Privacy policy

Preamble

isarlend GmbH, operator of the fulfin financing platform (“fulfin”, “we” or “us”), takes the protection of your personal data very seriously. This privacy policy informs you about our data protection practices within the framework of the General Data Protection Regulation (EU Regulation 2016/679; hereinafter “GDPR”). The GDPR obliges us to take additional measures to ensure the protection of your personal data (“data subject”) when processing it. This includes, but is not limited to, the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (Art. 13 and 14 GDPR). This privacy policy describes how fulfin processes your personal data.

1. general information

The company isarlend GmbH is the data controller responsible for the collection and processing of your personal data. Below you will find the contact details of the data controller

Company: isarlend GmbH
Address: Machtlfinger Straße 15, 81378 Munich, Germany
Name of the data protection officer: Dr Alfred Gruber
- E-mail: datenschutz@isarlend.com
- Telephone number: 089 21 52 73 00

2. collection of data via the website, cookies, newsletters, forms and other sources

Personal data is only collected if you provide it to us yourself. Apart from this, no personal data is collected. Any further processing of your personal data will only take place on the basis of your express consent.

2.1 Registration via the website

Our website www.fulfin.com offers optional user registration in order to use our services online. The data you provide in this registration form will only be used for the specific service for which you have registered. Basic information must be completed for a successful registration. We use your registered e-mail address to inform you about important changes to our services or offers.

Data concerned: Contact details (name, email address), access data

Purpose of processing: Provision of online access to the platform, communication about services

Legal basis: Contractual necessity (Art. 6 para. 1 lit. b GDPR)

Categories of recipients: Public authorities in the case of overriding legal provisions; external IT service providers and hosting providers (in particular Amazon Web Services)

Transfers to third countries: Data is processed on servers within the EU Data is only transferred to third countries on the basis of suitable guarantees (EU standard contractual clauses).

Duration of data storage: The user account and all associated data can be deleted by sending a corresponding message to datenschutz@isarlend.com. Statutory retention periods (generally up to 10 years in accordance with HGB, AO) remain unaffected.

2.2 Website log files

When you visit our websites, your browser transmits certain data to our web server for technical reasons. The following data is transmitted during an ongoing connection

Date and time of your enquiry
Name of the requested file
Page from which the file was requested
Access status (file transferred, file not found, etc.)
Type and version of the browser and operating system you are using
IP address of the requesting computer
Amount of data transferred

Processing purpose: Technical security, defence against attacks on our web server

Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR)

Categories of recipients: No transfer to third parties

Transfers to third countries: None

Duration of data storage: After 30 days at the latest, the data is anonymised by shortening the IP address at domain level so that a reference to the individual user can no longer be established. The anonymised data is processed for statistical purposes.

2.3 Enquiry form

Data concerned: Contact details (surname, first name, email address, telephone number); company-related data (company address, commercial register number, financial accounting data); financial information via a secure PSD2 connection (bank account data, transactions); marketing information (optional)

Purpose of processing: Carrying out the review and authorisation process for financing requests

Legal basis: Contractual necessity (Art. 6 para. 1 lit. b GDPR); consent for optional additional information (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Public authorities in the case of overriding legal provisions; external service providers for identity and credit checks (IDnow GmbH, Clarilab GmbH & Co. KG, Verein Creditreform München e.V., SCHUFA); PSD2 connection providers (Tink AB, fino run GmbH); financing partners, insofar as this is necessary for the provision of financing for regulatory reasons; other external bodies insofar as the data subject has given their consent or a transfer is permitted due to an overriding interest

Transfers to third countries: None

Duration of data storage: The user account and all associated data can be deleted by sending a corresponding message to datenschutz@isarlend.com Statutory retention periods (in particular HGB, AO, KWG, GwG) may require longer storage (generally up to 10 years).

2.4 Newsletter

When registering for our newsletter, you provide us with your e-mail address and optionally further information. We use this data exclusively for sending the newsletter. You can unsubscribe at any time using the link provided in the newsletter or by sending us a corresponding message. By unsubscribing, you revoke the use of your e-mail address.

We use your e-mail address, which we receive in connection with the sale of a product or service, exclusively for direct advertising in the form of our newsletter for similar products or services, provided you have not objected to its use.

Data concerned: Email address, optional further contact details

Purpose of processing: Sending the newsletter and direct advertising for our own similar services

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR) or legitimate interests in the case of existing customers (Section 7 para. 3 UWG)

Categories of recipients: Email dispatch service providers (Brevo/Sendinblue GmbH, Google Mail); no other disclosure

Transfers to third countries: Transfers to third countries by the email service providers used are possible; corresponding standard contractual clauses have been concluded.

Duration of data storage: Until you unsubscribe from the newsletter. After that, the data will be deleted, provided there are no statutory retention obligations.

2.5 Consent management – Cookiebot

To obtain and manage the consent of our website visitors to data processing, we use the consent management tool “Cookiebot” from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. It collects data generated by end users who use our website. When an end user gives their consent via the tool, the following data is automatically logged: the anonymised IP address (last three digits set to 0), date and time of consent, user agent of the browser, URL, an anonymous encrypted key and the consent status as proof of consent.

The key and the consent status are stored in the end user’s “cookie consent” cookie. This enables the website to automatically read and follow the consent on all subsequent page requests for up to 12 months.

Data concerned: Anonymised IP address, consent status, browser data, timestamp

Purpose of processing: Obtaining and documenting consent; fulfilment of legal obligations

Legal basis: Fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR)

Categories of recipients: Usercentrics A/S (processor)

Transfers to third countries: Processing generally on servers within the EU; transfer to third countries cannot be ruled out in individual cases and then takes place on the basis of suitable guarantees (EU standard contractual clauses)

Duration of data storage: 12 months (proof of consent); otherwise in accordance with statutory retention obligations.

2.6 Applications via the careers page or LinkedIn

This section explains how we collect, use and store your personal data when you apply for a job with us. We collect the data that you provide to us as part of your application. This may include:

Contact and communication data (e.g. name, email address, telephone number)
Application documents (e.g. CV, cover letter, references)
Notes taken during job interviews

Purpose of processing: Checking suitability for a position and making recruitment decisions

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation)

Categories of recipients: Only fulfin employees involved in the recruitment process; HR system Personio (Personio SE & Co. KG, Rundfunkplatz 4, 80335 Munich)

Transfers to third countries: When applying via LinkedIn: Data processing by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (no full control over scope and duration; further information in LinkedIn’s privacy policy). Otherwise: None.

Duration of data storage: Upon recruitment: Storage in the HR system for the duration of the employment relationship. In the event of rejection: Deletion after 6 months at the latest (Art. 6 para. 1 lit. f GDPR). Applicant pool (only with express consent): 2 years.

2.7 Communication by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, we store the content of your enquiry and the associated personal data (name, telephone number, enquiry details) in order to process your enquiry effectively.

Data concerned: Name, contact details, content of the enquiry

Purpose of processing: Processing of enquiries and communication

Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR); where applicable, performance of a contract (Art. 6 para. 1 lit. b GDPR)

Categories of recipients: No disclosure without your consent

Transfers to third countries: None

Duration of data storage: The data will be deleted as soon as the enquiry has been finally processed. Statutory retention obligations remain unaffected.

3. analysis tools and marketing services

The following services are used on the basis of the consent of website visitors (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time via our consent tool (Cookiebot) with effect for the future.

3.1 etracker

We use the web analysis service etracker (Erste Brunnenstraße 1, 20459 Hamburg, Germany) to customise our website. To record and analyse the use of our website, usage information is transmitted to our server and stored for analysis purposes. If you wish to prevent processing for analysis purposes, you can object at any time by clicking on the opt-out cookie.

Data concerned: Usage data (pages viewed, length of visit, click paths), anonymised IP address

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: etracker GmbH (processor)

Transfers to third countries: None (server within the EU/EEA)

Duration of data storage: Anonymisation of the IP address takes place immediately; anonymised analysis data is deleted after 13 months

3.2 Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses “cookies” to help the website analyse how users use the site. This website only uses Google Analytics with prior consent and with shortened IP addresses in order to exclude direct personal references.

Data concerned: Usage data (pages viewed, length of visit, click paths), anonymised IP address, device and browser information

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Google Ireland Limited (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses. All data collection and processing for users in the EU takes place on servers within the EU

Duration of data storage: Raw data is automatically deleted after 14 months.

3.3 Google Ads Conversion Tracking

This website uses Google Ads Conversion Tracking from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, based on the consent of website visitors. This can be used to measure actions that users take after clicking on a Google advert on our website.

Data concerned: Conversion data, cookie identifiers, usage data

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Google Ireland Limited (processor); Google may transfer data to third parties where required to do so by law

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Conversion data is deleted after 90 days.

3.4 Google Tag Manager

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to integrate and manage various tools and applications on the website. Google Tag Manager only collects and transmits data to the associated tools without accessing the data itself. If you have not consented to the use of any tool, Google Tag Manager will not be used.

Data concerned: No own data collection; management and forwarding of the data of the integrated tools

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR) – insofar as tools are integrated to which you have consented

Categories of recipients: Google Ireland Limited; data is forwarded to the respective integrated tools

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: No own data storage by the Tag Manager.

3.5 Meta Pixel

This website uses Facebook Pixel, a web analysis service of Meta Platforms Ireland Limited (“Meta”), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, based on the consent of website visitors. Meta Pixel uses cookies that enable your use of the website to be analysed. With the help of Facebook Pixel cookies, your user data is matched with your Facebook account data and later used for adverts. The data collected is anonymous to us.

Data concerned: Cookie data, anonymised usage data, conversion events

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Meta Platforms Ireland Limited (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Conversion data is deleted after 180 days.

3.6 LinkedIn Pixel (Insight Tag)

This website uses the LinkedIn Insight Tag of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, based on the consent of website visitors. The LinkedIn Insight Tag uses cookies to collect data about your visit to our website and to measure the effectiveness of our LinkedIn campaigns. LinkedIn does not share any personal data with us, but only provides summarised reports.

Data concerned: URL, referrer URL, anonymised IP address, device and browser characteristics, timestamp

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: LinkedIn Ireland Unlimited Company (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Anonymisation after 7 days; anonymised data is deleted after 90 days.

3.7 Bing/Microsoft Ads (UET)

This website uses Universal Event Tracking (UET) from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, based on the consent of website visitors. The UET tag sets a cookie on your device to enable the collection of certain usage data when you visit our website and to measure the effectiveness of our Bing Ads campaigns.

Data concerned: IP address, browser type, pages viewed, conversion data

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Microsoft Ireland Operations Limited (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Conversion data is deleted after 180 days

3.8 Microsoft Clarity

This website uses Microsoft Clarity, a web analysis tool from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, based on the consent of website visitors. Microsoft Clarity enables the recording of user sessions (session recordings) and the creation of heat maps. Microsoft Clarity does not collect any sensitive input data (e.g. passwords or payment data).

Data concerned: Mouse movements, clicks, scrolling behaviour, anonymised IP address, browser and device information

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Microsoft Ireland Operations Limited (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Session recordings are deleted after 30 days.

3.9 PostHog

This website uses PostHog, a product analysis platform of PostHog Ltd, 20-22 Wenlock Road, London N1 7GU, United Kingdom, based on the consent of website visitors. PostHog enables the analysis of user behaviour on our website, including page views, click events and session recordings. PostHog is hosted in the EU.

Data concerned: Anonymised IP address, browser and device information, user behaviour (clicks, page views), session recordings

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: PostHog Ltd (processor)

Transfers to third countries: Hosting in the EU; a transfer to third countries cannot be completely ruled out

Duration of data storage: Session recordings are deleted after 30 days.

3.10 Amazon Advertising

Based on the consent of website visitors, this website uses tracking pixels and cookies from Amazon Advertising, a service of Amazon Online Germany GmbH, Marcel-Breuer-Str. 12, 80807 Munich, Germany. Amazon Advertising uses cookies to measure the effectiveness of our advertising campaigns on the Amazon platform and to enable targeted advertising.

Data concerned: IP address, browser type, pages viewed, conversion data

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Amazon Online Germany GmbH / Amazon Web Services (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Conversion data is deleted after 90 days.

3.11 OpenAI

This website uses services of OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, based on the consent of website visitors. OpenAI provides AI-supported functions for processing and generating texts. During use, content entered by you (e.g. text entries, questions) and technical usage data (e.g. IP address, time of enquiry, device type) may be transmitted.

Data concerned: Content entered (texts, questions), technical usage data (IP address, timestamp, device type)

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: OpenAI Ireland Ltd (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: Inputs are not stored permanently by default; for details, see OpenAI’s privacy policy

3.12 YouTube

We use the YouTube video embedding function of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, on our website on the basis of consent. The function usually displays videos stored on YouTube in an iFrame on the website. The “Extended data protection mode” option is activated. This means that YouTube does not store any information about visitors to the website. Only when you decide to watch a video is information about it transmitted to YouTube and stored there.

Data concerned: Usage data (videos viewed, interactions), IP address, device and browser information (only after activation of the video)

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

Categories of recipients: Google Ireland Limited (processor)

Transfers to third countries: Data transfer to the USA possible; protection through EU standard contractual clauses

Duration of data storage: In accordance with the Google/YouTube privacy policy; for details see: https://policies.google.com/privacy

4. data processing

To ensure a responsible lending process, we carry out essential checks to comply with legal requirements. This includes the processing of your data for credit checks, identity verification and the prevention of fraud or money laundering. In accordance with Art. 6 para. 1 sentence 1 GDPR, fulfin only processes your personal data if there is a lawful basis for doing so:

Consent: you have clearly consented to the processing of your data for a specific purpose (e.g. verification of credit applications).
Contractual necessity: Your data is necessary to fulfil our obligations arising from a contract with you (e.g. processing submitted credit applications).
Legal obligation: We are legally obliged to process your data (e.g. tax regulations, GwG, KWG).
Important interests: Processing is necessary to protect interests (e.g. fraud prevention).
Legitimate interests: We have a justifiable business reason to process your data which is balanced against your data protection rights (e.g. improving our services).

To protect the transmission of confidential content, fulfin uses SSL/TLS encryption on its website. fulfin employs robust technical controls, including encryption and multi-factor authentication. Data transfers to third countries outside the EU/EEA are only made on the basis of appropriate safeguards (in particular EU standard contractual clauses) or your express consent.

5. knowledge of your data protection rights

We take your data protection rights seriously. You have the following rights in relation to your personal data:

Right to confirmation: you can confirm whether we are authorised to process your personal data.
Right of access (Art. 15 GDPR): You can request a free copy of the personal information we hold about you, together with details of how we use it.
Right to rectification (Art. 16 GDPR): Have inaccurate or incomplete personal data corrected.
Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data in certain circumstances (“right to be forgotten”).
Right to restriction of processing (Art. 18 GDPR): Restrict the processing of your data in certain situations.
Right to data portability (Art. 20 GDPR): You can request your personal data in a transferable format.
Right to object (Art. 21 GDPR): Object to the processing of your data on certain grounds, including profiling.
Right to withdraw consent: Withdraw your consent to the processing of your data at any time.
Right to lodge a complaint: lodge a complaint with a data protection authority if you believe that we have not handled your data correctly.

6 Further information and contact

In addition, you can assert your rights to information, rectification or erasure or to restriction of processing or to exercise your right to object to processing as well as the right to data portability at any time. You can contact us by e-mail or letter here. You also have the right to contact the data protection supervisory authority if you have a complaint.

Data Protection Officer: Dr Alfred Gruber Email: datenschutz@isarlend.com Post: isarlend GmbH, Machtlfinger Straße 15, 81379 Munich, Germany

In order to keep our privacy policy up to date and to reflect any necessary changes, we may update it from time to time. We will clearly highlight the date of the update on this page. We recommend that you check this page regularly to stay informed.