The controller of the personal data and responsible party in accordance with data protection laws, in particular the EU General Data Protection Regulation, is the Website operator: Swarm Capital GmbH Branch Office Berlin, Pestalozzistr. 3, 10625 Berlin, Germany.
2. Data Processing
The type, scope and purpose of the processing of personal data depend on how and which Swarm Markets services are used. In particular when you use our business banking solutions, we will process specific personal data required for the service. Hereunder, we will show you which information will be collected for different types of engagements – and what we are doing with it.
2.1. Visiting the Website
Nature and purpose of processing:
When you access our website, i.e., when you do not register or otherwise submit information, information of a general nature is automatically collected. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider, your IP address and the like.
In particular, they are processed for the following purposes:
- ensuring a smooth connection setup of the website,
- ensuring a smooth use of our website,
- evaluating system security and stability, and
- optimizing our website.
We do not use your data to draw conclusions about you personally. Information of this kind is statistically evaluated by us anonymously, if necessary, in order to optimize our website and the technology behind it.
Legal basis and legitimate interest:
The processing is carried out in accordance with Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.
Recipients of the data may be technical service providers who act as order processors for the operation and maintenance of our website.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is generally the case for data used to provide the website when the respective session has ended.
In the case of storage of data in log files, this is the case after 14 days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are anonymized, so that an assignment of the calling client is no longer possible.
Provision prescribed or required:
The provision of the aforementioned personal data is neither legally nor contractually required. However, without the IP address, the service and functionality of our website is not guaranteed. In addition, individual services may not be available or may be limited. For this reason, an objection is excluded.
We use the so-called web fonts for the uniform presentation of fonts. These web fonts are provided by Google Fonts, a service of Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”).
When a page is requested, the visitor’s browser loads the required web font into the visitor’s browser cache to display the texts and fonts correctly.
In order to do this, your browser must connect to the Google servers. This will notify Google that the Website was accessed via your IP address. Google Fonts is used in the interest of a uniform and attractive presentation of our online services.
2.2. Security of the Website
The data subjects with regards to the security of the Website are all Website visitors.
In order to ensure the security of the Website, the data generated when the Website is accessed is processed in the form of server log files. Although this is basically device data, it may be possible to relate this data to the Website visitors. The data is matched against existing attack vectors and evaluated when attacks are detected.
Data stored in the server log files includes visited websites, date and time of the access, the amount of data sent in bytes, the URL of the previously visited website, the internet browser used, and the operating system used.
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For the server log files, the maximum storage period is 7 days. If data needs to be retained for evidence, it will be exempted from deletion until the incident is finally resolved.
The legal basis for the processing is article 6.1, paragraph (f), GDPR (legitimate interest).
The data subjects with regards to the Range Measurement and the optimization of our offer are all the visitors of our Website.
These cookies are only set once you have given us your consent. To grant your consent, we will provide you with a communication field at the beginning of the visit to the Website.
The legal basis for the processing of data using cookies is article 6.1, paragraph (a), GDPR (consent).
Any given consent can be revoked at any time with future effect in the cookie settings on our Website. The cookie settings can be found in the OneTrust Preference Center on this website. The set cookies will be deleted.
You yourself can delete individual cookies or the entire cookie inventory. In addition, you will receive information and instructions on how to delete these cookies or block their storage in advance. Depending on the provider of your browser, you can find the necessary information under the following links:
To administer and implement your consent on our website, we use the consent management solution OneTrust. This service is provided by the OneTrust Technology Limited (Cannon Green, 27 Bush Lane, London EC4R 0AA, UK; “OneTrust”).
OneTrust enables us to collect, manage and document the consent of our visitor for data processing and the use of individual third-party services and various web technologies on the Website.
The legal basis for the processing is art. 6.1 (c) GDPR (compliance with legal obligations).
The following third-party providers are used. The following information is relevant to you only if you have given the appropriate consent:
2.3.2. Google Services
We use the services Google (Universal) Analytics, Google Analytics Remarketing, Google Ads, Google Search Ads 360, and the Google Tag Manager. These are services provided by Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”). Google is based in the third country USA, which basically lacks an EU level of protection. Therefore, Standard Contractual Clauses as appropriate safeguards according to Art. 46 GDPR have been concluded with Google.
2.3.2.1. Google (Universal) Analytics
On this Website, the anonymization of the IP address takes place. The IP address of the visitors is shortened. Only in certain individual cases is the full IP address transmitted to the servers in the USA and shortened there. This shortening of the IP address eliminates the personal reference to the IP address of the visitor.
In accordance with the terms of the agreement we have entered with Google, Google uses the collected data to compile an evaluation of the use of the Website and the website activity across multiple devices and sessions, and provides services related to the use of the internet.
The data collected by Google on behalf of us are used to evaluate the use of the online offer by the individual visitors, e.g. to generate activity reports on the Website in order to improve the online offer.
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
2.3.2.2. Google Analytics Remarketing
Google Analytics Remarketing allows us to link the promotional audiences to the cross-device capabilities of Google Ads and Google Campaign Manager. In this way, interest-based, personalized advertisements that were adapted depending on the previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of the visitor's devices (e.g. tablet or PC). This assumes that the visitor has given Google the appropriate consent. If this is the case, Google links the web and app browsing history to the personal Google Account for this purpose.
To support this feature, Google Analytics collects Google-authenticated IDs of the visitors that are temporarily associated with our Google Analytics data to define and create audiences for cross-device advertisement promotion.
Website visitors who have a Google account can permanently opt out of cross-device remarketing / targeting by disabling the personalized ads in the Google Account following this link:
2.3.2.3. Google Ads (previously AdWords) and Conversion-Tracking
This Website uses as part of Google Ads the so-called conversion tracking. When a visitor clicks on an advertisement provided by Google, a conversion tracking cookie is set on your browser. These cookies expire after 30 days and are not used for the personal identification of the visitor. If the visitor visits certain pages in this Website and the cookie has not expired yet, we may recognize that the visitor clicked on the above-mentioned advertisement and was redirected to this page.
With the help of the conversion cookies, the gathered data is used to generate conversion statistics for us as Google Ads customers. We learn the total number of visitors who have clicked on our advertisement and were thus redirected to a conversion tracking tag page. We do not receive any data that personally identifies the visitors.
You can set your internet browser so that you are informed about the cookie settings and so as to allow cookies only in individual cases and to exclude some cookies or generally exclude all cookies and set the automatic deletion of cookies when you close the internet browser. Please note that disabling cookies may limit the functionalities of the Website. The same functionality applies to the next section.
2.3.2.4. Google Search Ads 360 (previously DoubleClick Search)
Analogous to the previous section, using Search Ads 360 allows Google and its partner sites to serve ads based on previous visits to our or other sites on the Internet. The data collected in this context may be transferred by Google to a server in the USA for evaluation and stored there. Unlike Google Ads, which is limited to the Google Search Network, Google Search Ads 360 allows ads and keywords to be trafficked to multiple supported search engines.
2.3.2.5. Google Tag Manager
Google Tag Manager manages Google Analytics tracking (see above). Google Tag Manager itself does not collect personally identifiable information.
2.3.3. Facebook Pixel & Facebook Remarketing
We use the Custom Audiences remarketing feature of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland, “Facebook”). Facebook is based in the third country USA, which basically lacks an EU level of protection. However, we use standard contractual clauses which offer an appropriate level of protection of personal data in accordance with articles 45 and 28 GDPR.
This function is used to target visitors with a Facebook user account with interest-based advertisements in the social network Facebook.
For this purpose, the Facebook Remarketing Tag has been implemented on this Website. Through the use of this tag, a direct connection to the Facebook servers is established when the Website is visited, and it is transmitted to the Facebook servers which pages of our Website were accessed by visitors. Facebook assigns this data to your Facebook user account, if there is such an account. Within Facebook, visitors of our Website who are also Facebook members are then shown personalized, interest-based Facebook advertisements.
As a visitor of our Website and Facebook user, you can disable the Custom Audiences remarketing feature using the following link: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
2.3.4. LinkedIn Ads
We use the LinkedIn Ads feature of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland, “LinkedIn”). LinkedIn is based in the third country USA, which basically lacks an EU level of protection. However, we use standard contractual clauses which offer an appropriate level of protection of personal data in accordance with article 28 GDPR.
This function is used to target visitors with a LinkedIn user account with interest-based advertisements in the social network LinkedIn.
For this purpose, a remarketing tag has been implemented on this Website. Using this tag, a direct connection to the LinkedIn servers is established when the Website is visited, and it is transmitted to the LinkedIn servers which pages of our Website were accessed by visitors. LinkedIn assigns this data to your LinkedIn user account, if there is such an account. Within LinkedIn, visitors of our Website who are also LinkedIn members are then shown personalized, interest-based LinkedIn advertisements and sponsored posts/messages.
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
We use the affiliate program of financeAds GmbH & Co. KG (Karlstraße 9, 90403, Germany; “FinanceAds”). The script enables us to pay advertising network partners a so-called lead or sale commission in the event of successful registration or subscription. The script will only be executed for users who have accessed our Websites from an affiliate partner in the FinanceAds network when the user accesses pages that are relevant for the commission. For this purpose, so-called Finance Ads parameters are stored locally in a cookie in the user’s browser and are read out script-based for billing-relevant calls to our website. The evaluation is carried out using pseudonymous data records and only for the aforementioned purposes.
2.4. Communication and Social Media
The data subjects with regards to the newsletter are the newsletter subscribers.
The Swarm Markets Newsletter can be subscribed to through our Website. The newsletter is a separate, free information service that can be used independently of any existing customer relationship with Swarm Markets.
The subscriber has the possibility to agree to receive via e-mail information regarding current offers or events in the form of a newsletter from us. For the newsletter service, we need the e-mail address in order to send the newsletter, as well as the name and last name to be able to address you personally and avoid abuse. After registering for the newsletter, the subscriber will receive an e-mail. This e-mail has a link with which the subscriber must confirm the registration to the newsletter service. We will send the newsletter only after the confirmation has taken place (double opt-in).
The subscriber can unsubscribe from the newsletter at any time. Each newsletter contains information to unsubscribe from the newsletter with future effects. Alternatively, the request to unsubscribe can be sent to us via e-mail at any time to [email protected].
The legal basis for the processing is article 6.1 (a) GDPR (consent).
For the distribution, management and statistics of the newsletter we are using Intercom.
We use Mandrill, a service provided by The Rocket Science Group LLC d/b/a MailChimp (675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA, 30308, USA, “MailChimp”), for the provision, administration and distribution of our newsletter. MailChimp is based in the third country USA, which basically lacks an EU level of protection. However, we use standard contractual clauses and thereby provide an appropriate level of data protection according to article 28 and 48 GDPR.
This service enables us to internally manage a database of the e-mails and telephone numbers to communicate with subscribers. The service also manages data regarding when an e-mail was read by a subscriber and when a subscriber interacted with the incoming e-mail, for example by clicking on the links included in such e-mail. This is done by using the so-called web beacons, also known as tracking pixels. Tracking pixels are small image files that allow us to evaluate user behavior.
MailChimp transmits personal data to external service providers in order to offer its services. MailChimp processes personal data in accordance with European privacy standards.
You can object to this tracking at any time by unsubscribing from the newsletter as described above. In the event that you de-activate the display of images in your e-mail program by default, the evaluation by MailChimp described above is not possible. In this case, the newsletter will not be fully displayed, and you will not be able to take advantage of all its features.
2.4.2. E-Mail- and App-Notifications
The data subjects with regards to the notifications are customers and prospective customers.
In the context of our contractual relationships, we contact our customers to provide legally required information, to inform them about new features of the services and products we are offering, to present these, and to give them the opportunity to voice feedback in order to improve our services.
In the case of prospective customers who showed interest in our products and services, we contact the parties to assist in the sign-up and account creation, as well as to support and remind about open steps in the registration and identification processes. The status of prospective customer is maintained for 3 months, after which the prospective customer has either completed the account creation or the incomplete registration will be deleted.
The legal basis for the processing is article 6.1 (b) GDPR (contractual relationship).
More information regarding our customers and our customer services can be found below (see section 2.5).
For the distribution, execution, management and statistics of the mailings we are using Intercom and HubSpot.
These services enable us to internally manage a database of the contact data to communicate with our customers and prospective customers. The services also manage data regarding when an e-mail was read by a recipient and when a recipient interacted with the incoming e-mail, for example by clicking on the links included in such e-mail. This is done by using the so-called web beacons, also known as tracking pixels. Tracking pixels are small image files that allow us to evaluate user behavior.
In the event that you deactivate the display of images in your e-mail program by default, the evaluation by the services described above is not possible. In this case, the e-mails will not be fully displayed, and you will not be able to take advantage of all its features.
2.4.3. Social Media
The data subjects with regards to social media are website visitors, who also are in particular members of the respective social media.
For marketing purposes, we are active on social media and provide information regarding current news, events and other information which may be of interest to you. Additionally, we will inform you about news and products from our portfolio companies. If you contact the respective page or account or our company in a social network, we will process the personal data that you provide to us in order to establish or maintain contact with you in this network on the basis of our legitimate interest (article 6.1 (f) GDPR).
We do not use scripted social media plugins to share data from our Website through social media. Rather, our share buttons only contain a link to the social media (e.g. sharer.php for Facebook). As a result of this, we do not process your personal data in this context. In addition, it is ensured that your personal data such as your (possibly truncated) IP address, whole cookies or other information is only transmitted to the social media and thus possibly also to servers in the USA, if you press the relevant button. This also applies to the links to our social media pages that we have implemented on our Website. It is possible that a social media provider can link your visit to our services with your user account.
For the above-mentioned purposes, we use the following social media (you can find more information in the links to the respective privacy policies included below):
2.5. Services for registered users
The data subjects with regards to the services we offer for registered users are our customers. Between entering and completing the registration process, data subjects are considered potential customers.
Swarm Markets is a service provider for small and medium enterprises. Currently, the service portfolio focuses on the provision of banking solutions for business customers.
We process data which is required on the one hand for the provision of our services itself and on the other hand data for which statutory obligations, such as banking, commercial, tax and storage obligations exist. These are general data concerning the bank account, transaction data concerning the account management, but also personal data like names and e-mail addresses of beneficial owners, authorized representatives etc.
Further, Swarm Markets might contact existing customers occasionally, to inform about new services and to get feedback to improve existing services.
The legal bases for the services for registered users are article 6 paragraph 1 (f) GDPR (legitimate interest), article 6 paragraph 1 (b) GDPR (performance of a contract), and article 6 paragraph 1 (c) GDPR (compliance with legal obligation).
2.5.1. Account registration
To register for an Account with Swarm Markets, several general data are collected. Besides the legal form of your business and the country, these data include your e-mail address.
2.5.2. Account management
Swarm Markets uses Swarm Markets GmbH while managing your bank account and provides you with a dashboard, your account overview and all functions connected to the bank account. Swarm Markets GmbH processes your transaction data like account number, references, account balance, account activity to deliver functions like statistics, and to operate the account with transactions etc. As our customers are legal persons, most of the data are not considered personal data. However, references and transaction data, for example, may contain personal data and are treated as such.
For the account management, Swarm Markets GmbH may further process personal data like names and e-mail addresses of beneficial owners or authorized representatives. In certain cases, Swarm Markets GmbH is collecting data according to statutory obligations (GWG, BGB) and transferring the data to Swarm Markets.
2.5.3. Customer service
Customers and prospective customers can take advantage of our accompanying services. For this, we process the personal data stored in the context of the customer relationship and the personal data provided by the data subjects to the customer care services.
2.5.4. Product Loan
As a tipster, we enable our business banking customers to compare different loan offers, which can be applied for and concluded directly with the relevant credit institutions and which are provided by them. For this purpose, we process data required for the product comparison and the selection of suitable offers from partner credit institutions.
The legal basis is Article 6 paragraph 1 (f) GDPR (legitimate interest). Swarm Markets collects the data on the basis of the mutual interest in enabling Swarm Markets customers to obtain a loan. The collected data will be stored for the duration of the customer relationship with Swarm Markets in order to optimize the service and to provide an application history for the customer.
The personal data collected by Swarm Markets to provide the settlement will not be automatically transferred to the credit institutions. The corresponding offers are therefore not individually calculated and are not binding. In order to be able to display only relevant financing offers to the Customer, a superficial, internal credit assessment is carried out on the basis of the account turnover data. No data is transmitted to third parties in the process.
Depending on the customer selection of a loan offer, either
- Swarm Markets does not transfer the personal data to the selected partner credit institution. Via a link, the customer is directly forwarded to the website of the credit institution, where the financing can be applied for independently, and the associated data is collected directly. Or
- the transmission of a loan request including all personal data provided for this purpose to the selected partner credit institution takes place. In addition, the partner credit institution will transmit the data directly to a credit agency for the purpose of credit assessment. The legal basis for the transmissions is Article 6 paragraph 1 (a) GDPR (consent).
The general terms and conditions and data protection declarations of the respective credit institutions apply to the conclusion and provision of financing.
2.5.5. Termination of the business relationship
When the business relationship between Swarm Markets and the customer is terminated, Swarm Markets is obliged to store your data according to statutory retention periods. When these storage requirements are fulfilled, Swarm Markets will delete your data. Data that does not fall under storage obligations will be deleted immediately.
2.6. Application Process – Careers at Swarm Markets
The data subjects with regards to the application process at Swarm Markets are all applicants and candidates.
For the recruitment process we use the services of Greenhouse Software, Inc., 18 W 18th Street, 11th Floor New York, NY 10011 (hereinafter: “Greenhouse”). Greenhouse is a webservice implemented in the Swarm Markets Website. By submitting your application through the form in the career section of the Swarm Markets website, the entered personal data and uploaded documents are transmitted to Greenhouse. Greenhouse provides the career portal, where all applicant data can be stored, administered, and deleted according to data protection and security requirements. The collection and processing of your personal data for the recruitment as well as the transmission to Greenhouse is necessary to take steps at your request prior to entering into a contract, Art. 6 Para. 1 b) GDPR. Furthermore, it is Swarm Markets’s legitimate interest to facilitate recruitment and to ensure the data privacy by encrypted processing, Art. 6 Para. 1 f) GDPR.
We kindly ask for your understanding that due to data privacy reasons we cannot process applications received outside of Greenhouse.
2.6.1. Personal data of job applicants
If you apply for a position at Swarm Markets, we process your personal data to facilitate the entire job application procedure on the legal grounds of Art. 6 Para. 1 b) and f) GDPR. After the procedure we will delete your personal data as soon as possible, unless we have informed you that we require it for other purposes.
The following categories of personal data can be processed for the job application procedure:
- Any personal data that you provide through our job application form including, but not limited to: Full name, email address, phone number, location, resume/CV, cover letter, picture, degree, educational data, LinkedIn profile, visa information
- Statuses, notes and planning related to your job application, and
- Email communications.
We will store the application including the provided personal data in the recruitment process for a period of 6 months after the hiring decision for preventive reasons.
Under European data protection law, we are required to inform you that withholding personal data in your job application can give you a disadvantage in comparison to other candidates who are applying for the same role.
Information regarding the controller of the data can be found in section 1 of this policy. Information on how to exercise the rights of data subjects can be found in section 3 of this policy.
3. Your Rights Against the Controller / responsible party – Rights of data subjects
If your personal data is being processed, you are a data subject as defined by the GDPR. Consequently, you have the rights described in articles 15 to 21 GDPR in relation to the controller. In order to exercise your rights or to obtain further information on data protection regarding Swarm Markets GmbH, please contact our data protection officer by sending an e-mail to [email protected].
3.1. Right of Access
In accordance with article 15 GDPR, you have the right to request confirmation from the controller as to whether your personal data is being processed. If this is the case, you also have the right to receive free information regarding all your personal data being processed by Swarm Markets and the right to receive a copy of such personal data.
Additionally, in accordance with article 19 GDPR, you have the right to request from the controller information regarding the recipients to whom your personal data has been forwarded.
In accordance with article 16 GDPR, you have the right to request the rectification of your personal data if it is either incorrect or incomplete.
3.3. Deletion of stored data
If your request does not conflict with a legal obligation to retain data, you have the right to have your personal data deleted in accordance with article 17 GDPR. Your personal data stored with the controller will be deleted if such data is no longer needed for its intended purpose and is not subject to any statutory retention period. If the deletion cannot be carried out due to a legal obligation to retain such data, the processing of the personal data will be restricted, in which case the data shall be stored and not processed for any purpose. The deletion of your data implies that the services of Swarm Markets can no longer be used in full, or at all.
Swarm Markets is obliged to delete personal data immediately if the processing is not required and any of the following reasons applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- You have revoked your consent to processing and there is no other legal basis for processing;
- You have objected to the processing pursuant to article 21(1) GDPR and there is no overriding legitimate basis for the processing, or you have objected to the processing pursuant to article 21(2) GDPR;
- The personal data was processed unlawfully;
- The deletion of your personal data is required to fulfill a legal obligation under German or European law.
If Swarm Markets has made your personal data public and is required to delete it, we will take appropriate measures to inform our data processors who process your personal data of your request, so that, taking into account the available technology and implementation costs, they delete your personal data, links to or copies of such personal data. The measures are taken only to the extent that the processing is not required.
3.4. Restriction of Processing
In accordance with article 18 GDPR, you have the right to ask the controller to limit the processing of your personal data if one of the following conditions is met:
- You have contested the accuracy of the personal data. In this case the processing is restricted for a period of time which enables the controller to verify the accuracy of your personal data;
- The processing is unlawful, and you have opposed the deletion of personal data and instead requested a restriction on the use of your personal data;
- The controller no longer needs your personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of a legal claim;
- You have objected to the processing under article 21 (1) GDPR and the verification of whether the legitimate grounds of the controller override those of the data subject is still pending.
If the processing of personal data has been restricted in accordance with the conditions above, the processing of such data may only take place, with the exception of storage, with your consent or for the purpose of establishing, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the processing is restricted, Swarm Markets will notify you before the restriction is lifted.
3.5. Data Portability
You have the right, in accordance with article 20 GDPR, to receive your personal data which you have made available to the controller, in a structured, common and machine-readable format.
Additionally, you have the right to transfer your personal data by yourself or through us directly to another controller, as far as this is technically possible and the rights and freedoms of third parties are not affected.
3.6. Right to Object
In accordance with article 21 GDPR, you have the right to object at any time to the processing of your personal data which is based on points (e) or (f) of article 6.1 GDPR.
If you would like a correction, blocking, deletion or information regarding your personal data we store, or if you have questions regarding the collection, processing or use of your personal data, or if you wish to revoke your consent, please contact the data protection officer by sending an e-mail to: [email protected].
3.7. Revocation of your Consent
4. Submitting a Complaint to the Supervisory Authority
Finally, in accordance with article 77 GDPR, you have the right to file a complaint with the supervisory authority responsible for the controller:
Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstrasse 219, Visitors: Puttkamerstrasse 16-18, 10969 Berlin, Germany. Telephone: 030 13889-0. E-mail: [email protected]. Internet: www.datenschutz-berlin.de