. We have concluded a contract for order processing with the above-mentioned provider. This is a contract required by data protection law, which ensures that it only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
Webflow is used on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in presenting our website as reliably as possible. Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://webflow.com/legal/eu-privacy-policy. Through these clauses, Webflow undertakes to comply with European data protection standards when processing relevant data, even if the data is stored, processed and managed in the USA. The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/list.
13. Finsweet
a. Purpose of data processing
For our website, we use consent technology from Finsweet, a service provided by the American service provider Finsweet Inc., 2774 Harbor Rd Merrick, NY, 11566-4608, USA, to obtain your consent to store certain cookies on your device or to use certain technologies and to document this in accordance with data protection regulations. The cookie banner is loaded when the website is accessed. There, you can set your cookie preferences. The cookie tool sets a cookie in your browser in order to be able to assign the consents given or their revocation to you. When loading, your browser connects to the Finsweet server, which gives the Finsweet server the information that you have accessed this website with your IP address. The following personal data is collected:
- date and time of retrieval;
- browser type and version;
- reference URL;
- IP address;
- granting of consent.
b. Storage period
Your data will be deleted after processing has been completed, your request for deletion, deletion of the cookie by you or the purpose for data storage ceases to exist in compliance with the legal retention periods.
c. Legal basis
Finsweet is used on the basis of Art. 6 para. 1 lit. c GDPR. The cookie tool is used to obtain the legally required consent for the use of cookies.
14. Customer.io
a. Purpose of data processing
We use the customer.io email tool for email marketing and marketing automation, which is operated by Peaberry Software Inc., 921 SW Washington Street Suite 820, Portland, OR 97205, USA. Customer.io processes content data (e.g. entries in online forms), contact data (e.g. email addresses, telephone numbers) and meta/communication data (e.g. device information, IP addresses) in the EU. Customer.io's privacy policy can be found at https://customer.io/privacy-policy.html.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR.
d. Consent
I agree — revocable at any time in the future — that NAO processes my personal data (content data, contact details and meta/communication data) mentioned under lit. a. (marketing).
e. Withdrawal of consent
You can withdraw your consent to the processing of your personal data at any time. The revocation can be made via the contact options provided. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
15. Meta pixels
a. Purpose of data processing
We use tracking pixels from the Facebook and Instagram social networks from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland to create so-called custom audiences, i.e. to segment groups of visitors to our online offering, to determine conversion rates and then optimize them. This happens in particular when you interact with advertisements that we have placed with Meta Platforms Ireland Limited. When you visit our website, the meta pixel is triggered and stores your actions on our website in one or more cookies. These cookies enable Meta to compare your user data (e.g. IP address, user ID) with the data from your Facebook user account. Meta then deletes your data again. The data collected is not visible to us and can only be used when advertising is placed. If you are a Facebook user yourself and are logged in, your visit to our website is automatically associated with your Facebook user account. For more information, see the Meta Pixel privacy policy at https://www.facebook.com/privacy/explanation.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Since, when using meta pixels, it cannot be ruled out that processed data will also be transferred to the USA, further protection mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
16. Facebook Conversion API
a. Purpose of data processing
We use the Facebook Conversion API, a server-side event tracking tool, from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to send data about your behavior on our website to Facebook for evaluation. This allows us to display advertisements to you in line with your user behavior on our website. When you visit our website, usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (information about the geographical position of a device or person) as well as e-mail address, telephone number, gender, date of birth, first and last name, address, user IDs are used and transmitted to Facebook. For more information, please see Facebook's privacy policy at https://de-de.facebook.com/about/privacy/.
b. Responsibility
Insofar as personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of data and its transfer to Facebook. The processing carried out by Facebook after the transfer is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook Conversion API and for implementing the tool on our website in a manner that is secure under data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) with regard to the data processed by Facebook directly. If you assert the rights of data subjects with us, we are obliged to forward them to Facebook.
c. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
d. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Since, when using the Facebook Conversion API, it cannot be ruled out that processed data will also be transferred to the USA, further protective mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
17. Google Tag Manager
a. Purpose of data processing
We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to offer you a good user experience on our website and to be able to personalize our offer. We do this by embedding code sections (tags) into the source code of our website. The tags are managed via the Tag Manager. This allows us to record (track) user behavior via various functions of our website and thus individually adapt our offer. According to its own statements, Google does not combine the data collected as part of Tag Manager with your personal data, which may be stored by Google. Google acts as an order processor for us with regard to the tag manager tool and has contractually guaranteed compliance with data protection in accordance with European standards. In any case, your IP address is collected via a separate cookie set by Google Tag Manager. Information about the hardware and software you use, such as which operating system you use and which browser you use and its version, is also processed. In addition, data is collected about your website visits, the language set on your system and the type of screen, its resolution, as well as the support for scripting languages and the fonts of installed browser plug-ins. Depending on which other tracking services we use and manage via Tag Manager (e.g. Google Analytics or Meta-Pixel), in addition to other data, your IP address is transmitted to servers managed by Google or Meta, most of which are located in the USA. Further information on data protection at Google can be found at www.google.com/intl/de/policies/privacy.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Since, when using Google Tag Manager, it cannot be ruled out that processed data will also be transferred to the USA, further protective mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this contractual extension also cannot ensure this, we will endeavour to obtain further regulations and promises from the recipient in the USA.
18. Hotjar
a. Purpose of data processing
We use Hotjar, which is operated by Hotjar Limited, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, to better understand the needs of our users and to optimize the offer and experience on our website. Hotjar's technology gives us a better understanding of our users' experiences (e.g. how much time users spend on which pages, which links they click on, what they like and dislike, etc.). These insights help us to tailor our offerings to feedback from our users. Hotjar works with cookies and other technologies to collect data about the behavior of our users and about their devices, in particular the IP address of the device (only collected and stored in anonymized form during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf. Further information on data protection at Hotjar can be found at https://www.hotjar.com/legal/policies/privacy/?tid=331689176146.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
19. FinanceAds
a. Purpose of data processing
We work with FinanceAds, operated by FinanceAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany, to reach new prospects for our offer through advertising partners. The advertising partner receives a commission from us if people from this advertising partner come to us and become customers and a further commission if these customers invest via the NAO app. In order for advertising partners to be able to prove to NAO how many people have been referred, the following types of data or categories of data can be processed:
- Technical data (e.g. IDs for campaigns, tracking, user/product level associations)
- Product specifications
- Response data
- Usage data and profiles from web tracking (e.g. usage data recorded in the contractor's web analytics system, in particular user IP addresses)
In the course of this data processing, in particular, an identification number of the referring advertising partner is stored and the serial number of the advertising material clicked on by the website visitor is recorded. When a transaction is concluded, the partner identification number is used to allocate the commission to be paid to the mediating partner. The purpose of this data processing is to remunerate our advertising partners via FinanceAds based on the aforementioned user interactions (registration as a customer, investment via NAO app). Further information on data protection at FinanceAds can be found at https://www.financeads.net/aboutus/datenschutz/.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
FinanceAds is used on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest is direct marketing. The data subject's interest in data protection is maintained, as no data is stored that enables a specific personal reference.
20. Trustpilot
a. Purpose of data processing
We use Trustpilot, a performance evaluation service provided by Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark. Trustpilot allows users to rate our services. There is no right to publish and no third-party copyrights may be infringed. The data collected in this way, such as name, email address and reference number, is used to authenticate and contact the user. We may contact you via email to invite you to rate the service and/or products you have received from us in order to obtain your feedback and improve our service and products. We may also use such reviews in other promotional materials and for promotional purposes (the “purpose”). Since we work with an external company, Trustpilot A/S (“Trustpilot”), to collect customer feedback, we will share your name, email address, and reference number with Trustpilot for this purpose. If you want to learn more about how Trustpilot processes your data, you can review the company's privacy policy and applicable terms here: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms and https://de.legal.trustpilot.com/end-user-terms-and-conditions.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
The processing of your data as part of the evaluation process is based on your consent in accordance with Article 6 paragraph 1 letter a GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
21. Adjust
a. Purpose of processing
We use Adjust, a service provided by adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”), for marketing purposes. Adjust helps us track and improve the performance of our marketing campaigns, display or not display personalized ads, prevent marketing fraud, and attribute customer behavior, such as registrations or other actions, to specific campaigns, affiliate marketing partners, or influencers. For this purpose, Adjust analyses your use of our website. For this analysis, Adjust uses your data such as names, email addresses, telephone numbers, IP and/or MAC addresses.
For more information on the processing of personal data by Adjust, please see Adjust's privacy policy: https://www.adjust.com/terms/privacy-policy.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods.
c. Legal basis
Adjust is used on the basis of Article 6 (1) (f) GDPR, as we have a legitimate interest in optimizing our marketing measures and preventing fraud.
22. Google Ads
a. Purpose of processing
On our website, we use Google Ads Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This tracking enables us to analyze the effectiveness of our ads placed via Google. When you click on an ad placed by Google, a conversion tracking cookie is stored on your device. This conversion cookie is valid for 30 days and does not allow the user to be directly identified. As long as the cookie is valid, we can track whether a user has reached our website via a Google ad. The data collected with conversion cookies helps us measure the success of our advertising efforts. For more information on data processing by Google, please see Google's privacy policy: https://policies.google.com/privacy.
b. Storage period
The cookies lose their validity after 30 days. The additional data collected will be deleted after processing has been completed, taking into account the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks?hl=de. Through these clauses, Google undertakes to comply with the European level of data protection when processing relevant data, even if the data is stored, processed and managed in the USA. The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/list.
23. Google Ads Customer Match
a. Purpose of processing
On our website, we use Google Ads Customer Match, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. As part of Customer Match, we upload encrypted user data (such as names, email addresses, postal addresses, or customer-specific IDs) to Google with your consent in order to target existing users with relevant advertising. Google compares this data with existing Google accounts and uses it to create target groups (so-called customer match lists), which are used to target ads. After creating the target groups, the encrypted data is automatically deleted by Google. For more information about data processing by Google, please see Google's privacy policy: https://policies.google.com/privacy
b. Storage period
The encrypted customer data is deleted by Google after the reconciliation. Google does not store any new addresses or personal data that goes beyond the existing reconciliation.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Data transmission to the USA is based on the standard contractual clauses of the EU Commission.
Details can be found here: https://policies.google.com/privacy/frameworks?hl=de. Through these clauses, Google undertakes to comply with the European level of data protection when processing relevant data, even if the data is stored, processed and managed in the USA.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/list.
24. Microsoft Clarity
a. Purpose of data processing
We use Microsoft Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, to better understand the use of our website and to improve and market our products/services. Microsoft Clarity collects behavioral metrics, heat maps, and session recordings that help us analyze user interactions with our website. In addition, we use this data to optimize our site, prevent fraud, for security purposes and for targeted advertising. The information collected includes device data (IP address), screen size, device type, browser used, location (country only) and preferred language. This information is transferred to a Microsoft server in the USA and stored there. However, we use Microsoft Clarity with the so-called anonymization function. With this function, Microsoft already abbreviates the IP address within the EU or the EEA. Further information about how Microsoft processes your data can be found in the Microsoft privacy policy at the following link: https://www.microsoft.com/en-us/privacy/privacystatement.
b. Storage period
The data will be deleted after processing has been completed, taking into account the legal retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses. Through these clauses, Microsoft undertakes to comply with the European level of data protection when processing relevant data, even if the data is stored, processed and managed in the USA. The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/list.
25. Reddit Advertising
a. Purpose of data processing
We use tracking technologies from Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015CS, Amsterdam, Netherlands to display targeted and personalized advertising on the “Reddit” platform and to create interest-based user profiles. This data helps us optimize future campaigns and ads on Reddit and better tailor advertising campaigns to our target groups. We also use the data to measure event-based conversions of Reddit ads. The information collected may include: device data (such as operating system and browser used), IP address, location information, and information about user interactions with the ads. For more information about how Reddit processes your data, see Reddit's privacy policy at the following link: https://www.redditinc.com/policies/privacy-policy.
b. Storage period
The data will be deleted as soon as they are no longer required for processing purposes and there are no longer any legal retention periods.
c. Legal basis
The legal basis for processing your personal data is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising the rights of data subjects as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the withdrawal, the lawfulness of the processing carried out so far is not affected. The processing of the data by the provider of the “Reddit” platform is the responsibility of the provider. We have no influence on this. With regard to the exercise of your rights as a data subject, it is therefore recommended to assert your rights against the provider. However, you are of course also free to contact us in this regard.
26. Addrevenue
a. Purpose of data processing
We work with Addrevenue, Drottninggatan 29, 11151 Stockholm, Sweden, to reach new prospects for our offer through advertising partners. In doing so, the advertising partner receives a commission from us if people from this advertising partner come to us and become customers and a further commission if these customers invest via the NAO app. In order for advertising partners to be able to prove to NAO how many people have been referred, the following types of data or categories of data can be processed:
- Technical data (e.g. order number (Order ID), time stamp)
- Response data
- Usage data from web tracking (e.g. IP addresses as part of the HTTP request; these are not stored in the database and are not processed further, but are only temporarily logged in the web server log for approx. 5 days)
In the course of this data processing, in particular, an identification number of the referring advertising partner is stored and the serial number of the advertising material you have clicked on is recorded. When a transaction is concluded, the partner identification number is used to allocate the commission to be paid to the mediating partner. The purpose of this data processing is to remunerate our advertising partners via Addrevenue based on the aforementioned user interactions (registration as a customer, investment via NAO app). Further information on data protection at Addrevenue can be found at https://addrevenue.io/de/privacy-policy.
b. Storage period
Your data will be deleted after processing has been completed in compliance with the legal retention periods. On the server side, IP addresses are only stored briefly (for approx. 5 days) in the web server's log files and are not processed further.
c. Legal basis
Addrevenue is used on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest is direct marketing. The data subject's interest in data protection is maintained, as no data is stored that enables a specific personal reference.
27. LinkedIn Insight Tag & Conversions API
a. Purpose of data processing
We use LinkedIn Insight Tag & Conversions API, a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, to measure the effectiveness of our advertising campaigns, perform conversion tracking, enable retargeting, and create analyses of campaign performance. This allows us to understand how users interact with our ads and use this information to optimize our marketing efforts. As part of this data processing, the following categories of data are collected:
- Technical data such as IP address, browser and device information
- Referrer URL and timestamp
- Hashed email or phone number (via Conversions API)
- Event names and campaign interactions
Further information on LinkedIn's privacy policy can be found at: https://www.linkedin.com/legal/privacy-policy.
b. Storage period
Your data will be deleted after processing has been completed and in compliance with the legal retention periods.
c. Legal basis
The legal basis for processing your personal data is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
28. Reddit Conversion API
a. Purpose of data processing
We use Reddit Conversion API, a service provided by Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015CS, Amsterdam, the Netherlands, to measure the performance of our advertising campaigns, track conversions, perform event-based conversion measurements, enable retargeting and create analyses. This allows us to better understand the success of our marketing campaigns and improve them in a targeted manner.
The following categories of data are processed:
- IP address
- Browser and device metadata
- Hashed email or phone number (via Conversions API)
- Event names and campaign interactions
- Referrer URL and timestamp
For more information about Reddit's privacy policy, please visit: https://www.redditinc.com/policies/privacy-policy
b. Duration of storage
Your data will be deleted after processing has been completed, taking into account legal retention periods.
c. Legal basis
The legal basis for processing your personal data is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
The processing of data by the provider of the “Reddit” platform is the responsibility of the provider. We have no influence on this. With regard to the exercise of your rights as a data subject, it is therefore recommended to assert your rights against the provider. However, you are of course also free to contact us in this regard.
29. Spotify Pixel & Conversion API
a. Purpose of data processing
We use the Spotify Pixel and the Spotify Ads Conversion API on our website. The provider is the music streaming service Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. The purpose of data processing is to track conversions such as app installations, registrations or purchases, to analyze the performance of our advertising campaigns, to target users for retargeting measures, and to optimize campaigns and ensure attribution. For this purpose, various data is collected, which enables Spotify to measure the effectiveness of advertising and to address target groups precisely. The following categories of data are processed:
- IP address
- Device and browser metadata
- Referrer URL and UTM parameters
- Timestamps and URLs visited
- Spotify Ad ID (where available)
- Users' event names and actions on the website (e.g. registration, purchase)
- Cookie-based identifiers (if consent has been given)
This data helps us to target campaigns, measure success and better optimize advertisements. If you are registered with Spotify, you can set what types of ads are shown to you within Spotify by visiting the page set up by Spotify and following the instructions on the settings for usage-based advertising.
b. Storage period
Spotify only stores personal data for as long as is necessary to provide the services and for legitimate and essential business purposes. Data can be stored until the Spotify account is deleted or is automatically deleted after a certain period of time. More detailed information on the storage period and deletion rights can be found in the Spotify privacy policy at https://www.spotify.com/de/legal/privacy-policy. We delete the data as soon as they are no longer required for processing purposes and there are no longer any legal retention periods.
c. Legal basis
The legal basis for processing your personal data is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising the rights of data subjects as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected. The processing of data by the provider of the “Spotify” platform is the responsibility of the provider. We have no influence on this. With regard to the exercise of your rights as a data subject, it is therefore recommended to assert your rights against the provider. However, you are of course also free to contact us in this regard.
30. Viral Loops
a. Purpose of data processing
We use Viral Loops software from Viral Loops Ltd., 21 Aylmer Parade Aylmer Road, London, England, an online platform for viral marketing and referral marketing (“Viral Loops”). We use Viral Loops to carry out various viral campaigns and referral marketing campaigns (e.g. sweepstakes, waiting lists, friend invitations). As part of these campaigns, personal data (e.g. name, email address) is collected in order to get in touch with participants and implement the campaign.
b. Storage period
The data will be deleted as soon as they are no longer required for processing purposes and there are no longer any legal retention periods. The duration of storage of personal data by Viral Loops may vary depending on the type of data processed. Detailed information can be found in the Viral Loops privacy policy at: https://viral-loops.com/privacy
c. Legal basis
The legal basis for processing your personal data is your consent in accordance with Article 6 (1) (a) GDPR. You can withdraw your consent to the processing of your personal data at any time. In addition to exercising data subject rights as described above, this consent can also be withdrawn by adjusting the cookie settings accordingly. Your data will be processed as long as you have given your consent. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.
III. RIGHTS OF THE PERSON CONCERNED
If personal data of the user is processed on our website, the user (data subject) has the following rights vis-à-vis the person responsible in accordance with the GDPR.
1. Right to information under Article 15 GDPR
The person concerned has the right to the following information:
a) the purposes of processing;
b) the categories of personal data that are processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
e) the existence of a right to correct or delete personal data concerning you or to restrict processing by the person responsible or a right to object to this processing;
f) the existence of a right to lodge a complaint with a supervisory authority;
g) if the personal data are not collected from the data subject, all available information about the origin of the data;
h) the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and — at least in these cases — meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
i) If personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate guarantees in accordance with Article 46 GDPR in connection with the transfer.
We provide the data subject with a copy of the personal data that is the subject of the processing. For all further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
2. Right to correction under Article 16 GDPR
The data subject has the right to obtain from the person responsible the correction of incorrect personal data concerning him or her without undue delay. Taking into account the purposes of processing, the data subject has the right to request the completion of incomplete personal data — including by means of a supplementary statement.
3. Right to deletion in accordance with Art. 17 GDPR
The data subject has the right to request that the person responsible delete personal data concerning him immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on which the processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing;
c) the data subject objects to processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for processing, or the data subject objects to processing in accordance with Article 21 (2) GDPR;
d) the personal data were processed unlawfully;
e) the deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject;
f) the personal data was collected in relation to information society services offered in accordance with Article 8 (1) GDPR.
4. Right to restrict processing under Article 18 GDPR
The data subject has the right to request that the person responsible restrict processing if one of the following conditions is met:
a) the accuracy of the personal data is disputed by the data subject, for a period of time which enables the person responsible to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject opposes the deletion of the personal data and instead requests that the use of the personal data be restricted;
c) the controller no longer needs the personal data for processing purposes, but the data subject needs them to assert, exercise or defend legal claims, or
d) the data subject has objected to processing in accordance with Article 21 (1) GDPR as long as it is not yet clear whether the legitimate reasons of the controller outweigh those of the data subject.
5. Right to be informed in accordance with Art. 19 GDPR
If the data subject has asserted a right to correction under Article 16 GDPR, deletion under Article 17 (1) GDPR or restriction of processing under Article 18 GDPR with regard to his personal data, and the controller has informed all recipients to whom the data subject's personal data has been disclosed of the data subject's request (unless this was impossible or involved disproportionate effort), the data subject has the right to be notified by the controller about these recipients.
6. Right to data portability in accordance with Article 20 GDPR
The data subject has the right to receive the personal data concerning him, which he has provided to a person responsible, in a structured, common and machine-readable format, and he has the right to transfer this data to another person responsible without hindrance by us, provided that
a) the processing is based on consent in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a or on a contract in accordance with Art. 6 para. 1 lit. b GDPR and
b) processing is carried out using automated procedures.
The rights and freedoms of other persons must not be affected as a result.
When exercising the right to data portability in accordance with paragraph 1, the person concerned has the right to have the personal data transmitted directly from us to another person responsible, insofar as this is technically feasible. The exercise of the right to data portability does not affect the right of deletion under Article 17 GDPR. The right to data portability does not apply to processing that is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority vested in the person responsible.
7. Right to object under Article 21 GDPR
The data subject has the right, for reasons arising from his particular situation, to object at any time to the processing of personal data concerning him based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. The objection must state the reasons that arise from the particular situation of the person concerned and speak against processing. We will review these reasons and stop processing if we conclude that the balance between the legitimate or public interest in processing and the data subject's interest in the processing not taking place now favors the data subject. If this is the case, the data will no longer be processed unless we can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims. If personal data is processed for direct marketing, the data subject has the right to object to the processing of personal data concerning him or her for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
8. Right to withdraw consent
If processing is based on the consent of the person concerned, he can withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal.
9. Automated decisions in individual cases including profiling in accordance with Art. 22 GDPR
The data subject has the right not to be subject to a decision based exclusively on automated processing, including profiling, which has legal effect on him or significantly affects him in a similar way. This does not apply if the decision
a) is necessary for the conclusion or performance of a contract between the person concerned and us,
b) is permitted by Union or Member State legislation to which we are subject and that legislation contains appropriate measures to protect the rights and freedoms and legitimate interests of the person concerned, or
c) is made with the express consent of the person concerned.
These decisions must not be based on special categories of personal data in accordance with Article 9 (1) GDPR, unless Article 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject.
In the cases referred to in points a) and c), we take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the person concerned, which includes at least the right to obtain the intervention of a person on our side, to state their own position and to challenge the decision.
10. Right to lodge a complaint with a supervisory authority in accordance with Article 77 GDPR
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if the person concerned believes that the processing of personal data relating to them is contrary to the GDPR. The supervisory authority with which the complaint was lodged shall inform the complainant of the status and results of the complaint including the possibility of a judicial remedy under Article 78 GDPR.
11. Right to an effective judicial remedy under Article 79 GDPR
Without prejudice to any available administrative or extrajudicial remedy, including the right to lodge a complaint with a supervisory authority in accordance with Article 77 GDPR, any data subject has the right to an effective judicial remedy if they believe that their rights under the GDPR have been infringed as a result of processing of their personal data not in accordance with the GDPR. The courts of the Member State in which we or the processor have a branch have jurisdiction over lawsuits against us or against a processor. Alternatively, such actions may also be brought before the courts of the Member State in which the person concerned resides, unless we or the processor is an authority of a Member State which has acted in the exercise of its sovereign powers.