I. General Information
1. Contact Details of the Data Controller
NAO Co-Investment GmbH
Ziegelstraße 17, 10117 Berlin
Telephone: +49 (0)173 3489 438
Email: hello@investnao.com
2. Contact Details of Our Data Protection Officer
Name: Protectra GmbH
Street: Lerchenweg 3
City, postal code: Monheim am Rhein, 40789
Phone: +49 2173 9930310
e-mail: info@protectra.de
II. Specific Information on the Processing of Personal Data
1. Visiting the Website
a. Purpose of Data Processing
Each time a user accesses a page on our website and each time a file is accessed on the website, access data about this process is stored in a log file. Each record consists of:
(1) the page from which the file was requested,
(2) the name of the file,
(3) the date and time of the request,
(4) the amount of data transferred,
(5) the access status (file transferred, file not found, etc.),
(6) a description of the type of operating system and web browser used,
(7) hostname of the accessing computer,
(8) the client’s IP address.
We use this data to operate our website, in particular to determine the load on the website and malfunctions of the website, and to make adjustments or improvements. The client IP address is used to transmit the requested data; once the technical requirement no longer applies, it is anonymized by deleting the last digit block (IPv4) or the last octet (IPv6).
The personal data will be passed on to service providers who perform IT tasks for the operation of the website (such as hosting service providers or plug-in providers).
b. Duration of Storage
The data is stored each time a user accesses a page on our offering and each time our website is accessed, and is deleted as soon as it is no longer required for the purpose for which it was collected, which is the case no longer than two weeks after your visit to the website.
c. Legal basis
The temporary storage and processing of the aforementioned data is based on the legal basis of Article 6 (1) (f) of the EU General Data Protection Regulation (hereinafter "GDPR"). Our legitimate interest lies in making our website available, ensuring its stability and security, and monitoring for misuse.
2. Cookies
a. Purpose of Data Processing
In order to technically enable visits to our website, we transfer so-called cookies to the end device of the data subject. Cookies are small text files that can be used to identify the end device of the data subject, usually by recording the name of the domain from which the cookie data was sent, information about the age of the cookie, and an alphanumeric identification. By storing the cookie on the device used – without interfering with the operating system – it is recognized again and allows us to make any pre-settings immediately available. We use this information to adapt our website and the services offered to your needs and to speed up access to our website.
The personal data will be shared with third party providers to analyze the use of our website, insofar as this is necessary for the purposes of the analysis. If cookies are used for tracking purposes, we will inform about this separately in this privacy policy.
b. Duration of Storage
The storage period of various cookies varies, but is a maximum of two years. They are stored on your local device, not on our server, so the actual deletion period depends on how your browser software is configured. Please refer to your browser software's manual for information on how to delete cookies we set on an ad hoc basis or automatically.
c. Legal basis
Strictly necessary cookies are based on the legal basis of Article 6 (1) (f) of the GDPR in order to enable visits to our website; in particular, some functions on our website cannot be used without cookies, as otherwise the user and their previously configured settings would not be recognized when changing pages, language settings would be lost, and searches could not be carried out.
The use of non-essential cookies (such as marketing, statistical or third-party cookies) is based on consent given via the cookie banner on our website and is based on the legal basis of Article 6 (1) (a) of the GDPR and, for data transfer to third countries, on Article 49 (1) (a) of the GDPR.
d. Possibility of Prevention
The data subject can block the use of cookies on the used end device or delete them after use. However, under certain circumstances, individual functions of our offering may then not be available. Information on how to block cookies and delete previously stored cookies can be found in the instructions for the browser software.
3. Joining Our Waiting List
a. Purpose of Data Processing
In order to be able to consider your inclusion in the NAO Co-Investment Platform, we offer the option to sign up for a waiting list, thus storing your data in our database on our server. For this purpose, with your consent, we store and process the client IP address at the time you fill out the query form, your name, email address, age range, investment behavior, and interests for asset classes. We will contact you regarding this after the NAO app goes live. Only then will you have the opportunity to register with our NAO app. We will use your name and email address for the purpose of contacting you. The other information will be used to determine which target group is interested in our offering.
b. Duration of Storage
As soon as the data is no longer necessary to achieve the purpose, it will be deleted, which is the case if the data subject has objected to being contacted, in compliance with the statutory retention periods.
c. Legal Basis
The aforementioned data is processed on the legal basis of Article 6 (1) (f) of the GDPR in order to contact you for information purposes, as requested. Our legitimate interest lies in being able to process the contact request and prevent misuse of the contact request.
4. Contact
a. Purpose of Data Processing
You can contact us by email or phone. We store the data transmitted to us and provided by the data subject to process the request. This data usually includes name, email address, telephone number, the date and time of the request, and a description of the matter. Contract details, if applicable, are included if the request is made in the context of entering into or processing a contract.
Insofar as the personal data is sent by email, it will be passed on to service providers who facilitate the sending (participating mail providers, social network providers and plug-in providers).
b. Duration of Storage
We store personal data that we collect and process for the purpose of establishing contact until the expiry of three years at the end of the year after the mutual performance obligations have been fully fulfilled. Insofar as the data is the subject of documents within the meaning of Section 147 Para. 1 Nos. 2, 3 and 5 of the German Fiscal Code (AO) and Section 257 Para. 1 Nos. 2 and 3 of the German Commercial Code (HGB), the data will be deleted after six years at the end of the year, unless shorter retention periods are permitted under other tax laws. If the data is part of documents within the meaning of Section 147 Para. 1 Nos. 1, 4, 4a AO and Section 257 Para. 1 Nos. 1 and 4 HGB, the data will be deleted after ten years at the end of the year. The periods begin at the end of the calendar year in which the data was collected.
c. Legal Basis
The processing of the aforementioned data is carried out on the legal basis of Article 6 (1) (b) of the GDPR in the context of initiation or performance of a contract or in accordance with Article 6 (1) (f) of the GDPR. Our legitimate interest lies in being able to process the contact request and prevent misuse of the contact request.
5. Newsletter
a. Purpose of Data Processing
It is possible to subscribe to a newsletter. When the data subject subscribes to the newsletter, the data entered in the input mask during registration will be transmitted to us. This includes the specified email address, the IP address, and the time and date of registration. Furthermore, as part of the double opt-in procedure, we record and store the fact that a link was clicked, which link it was, from which IP address, and when. The collected data is necessary to send the newsletter and to verify subscription.
If the newsletters are sent by email, they will be passed on to service providers who facilitate the sending (participating mail providers or providers of plug-ins or email marketing software).
b. Duration of Storage
The data will be deleted as soon as it is no longer required to achieve the purpose and the data subject has unsubscribed from the newsletter. After this time, it will be retained for ten years from the last newsletter dispatch for the purposes of proof in case of queries regarding existing consents, taking into account the statute of limitations.
c. Legal Basis
The processing of the aforementioned data is carried out on the legal basis of Article 6 (1) (a) of the GDPR and only after prior consent has been given during the registration process. Revoking consent at any time does not affect the legality of the processing of personal data carried out on the basis of the consent before the revocation.
6. Blog
a. Purpose of Data Processing
In our blog, in which we publish various articles on topics related to the offers in our web shop, a user can post public comments. This will be published with the provided name in the post. Providing a username and email address is required; all other information is voluntary. Furthermore, the IP address will be saved.
The storage is necessary in order to be able to defend ourselves against liability claims in the event of a potential publication of illegal content. We need your email address to contact you in case a third party objects to your comment as unlawful.
The personal data will be passed on to service providers who perform IT tasks for the blog (such as plug-in providers or anti-spam service providers).
b. Duration of Storage
The data is stored with each comment from a user and deleted as soon as it is no longer required for the purpose of collection, which is the case no longer than three months after the publication of the comment.
c. Legal Basis
The processing of the aforementioned data is carried out on the legal basis of Article 6 (1) (f) of the GDPR. Our legitimate interest lies in making our blog available and preventing misuse of the comment function.
7. Application Process
a. Purpose of Data Processing
Your application data, in particular your name, address(es), email address, telephone number, date of birth, gender, and application documents such as certificates, assessments, education, professional history and areas of experience, and application photo, will be processed solely for the purpose of reviewing your application and potentially initiating a contract. The collected data will only be transferred to your personnel file once an employment contract has been concluded.
Personal data will only be passed on to third parties if this is necessary for the purpose of processing the application or employment contract, for example to a human resources service provider.
b. Duration of Storage
We will delete personal data that we process for the purpose of conducting the application process as soon as it is no longer required to achieve the purpose, which is the case no later than six months after we have sent the data subject an acceptance or rejection, unless the data is required to assert, exercise or defend claims in the context of legal disputes.
Thereafter, data will only be stored if the data subject has been invited by us to our “applicant database” for future job descriptions and has expressly declared by his consent that he wishes to be included until the declaration of revocation in order to be considered for future vacancies without further submission of their application documents.
c. Legal basis
The processing of the aforementioned data is carried out on the legal basis of Article 88 GDPR in conjunction with Section 26 of the Federal Data Protection Act (BDSG) and Article 6 (1) (b) of the GDPR for the initiation or execution of contractual relationships. Furthermore, we may process personal data from applications to the extent that this is necessary to fulfill legal obligations under Article 6 (1) (c) of the GDPR or to defend against asserted legal claims against us. The legal basis in this case is Article 6 (1) (f) of the GDPR. The legitimate interest is, in particular, a possible burden of proof in proceedings under the General Act on Equal Treatment (AGG).
In the event that the data is included in our applicant database after consent has been given, the data will be stored on the basis of Article 6 (1) (a) of the GDPR.
8. Google Analytics
a. Purpose of Data Processing
This website uses Google Analytics, a web analysis service provided by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses so-called “cookies”, text files stored on the end device of the data subject, that help analyze the use of the website. The information generated by the cookie about your use of this website is generally transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymization on this website, the IP address of the data subject will be shortened by Google beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide the website operator with other services related to website activity and internet usage. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google unless you are logged into your Google Account at the time of the visit.
Further information about Google’s privacy policy can be found at the following internet address: https://policies.google.com/privacy
b. Duration of Storage
As soon as the data is no longer necessary to achieve the purpose, it will be deleted, which will be the case when the anonymization, which takes place within the European Union, is completed. This takes less than a second.
The data sent by us and linked to cookies, user IDs, or advertising IDs is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.
Further information can be found at https://www.google.com/analytics/terms/de.html and https://policies.google.com/?hl=de .
c. Legal Basis
Processing is carried out on the legal basis of Article 6 (1) (a) of the GDPR only after prior consent.
d. Possibility of Prevention
The data subject can block the use of cookies in the end device or delete them after use. However, under certain circumstances, individual functions of our offering may then not be available. Information on how to block cookies and delete previously stored cookies can be found in the instructions for the browser software. Furthermore, you can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by installing the browser plug-in available at http://tools.google.com/dlpage/gaoptout?hl=de.
9. Zapier
Purpose of Data Processing
To add you to the mailing list, we use Zapier, a service provided by Zapier Inc., 548 Market St #62411, San Francisco, California 94104, USA.
The following data is transmitted via Zapier:
(1) First name
(2) Surname
(3) Email address
(4) IP address
(5) Details of website visits.
Personal data transmitted to Zapier will be used by Zapier solely for technical processing and to administer the services. Zapier, as the company that processes personal data on behalf of and at the instruction of the controller, is the sole processor. A data processing agreement has been concluded.
The provider’s privacy policy can be found at: https://zapier.com/privacy
Duration of Storage
As soon as the data is no longer necessary to achieve the purpose, it will be deleted.
The data sent by us and linked to cookies, user IDs, or advertising IDs is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.
Further information can be found at: https://help.zapier.com/hc/en-us/articles/8496243229069#privacy-compliance-at-zapier-0-0 .
Legal Basis
Processing is carried out on the legal basis of Article 6 (1) (a) of the GDPR only with prior consent. You can withdraw your consent to the processing of your personal data at any time. In addition to the method described for exercising the rights of the data subject, you can also revoke this consent by adjusting the cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
10. Typeform
a. Purpose of Data Processing
For the contact form provided on our website, we use the services of the survey provider Typeform. Typeform is a service of TYPEFORM SL, Carrer Bac de Roda 163, 08018 Barcelona, Spain. Typeform collects and stores your information when you sign up for the newsletter. This enables us to provide you with an easy way to contact us. We are responsible for the Typeform forms we publish ourselves and manage the data collected through them. We delete this data from the Typeform servers after we download it. Typeform collects usage data whenever you use the form. Typeform collects data about the type of device and program used to access a form, such as the IP address, browser type and operating system, device information, as well as your email address and your first and last name. This can also include the geographical location of the user determined from the IP address. Typeform stores information about the source that referred the user to the form (e.g. the link on a website or in an email). Typeform uses third-party tracking services that use cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data.
Typeform is the recipient of your personal data and acts as a processor for us. We have concluded a data processing agreement with Typeform in accordance with Article 28 of the GDPR. The processing of the data specified in this section is neither legally nor contractually required. Without your consent and the transmission of your personal data, we cannot provide you with a contact form. The data will be stored solely for the purpose of transmitting and responding to inquiries. The mandatory information is used to assign and respond to your request.
Further information can be found at: https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data and https://admin.typeform.com/to/dwk6gt?typeform-source=www.adsimple.de .
b. Duration of storage
Your data will be deleted after completion of the processing in compliance with the statutory retention periods.
c. Legal Basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
You can unsubscribe from our newsletter at any time, i.e., withdraw your consent. This will also revoke your consent to the delivery of the newsletter by the shipping service provider and the statistical analyses. A separate revocation of the delivery of the newsletter by the shipping service provider or the statistical analysis is not possible. You can unsubscribe via a link in the newsletter itself or by sending a message to the contact details listed above. If you have only subscribed to the newsletter and then unsubscribed, your personal data will be deleted.
11. MailChimp
a. Purpose of Data Processing
The newsletter and certain transaction announcements are sent via MailChimp, a newsletter distribution platform of the US provider The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection standards. You can find further information at this link: https://mailchimp.com/de/help/about-the-general-data-protection-regulation/ .
According to its own information, the shipping service provider may use this data in pseudonymous form, i.e., without assignment to a specific user, to optimize or improve its own services, e.g., for the technical optimization of the delivery and presentation of the newsletter or for statistical purposes to determine which countries the recipients come from. However, the shipping service provider does not use the data of our newsletter recipients to contact them directly or to pass it on to third parties.
b. Duration of Storage
Your data will be deleted after completion of the processing in compliance with the statutory retention periods.
c. Legal Basis
The legal basis for the processing of the aforementioned data for the purpose of transaction announcements is Article 6 (1) (b) of the GDPR.
The legal basis for sending our newsletter is your consent in accordance with Article 6 (1) (a) of the GDPR. You can unsubscribe from our newsletter at any time, i.e., withdraw your consent. This will also revoke your consent to the delivery of the newsletter by the shipping service provider and the statistical analyses. A separate revocation of the delivery of the newsletter by the shipping service provider or the statistical analysis is not possible. You can unsubscribe via a link in the newsletter itself or by sending a message to the contact details listed above. If you have only subscribed to the newsletter and then unsubscribed, your personal data will be deleted.
12. Webflow
a. Purpose of Data Processing
We use Webflow, a website construction system from the American service provider Webflow Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA, for our website. Data such as your name, email address, log files, including your IP address are collected and processed in the USA.
Webflow is a tool for building and hosting websites. Webflow stores cookies or other recognition technologies that are necessary to display the page, to provide certain website functions, and ensure security.
Further information can be found in the provider’s privacy policy, available at: https://webflow.com/legal/privacy .
We have concluded a contract for order processing with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
b. Duration of Storage
Your data will be deleted after completion of the processing in compliance with the statutory retention periods.
c. Legal Basis
The use of Webflow is based on Article 6 (1) (f) of the GDPR. We have a legitimate interest in ensuring that our website is presented as reliably as possible.
The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://webflow.com/legal/eu-privacy-policy . Through these clauses, Webflow undertakes to comply with European data protection standards when processing relevant data, even if the data is stored, processed and managed in the USA.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards when processing data in the USA. Every company certified according to the DPF is committed to adhering to these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/list .
13. Finsweet
a. Purpose of Data Processing
We use Finsweet's consent technology for our website, a service of the American service provider Finsweet Inc., 2774 Harbor Rd, Merrick, NY, 11566-4608, USA, to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies, and to document this consent in compliance with data protection regulations. The cookie banner is loaded when you visit the website. There you can set your cookie preferences. The cookie tool places a cookie in your browser in order to be able to assign the consent you have given or revoked. When loading, your browser connects to the Finsweet server, which thereby learns that this website was accessed from your IP address. The following personal data is collected:
- Date and time of retrieval;
- Browser type and version;
- Reference URL;
- IP address;
- Giving consent.
b. Duration of Storage
Your data will be deleted after completion of the processing, your request for deletion, deletion of the cookie by you or cessation of the purpose for storing the data, in compliance with the statutory retention periods.
c. Legal Basis
Finsweet is used on the basis of Article 6 (1) (c) of the GDPR. The cookie tool is used to obtain the legally required consents for the use of cookies.
14. Customer.io
a. Purpose of Data Processing
We use the email tool customer.io for email marketing and marketing automation, which is operated by Peaberry Software Inc., 921 SW Washington Street Suite 820, Portland, OR 97205, USA. Customer.io processes content data (e.g., entries in online forms), contact data (e.g., email addresses, telephone numbers), and meta/communication data (e.g., device information, IP addresses) in the EU. The privacy policy of Customer.io can be found at https://customer.io/privacy-policy.html .
b. Duration of Storage
Your data will be deleted after the completion of processing in compliance with the statutory retention periods.
c. Legal Basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR.
d. Consent
I consent – revocable at any time in the future – to NAO processing my aforementioned personal data (content data, contact data and meta/communication data) mentioned under lit. a. for the purpose stated there (marketing).
e. Revocation of consent
You can revoke your consent to the processing of your personal data at any time. You can revoke your consent using the contact details provided. Your data will be processed as long as your consent is given. Declaring your revocation does not affect the legality of the processing carried out prior to the revocation.
15. Meta-Pixel
a. Purpose of Data Processing
We use tracking pixels from the social networks Facebook and Instagram from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to create so-called custom audiences, i.e. to segment visitor groups of our online offering, determine conversion rates and then optimize them. This happens in particular when you interact with advertisements that we have placed with Meta Platforms Ireland Limited. When you visit our website, the Meta Pixel is triggered and saves your actions on our website in one or more cookies. These cookies enable Meta to match your user data (e.g. IP address, user ID) with the data in your Facebook user account. Meta then deletes your data. The data collected is not visible to us and is only used to place advertisements. If you are a Facebook user yourself and are logged in, your visit to our website will automatically be assigned to your Facebook user account.
Further information can be found in the privacy policy of the Meta-Pixel at https://www.facebook.com/privacy/explanation.
b. Duration of Storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal Basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
Since it cannot be ruled out that processed data will also be transferred to the USA when using Meta-Pixel, additional protective mechanisms are required to ensure the level of data protection required by the GDPR. To ensure this, we have agreed to standard data protection clauses with the provider in accordance with Article 46 (2) (c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this cannot be ensured even by this contractual extension, we will endeavor to obtain additional regulations and commitments from the recipient in the USA.
16. Facebook Conversion API
a. Purpose of Data Processing
We use the Facebook Conversion API, a server-side event tracking tool from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to transmit data about your behavior on our website to Facebook for evaluation. This allows us to show you advertisements tailored to your user behavior on our website. When you visit our website, usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses), location data (information on the geographical position of a device or a person), as well as email address, telephone number, gender, date of birth, first and last name, address, and user IDs are used and transmitted to Facebook.
Further information can be found in Facebook’s privacy policy at https://de-de.facebook.com/about/privacy/ .
b. Responsibility
To the extent that personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Article 26 of the GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook after forwarding is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The wording of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook Conversion API and for implementing the tool on our website in a data protection-compliant manner. Facebook is responsible for the data security of Facebook products. You can assert your data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward these to Facebook.
c. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
d. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
Since it cannot be ruled out that processed data will also be transferred to the USA when using the Facebook Conversion API, additional protective mechanisms are required to ensure the level of data protection required by the GDPR. To ensure this, we have agreed to standard data protection clauses with the provider in accordance with Article 46 (2) (c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this cannot be ensured even through this contractual extension, we will endeavor to obtain additional regulations and commitments from the recipient in the USA.
17. Google Tag Manager
a. Purpose of data processing
We use the Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to offer you a good user experience on our website and to be able to tailor our offering to your needs. This is done by embedding code sections (tags) in the source text of our website. The tags are managed via the Tag Manager. This allows us to track user behavior via various functions on our website and thus tailor our offering to your individual needs. According to Google, the data collected as part of the Tag Manager will not be merged with your personal data that may be stored by Google. Google acts as a processor for us with regard to the Tag Manager tool and has contractually guaranteed compliance with data protection standards in accordance with European standards.
In any case, your IP address will be collected via a separate cookie set by Google Tag Manager. Information about the hardware and software you use, such as your operating system and browser version, will also be processed. In addition, data about your website visits, the language set on your system and the type of screen, its resolution, as well as the support of scripting languages and the fonts of installed browser plug-ins will be collected. Depending on which other tracking services we use and manage via Tag Manager (e.g. Google Analytics or Meta Pixel), your IP address, among other data, will be transmitted to servers managed by Google or Meta, most of which are located in the USA.
Further information can be found in Google's privacy policy at: www.google.com/intl/de/policies/privacy.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far. Since it cannot be ruled out that processed data will also be transferred to the USA when using Google Tag Manager, additional protective mechanisms are required to ensure the level of data protection required by the GDPR. To ensure this, we have agreed to standard data protection clauses with the provider in accordance with Article 46 (2) (c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in the EU. In cases where this cannot be ensured even through this contractual extension, we will endeavor to obtain additional regulations and commitments from the recipient in the USA.
18. Hotjar
a. Purpose of data processing
We use Hotjar, operated by Hotjar Limited, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, to better understand the needs of our users and to optimize the offering and experience on our website. With the help of Hotjar's technology, we gain a better understanding of our users' experiences (e.g. how much time users spend on which pages, which links they click, what they like and what they don't like, etc.). These insights help us to tailor our offering to our users' feedback. Hotjar uses cookies and other technologies to collect data about the behavior of our users and their end devices, in particular the device's IP address (only recorded and stored in anonymized form during your website use), screen size, device type (unique device identifiers), information about the browser used, location (country only), and preferred language for displaying our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.
Further information on data protection at Hotjar can be found at https://www.hotjar.com/legal/policies/privacy/?tid=331689176146.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
19. FinanceAds
a. Purpose of data processing
We work with FinanceAds, operated by financeAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg, Germany, to reach new customers for our services through advertising partners. The advertising partner receives a commission from us if people from this advertising partner reach us and become customers, as well as an additional commission if these customers invest through the NAO app.
In order for advertising partners to be able to prove to NAO how many people have been referred, the following types or categories of data may be processed:
- Technical data (e.g. IDs for campaigns, tracking, user/product level assignments)
- Product specifications
- Response data
- Usage data and profiles from web tracking (e.g. usage data recorded in the contractor's web analytics system, in particular users' IP addresses)
In the course of this data processing, an identification number of the mediating advertising partner is stored, as well as the serial number of the advertising material clicked on by the website visitor. The partner identification number is used to allocate the commission to be paid to the mediating partner upon completion of a transaction. The purpose of this data processing is to compensate our advertising partners via FinanceAds based on the aforementioned user interactions (registration as a customer, investment via the NAO app). Further information on data protection at FinanceAds can be found at https://www.financeads.net/aboutus/datenschutz/.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The use of financeAds is based on Article 6 (1) (f) of the GDPR. Our legitimate interest is direct advertising. The data subject's interest in data protection is protected because no data is stored that allows for a specific personal reference.
20. TrustPilot
a. Purpose of data processing
We use Trustpilot, a service rating service provided by Trustpilot A/S, Pilestræde 58, 1112 Copenhagen, Denmark. Trustpilot allows users to rate our services. There is no right of publication, and no third-party copyrights may be infringed. The data collected in this process, such as name, email address, and reference number, is used to authenticate and address the user.
We may contact you by email to invite you to review the service and/or products you have received from us, to collect your feedback and improve our service and products. We may also use such reviews in other marketing materials for advertising and promotional purposes (the “Purpose”). As we work with an external company, Trustpilot A/S (“Trustpilot”), to collect customer feedback, we will share your name, email address and reference number with Trustpilot for this purpose. If you would like to learn more about how Trustpilot processes your data, you can view their privacy policy and applicable terms here: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms and https://de.legal.trustpilot.com/end-user-terms-and-conditions.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
Your data will be processed as part of the evaluation process based on your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
21. Adjust
a. Purpose of processing
We use Adjust, a service of adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”), for marketing purposes. Adjust helps us track and improve the performance of our marketing campaigns, display or not display personalized ads, prevent marketing fraud, and attribute customer behavior, such as registrations or other actions, to specific campaigns, affiliate marketing partners, or influencers. For this purpose, Adjust analyzes your use of our website. For this analysis, Adjust uses your data such as names, email addresses, telephone numbers, IP and/or Mac addresses. Further information can be found in the privacy policy of Adjust at: https://www.adjust.com/terms/privacy-policy
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The use of Adjust is based on Article 6 (1) (f) of the GDPR, as we have a legitimate interest in optimizing our marketing measures and preventing fraud.
22. Google Ads
a. Purpose of processing
We use Google Ads Conversion Tracking on our website, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This tracking allows us to analyze the effectiveness of our advertisements placed via Google. When you click on an ad placed by Google, a conversion tracking cookie is stored on your device. This conversion cookie is valid for 30 days and does not allow direct identification of the user. As long as the cookie is valid, we can track whether a user reached our website via a Google ad. The data collected with conversion cookies helps us measure the success of our advertising measures.
Further information can be found in the privacy policy of Google at: https://policies.google.com/privacy.
b. Duration of storage
Cookies expire after 30 days. Any data collected beyond this period will be deleted after processing is complete, in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://policies.google.com/privacy/frameworks?hl=de. Through these clauses, Google undertakes to comply with European data protection standards when processing relevant data, even if the data is stored, processed and managed in the USA.
The company is certified according to the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards when processing data in the United States. Every company certified according to the DPF is committed to adhering to these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/list.
23. Google Ads Customer Match
a. Purpose of processing
We use Google Ads Customer Match on our website, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. As part of Customer Match, with your consent, we upload encrypted user data (e.g., your username, e-mail address, etc.) to our website. You upload personal information (e.g., names, email addresses, postal addresses, or customer-specific IDs) to Google in order to target existing users with relevant advertising. Google compares this data with existing Google accounts and creates target groups (so-called customer match lists) that are used to target ads. After the target groups are created, the encrypted data is automatically deleted by Google.
Further information can be found in the privacy policy of Google at: https://policies.google.com/privacy
b. Duration of storage
The encrypted customer data is deleted after Google has completed the comparison. Google does not store any new addresses or personal data beyond the existing comparison.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://policies.google.com/privacy/frameworks?hl=de. Through these clauses, Google undertakes to comply with European data protection standards when processing relevant data, even if the data is stored, processed and managed in the USA.
The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards when processing data in the United States. Every company certified under the DPF is committed to adhering to these data protection standards. Further information is available from the provider at the following link: https://www.dataprivacyframework.gov/list.
24. Microsoft Clarity
a. Purpose of data processing
We use Microsoft Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, to better understand how our website is used and to improve and market our products and services. Microsoft Clarity collects behavioral metrics, heatmaps, and session recordings that help us analyze user interactions with our website. We also use this data to optimize our site, for fraud prevention, security purposes, and targeted advertising.
The information collected includes device data (IP address), screen size, device type, browser used, location (country only), and preferred language. This information is transferred to a Microsoft server in the USA and stored there. However, we use Microsoft Clarity with the so-called anonymization function. With this function, Microsoft shortens the IP address within the EU or EEA.
For more information about how Microsoft processes your data, please see the Microsoft Privacy Statement at the following link: https://www.microsoft.com/en-us/privacy/privacystatement.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses
Through these clauses, Microsoft undertakes to comply with European data protection standards when processing relevant data, even if the data is stored, processed and managed in the USA.
The company is certified according to the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards when processing data in the United States. Every company certified according to the DPF is committed to adhering to these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/list.
25. Reddit Advertising
a. Purpose of data processing
We use tracking technologies from Reddit Netherlands BV, Euro Business Center, Keizersgracht 62, 1015CS, Amsterdam, Netherlands, to display targeted and personalized advertising on the Reddit platform and to create interest-based user profiles. This data helps us optimize future campaigns and ads on Reddit and better tailor advertising campaigns to our target audiences. We also use the data to measure event-based conversions from Reddit ads.
The information collected may include, among other things: device data (such as the operating system and browser used), IP address, location information, and information about user interactions with the ads.
For more information about how Reddit processes your data, please see Reddit's privacy policy at the following link: https://www.redditinc.com/policies/privacy-policy.
b. Duration of storage
The data will be deleted as soon as it is no longer required for the processing purposes and there are no longer any statutory retention periods.
c. Legal basis
The legal basis for the processing of your personal data is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent is given. Declaring your revocation does not affect the legality of the processing carried out so far.
The processing of data by the provider of the "Reddit" platform is the responsibility of the provider. We have no influence over this. Therefore, we recommend that you assert your rights as a data subject against the provider. Of course, you are also free to contact us in this regard.
26. Addrevenue
a. Purpose of data processing
We work together with Addrevenue, Drottninggatan 29, 11151 Stockholm, Sweden, to reach new potential customers for our offer through advertising partners. The advertising partner receives a commission from us if people reach us from this advertising partner and become customers and a further commission if these customers invest via the NAO app.
In order for advertising partners to be able to prove to NAO how many people have been referred, the following data types or data categories may be processed:
- Technical data (e.g. order number (order ID), time stamp)
- Response data
- Usage data from web tracking (e.g. IP addresses as part of the HTTP request; these are not stored in the database and are not processed further, but only temporarily logged in the web server log for approx. 5 days)
In the course of this data processing, in particular an identification number of the referring advertising partner is stored and the serial number of the advertising material you clicked on is recorded. The partner identification number is used to allocate the commission to be paid to the referring partner when a transaction is concluded. The purpose of this data processing is to remunerate our advertising partners via Addrevenue on the basis of the aforementioned user interactions (registration as a customer, investment via NAO app).
Further information on data protection at Addrevenue can be found at https://addrevenue.io/de/privacy-policy.
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods. IP addresses are only stored temporarily (for approx. 5 days) in the web server's log files and are not processed further.
c. Legal basis
The use of Addrevenue is based on Article 6 (1) (f) of the GDPR. Our legitimate interest is direct advertising. The data subject's interest in data protection is safeguarded, as no data is stored that enables a specific personal reference.
27. LinkedIn Insight Tag & Conversions API
a. Purpose of data processing
We use LinkedIn Insight Tag & Conversions API, a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, to measure the effectiveness of our advertising campaigns, perform conversion tracking, enable retargeting and analyze campaign performance. This allows us to understand how users interact with our ads and use this information to optimize our marketing efforts.
The following categories of data are collected as part of this data processing:
- Technical data such as IP address, browser and device information
- Referrer URL and timestamp
- Hashed email address or telephone number (via Conversions API)
- Event names and campaign interactions
You can find more information on data protection at LinkedIn at:
https://www.linkedin.com/legal/privacy-policy
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
28. Reddit Conversion API
a. Purpose of data processing
We use Reddit Conversion API, a service provided by Reddit Netherlands B.V., Euro Business Center, Keizersgracht 62, 1015CS, Amsterdam, Netherlands, to measure the performance of our advertising campaigns, track conversions, perform event-based conversion measurement, enable retargeting and generate analytics. This enables us to better understand the success of our marketing campaigns and improve them in a targeted manner.
The following data categories are processed:
- IP address
- Browser and device metadata
- Hashed email address or phone number (via Conversions API)
- Event names and campaign interactions
- Referrer URL and timestamp
Further information on data protection at Reddit can be found at: https://www.redditinc.com/policies/privacy-policy
b. Duration of storage
Your data will be deleted after the completion of the processing in compliance with the statutory retention periods.
c. Legal basis
The legal basis for this processing is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent has been given. Declaring your revocation does not affect the legality of the processing carried out so far.
The processing of the data by the provider of the "Reddit" platform is the responsibility of the provider. We have no influence on this. With regard to the exercise of your rights as a data subject, it is therefore advisable to assert them against the provider. However, you are of course free to contact us in this regard.
29. Spotify-Pixel & Conversion API
a. Purpose of data processing
We use the Spotify Pixel and the Conversion API from Spotify Ads on our website. The provider is the music streaming service Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. The purpose of data processing is to track conversions such as app installations, registrations or purchases, to analyze the performance of our advertising campaigns, to target users for retargeting measures, to optimize campaigns and to ensure attribution. For this purpose, various data is collected that enables Spotify to measure the effectiveness of advertising and to precisely address target groups. The following data categories are processed:
- IP address
- Device and browser metadata
- Referrer URL and UTM parameters
- Timestamp and URLs visited
- Spotify Ad ID (if available)
- Event names and user actions on the website (e.g. registration, purchase)
- Cookie-based identifiers (if consent has been given)
This data helps us to target campaigns, measure success and better optimize advertisements.
If you are registered with Spotify, you can set which types of advertisements are displayed to you within Spotify by visiting the page set up by Spotify and following the instructions on the settings for usage-based advertising.
b. Duration of storage
Spotify only stores personal data for as long as necessary to provide the Services and for legitimate and essential business purposes. Data may be stored until the Spotify account is deleted or will be automatically deleted after a certain period of time.
For more detailed information on the storage period and deletion rights, please refer to the Spotify Privacy Policy at https://www.spotify.com/de/legal/privacy-policy.
We will delete the data as soon as it is no longer required for the processing purposes and there are no longer any statutory retention periods.
c. Legal basis
The legal basis for the processing of your personal data is your consent in accordance with Article 6 (1) (a) of the GDPR. You can revoke your consent to the processing of your personal data at any time. In addition to the method described for exercising your data subject rights, you can also revoke this consent by adjusting your cookie settings accordingly. Your data will be processed as long as your consent is given. Declaring your revocation does not affect the legality of the processing carried out so far.
The processing of data by the provider of the "Reddit" platform is the responsibility of the provider. We have no influence over this. Therefore, we recommend that you assert your rights as a data subject against the provider. Of course, you are also free to contact us in this regard.
III. Rights of the data subject
If personal data is processed by the user on our website, the data subject has the following rights vis-à-vis the controller in accordance with the GDPR.
1. Right to information according to Article 15 of the GDPR
The data subject has the right to the following information:
(a) the purposes of the processing;
(b) the categories of personal data being processed;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, where not possible, the criteria used to determine that period;
(e) the existence of a right to request from the controller rectification or erasure of personal data concerning him or her or restriction of processing of personal data concerning him or her or of a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
(i) where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
We will provide the data subject with a copy of the personal data being processed. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
2. Right to rectification according to Article 16 of the GDPR
The data subject has the right to request the controller to immediately rectify inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.
3. Right to erasure according to Article 17 of the GDPR
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws his or her consent on which the processing is based according to Article 6 (1) (a) or Article 9 (2) (a) of the GDPR, and there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
(d) the personal data were processed unlawfully;
(e) the erasure of personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data were collected in relation to information society services offered pursuant to Article 8 (1) of the GDPR.
4. Right to restriction of processing pursuant to Article 18 of the GDPR
The data subject has the right to request the controller to restrict processing if one of the following conditions applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to assert, exercise or defend legal claims, or
(d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.
5. Right to information according to Article 19 of the GDPR
If the data subject has requested the controller to rectify his or her personal data pursuant to Article 16 GDPR, to erase his or her personal data pursuant to Article 17 (1) of the GDPR or to restrict processing pursuant to Article 18 of the GDPR, and if the controller has informed all recipients to whom the data subject’s personal data have been disclosed of the data subject’s request (unless this was impossible or involved disproportionate effort), the data subject has the right to be informed by the controller of the recipients.
6. Right to data portability according to Article 20 of the GDPR
The data subject shall have the right to receive the personal data concerning him or her, which he or she has made available to a controller, in a structured, common and machine-readable format and shall have the right to transmit these data to another controller without hindrance from us, provided that
a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) or on a contract pursuant to Article 6 (1) (b) of the GDPR and
b) the processing is carried out using automated procedures.
The rights and freedoms of other persons must not be affected thereby.
When exercising the right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from us to another controller, insofar as this is technically feasible. The exercise of the right to data portability does not affect the right to erasure under Article 17 of the GDPR. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object according to Article 21 of the GDPR
The data subject has the right to object at any time to the processing of personal data concerning him or her which is based on Article 6 (1) (e) or (f) of the GDPR, for reasons related to his or her particular situation; this also applies to profiling based on these provisions.
To justify this, it is necessary to state reasons related to the data subject's particular situation that speak against processing. We will examine these reasons and cease processing if we conclude that the legitimate or public interest in processing outweighs the data subject's interests in preventing processing. If this is the case, the data will no longer be processed unless we can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or the processing serves to assert, exercise, or defend legal claims.
If personal data is processed for direct marketing purposes, the data subject has the right to object at any time, even without providing further justification, to the processing of personal data concerning him or her for the purposes of such advertising; this also applies to profiling insofar as it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
8. Right to withdraw consent
If processing is based on the consent of the data subject, he or she may revoke this consent at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent up to the time of revocation.
9. Automated decisions in individual cases including profiling according to Article 22 of the GDPR
The data subject has the right not to be subjected to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her.
This does not apply if the decision
a) is necessary for the conclusion or performance of a contract between the data subject and us,
b) is permitted by Union or Member State law to which we are subject and which contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, or
c) is made with the express consent of the data subject.
These decisions may not be based on special categories of personal data pursuant to Article 9 (1) of the GDPR, unless Article 9 (2) (a) or (g) of the GDPR applies and appropriate measures to protect the rights and freedoms and legitimate interests of the data subject have been taken.
In the cases referred to in points a) and c), we shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on our part, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if he or she considers that the processing of personal data concerning him or her infringes the GDPR.
The supervisory authority to which the complaint was lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
11. Right to an effective judicial remedy pursuant to Article 79 of the GDPR
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.
Any action against us or a processor shall be brought before the courts of the Member State in which we or the processor have an establishment. Alternatively, such action may be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless we or the processor are an authority of a Member State acting in the exercise of its public powers.
As of: 21 July 2025