Privacy and Cookie Policy
This Privacy Policy explains how finmid GmbH processes your personal data when you visit our website, contact us, apply for a job, or use our Platform. It provides information on what data we process, how we process it, and the rights you have under applicable data protection laws such as the General Data Protection Regulation (GDPR).
A. General information on the handling of personal data
This section provides general information on how we process personal data. Details for specific scenarios are outlined in subsequent sections.
1. Controller
The controller for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is
finmid GmbH
c/o WeWork
Dircksenstraße 3
10179 Berlin
privacy@finmid.com
For certain activities carried out on the Platform, such as payment processing and transaction handling, finmid may act as a data processor on behalf of its customers. Further details on this distinction are outlined in the sections below.
2. Data Protection Officer
Our appointed data protection officer is:
Kertos GmbH
Nymphenburger Str. 86
80636 Munich
Germany
You can reach our data protection officer by e-mailing dsb@kertos.io.
3. Cooperation with Third Parties / Data Recipients
In some cases, we use external service providers and partners to process your data, such as for the hosting of our website or Platform. We carefully select them before working with them. The partners are either bound by our instructions within the scope of data processing on our behalf as the data controller, or have made other agreements with us regarding data protection, for example because we process the data as joint controllers. We also work with partners who are professionally bound to confidentiality, such as tax advisors, lawyers and other service providers. You can find more detailed information about the service providers we use in the respective processing activity below.
Within our company, only those persons have access to your personal data who need it for the purposes stated in each case.
4. Data Transfers to Third Countries
We use some services whose providers are located in third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries where the level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include but are not limited to the standard contractual clauses of the European Union.
Where this is not possible, we base the transfer of data on the derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.
Where a data transfer to a third country is planned and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the relevant third country (e.g., intelligence agencies) may gain access to the transferred data in order to record and analyze it, and that enforceability of your rights as a data subject cannot be guaranteed. You will also be informed of this when we obtain your consent via the consent banner.
5. Storage Period
In principle, we only store personal data for as long as necessary to fulfil the purposes for which we have collected the data. We then erase the data without undue delay, unless we still require the data until the end of the statutory limitation period for documentation purposes for claims under civil law or due to statutory retention obligations.
For documentation purposes, we are required to keep contract data for another six years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.
Even after that, we are still required to store some of your data for accounting reasons. We are required to do so because of statutory documentation requirements, in particular under the German Commercial Code and the Fiscal Code. The periods specified therein for retaining documents range from two to ten years. Where applicable, we will inform you of the length of time for which the data will be stored in the following sections relating to individual processing.
6. Your Rights as a Data Subject when Data is Processed
You have the following rights as a data subject:
- Right to withdraw consent
- Right to object to the processing of your personal data (Art. 21 GDPR)
- Right of access to personal data concerning you which we process (Art. 15 GDPR)
- Right to rectification of inaccurate personal data concerning you which we have stored (Art. 16 GDPR)
- Right to erasure of your personal data (Art. 17 GDPR)
- Right to restriction of the processing of your personal data (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
In order to establish your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Subject to the respective legal requirements, we will comply with your data protection request.
We will keep your inquiries regarding the establishment of rights under data protection law, and our responses to these, for a period of up to three years for documentation purposes and, where necessary in individual cases, beyond this period if we need to establish, exercise or defend legal claims. The legal basis is Art. 6(1) Sentence 1(f) GDPR, based on our interest in defending ourselves against any civil-law claims under Art. 82 GDPR, avoiding administrative fines under Art. 83 GDPR and fulfilling our accountability under Art. 5 Sentence 2 GDPR.
You have the right to withdraw the consent you gave us at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.
If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right, for example, by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The competent supervisory authority in Berlin, where we are headquartered, is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin; tel.: +49 30 13889-0, e-mail: mailbox@datenschutz-berlin.de
7. Automated Decision-Making
We do not use automated decision-making or profiling.
8. Data Security and Security Measures
We undertake to treat your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data — e.g. when sent by e-mail — may be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by means of encryption or in any other way.
9. Provision of Personal Data
As a visitor to our website or user of our platform, you are generally not obligated to provide personal data. However, certain functionalities of our services may rely on the collection of data (e.g., connection data for displaying the site correctly or processing requests via contact forms). If you choose not to provide this information, it may limit or impair your ability to fully use certain features of the website or Platform.
B. Provision of the website
1. Essential Information
Every time you use our website, your browser automatically collects and transmits connection data to enable you to visit the site. This connection data comprises what is known as HTTP header information, including the user agent, and includes in particular:
- IP address of the requesting device
- Method (e.g., GET, POST), date and time of the request
- Address of the requested website and path of the requested file
- The previously visited website/file (HTTP referrer)
- Information about the browser used and the operating system
- Version of the HTTP protocol, HTTP status code, size of the file delivered
- Request information such as language, type of content, coding of content, character sets.
It is absolutely necessary to process this connection data to make it possible to visit the website, to guarantee the long-term functionality and security of our systems, and for the general administrative maintenance of our site.
The legal basis for the processing of data is Art. 6(1) Sentence 1(f) GDPR.
The data will be erased as soon as it is no longer required for achieving the purpose of its collection. In the case of recording the data to provide the website, this is the case when the respective session has ended.
2. Hosting with AWS and CDN CloudFront
We host our website with Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (“AWS”). When you visit our site, your personal data is processed on AWS servers. Personal data may also be transferred to the parent company of AWS in the USA. The transfer of data to the USA is based on the adequacy decision of the European Commission for the USA (Amazon.com, Inc. is certified according to the EU-US-DPF) and the EU standard contractual clauses. You can find details here in the AWS Data Processing Addendum.
We also use AWS’s CloudFront content delivery network (“CDN”) on our site. A CDN is an online service used primarily to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected over the Internet. It makes duplicates of a site’s data available on multiple AWS servers around the world. These servers, which are located in non-EU countries, are only accessed if the site is accessed from a network in a non-EU country. This means that if the site is accessed from Germany or the EU, the site is loaded from servers in Germany / the EU. Only if the site is visited from outside the EU, will the content be served from the nearest server outside the EU. Some of the images and files embedded in this site are then loaded from the CloudFront CDN when the page is requested. Through this request, information about your use of our website (such as your IP address) is transferred to and stored on AWS servers in other EU countries. This happens the moment you enter our website.
The use of AWS and the CloudFront CDN is in the interest of increased website reliability, increased protection against data loss, and improved loading speed of this site. This constitutes a legitimate interest within the meaning of Art. 6(1) Sentence 1(f) GDPR.
The data will be erased after it is no longer needed to provide the website or comply with legal requirements.
To learn more about AWS’s privacy practices, please visit: https://aws.amazon.com/de/compliance/gdpr-center/
3. Data Processing when You Contact Us
There are several ways to contact us – using the contact form, by e-mail, phone or mail.
The data collected here – depending on the type of contact you have chosen, this may include your e-mail address, first and last name, telephone numbers, date and time of your inquiry, your request and, if applicable, contractual data if you send us inquiries as part of a contract or contract processing – is used solely for the purpose of communicating with you.
As a rule, we base the processing of your data on Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in responding effectively to requests for information and, where applicable, in establishing or maintaining business relationships. If the purpose of the contact is the conclusion of a contract or if the contact is made in connection with a contract to which you are a party, the legal basis for the processing of personal data is Art. 6(1) Sentence 1(b) GDPR.
If your data is no longer required for the processing and handling of your inquiry because your request has been dealt with, your request has been clarified and there are no legal retention periods or a justified interest in the continued storage, we will routinely erase your data.
The service provider HubSpot Inc. (25 First Street, Cambridge, MA 02141 USA) supports us in the processing of data that reaches us by e-mail or via a contact form. We have concluded a data processing agreement with the provider. Here the transfer of data to the USA is based on the adequacy decision of the European Commission for the USA (Hubspot, Inc. is certified according to the EU-US-DPF) and the EU standard contractual clauses. To learn more about HubSpot’s privacy practices, please visit: https://legal.hubspot.com/privacy-policy
4. Online Appointment Booking with Hubspot Calendar
For the purpose of scheduling appointments, first and last name, company name and e-mail address (and telephone number, if a telephone appointment is desired) and the reason for the appointment are collected and used for this purpose in accordance with Art. 6(1) Sentence 1(b) GDPR.
To provide the online appointment booking feature, we use the service Hubspot Calendar, which is provided by HubSpot Inc. (25 First Street, Cambridge, MA 02141 USA). This means that the above data will be transferred to and stored by that provider for the purpose of organizing appointments. Your data will be erased after the appointment has been held or after the agreed appointment period has expired. We have concluded a data processing agreement with HubSpot Inc. In the event that personal data is transferred by HubSpot Inc. to the USA or other third countries, we rely on the adequacy decision of the European Commission for the USA (Hubspot, Inc. is certified according to the EU-US-DPF) and standard contractual clauses. To learn more about HubSpot Inc. privacy practices, please refer to: https://legal.hubspot.com/privacy-policy
5. Applicant Data Processing
If you send us an application, we will collect your data and use it for the purpose of potentially selecting you for employment.
In order to receive and process your application, we will collect your personal data, including but not limited to:
- first and last name
- e-mail address
- application documents (e.g. transcripts, resume)
- if applicable, special skills (e.g. for backend and frontend positions)
- date of earliest possible start and salary expectations
The legal basis for the processing of your application documents is Art. 6(1) Sentence 1(b) and Art. 88(1) GDPR in conjunction with Sect. 26(1) Sentence 1 of the German Federal Data Protection Act (BDSG).
In accordance with the Allgemeines Gleichbehandlungsgesetz (AGG), we retain applicant data for 6 months after notifying the candidate of the rejection. This is to safeguard against any potential discrimination claims. After this period, the data is deleted unless the applicant has provided explicit consent for longer storage (e.g., for future job openings via talent pool).
If a candidate is hired, their application data is transferred to their personnel file and will be retained in line with applicable employment laws and internal retention policies for the duration of their employment relationship and, if necessary, afterwards.
Ashby, Inc. (49 Geary Street, Suite 411, San Francisco, CA, 94108, USA) supports us in the processing of applicant data. We have concluded a data processing agreement with the provider. Here the transfer of data to the USA is based on the adequacy decision of the European Commission for the USA (Ashby, Inc. is certified according to the EU-US-DPF) and the EU standard contractual clauses. To learn more about Ashby’s privacy practices, please visit: https://www.ashbyhq.com/resources/privacy
6. Social Network Profiles
We maintain online presences on social networks in order, among other things, to communicate with customers and other interested parties and to inform them about our services. The respective social networks usually process user data for market research and advertising purposes. In this way, usage profiles can be created based on the users’ interests. For this purpose, cookies and other identifiers are stored on data subjects’ computers. Based on these usage profiles, ads are then shown on the social networks, for example, but also on third-party websites.
In connection with operating our online presences, it is possible that we may access information provided by the social networks, such as statistics about how our online presences are used. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region) as well as data about how you interact with our online presences (e.g., likes) and the posts and content distributed via them. This can also provide us with information about users’ interests and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence, and to optimize them for our audience. Please refer to the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics is usually subject to what is known as joint controllership.
The legal basis for this data processing is Art. 6(1) Sentence 1(f) GDPR, based on our legitimate interest in effectively informing and communicating with users, or Art. 6(1) Sentence 1(b) GDPR, in order to stay in contact with and inform our customers and to take steps prior to entering into contracts with interested parties.
If you have an account with the social network, it is possible that we may see your publicly available information and media when we retrieve your profile. In addition, the social network may allow us to contact you. This can be done by means of direct messages or posts. In this respect, communication via the social network is subject to the responsibility of the social network as a messaging and platform service.
The legal basis of the data processing carried out by the social networks, for which they are responsible, can be found in the privacy policy of the relevant social network. The following links also provide you with further information about the respective data processing operations and the possibilities for objecting.
We would like to point out that the most efficient way to assert data protection requests is with the relevant social network provider, as only these providers have access to the data and can take appropriate measures directly. If you contact us with your request, we will forward your request to the provider of the social network. Below is a list of information about the social networks where we maintain online presences:
- X (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
  - Privacy policy: https://twitter.com/en/privacy
  - Opt out: https://twitter.com/settings/account/personalization
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  - Operation of the LinkedIn company page as joint controllers on the basis of a Page Insights controller addendum
  - Information about the processed Page Insights data and how to contact LinkedIn in the event of data protection inquiries: https://legal.linkedin.com/pages-joint-controller-addendum
  - Privacy policy: https://de.linkedin.com/legal/privacy-policy
  - Opt out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
C. Cookie Policy
1. Introduction
This Cookie Policy explains how we use cookies and other technologies such as web storage and JavaScript on this website.
2. Used technologies
Our website uses various tools that are offered either by us or by third parties. These include, in particular, tools that use technologies to store information in the end device or to access it (cookies, web storage, JavaScript). In the following, we will inform you about the tools we use, in particular about how the tools work, the providers, the transfer of data to third parties and any data transfers to third countries.
3. Legal Basis
We use the tools necessary for Website operation on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to provide the basic functions of our Websites. In certain cases, these tools may also be necessary for the performance of a contract or in order to take steps prior to entering into a contract, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany pursuant to Section 25(2) TDDDG.
We use all other nonessential (optional) Tools that provide additional functions on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany pursuant to Section 25(1) TDDDG. Data processing using these tools only takes place if we have received your consent in advance. We currently use Google Analytics as an optional tool (see section 6 "Analytics with Google Analytics").
If personal data is transferred to third countries, and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include but are not limited to the standard contractual clauses of the European Union.
Where this is not possible, we base the transfer of data on the derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.
4. Obtaining your consent
We use a necessary tool to obtain and manage your consent. This generates a banner informing you about data processing and giving you the option to consent or reject data processing through the optional tool. This banner appears the first time you visit our website and when you revisit the selection of your preferences to change them or revoke consent.
The data processing is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis is Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR, justified by our interest in meeting the legal requirements for consent management.
5. Withdraw consent and manage settings
You can revoke your consent for certain tools, i.e. for the storage of and access to information in the end device and the processing of your personal data, at any time with future effect. To do so, please visit the Website, open the settings menu, and select cookies preference.
6. Implemented Tool: Analytics with Google Analytics
We use Google Analytics, which is provided by Google Ireland Limited incorporated and operating under the laws of Ireland (Registration Number: 368047 / VAT Number: IE6388047V), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses Web Storage and Cookies to analyse and improve our services based on user behaviour.
We primarily use Web Storage for the purpose of analytics to track user interactions and clicks on the Website. These technologies help us gather valuable information about how users navigate our Website, which pages they visit, and what content they find most interesting. This information is crucial for improving our services and tailoring our content to better meet the needs of our users.
Google Analytics will use this information for the purpose of evaluating your use of the platform, compiling reports on website activity for website operators and providing other services relating to platform activity and internet usage. The data accruing in this context may be transferred by PostHog to a server hosted in Frankfurt, Germany for evaluation and stored there.
We have concluded a data processing agreement with Google for the use of Google Analytics and rely on the adequacy decision of the European Commission for the USA (Google LLC is certified according to the EU-US-DPF) and standard contractual clauses in the event that personal data is transferred to the USA or other third countries.
7. Cookie List
Name | Service | Purpose | Cookie Type | Duration |
CookieConsent | Consent-Management | Stores the user's cookie consent state for the current domain | First-Party | 1 year |
_ga | Google Analytics | Used to send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels. | First-Party | 2 years |
_ga_# | Google Analytics | Used to send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels. | First-Party | 2 years |
D. Changes to this Privacy and Cookie Policy
We may update this Privacy and Cookie Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We encourage you to review this Privacy and Cookie Policy periodically to stay informed about how we use cookies.
Last amended: December 2024