‍

Data protection information

Vinlivt Application Privacy Policy

Data protection information

In the following, you will find information about the processing of your personal data by the Vinlivt application from Vinlivt GmbH, hereinafter referred to as Vinlivt, and the rights and obligations to which you are entitled under data protection law.

You should definitely know that:

At Vinlivt, data protection is a top priority and mindful. We develop the Vinlivt application in accordance with all legal and regulatory requirements and are also constantly testing them in our development process. A trusting relationship with our customers and partners is our highest standard, which we always want to live up to. We promise that we will never sell or share personal information with third parties without your consent.

We work for you on the best financial app/ application and your financial home (financial home). We use personal data such as: highly sensitive bank details, contract data or even health data exclusively for your benefit and to guarantee your financial security.

‍

Who is a data protection officer:

You can contact the data protection officer as follows:

Dipl.-Kfm. Guido Babinsky

email: datenschutz@vinlivt.de

You can contact our data protection officer directly at any time if you have any questions or suggestions regarding data protection.

‍

Responsible person within the meaning of the GDPR is:

Vinlivt GmbH

Rofanstraße 8, 81825 Munich, Germany

Telephone: +49 89 127 646 87

email: hello@vinlivt.de

Representative of the person responsible: Dariusz Borowski & Uwe Laetsch

You can contact our data protection officer at: datenschutz@vinlivt.de

‍

Data categories used and their origin:

We only use personal data after and with your active consent, as well as through your use of our Vinlivt application. Accomplished with your registration, consent and use of the application. Also downloading our application in connection with the provision of Vinlivt Services.

The scope of the collection, processing and use of this data by us depends on the services provided by Vinlivt Services. This is usually the following data:

• Personal details: title, first and last name, date of birth, email address and postal address

• Bank details including IBANs and BICs

• Account turnover data of the bank accounts connected by you, names of recipient and sender, amount, purpose, etc.

• Customer's personal identification number, tax number, etc.

• Enriched information from financial analysis, such as recognized contracts, income and expenditure categorizations, and personal retirement and financial tips

• Other information you provide from the pension check, which must be requested as part of the brokerage of contracts or products, for example: employment, marital status, tax bracket, number of children, other financial interests, etc.

As part of processing your personal data, we distinguish between personal data that we collect directly and personal data that we obtain from other sources. We collect the personal data that you give us when you download our Vinlivt application or when using the Vinlivt service, as well as data that is transferred via an interface with your bank and, if applicable, data that we request from you with appropriate consent in order to properly carry out the Vinlivt services and checks. Please refrain from submitting your data if you do not agree to it being processed. In this case, there will be no further processing of the data.

The transfer of personal data from other sources, in particular your bank and turnover data, is carried out by means of authentication by you at your selected bank using your login details, such as account login and strong authentication (SCA) by customers. After successful authentication, your account and turnover data will be transferred by your bank and the financial analysis will start.

Personal data, account turnover data and financial analysis data are stored in encrypted form at a data center in Germany/Frankfurt. An order processing contract was also concluded with the operator of the data center. When it comes to encryption, we use the world's most secure encryption methods combined with a randomly generated key for every customer. All data is transmitted via an encrypted SSL connection.

Access to personal data:

We have built our systems according to the principles of data economy, the need-to-know principle and privacy by design and ensure that our employees only have access to the personal data that is absolutely necessary so that we can provide our services in the best possible way. In principle, our employees have no access to all your personal data that is available in the Vinlivt application, in particular personal data, sales data and financial analysis data. This data is stored in encrypted form in a data center in Frankfurt. Only our technical systems have the appropriate code to be able to decrypt and process them.

Excluded from the principles of data economy and privacy by design, personal data may be viewed by us in the following cases:

• When you contact our support

• If you provide us with personal data within the application with explicit consent, e.g. to optimize contract acceptance or obtain offers

• By submitting documents and photos via the upload function and contract check

• If you want to purchase a product from a financial partner (such as insurance or pension products) via the Vinlivt application and have explicitly agreed to the data transfer

• If you have agreed to receive advice from a financial expert from our affiliated financial partners via the Vinlivt application, all related data (in particular personal data and data relating to your insurance and financial contracts) can be viewed via a web UI (Vinhub Messenger) by financial experts and insurance advisors of the financial partners so that they can advise and assist you with questions and problems

• If we are required to do so by regulation, for example to meet regulatory requirements to combat money laundering and terrorist financing

• To ensure proper processing when arranging, concluding and/or managing term contracts and financial products, employees can access the personal data necessary to carry out the transactions, such as master data, order status or contract number

Purpose for processing personal data:

We collect personal data in order to provide, at your request, our Vinlivt application optimally suited to your needs, with which you can, for example, manage accounts and contracts and receive individualized retirement, insurance or financial tips. Art 6 (1) b) GDPR.

The data is collected:

• For providing a desktop and mobile application with a multi-bank account login (Tink Open Banking Technology)

• To retrieve your current account balances and account turnover data to automatically create a digital contract folder based on account transactions

• For identifying independent recommendations of pension and financial tips as well as contract optimizations and benefit adjustments (pension check)

• For preparing financial analyses, pension forecasts and a digital budget book

• To answer inquiries for the provision of the Vinlivt application (precautionary check)

• To manage contracts, for example: insurance contracts, gym contracts, subscriptions and much more

• Implementation of contract optimizations and performance and/or contribution adjustments

• For concluding and managing pension and financial products with our cooperation partners, such as our affiliated financial partners

• To transfer to service providers for the purpose of carrying out an identity verification in accordance with money laundering, where necessary

• To meet regulatory requirements to which we are subject as a payment institution, in particular to combat money laundering and terrorist financing

• We process personal data if this is necessary, at your request, to fulfill and/or terminate the contract concluded as a result or another contract to which you are a party.

• For the purpose of providing the contractually agreed service, we in particular create a file to identify you when you contact us.

• In order to fulfill the contract, needs analyses are also prepared, your contract is administered and serviced, or these processes are improved.

• To comply with our legal obligations, art 6 (1) c) GDPR.

• We may collect and process your personal data to comply with legal obligations to which we are subject. This includes, for example, compliance with regulatory control and reporting obligations in accordance with the Second Payment Services Directive, to which we are subject as a third-party provider of account information services.

• Also the proper processing of financial products that we offer you in cooperation with our cooperation partners, such as our financial partners.

• To protect our legitimate interests and the interests of other responsible parties or third parties in data processing, Art. 6 (1) f) GDPR.

• We also collect and process your personal data to protect our legitimate interests or the legitimate interests of third parties, insofar as data processing is necessary to protect these legitimate interests.

• In addition, we have a legitimate interest in informing you about our improved internal processes regarding the execution of the existing contractual relationship and similar products and services.

• In addition, we have a legitimate interest in providing you with promotional information, unless you object to receiving such advertising information as: carrying out campaigns to attract new customers, generate new customers, win back customers.

• In addition, we may process data for the purposes of market or opinion research or needs analyses and provide information on the contractual relationships with our cooperation partners for proper processing.

• Data processing is also carried out to assert legal claims or defend against legal claims.

• To process your data based on your consent, Art. 6 (1) a) GDPR.

• If you have given us your express consent, we will process your data in accordance with the purposes stated there.

These are:

• Submission of promotional information, such as regular information via e-mail

• Optimizing our financial analyses and tips, such as improved recognition of contracts based on account transactions and user behavior

• Implementation of contract optimization, such as the termination of a contract or the conclusion of a new insurance or financial product

Transfer of data to third parties:

Data will not be passed on to third parties without your explicit permission, unless we have made this clear to us by you beforehand. This may be the case when brokering, concluding and/or managing term contracts and financial products with our cooperation partners. If you commission us to mediate, conclude and/or manage, we will transfer the necessary data to the appropriate provider (s). Only the information that is actually necessary for the execution of the respective order is transmitted. This usually includes name, address, date of birth, account information for direct debit and information about the provider's desired product — but does not include details of sales data. Account and turnover data will only be transmitted to cooperating partners if you personally conclude financial products, provided that this data is necessary as a prerequisite for determining your credit rating and you have agreed to the transfer. When executing the exchange orders, Vinlivt may work with vicarious agents and partners who receive the necessary order data for the purpose of properly executing the exchange order.

If an identity verification is required by a cooperation partner/financial partner to apply for the conclusion of a contract, we will transfer the data required by you and provided as part of the conclusion process to an external service provider who is responsible for carrying out the identity verification process. Identity verification is carried out using an identification process, such as video identification and/or qualified electronic signature, which fully meets the requirements of the Money Laundering Act, the data protection guidelines and the respective supervisory authority, such as BaFin. The legal basis for transmitting the data in this step is the Money Laundering Act (GwG) and Art. 6 (1) b) GDPR, as your identification in accordance with money laundering is a prerequisite for concluding the respective contract with the cooperation partner.

An up-to-date overview of the cooperation partners/financial partners, as well as the external service providers used to carry out the identity verification, can be obtained from us via a request to hello@vinlivt.de

Further data collection by Vinlivt:

So that we can further optimize and improve the Vinlivt application for you, we use third-party providers who help us understand which features and areas are being used, or may be faulty. This allows us to plan, develop and optimize better software improvements. This gives you control over what happens with your data and how you help us optimize it. Within the Vinlivt application, you can view and manage all legal information at any time under Privacy and Terms and Conditions. It can transfer your personal data to anyone to whom we assign rights resulting from the contractual relationship with you. Among other things, your data may also be transferred to other third parties for other purposes permitted under the General Data Protection Regulation, such as legal or tax service providers or regulatory authorities.

Third party Vinlivt application providers:

web hosting

We use external services for web hosting. These services may have access to personal data that is processed as part of the use of our online offering. Your encrypted data is stored in a data center in Germany/Frankfurt.

Web server log files

We process your personal data in order to be able to display our online offering to you and to ensure the stability and security of our online offering. Information such as the requested element, accessed URL, operating system, date and time of the request, browser type and version used, IP address, protocol used, amount of data transferred, user agent, referrer URL, time zone difference to Greenwich Mean Time (GMT) and/or HTTP status code are stored in so-called log files (access log, error log, etc.). If we have asked you for your consent and you have given it, the legal basis for processing is Art. 6 para. 1 lit. a GDPR. If we have not asked you for your consent, the legal basis for processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the proper display of our online offering and ensuring the stability and security of our online offering.

Google Tag Manager

We use Google Tag Manager. This is a solution that allows us to manage so-called website tags via an interface and thus integrate Google Analytics and other Google marketing services into our online offering, for example. The tag manager itself, which implements the tags, does not process any user data. With regard to the processing of user data, reference is made to the following information about Google services.

Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html

Google Analytics

We use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland “Google”. Google uses cookies. The information generated by the cookie about the use of the online offer by users is usually transmitted to a Google server in the USA and stored there. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on activities within this online offering and to provide us with other services related to the use of this online offer and Internet usage. Pseudonymous user profiles of users can be created from the processed data. We only use Google Analytics with activated IP anonymization. This means that the IP address of users is abbreviated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. The IP address transmitted by the user's browser is not combined with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offer and from processing this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

If we ask users for consent, for example as part of a cookie consent), the legal basis for this processing is Article 6 (1) lit. a. GDPR. Otherwise, user data is processed on the basis of our legitimate interests, i.e. the interest in the analysis, optimization and economic operation of our online offering within the meaning of Article 6 (1) (f) GDPR). For more information on Google's use of data, settings and objection options, please see Google's privacy policy (https://policies.google.com/privacy) and in the settings for displaying advertising by Google (https://adssettings.google.com/authenticated). User data is deleted or anonymized after 14 months.

Google Universal Analytics

We use Google Analytics in the form of “universal analytics.” “Universal Analytics” means a Google Analytics process in which user analysis is carried out on the basis of a pseudonymous user ID and thus creates a pseudonymous profile of the user with information from the use of various devices, so-called “cross-device tracking”.

Target group building with Google Analytics

We use Google Analytics to display ads placed within Google and its partners within web services only to users who have also shown an interest in our online offering or who have specific characteristics, such as interests in specific topics or products, which are determined on the basis of the websites visited, which we transmit to Google so-called “remarketing” or “Google Analytics audiences.” With the help of Remarketing Audiences, we also want to ensure that our ads meet the potential interest of users.

Data in third countries:

Data is transferred to third countries for the following purposes:

Notifications, specifically so-called push notifications. To help you manage your accounts and contracts in the best possible way, we send you helpful push notifications to your smartphone, such as a cancellation reminder when contracts expire. To provide this feature, we use technology from Amazon Simple Notification Service (Amazon SNS), P.O. Box 81226, Seattle, WA 98108, U.S.A. The push notifications are provided by Application Inc. (“Application”), One Infinite Loop, Cupertino, California 95014, USA or Google Firebase (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA sent to your smartphone.

Online offers on social media

We maintain online offers within social networks and platforms in order to communicate with customers, interested parties and users active there and to inform them about our services there. We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is usually processed for market research and advertising purposes. For example, user profiles can be created from user behavior and the resulting interests of users. The user profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably match the interests of users. For these purposes, cookies are usually stored on users' computers, in which user behavior and interests are stored. In addition, data can also be stored in the user profiles regardless of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

User data is processed on the basis of our legitimate interests in effectively informing users and communicating with users in accordance with Article 6 (1) (f) GDPR. If users are asked for consent to data processing by the respective platform providers, the legal basis for processing is Article 6 (1) lit. a., Article 7 GDPR. For a detailed description of the respective processing and opt-out options, we refer to the information provided by the providers linked below. Even in the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to user data and can directly take appropriate measures and provide information. Should you still need help, feel free to contact us at any time.

• Facebook, pages, groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) based on an agreement on joint processing of personal data — privacy information: https://www.facebook.com/about/privacy/, specifically for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

• Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, IR-Land) — Data Protection Information: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

• Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) — Privacy Statement/ Opt-Out: http://instagram.com/about/legal/privacy/.

• Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) — Data Protection Information: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

• Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) — privacy information/opt-out: https://about.pinterest.com/de/privacy-policy.

• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) — privacy information https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

• Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) — Privacy Statement/ Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.

• Wakalet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) — Privacy Information/Opt-Out: https://wakelet.com/privacy.html.

• Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) — data protection information/opt-out: https://soundcloud.com/pages/privacy.

Customer Support:

As a customer, you have the option to contact us via various channels, such as: email, Instagram, YouTube, Facebook, LinkedIn, contact form. We only process personal data for as long as is necessary to fulfill our contractual and legal obligations. Among other things, data processing is necessary for contract execution and execution, including the defense and enforcement of civil claims within the relevant limitation periods. The limitation periods may be up to thirty years under Sections 195 et seq. of the German Civil Code; the regular limitation period is three years. In addition, tax, commercial, tax and other legal storage obligations must be observed. The storage and documentation periods provided for there are six to ten years plus the statute of limitations of a further four years. In order not to violate legal regulations or to lose the opportunity to assert a claim or defend ourselves against such a claim, we reserve the right to delete the data only after the last period that legitimizes data storage has elapsed.

User rights:

You have the right to:

• To request information about whether and, if so, which personal data concerning you is being processed, Art. 15 GDPR; you can download information about all your processed data at any time in the “More” -> “Legal Information” -> “GDPR Information” tab.

• to request the correction of incorrect or the completion of incomplete personal data, Art. 16 GDPR;

• to require us to delete personal data concerning you immediately, provided that the conditions set out in Article 17 GDPR are met;

• to request the restriction of the processing of your personal data, insofar as Article 18 GDPR provides for this;

• to receive the personal data concerning you in a format that meets the requirements of Art. 20 (1) GDPR;

• for data portability under the conditions set out in Art. 20 (1) a), b) GDPR;

• not to be subject to a decision based exclusively on automated processing — including profiling — if a decision was only made in an automated process and that decision significantly affects you.

• In the event of a rejection, we will manually review the decision once again after you have informed us of your considerations and objections to the decision made in the automated process and requested the manual review, Art. 22 (1), (3) GDPR. In addition, you are entitled to view the criteria for the decision.

Objection to processing of personal data:

If we process your data to protect legitimate interests, you can object to this processing for reasons arising from your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes without giving reasons; this also applies to profiling insofar as it is associated with such direct marketing. We will then no longer process your personal data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. To object to the processing of your data, you can permanently and irrevocably delete your account within the Vinlivt application at any time.

Where can you complain?

If you believe that the processing of your personal data by us is unlawful or that we may violate data protection law for other reasons, you can complain to the supervisory authority BFDI responsible for us:

https://www.bfdi.bund.de/DE/

Are you required to provide your data?

When downloading our application and using our services, you must provide the personal data that is necessary to establish, carry out and fulfill the associated obligations or which we are legally obliged to collect. Without this data, we will not be able to provide you with our service.

Does automated individual case decision based processing or profiling measures take place?

Vinlivt is your personal financial assistant and automatically checks whether there are optimization options for your pension, pension and finances as well as contracts. Just like a real financial advisor, he needs as good a picture of you as possible in order to be able to give you recommendations tailored to your personal situation. For this purpose, pseudonymized user profiles are created based on your general profile and enriched financial analysis data, including year of birth, zip code, contracts, turnover categorizations and personal retirement and financial tips. These user profiles cannot be linked to a person. Personal data, such as IBANs or contract numbers, is made unrecognizable before user profiles are created. For example, IBAN DE30 5007 0010 0123 4567 89 becomes IBAN XX00 0000 0000 0000 0000 00. These user profiles are used to provide you with retirement and financial tips that are individually tailored to you.

Vinlivt newsletter

We only send newsletters, emails and other electronic notifications with promotional information with the consent of the recipients or legal permission. If the content of the newsletter is specifically described as part of a subscription to the newsletter, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us. Signing up for our newsletter is a double opt-in process. After registration, users receive an email asking them to confirm their registration. This confirmation is necessary so that no one can log in with foreign e-mail addresses. Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with the necessary requirements. This includes saving the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged. To sign up for the newsletter, it is sufficient to provide an email address and your name.

The newsletter and the associated performance measurement are based on the consent of the recipients in accordance with Article 6 (1) (a), Article 7 GDPR in conjunction with Section 7 (2) No. 3 UWG or, if consent is not required, on the basis of our legitimate interests in direct marketing in accordance with Article 6 (1) (f) GDPR in conjunction with Section 7 (3) UWG. The registration process is logged on the basis of our legitimate interests in accordance with Article 6 (1) (f) GDPR. We are interested in using a user-friendly and secure newsletter system (Mailerlite) that both serves our business interests and meets user expectations and also allows us to prove consent. Users can unsubscribe from our newsletter at any time, i.e. withdraw their consent. A link to unsubscribe from the newsletter can be found at the end of each newsletter. Based on our legitimate interests, we store the unsubscribed email addresses in the form of a blacklist for up to three years before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time.

https://www.mailerlite.com/legal/privacy-policy

‍