Privacy Policy

Preamble

isarlend GmbH, operator of the fulfin liquidity platform (“fulfin”, “we” or “us”), takes the protection of your personal data very seriously. This privacy policy informs you about our data protection practices within the framework of the General Data Protection Regulation (EU Regulation 2016/679; hereinafter “GDPR”). The GDPR obliges us to take additional measures to protect your personal data when we process it; as the person whose data is processed, you are the “data subject”. This includes, but is not limited to, the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (Art. 13 and 14 GDPR). This Privacy Policy describes how fulfin processes your personal data.

Definitions of Terms

This privacy policy is based on the basic definitions of the General Data Protection Regulation (Art. 4 GDPR). Here is an overview of some important terms:

  • Personal data: This refers to any information that can be used to directly or indirectly identify an individual. This includes details such as name, identification number, online identifiers, location data and information relating to the physical, physiological, genetic, psychological, economic, cultural or social identity of a person. Information that is linked to other data or additional knowledge can also be considered personal data. Photos, videos and audio recordings may also contain personal data.
  • Processing: This includes any activity performed with personal data, whether automated or manual. Processing encompasses the collection, recording, organization, storage, adaptation, reading, retrieval, use, disclosure, alignment, combination, restriction, deletion, or destruction of personal data. This also includes any change in the original purpose for which the data was collected.
  • Processor: This refers to a person or organization that processes personal data on behalf of the controller and according to their instructions. IT service providers are a common example of processors. Under data protection law, processors are not considered third parties.
  • Controller: This refers to the organization (or individual) that decides how and why personal data is processed. In our case, isarlend GmbH acts as the controller for your personal data.
  • Third party: This refers to any person or organization other than you (the data subject), the controller, the processor, and any other person who is authorized to process personal data under the direct responsibility of the controller or processor. This can also include other affiliated companies.
  • Consent: This means your voluntary, informed, and unambiguous agreement to the processing of your personal data. You may give consent through a statement or a clear affirmative action.

1. General Information

The company isarlend GmbH is the data controller responsible for collecting and processing your personal data. Below you will find the contact details of the controller.

Company: isarlend GmbH
Address: Machtlfinger Straße 9, 81378 Munich
Data Protection Officer: Mr. Samarth Mehrotra
Email: datenschutz@isarlend.com
Phone number: 089 215375920

2. Data Collection

We take your privacy seriously and only collect the data necessary to provide our services.

What information do we collect and how do we use it?

Personal data is only collected when you voluntarily provide it to us. Apart from that, no personal data is collected. Any further processing of your personal data is carried out only on the basis of your explicit consent. Here is an overview of the information we collect and its source:

2.1 Registration via Website

Our website https://www.fulfin.com/ offers optional user registration to use our services online. The data you provide in this registration form will be used only for the specific service you signed up for. Basic information is required for successful registration. We use your registered email address to inform you of important changes to our services or offers.

2.2 Website Log Files

When you visit our websites, your browser automatically transmits certain data to our web server for technical reasons. During an ongoing connection between your browser and our web server, the following data is transmitted:

For technical security reasons, especially to prevent attacks on our web server, we store this data for a short period. It is not possible to identify individual persons based on this data. After no more than 30 days, the data is anonymized by shortening the IP address at the domain level, so that a reference to an individual user is no longer possible. The anonymized data is also processed for statistical purposes. We do not compare this data with data in other databases and do not pass it on to third parties, not even in excerpts.

2.3 Loan Request Form

Data concerned:

  • Contact details (last name, first name, email address, phone number)
  • Company data (company address, commercial register number, accounting data)
  • Financial information via a secure PSD2 connection (bank account details, transactions)
  • Marketing information (optional)

Purpose of processing: Conducting the loan request review and approval process

Legal basis: Contractual necessity (Art. 6 para. 1 lit. b GDPR); where applicable, consent for optional additional information (Art. 6 para. 1 lit. a GDPR)

Categories of recipients:

  • Public authorities if required by law
  • External service providers, including but not limited to data processing, identity verification, and credit checks (Creditreform, fino, IDnow, SCHUFA)
  • Other external parties, provided the data subject has given consent or the transfer is permissible due to overriding interests

Transfers to third countries: None

Data retention period: The user account and all associated data can be deleted by sending a request to our email address (see imprint).

2.4 Newsletter

When you sign up for our newsletter, you provide us with your email address and optionally other information. We use this data solely to send the newsletter. We store the data you provide in your newsletter registration until you cancel your subscription. You can unsubscribe at any time via the link provided in the newsletter or by notifying us directly. By unsubscribing, you withdraw your consent to use your email address.

We use your email address, which we received in connection with the sale of a product or service, exclusively for direct advertising in the form of our newsletter for similar products or services, unless you have objected to the use of your email address. You can object to the use of your email address at any time without incurring any costs other than the transmission costs according to the basic rates. You can notify us of your objection (and thus unsubscribe from our newsletter) by sending a message to our email address (see imprint).

2.5 Cookies and Cookiebot

Our website uses cookies to store the settings required to display the contents of this website (cookies are data records sent from the web server to the user’s browser and stored there for later retrieval). Our cookies do not store any personal data. You can generally prevent the use of cookies by configuring your browser not to store cookies.

To collect and manage user consent for data processing, we use the consent management tool “Cookiebot”. It collects data generated by end users using our website. When a user gives consent via the cookie consent tool, the following data is automatically logged by Cookiebot: the anonymized IP address of the user (last three digits set to 0), date and time of consent, browser user agent, URL from which the consent was submitted, an anonymous encrypted key, and the consent status used as proof of consent.

The key and consent status are also stored in the user’s “CookieConsent” cookie. This allows the website to automatically read and comply with the user’s consent during future visits and page requests for up to 12 months. The key is used to ensure proof of consent and provide a verification option to check whether the consent status stored in the browser is unchanged from the original consent.

2.6 Applications via Career Page or LinkedIn

This section explains how we collect, use, and store your personal data when you apply for a job with us.

We collect the personal data you provide to us as part of your application. This may include:

  • Contact and communication data (e.g. name, email address, phone number)
  • Application documents (e.g. resume, cover letter, references)
  • Notes taken during interviews

We use your data to assess your suitability for a position and make informed hiring decisions. The legal basis for this processing is:

  • § 26 BDSG (initiation of an employment relationship) under German law
  • Art. 6 para. 1 lit. b GDPR (general contract negotiations)

We may also obtain your consent to use your data for other purposes, e.g. to include you in our applicant pool. You can revoke your consent at any time. Only fulfin employees involved in the hiring process have access to your application data.

Application via Website

You can apply through the career page on the fulfin website, which integrates the Personio HR system. For more information, see Personio’s imprint at https://www.personio.com/legal-notice/ and their privacy policy at https://www.personio.com/privacy-policy/.

Application via LinkedIn

You can also apply via LinkedIn. By clicking the “Apply via LinkedIn” button, a connection to LinkedIn’s servers is established. LinkedIn Corporation’s address is 2029 Stierlin Court, Mountain View, California 94043, USA. We do not control LinkedIn’s data collection and processing and do not have complete information about the extent of data collection, purposes of processing, or retention periods. For details, see LinkedIn’s privacy policy at http://www.linkedin.com/legal/privacy-policy. If you confirm that LinkedIn should send your data to us, LinkedIn provides the data stored on their platform. This data is then transferred to our HR system Personio.

What happens to your data after the application process?

  • If you are hired: We store your data in our HR system to manage your employment relationship.
  • If you are not hired: We may store your data for up to 6 months based on our legitimate interests (e.g. legal disputes) according to Art. 6 para. 1 lit. f GDPR. Afterwards, your data will be deleted.

We offer interested candidates an applicant pool. Joining is entirely voluntary and separate from your current application. We will include you only with your explicit consent (Art. 6 para. 1 lit. a GDPR). You can withdraw your consent at any time and your data will be deleted unless legal requirements prevent this. Data in the applicant pool is deleted after two years.

2.7 Social Media Pages

We do not integrate social media plugins on our website. The icons for social media platforms such as Facebook, LinkedIn, YouTube, or X (formerly Twitter) you see on our website are merely hyperlinks that take you to our company and staff profiles on the respective platforms. This means we do not transmit or collect any of your personal data through our website on these platforms.

2.8 YouTube

We use the YouTube video embedding function of Google Ireland Limited (“Google”) on our website based on consent. This function usually displays videos stored on YouTube in an iFrame on the website. The “enhanced privacy mode” option is enabled, meaning YouTube does not store any information about website visitors. Only when you choose to watch a video is information transmitted to YouTube and stored there. Your data may be transferred to the USA. You may withdraw your consent at any time.

2.9 Communication via Email, Phone, or Fax

If you contact us via email, phone, or fax, we store your inquiry and the associated personal data (name, phone number, inquiry details) and use it for the intended purpose of handling your request effectively. We will not share this information for other purposes without your permission.

3. Analytics Tools

3.1 etracker

To tailor our website to your needs, we use the tool etracker. This is a so-called web analytics service. In order to collect and analyze usage of our website, usage information is transmitted to our server and stored for analytical purposes. Your IP address is processed only in a shortened form for this purpose and thereby anonymized. If you wish to prevent processing for analytical purposes, you can object at any time by clicking. In this case, an opt-out cookie without usage data will be stored in your browser, which prevents etracker from collecting session data. Please note: if you delete your cookies, the opt-out cookie will also be deleted and may need to be reactivated by you. Please let us know if you do not want your visit to continue being tracked: marketing@isarlend.com.

3.2 Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”) based on the consent of website visitors. Google Analytics uses so-called “cookies,” text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually also transmitted to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to the website operator. We point out that this website uses Google Analytics only after prior consent and only with IP addresses in shortened form, to prevent any direct personal identification. The latest version of Google Analytics does not store individual IP addresses. It may use them for approximate location data (country) but discards them immediately, especially for users in the EU. All data collection and processing for users in the EU take place on servers within the EU. While IP addresses are used for approximate location data, Google Analytics 4 provides controls to disable the collection of more precise location data.

3.3 Google Ads Conversion Tracking

This website uses Google Ads Conversion Tracking, a web analytics service provided by Google Ireland Limited (“Google”) based on the consent of website visitors. Google Ads Conversion Tracking uses “cookies,” text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is transmitted to a Google server in the USA and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for the website operator, and provide other services related to website and internet usage. Google may also transfer this information to third parties if required by law or if third parties process this data on behalf of Google.

3.4 Google Tag Manager

We use Google Tag Manager by Google LLC (“Google”) on our website, which can be used to integrate and manage various tools and applications on the website. Google Tag Manager collects and transmits data only to the associated tools without accessing the data itself. Therefore, if you have consented to the use of a specific tool linked to Google Tag Manager, that tool will be used and data may be transferred to Google servers, including those in the USA as a third country. If you have not consented to the use of a tool, Google Tag Manager will not be used.

4. Data Processing

To ensure a responsible credit issuance process, we conduct several essential checks to comply with legal requirements. This includes processing your data for creditworthiness checks, identity verification, and the prevention of fraud or money laundering. In accordance with Art. 6 (1) Sentence 1 GDPR, fulfin processes your personal data only when there is a lawful basis for doing so. Here is an overview of the legal grounds we rely on:

  • Consent: You have clearly agreed to the processing of your data for a specific purpose (e.g., review of loan applications).
  • Contractual necessity: Your data is required to fulfill our obligations under a contract with you (e.g., processing submitted loan applications).
  • Legal obligation: We are legally required to process your data (e.g., tax regulations).
  • Vital interests: Processing is necessary to protect your vital interests or those of another person (e.g., fraud prevention).
  • Legitimate interests: We have a legitimate business reason to process your data, which is balanced against your data protection rights (e.g., improving our services and product offerings).

We will always specify the relevant legal basis for the processing of your data in each specific situation.

5. Data Retention and Storage

We delete your personal data when it is no longer needed. We take data retention seriously and only keep your information for as long as necessary. Here’s how it works:

  • Purpose-based: We delete your data when it is no longer needed for the original purpose. This may be after processing your loan application, fulfilling your contract, or responding to your inquiry.
  • Objection: We delete your data if you object to its use. You have the right to object to the use of your data, and if you do so, we will delete it unless there is a legal reason to retain it (see below).

Exceptions: There are situations where we may need to retain your data even after the original purpose has expired. These include:

  • Legal requirements: German laws such as the Commercial Code, Fiscal Code, Banking Act, and Anti-Money Laundering Act require us to retain certain data for specific periods (generally 2–10 years).
  • Preservation of evidence: We may need to retain your data for legal disputes. Depending on the case, this can be for 3 years (standard) or up to 10 years (in special situations).

We are committed to being transparent about how we handle your data. For more details on retention periods and your rights, please refer to this privacy policy.

6. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. At fulfin, the protection of your personal data is a top priority. We understand the sensitivity of the information you entrust to us and have established comprehensive protocols to ensure its security.

Personal data is used to assess creditworthiness, ensure IT security, improve services, and manage legal matters. This includes exchanging information with credit agencies (e.g., SCHUFA) to assess credit risks and defaults, securing our IT infrastructure against threats, enhancing our service offerings, and managing legal challenges. Each of these processes is designed to align business efficiency with strict data protection standards.

To protect the transmission of confidential content such as loan applications or financial data, fulfin uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption on its website. You can recognize an encrypted connection by the browser address changing from “http://” to “https://” and a lock icon being displayed. This encryption ensures that data transmitted between you and us is secure and cannot be read by unauthorized third parties.

fulfin also complies with GDPR regulations by conducting document exchanges via fully secured platforms to prevent fraud and unauthorized access. Compliance with the GDPR not only fulfills legal requirements but also underscores our commitment to protecting your privacy and data rights. Our platform avoids using insecure communication channels, such as email, for sensitive documents, which significantly reduces the risk of data breaches.

These measures protect against accidental or intentional manipulation, loss, destruction, or unauthorized access by third parties. We consider the latest technology, implementation costs, and the nature, scope, and purpose of data processing when implementing these security measures. This thorough evaluation ensures that our security practices are both effective and efficient and tailored to the specific needs of our business processes.

Hosting on accredited AWS services and conducting external penetration tests further ensure security. By leveraging the reliability and security of AWS, fulfin benefits from a robust infrastructure that is regularly audited and certified. External penetration tests, conducted by independent security experts, identify potential vulnerabilities before they can be exploited, allowing us to proactively improve our defenses.

fulfin employs robust technical controls, including encryption and multi-factor authentication, and maintains a comprehensive security program that includes organizational policies, training, and incident response procedures. Our encryption protocols protect data at rest and in transit, while multi-factor authentication adds an additional layer of security for access to sensitive systems. We have detailed data protection policies, conduct regular training to inform our staff about security best practices, and have procedures in place to respond quickly to security incidents.

7. Data Transfers

We take measures to protect your data even when it is transferred to third parties or to countries outside the European Union (EU) and the European Economic Area (EEA), in accordance with Article 6(1) GDPR. These measures include standard contractual clauses approved by the European Commission and, in some cases, transfer impact assessments. Additionally, we may obtain your explicit consent for data transfers to specific third countries. This policy does not apply to transfers to countries deemed safe by the European Commission.

fulfin will only share your personal data with third parties under strict conditions:

  • With your consent: You have expressly agreed to the data sharing for a specific purpose.
  • For our legitimate interests: The sharing is necessary for our legitimate business purposes, and your data protection rights are not overridden.
  • Legal obligations: We are legally required to disclose your data.
  • Contract performance: The sharing is necessary to fulfill our contractual obligations to you.

8. Information About Other Data Processing Activities

The following partner companies help us provide the services you use and need to process your data for this purpose. We share as little information as possible and, wherever possible, encrypt the data and/or ensure that the recipient cannot identify you (e.g., by using a user ID instead of your name).

  • Our fronting issuing bank partners in Europe
  • Certified and trusted PSD2 connectivity providers such as Tink AB and fino run GmbH
  • KYC and AML service providers who help us verify identities or check for fraud, such as IDnow GmbH
  • Cloud computing service and storage providers such as Amazon Web Services Inc. (AWS)
  • Our business intelligence and marketing analytics platform provider, such as Supermetrics Group
  • Software providers we use to send emails, such as Brevo (Sendinblue GmbH) and Google Mail
  • Service providers who assist us with customer service and operational support
  • Software for managing the sales process, contract management, and other credit operations such as Pipedrive OÜ
  • Companies offering benefits or rewards through special programs you sign up for via our newsletter, e.g., Hood Media GmbH, IBAN FIRST SA, and others
  • Individuals acting on your behalf, such as lawyers
  • Authorities investigating and combating financial crime, money laundering, terrorism, and tax evasion, when required by law or other necessary reasons
  • The police, courts, or dispute resolution bodies, when we are obliged to
  • Other banks to track funds if you have been the victim of fraud or other crimes, or if there is a dispute over a payment

  • Other third parties, as required to fulfill our legal obligations

9. Understanding Your Data Protection Rights

We take your data protection rights seriously. You have certain rights regarding your personal information that we store. Here is an overview of those rights:

  1. Right to confirmation: You can ask whether we are processing your personal data.
  2. Right of access (Art. 15 GDPR): You can request a free copy of the personal data we store, along with details about how it is used.
  3. Right to rectification (Art. 16 GDPR): You can have inaccurate or incomplete personal data corrected.
  4. Right to erasure (Art. 17 GDPR) (“Right to be forgotten”): You can request the deletion of your personal data under certain circumstances.
  5. Right to restrict processing (Art. 18 GDPR): You can limit the processing of your data in certain situations.
  6. Right to data portability (Art. 20 GDPR): You can request your personal data in a transferable format to move it to another service provider.
  7. Right to object (Art. 21 GDPR): You can object to the processing of your data for specific reasons, including profiling based on your situation.
  8. Right to withdraw consent: You can withdraw your consent to data processing at any time.
  9. Right to lodge a complaint: You can file a complaint with a data protection authority if you believe we have mishandled your data.

10. Further Information and Contacts

You may also exercise your rights to rectification or erasure, restriction of processing, objection to processing, and data portability at any time. You can contact our Data Protection Officer, Mr. Samarth Mehrotra (Chief Data Officer), by email at datenschutz@isarlend.com or by mail at isarlend GmbH, Machtlfinger Straße 9, 81379 Munich, Germany. You also have the right to contact the data protection supervisory authority in case of complaints.

To keep our privacy policy up to date and reflect necessary changes, we may update it from time to time. We will clearly highlight the date of the update on this page. We recommend checking this page regularly to stay informed.

Effective date: July 16, 2024

Provider and Controller

The controller within the meaning of the General Data Protection Regulation (“GDPR”) and other national data protection laws of the Member States as well as other data protection regulations is:

isarlend GmbH
Machtlfinger Straße
81379 Munich
Germany

Email: datenschutz@fulfin.com

Represented by:
Dr. Alfred Gruber and Peer Simon

External Data Protection Service Provider:

Dr. Sebastian Kraska
IITR Datenschutz GmbH

Data Protection Officer:
Samarth Mehrotra

If you have any questions regarding our privacy policy, please contact us by email at datenschutz@isarlend.com.