Privacy Policy
Written by Ryan

Introduction

LAST UPDATE: MAY 27, 2019

Our mission is to bring investor relationship management to the digital age. On the one hand, the platform allows investors to track and support their investments; on the other hand, it helps startups streamline and simplify their investor reporting.

We treat the platform’s content with highest responsibility and do everything to protect respective user information. We will not use or share your personal information without your consent. This document, “Privacy Policy”, describes the practices we apply to protect the data we have collected on our platform investory.io.

This Privacy Policy informs you about:

  • The type, scope and collection of personal data

  • How we process personal data

  • Who we share personal data with

  • The options you have regarding how to access, update and remove your personal data

Please note that this Privacy Policy applies to our services offered through our website (investory.io) as well as our external online presence (collectively referred to as “Service(s)”). Privacy related terms used in this document relate to the definitions laid out in Article 4 of the GDPR (http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm). We aim to make this policy as simple as possible, however if you don’t understand something or need clarifications, feel free to contact us!

This policy applies to users who consent to use or access the offered Services on or after the Effective Date. If you do not consent to this Privacy Policy when asked, please exit, and do not access or use, the Service.

Responsible for Data Privacy

Investory Onlineplattform GmbH
Hintere Achmühlerstr. 1a
6850 Dornbirn
Austria
CEO: Guillermo Falco
Contact: support@investory.io

What data we process

  • Basic data (e.g. Full Name)

  • Contact data (e.g. Email)

  • Content data (e.g. Photos, Text)

  • Usage data (e.g. access statistics)

  • Meta data (e.g. IP-address, system information)

Categories of people we collect data on

Visitors and users of our service offering (collectively referred to as “Users”).

Purpose of data processing

  • Providing the Services offered (see Terms & Conditions for more details)

  • Communication with Users for support and in the course of normal business activities

  • Providing security measures (e.g. Logs, Backups, e-mail verification)

  • Usage statistics and marketing (e.g. cookies, tracking systems)

Legal basis

According to Article 13 GDPR we have to inform you of the legal basis of our data processing. For obtaining consent the legal basis is listed in Article 6 (1) and Article 7, for the data processing in the course of our service offering and contractual provisions Article 6 (1) and for the compliance with regulatory responsibilities as well as our legitimate interest Article 6 (1) of the GDPR is the basis of data processing.

Security measures

In accordance with Article 32 of the GDPR, we protect personal data based on state-of-the-art security measures. The appropriateness of the technical and organizational security measures is evaluated, based on the risk to the rights and freedoms of our users, probability of occurrence, implementation costs and the type and purpose of processed data.

We have security measures in place to ensure the confidentiality, integrity and availability of processed data. These measures apply to physical access as well as when entering, transferring and storing data. In addition, we have set up processes to ensure our users’ rights to delete and export their information. Furthermore, security measures are also deployed during the development, hardware/software selection and design of our service offering. For more details please also see our security policy here.

Working with third parties

We only work with and transfer data to third parties in the course of our Service offering (commissioned data processing), when there is a legal basis to do so. Either you have given us consent, we need to meet regulatory obligations or based on legitimate interests (e.g. freelancer or other external service providers).

If we commission third parties with the processing of data, we do so according to Article 28 of the GDPR.

Transfer of data outside of Europe

Our Service is hosted and operated in Europe (Germany), with development, support and maintenance operations in other countries inside the European Union (“EU”), through us and our service providers. If we transfer data to non-EU countries, we do so only to fulfil contractual obligations, with your consent or based on legitimate interests. We transfer data to non-EU countries only in case the conditions outlined in Article 44 GDPR are adhered to. For example, transfer and processing outside of Europe is done based on special guarantees that the same data protection level is kept in the non-EU country (e.g. in the USA through the “Privacy Shield” agreement) or we specify these requirements in special contractual obligations.

Your rights as a user

  1. You have the right to ask which data is being processed and ask us to disclose this information as well as related information and copies of this data in accordance with Article 15 GDPR.

  2. You have the right to ask for correction or amendment of your data according to Article 16 GDPR.

  3. You have the right to ask for immediate deletion of your data (Article 17 GDPR) or to limit the use of data (Article 18 GDPR).

  4. You have the right to ask for transferal of provided data to another controller (Article 20 GDPR).

  5. You have the right to lodge a complaint with a supervisory authority (Article 77 GDPR).

  6. You have the right to revoke your consent of data processing for the future (Article 7 GDPR).

  7. You can object to future processing of your data according to Article 21 of the GDPR, this can be limited to processing for direct marketing purposes.

Deletion of Data

Data we are processing can be deleted or limited in accordance with Article 17 and 18 of the GDPR. If not mentioned anywhere else, we delete data when or if they are no longer necessary for the completion of the initial purpose and there is no requirement to keep data for legal purposes. In case data is necessary for legal purposes or there is a regulatory retention period, processing of this data will be limited (e.g. data that needs to be retained due to tax or trade laws).

In Austria the retention of data is limited to 7 years in case of financial and business data (see § 132 (1) BAO).

How we process data

In the following, a record of processing activities is provided. This extensive list is meant to provide an overview of the most relevant data processing activities we employ.

Business related processing

In addition to the data we process through our Service, we also process data in the course of normal business operations:

  • Contract data (e.g. service offerings and contract subjects)

  • Payment data (e.g. bank connection and payment history)

Hosting

We use hosting service providers for the following purposes:

  • Providing infrastructure and networking services

  • Providing storage and database capabilities

  • Providing maintenance and support services

The hosting provider processes data based on legitimate interest of our Users, to ensure the efficient and secure offering of our Services in accordance with Article 6 (1) and Article 28 GDPR. Hosting is provided by Amazon Web Services, a hosting provider of Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA. The privacy policy of the hosting service provider can be viewed here: https://aws.amazon.com/de/privacy/

The Amazon.com, Inc is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active).

Handling of access and system log files

We and some of our third-party providers store data about access to our systems due to legitimate interests defined in Article 6 (1) GDPR. In these logs, data like names, accessed sites, date and time of access, system type and system versions as well as referrer URL and IP address may be temporarily stored.

These logs are used for security or maintenance purposes (e.g. to investigate issues or abuse situations) and will be deleted regularly. Data that might be used as evidence, might be stored until the case is resolved.

Provision of contractual services

We process basic data (e.g., names and addresses as well as contact information of users), contract data (e.g., services provided, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Article 6 (1) GDPR.

The storage of this data is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. A transfer of these data to third parties does not take place, unless it is necessary for the prosecution of our claims or there is a legal obligation in accordance with Article 6 GDPR.

We process usage data (e.g., the visited web pages of our online offering, interest in our products) for each user to provide relevant information based on their behavior (e.g. to send instructions, tips or guides based on their usage).

The deletion of this data takes place after expiration of legal warranty and comparable obligations, the necessity of the storage of the data is checked every three years; in the case of legal archiving obligations, the deletion takes place after its expiration. Information in the customer’s account remains until it is deleted.

Administration, financial accounting, office organization, contact management

We process data in the context of administrative tasks and organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of offering our Services in accordance with Article 6 of the GDPR. The purpose and interest in processing lies in administration, financial accounting, office organization, data archiving, that is, tasks that serve to maintain our business, perform our duties and provide our services. The deletion of the data in terms of contractual performance and contractual communication corresponds to the information provided in these processing activities.

We may disclose or transmit data to the financial administration, consultants, such as tax accountants or auditors, and other fee agents and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, promoters and other business partners, e.g. for later contact. We generally store this company-related data permanently.

Business analysis and market research

In order to operate our business economically, to be able to recognize market trends, customer and user requirements, we analyze data on business transactions, contracts, inquiries, etc. We process basic data, communication data, contract data, payment data, usage data, metadata on the basis of Article 6 GDPR, whereby the users affected include customers, prospects, business partners, visitors and users of the Service.

The analyses are carried out for the purpose of business analysis, marketing and market research. In doing so, we can provide the profiles of registered users with information, e.g. take into account their services. The analyses serve us to increase the user-friendliness, the optimization of our offer and the business economics. The analyses are for us alone and will not be disclosed externally unless they are anonymized and aggregated.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the users, otherwise after two years from the conclusion of the contract. Incidentally, the overall business analyses and general trend provisions are created anonymously wherever possible.

Privacy in the application process

We process the applicant data only for the purpose and in the context of the application process in accordance with the legal requirements. The processing of the applicant data takes place in order to fulfill our (pre-) contractual obligations in the context of the application process based on our legitimate interest (see Article 6 GDPR) or if the data processing is required in the context of legal proceedings.

The application process requires applicants to provide us with their applicant data. The necessary applicant data include the information on the person, postal and contact addresses and the application documents, such as cover letter, CV and the certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting the application to us, the applicants agree to the processing of their data for the purposes of the application process in accordance with the nature and scope set forth in this Privacy Policy. Insofar as special categories of personal data according to Article 9 (1) GDPR are voluntarily communicated within the application procedure, their processing is additionally carried out in accordance with Article 9 (2) GDPR (e.g., health information such as disability or ethnic origin).

Applicants can send us their applications via e-mail. However, please note that e-mails are generally not sent in encrypted form and that applicants themselves must provide encryption. We can therefore take no responsibility for the transmission of the application between the sender and the reception on our server and therefore recommend rather to use encryption or the postal delivery. Instead of applying via e-mail, applicants have the opportunity to send us the application by post.

The data provided by the applicants may be further processed by us in the event of a successful application for employment. Otherwise, if the application is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which the applicants are entitled to at any time.

The deletion is scheduled after a period of a few months, so that we can answer any follow-up questions to the application. Invoices for any reimbursement of travel expenses are archived in accordance with the tax regulations.

Registering an account

Users can create a user account. As part of the registration, the required mandatory information is communicated to the users and based on Article 6 (1) GDPR processed for purposes of providing the user with an investory account. The processed data includes in particular the login information (name, password and an e-mail address).

The data entered during registration will be used for the purpose of accessing their account.

Users may be sent information relevant to their user account, e.g. technical changes will be sent by e-mail. If users have terminated their data, their entire account will be deleted, unless there is a regulatory retention period. It is the responsibility of the users to secure their data before deletion. We are entitled to irretrievably delete all user data stored during the term of the usage.

During the registration or sign-up process, we may save information about you like the IP address and the time of registration/login. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. A transfer of this data to third parties does not take place, unless it is necessary for the prosecution of our claims or we have a legitimate interest in accordance with Article 6 (1) GDPR.

Contacting us

When contacting us (for example, by contact form, e-mail, telephone or via social media) your information may be processed to maintain contact in accordance with Article 6 (1) GDPR. User information may be stored in a Contact Management System, in a Customer Relationship Management System (“CRM System”) or comparable system. We delete requests, if they are no longer required.

Comments and Posts

If users leave comments or other contributions, their IP addresses may be stored based on our legitimate interests in accordance with Article 6 (1) GDPR. If someone leaves illegal content in comments and contributions (insults, prohibited political propaganda, etc.), we may be prosecuted for the comment or post ourselves and are therefore interested in the identity of the author.

Furthermore, we reserve the right to process the information of users for the purpose of spam detection. The data provided in the comments and contributions are stored by us permanently until the user objects or requests deletion.

Cookies and objections to tracking tools

We and our third-party service providers collect information about you, your device, and your use of the Service through cookies, clear gifs (a.k.a. web beacons/pixels), and other tracking tools and technological methods (collectively, “Tracking Tools”).

Tracking Tools collect information such as computer or device operating system type, IP address, browser type, browser language, mobile device ID, device hardware type, the website or application visited or used before or after accessing our Service, the parts of the Service accessed, the length of time spent on a page or using a feature, and access times for a webpage or feature.

These Tracking Tools help us learn more about our users and analyze how users use our Service, such as how often users visit our Service, what features they use, what pages they visit, what emails they open, and what other sites or applications they used prior to and after visiting the Service.

Like many websites and mobile applications, we collect certain information through the use of “cookies,” which are small text files that are saved by your browser when you access our Service.

Cookies can either be “session cookies” or “persistent cookies”. Session cookies are temporary cookies that are stored on your device while you are visiting our Website or using our Service, whereas “persistent cookies” are stored on your device for a period of time after you leave our Website or Service. We use persistent cookies to store your preferences so that they are available for the next visit, and to keep a more accurate account of how often you visit our Service, and how your usage behavior varies over time.

We also use persistent cookies to measure the effectiveness of advertising efforts. Through these cookies, we may collect information about your online activity after you leave our Service.

If you don’t want to use or store Cookies, please deactivate this option in your browser settings. Existing Cookies can be deleted manually. However, please be aware that this might lead to a reduction of our online offering experience.

A general objection to the use of Cookies or tracking tools for our Service cannot be given, due to the amount and pervasiveness of them. For more information on these topics, see http://www.youronlinechoices.com/.

Newsletter

In the following, we inform you about the contents of our newsletter(s) as well as the consent, sending and evaluation procedures as well as your right of objection. By consenting to this Privacy Policy, you agree to receive newsletter according to the outlined processes.

Content of the newsletter:

We only send newsletters, e-mails and other electronic notifications that contain information about our Services and accompanying information (such as instructions), offers, promotions and our company.

Double opt-in and logging:

Consent for our newsletter is given in the registration via a so-called double-opt-in procedure. After registration, you will receive an e-mail asking you to confirm your registration. This step is necessary so that we can confirm ownership of this e-mail address. During registration we will save your consent to this Privacy Policy. You may request for cancellation of receiving newsletters at any time, provided that you can confirm ownership (via reply or unsubscribe option).

Newsletter – Mailchimp

Newsletters may be sent by MailChimp, a mail-order service provider of Rocket Science Group, LLC, 675 Ponce De Leon Ave # 5000, Atlanta, GA 30308, USA. The privacy policy of the shipping service provider can be viewed here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The email service provider is based on our legitimate interests according to Article 6 (1) GDPR.

The email service provider may use the data of the recipients in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of email sending and the presentation of newsletters or for statistical purposes. However, the email service provider does not use the data of our newsletter recipients to address them themselves or to pass the data on to third parties.

Newsletter – Intercom

Newsletters may be sent by the customer relationship service Intercom, Inc, 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States. You can view the privacy policy of the customer relationship service provider here: https://docs.intercom.com/pricing-privacy-and-terms/privacy/intercom-inc-privacy-policy. Intercom Inc is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TNQvAAO&status=Active). The customer relationship service provider is used, based on our legitimate interests according to Article 6 (1) GDPR.

The customer relationship service provider may use the data of the recipients in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of relationships and the presentation of newsletters or for statistical purposes. However, the customer relationship service provider does not use the data of our newsletter recipients to address them themselves or to pass the data on to third parties.

Bugtracking – Bugsnag

Bugs and general errors are automatically collected and sent to Bugsnag, Inc, 939 Harrison St, San Francisco, CA 94107, United States. You can view the privacy policy of the bugtracking service provider here: https://docs.bugsnag.com/legal/privacy-policy/. Bugsnag Inc is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TSeVAAW&status=Active). The bugtracking provider is used based on our legitimate interests according to Article 6 (1) GDPR.

The bugtracking service provider may store data of users in pseudonymous form, without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of relationships and the presentation of newsletters or for statistical purposes. However, the bugtracking service provider does not use the data of our bugs to address them themselves or to pass the data on to third parties.

Email – Tracking

The newsletters may contain a so-called “web-beacon”, a pixel-sized file that is retrieved from the server when opening the newsletter from our server, or if we use an email service provider. This call will initially collect technical information, such as information about the browser and your system, as well as your IP address and time of retrieval.

This information is used to improve the technical performance of services based on their specifications or audience and their reading habits, based on their locations (which can be determined using the IP address) or access times. Statistical surveys also include determining if the email will be opened, when they will be opened, and which links will be clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our goal nor, if used, that of the email service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

Jetpack (WordPress Stats)

Based on our legitimate interests (e.g. interest in the analysis, optimization and improvement of our Service) we use the plugin Jetpack, which includes Visitor Access Statistical Evaluation and Spam protection developed by Automattic Inc., 60 29th Street # 343, San Francisco, CA 94110, USA. Automattic Inc is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active). Jetpack uses so-called “cookies”, text files that are stored on your computer and that allow an analysis of the use of the website by you.

The information generated by the cookie about your use of this online offer is stored on a server in the USA. Here, user profiles of the users can be created from the processed data, these being used only for analysis and not for advertising purposes. For more information, see the Automattic Privacy Policy: https://automattic.com/privacy/ and Jetpack Cookies: https://jetpack.com/support/cookies/.

Google Analytics

We use Google Analytics based on our interest to analyze, optimize and improve our Service. Google Analytics is a web analytics service provided by Google LLC (“Google”). Google uses cookies to generate information about the use of our online Services; this information is usually transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google may use this information on our behalf to evaluate the use of our online Service by users, to compile reports on the activities and to provide us with further services related to the usage. It is possible to create pseudonymous usage profiles of the users based on the processed data.

We only use Google Analytics with activated IP anonymization. This means that the IP address of the users will be shortened by Google from member states of the European Union or in other countries. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.

The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly.

For more information about Google’s data usage, settings and objection options, please read Google’s Privacy Policy (https://policies.google.com/technologies/ads) and Google’s Ads Settings (https://adssettings.google.com/authenticated).

The personal data of users will be deleted or anonymized regularly.

Mixpanel

We use Mixpanel based on our interest to analyze, optimize and improve our Service. Mixpanel is a web analytics service provided by Mixpanel Inc (“Mixpanel”). Mixpanel uses cookies to generate information about the use of our online Services; this information is usually transmitted to a Mixpanel server in the USA and stored there. Mixpanel is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TOacAAG&status=Active).

Mixpanel may use this information on our behalf to evaluate the use of our online Service by users, to compile reports on the activities and to provide us with further services related to the usage. It is possible to create pseudonymous usage profiles of the users based on the processed data.

The personal data of users will be deleted or anonymized regularly.

Facebook-Pixel, Custom Audiences and Facebook-Conversion

Based on our legitimate interests (e.g. interest in the analysis, optimization and improvement of our Service) we use the so-called “Facebook pixel” of the social network Facebook, by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”).

Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

With the help of the Facebook pixel, it is possible for Facebook to identify the visitors to our Service as a target group for display of advertisements (so-called “Facebook ads”). With the help of the Facebook pixel, we also want to make sure that our Facebook ads are in line with the interest of our users. We are also able to understand the effectiveness of the Facebook ads for statistical and market research purposes, in which we see whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).

The processing of the data by Facebook is part of Facebook’s data usage policy. Accordingly, general notes on the display of Facebook Ads can be found in Facebook’s Data Usage Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook Pixel and how it works, visit the help section of Facebook: https://www.facebook.com/business/help/651294705016616.

You may object to the capture by the Facebook Pixel and use of your data to display Facebook Ads. To set which types of ads you see within Facebook, you can go to a special page set up by Facebook and follow the instructions for the usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform independent, meaning they are adopted for all devices, such as desktop computers or mobile devices.

You can also opt-out of using Cookies for tracking and promotional purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and in addition the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Social Media

We maintain online presence within social networks and platforms in order to communicate with customers, prospects and users active there and to inform them about our services. When communicating through the respective networks and platforms, the terms and conditions and the data processing guidelines of these networks and platforms apply.

Google Fonts

We incorporate the fonts (“Google Fonts”) provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Saltedge – Banking API

If users choose so, they can opt in to give access to their bank accounts through our dedicated banking API provider Saltedge, Saltedge Inc., 40 King Street West, Suite 2100, Canada. Saltedge Inc complies with the European data protection standard as documented in their privacy policy (https://www.saltedge.com/pages/privacy_policy). Saltedge uses so-called “tokens”, text files that are temporarily stored, to provide us access to your bank account. We as investory never know or store bank account login data.

Stream.io – Feeds/Notifications

For part of our users (currently investors), there is an option to exchange or keep track of information by posting notes. To keep track of posted notes and to be able to notify other users, we use Stream.io as feed/notification provider. While this functionality is currently limited to one use case, we may expand the usage in the future. Stream.io does not receive personal identifiable information from investory, but users can choose to share such information on their own. Stream.io Inc, 1215 Spruce Street, Suite 301, Boulder, CO 80302, United States, complies with the European data protection standard as documented in their privacy policy (https://getstream.io/legal/privacy/).

Stripe – Payment Provider

If users choose so, they can opt-in to subscribe to a paid plan by providing payment information, which is managed by our dedicated payment service Stripe. Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc., in the U.S. To ensure the adequate protection of personal data, they have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. For more information, please read their Stripe Privacy Shield Policy. In addition to Privacy Shield, Stripe continues to employ additional compliance measures to ensure an adequate level of protection of personal data transferred outside the European Economic Area.
