Privacy Policy

Preamble

We at isarlend GmbH, operator of the liquidity platform fulfin (“fulfin,” “we,” or “us”), take the protection of your personal data very seriously. This Privacy Policy informs you about our data protection practices within the framework of the General Data Protection Regulation (EU Regulation 2016/679; hereinafter, “GDPR”). The GDPR places additional obligations on us to ensure the protection of your personal data whenever we process it (you being the “data subject”). This includes, but is not limited to, the obligation to transparently inform you about the nature, scope, purpose, duration, and legal basis of such processing (GDPR Articles 13 and 14). This Privacy Policy (“Notice”) outlines how fulfin processes your personal data.

Understanding the Terminology

This privacy notice is based on key definitions outlined in the General Data Protection Regulation (Art. 4 GDPR). Here’s a breakdown of some important terms:

 

        • Personal Data: This refers to any information that can be used to directly or indirectly identify a person. This includes details like name, ID number, online identifiers, location data, and information related to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. Even information linked to other data or additional knowledge can be considered personal data. Photos, videos, and audio recordings can also contain personal data.
        • Processing: This covers any activity involving personal data, whether automated or manual. Processing includes collecting, recording, organizing, storing, modifying, retrieving, consulting, using, disclosing, aligning, combining, restricting, erasing, or destroying personal data. It also encompasses changes to the purpose for which data was originally collected.
        • Processor: This refers to a person or organization that processes personal data on behalf of the controller, following the controller’s instructions. IT service providers are a common example of processors. Under data protection law, processors are not considered third parties.
        • Controller: This refers to the organization (or individual) that determines how and why personal data is processed. In our case, isarlend GmbH acts as the controller for your personal data.
        • Third Party: This refers to any person or organization other than you (the data subject), the controller, the processor, and any authorized individuals processing data under the controller or processor’s direct responsibility. This can also include other affiliated companies.
        • Consent: This means your voluntary, informed, and unambiguous agreement to the processing of your personal data. You can provide consent through a statement or a clear confirmatory action.

1. General Information

isarlend GmbH is the data controller responsible for the collection and processing of your personal data.

 

The controller’s contact information is listed below.

 

        • Company: isarlend GmbH
        • Address: Machtlfinger Straße 9, 81378 München
        • Name of the Data Protection Officer: Samarth Mehrotra

 

2. Recording of Data

We take your privacy seriously and only collect the data we need to provide our services.

 

What information do we collect and how do we use it?

 

Personal data is only collected if you communicate it to us yourself. Apart from that, no personal data is collected. Any processing of your personal data that goes beyond the scope of the statutory permission is only possible on the basis of your express consent.

Here’s a breakdown of the information we collect and where it comes from:

2.1 Registering via Website

Our www.fulfin.com website offers optional user registration to obtain our services online. The data you provide on this registration form will only be used for the specific service you signed up for. Basic information must be filled in for successful signup. We’ll use your registered email address to inform you about important changes to our services or offerings.

2.2 Website Log Files

When you visit our websites, your browser transmits certain data to our web server for technical reasons. The following data are recorded during an ongoing connection for communication between your internet browser and our web server:

 

        • Date and time of your request
        • Name of the requested file
        • Page from which the file was requested
        • Access status (file transferred, file not found, etc.)
        • Type and version of the browser and the operating system you use
        • Full IP address of the requesting computer
        • Quantity of data transferred

 

For technical security, in particular to prevent attacks on our web server, we store these data for a short period of time. It is impossible to discern the identity of individual persons based on this data. After 30 days at the latest, the data is anonymized by shortening the IP address at the domain level, so that it is no longer possible to establish any reference to the individual user. The anonymized data will also be processed for statistical purposes. We don’t compare any data to data in other databases or forward them to third parties, even in excerpts.

2.3 Loan Application Form

Affected data:

        • Contact details (surname, first name, e-mail address, telephone number)
        • Company-related data (company address, business register number, financial accounting data)
        • Financial info via secure PSD2 connection (bank account details, transactions)
        • Marketing information (optional)

 

Processing Purpose:

Carrying out the loan application review and approval process

 

Legal basis:

Contractual necessity (Art. 6 para. 1 lit. b GDPR), if necessary, consent for optional additional information (Art. 6 para. 1 lit. a GDPR)

 

Categories of recipients:

Public authorities in the event of priority legislation.

External service providers, including but not limited to data processing, identity verification, and credit checks (Creditreform, fino, IDnow, SCHUFA).

Other external bodies in so far as the data subject has given his consent or a transmission is permitted due to a prevailing interest.

 

Third-country transfers:

None

 

Duration of data storage:

The user account itself can be deleted by sending a corresponding message to our email address (see imprint).

2.4 Newsletter

When registering for our newsletter, you provide us with your email address and, on an optional basis, other information. We use this data solely for the purpose of sending you the newsletter. We retain the data that you disclose in your newsletter application until you cancel your subscription to our newsletter. You can unsubscribe at any time via the link in the newsletter intended for this purpose, or by sending us the appropriate notification. By unsubscribing, you revoke the use of your email address.

 

We also use your email address, which we receive in connection with the sale of a product or service, exclusively for direct advertising in the form of our newsletter for products or services that we sell that are similar to the ones you ordered, provided that you have not objected to having your email used in this way. You may object to the use of your email address at any time without incurring any costs other than the transmission costs according to the basic rates. Your objection (and thus the cancellation of our newsletter) can be communicated by sending the appropriate message to our email address (see the Legal Notice).

2.5 Cookies and Cookiebot

The website uses its own cookies to store the settings required to display the content of this website (cookies are data records sent by the web server to the user’s browser, where they are stored for later retrieval). Our cookies do not store any personal data. You can prevent the use of cookies in general if you prohibit your browser from storing cookies.

 

To obtain and manage the consent of our website visitors for data processing, we use the Consent Management Tool “Cookiebot”. It collects data generated by end users who use our website. When an end user gives their consent through the cookie consent tool, the following data is automatically logged in Cookiebot: the anonymized IP address of the end user (the last three digits are set to 0), the date and time of consent, the user agent of the end user’s browser, the URL from which the consent was sent, an anonymous, random, and encrypted key, and the end user’s consent status, which serves as proof of consent.

 

The key and consent status are also stored in the end user’s browser in the “CookieConsent” cookie. This allows the website to automatically read and follow the end user’s consent for all subsequent page requests and future end user sessions for up to 12 months. The key is used to ensure proof of consent and to provide an option to check whether the consent status stored in the end user’s browser is unchanged compared to the original consent.

2.6 Job Applications submitted via Career Page or LinkedIn

This section explains how we collect, use, and store your personal data when you submit a job application to us.

 

We collect the personal data you provide us when you apply for a job. This may include:

 

        • Contact and communication data (e.g., name, email address, phone number)
        • Application documents (e.g., resume, CV, cover letter, references)
        • Notes taken during job interviews

 

We use your data to assess your suitability for a position and make informed hiring decisions. The legal basis for this processing is:

 

        • Section 26 of the New GDPR (Negotiation of an Employment Relationship) according to German Law
        • Article 6(1)(b) GDPR (General Contract Negotiations)

 

We may also request your consent to use your data for other purposes, such as including you in our applicant pool. You can withdraw your consent at any time. Only the fulfin employees involved in the recruitment process will have access to your application data.

 

Applying via Website

 

You can apply through the Careers page on the fulfin website, which is integrated with the HR system Personio. For more information, please refer to Personio’s legal notice at https://www.personio.com/legal-notice/ and its privacy policy at https://www.personio.com/privacy-policy/.

 

Applying via LinkedIn

 

You also have the option to apply via LinkedIn. By clicking the “Apply via LinkedIn” button, a connection to LinkedIn’s servers will be established. LinkedIn Corporation’s address is 2029 Stierlin Court, Mountain View, California 94043, USA. We do not control the data collection and processing by LinkedIn, nor do we have complete information about the data collection scope, processing purposes, or storage periods. For more details, refer to the LinkedIn privacy policy detailed on http://www.linkedin.com/legal/privacy-policy. If you confirm that LinkedIn should transfer your data to us, LinkedIn will provide us with the information you have stored on their platform. This data will then be entered into our HR system Personio.

 

What happens to your data after the application process?

 

        • If you are hired: We will store your data in our HR system to manage your employment relationship.
        • If you are not hired: We may retain your data for up to 6 months based on our legitimate interests (e.g., legal disputes) according to Article 6(1)(f) GDPR. After that, your data will be deleted securely.

 

We offer an applicant pool for interested candidates. Joining is entirely voluntary and separate from your current application. We will only add you to the pool with your explicit consent (Article 6(1)(a) GDPR). You can revoke your consent at any time, and your data will be deleted unless legal requirements prevent it. Data in the applicant pool is deleted after two years.

2.7 Social Media Pages

We do not integrate social media plugins on our website. While you might see icons for social media platforms like Facebook, LinkedIn, YouTube, or X (formerly Twitter), these are simply hyperlinks that direct you to the company profile pages on the respective social media applications. This means we do not collect or transmit any of your personal data to these social media platforms through our website.

2.8 YouTube

We use the YouTube video embedding feature of Google Ireland Limited (“Google”) on our website on the basis of consent. The feature usually displays videos stored on YouTube in an iFrame on the website. The “Enhanced Privacy Mode” option is activated. As a result, YouTube does not store any information about website visitors. Only when you decide to watch a video is information about it transmitted to YouTube and stored there. Your data may be transmitted to the USA. You have the option to revoke your consent at any time.

2.9 Email, Phone, or Fax Communication

When you contact us by email, phone, or fax, we store your request and related personal data (name, phone number, inquiry details) and use it for the intended purposes and to handle your inquiry effectively. We won’t share this information for any other reasons without your permission.

3. Analytical Tools

3.1 etracker

To tailor our website to the needs of its users, we use the tool etracker. This is a so-called web analysis service. In order to record and analyze the use of our website, usage information is transmitted to our server and stored for analysis purposes. Your IP address is only processed in shortened form for this purpose and thereby anonymized. If you want to prevent processing for analysis purposes, you can object at any time with a click of the mouse. In this case, a so-called opt-out cookie without usage data will be stored in your browser, which means that etracker does not collect any session data.

 

Attention: If you delete your cookies, the opt-out cookie will also be deleted, and you may need to reactivate the opt-out.

 

Please let us know if you would like your visit to no longer be recorded: marketing@isarlend.com

3.2 Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”) on the basis of the consent of website visitors. Google Analytics uses so-called “cookies”, which are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually also transmitted to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide the website operator with other services associated with website use and internet use. We would like to point out that this website only uses Google Analytics after prior consent and with a shortened version of the IP addresses in order to exclude direct personal identification.

 

The latest version of Google Analytics doesn’t store individual IP addresses. It might use them for rough location data (country) but discards them immediately, especially for users in the EU. All data collection and processing for users in the EU happens on servers located within the EU. While IP addresses are used for approximate location, Google Analytics 4 offers controls to disable collection of more granular location data.

3.3 Google Ads Conversion Tracking

This website uses Google Ads Conversion Tracking, a web analytics service provided by Google Ireland Limited (“Google”) on the basis of the consent of website visitors. Google Ads Conversion Tracking uses “cookies”, which are text files that are stored on your computer and that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is transmitted to a Google server in the US and stored there. Google will use this information to evaluate your use of the website, to compile reports on website activities for website operators and to provide other services associated with website use and internet use. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google.

3.4 Google Tag Manager

We use Google Tag Manager from Google LLC (“Google”) on our website, which can be used to integrate and manage various tools and applications on the website. Google Tag Manager only collects and transmits data to the associated tools without having access to the data itself. Therefore, if you have consented to the use of a particular tool that is connected to Google Tag Manager, that tool will be used, and data may be transferred to Google’s servers, including to the United States as a third country. If you have not consented to the use of any tool, Google Tag Manager will not be used.

4. Data Processing

To ensure a responsible lending process, we conduct some essential checks to comply with legal requirements. This includes processing your data for creditworthiness assessments, identity verification, and preventing fraud or money laundering. Adhering to Art. 6 (1) p. 1 GDPR, fulfin only processes your personal data when there is a lawful basis to do so. Here’s an overview of the legal justifications we may rely on:

 

        • Consent: You have clearly agreed to the processing of your data for a specific purpose (e.g., reviewing loan applications).
        • Contractual Necessity: Your data is essential to fulfill our obligations under a contract with you (e.g., processing of submitted loan applications).
        • Legal Compliance: We are required by law to process your data (e.g., tax regulations).
        • Vital Interests: Processing is necessary to protect your life or well-being, or someone else’s (e.g., fraud prevention).
        • Legitimate Interests: We have a justified business reason to process your data, balanced against your privacy rights (e.g., improving our services and product offerings).

 

We will always specify the relevant legal basis for processing your data in each specific situation.

5. Data Storage and Retention

We will delete your personal data when it’s no longer needed. We take data retention seriously and only keep your information for as long as necessary. Here’s how it works:

 

        • We delete your data when we no longer need it for the original purpose. This could be after processing your loan application, fulfilling your contract, or responding to your inquiry.
        • We delete your data if you object to its use. You have the right to object to how we use your data, and if you do, we’ll delete it unless there’s a legal reason to keep it (explained below).

 

Exceptions: When we may keep your data for a limited time. There are limited situations where we might need to keep your data even after it’s no longer needed for the original purpose. These are:

 

        • Legal requirements: German laws like the Commercial Code, Fiscal Code, Banking Act, and Money Laundering Act require us to store certain data for specific periods (usually 2-10 years).
        • Preserving evidence: We might need to keep your data for legal disputes. Depending on the case, this could be for 3 years (standard) or up to 10 years (in specific situations).

 

We are committed to being transparent about how we handle your data. You can find more details about data retention periods and your rights in our Privacy Policy.

6. Data Security

We take your data security seriously and implement appropriate technical and organizational measures to protect your information. At fulfin, safeguarding your personal data is a top priority. We recognize the sensitivity of the information you entrust to us and have established comprehensive protocols to ensure its security.

 

Personal data is used to assess creditworthiness, manage IT system security, improve services, and handle legal matters. This involves exchanging information with the credit agency (e.g., SCHUFA) to evaluate credit risks and defaults, ensuring our IT infrastructure is resilient against threats, enhancing our service offerings, and addressing any legal challenges that may arise. Each of these processes is designed to balance business efficiency with stringent privacy standards.

 

To protect the transmission of confidential content, such as loan applications or financial data, Fulfin employs SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption on its website. You can recognize an encrypted connection by the browser’s address line switching from “http://” to “https://” and the appearance of a lock icon. This encryption ensures that any data transmitted between you and Fulfin remains secure and cannot be read by unauthorized third parties.

 

The company also complies with GDPR regulations, securing document exchanges through the fully secured platform to prevent fraud and unauthorized access. Compliance with GDPR not only fulfills legal requirements but also reinforces our commitment to protecting your privacy and data rights. Our platform avoids using insecure communication channels, such as email, for sensitive documents, significantly reducing the risk of data breaches.

 

These measures safeguard against accidental or intentional manipulation, loss, destruction, or unauthorized access by third parties. We consider the latest technological advancements, implementation costs, and the nature, scope, and purpose of the data processing when implementing these security measures. This thorough evaluation ensures that our security practices are both effective and efficient, tailored to the specific needs of our operations.

 

Hosting on accredited AWS services and conducting external penetration tests further ensure security. By leveraging the reliability and security of AWS, Fulfin benefits from a robust infrastructure that is regularly audited and certified. External penetration tests, performed by independent security experts, identify potential vulnerabilities before they can be exploited, allowing us to proactively enhance our defenses.

 

fulfin implements robust technical controls, including encryption and multi-factor authentication, and maintains a comprehensive security program encompassing organizational policies, training, and incident response procedures. Our encryption protocols protect data at rest and in transit, while multi-factor authentication adds an extra layer of security for accessing sensitive systems. We have detailed policies governing data protection, conduct regular training sessions to keep our staff informed about security best practices, and have established procedures to swiftly respond to any security incidents.

7. Data Transfers

We take steps to ensure your data is protected even if transferred to third parties or countries outside the European Union (EU) and European Economic Area (EEA), adhering to Art. 6 para. 1 GDPR. These measures include standard contractual clauses approved by the European Commission and, in some cases, Transfer Impact Assessments. Additionally, we may seek your explicit consent for data transfers to specific third countries. This policy does not apply to data transfers to countries deemed secure by the European Commission.

 

Fulfin will only share your personal data with third parties under strict conditions:

 

        • With Your Consent: You have explicitly agreed to the data sharing for a specific purpose.
        • For Our Legitimate Interests: Sharing is necessary for our justified business reasons, and your privacy rights are not overridden.
        • Legal Obligations: We are required by law to disclose your data.
        • Contract Fulfillment: Sharing is essential to perform our contractual obligations with you.

8. Other Data Processing Procedures

Listed here are the partner companies that help us provide the services you use and therefore need to process details about you. We share as little information as we can and, where possible, encrypt it and/or make it impossible for the recipient to identify you (for instance by using a User ID rather than your name).

 

        • Our fronting issuing bank partners in Europe
        • Certified and trustworthy PSD2 connection providers such as Tink AB, and fino run GmbH
        • Know Your Customer (KYC) and Anti-Money Laundering (AML) service providers that help us with identity verification or fraud checks such as IDnow GmbH 
        • Cloud computing power and storage providers like Amazon Web Services Inc. (AWS) 
        • Our business intelligence and marketing analytics platform provider such as Supermetrics Group
        • Software companies that we use for emailing you such as Brevo (Sendinblue GmbH) and Google Mail
        • Service providers that help us with customer support and operational support
        • Software for handling the sales funnel, contract management and other loan operations, such as Pipedrive OÜ
        • Companies that offer benefits or rewards through special programmes you sign up to via our newsletters. Those are e.g. Hood Media GmbH, IBAN FIRST SA and others
        • People you’ve asked to represent you, such as solicitors
        • Authorities that spot and stop financial crime, money laundering, terrorism, and tax evasion if the law says we have to, or if it’s necessary for other reasons
        • The police, courts or dispute resolution bodies if we have to
        • Other banks to help trace money if you’re a victim of fraud or other crimes or if there’s a dispute about a payment
        • Any other third parties where necessary to meet our legal obligations

9. Know Your Data Privacy Rights

We take your data privacy seriously. You have certain rights regarding your personal information that we hold. Here’s a breakdown of these rights:

 

        1. Right to Confirmation: You can confirm whether we process your personal data.
        2. Right to Access (Art. 15 GDPR): Get a free copy of your personal information stored by us, along with details about how it’s used.
        3. Right to Rectification (Art. 16 GDPR): Have inaccurate or incomplete personal data corrected.
        4. Right to Erasure (Art. 17 GDPR) (“Right to be Forgotten”): Request deletion of your personal data under certain circumstances.
        5. Right to Restriction of Processing (Art. 18 GDPR): Limit how your data is processed in specific situations.
        6. Right to Data Portability (Art. 20 GDPR): Receive your personal data in a transferable format and move it to another service provider if applicable.
        7. Right to Object (Art. 21 GDPR): Object to the processing of your data for specific reasons, including profiling based on your situation.
        8. Right to Withdraw Consent: Revoke your permission for us to process your data at any time.
        9. Right to Lodge a Complaint: File a complaint with a data protection authority if you believe we haven’t handled your data correctly.

10. Further Information and Contacts

In addition, you may invoke your rights to correction or deletion at any time, to restrict processing, to object to processing, and to data portability. You can contact our designated Data Protection Officer, Mr. Samarth Mehrotra (Chief Data Officer), by email at datenschutz@isarlend.com or by letter to isarlend GmbH, Machtlfinger Straße 9, 81379 München, Deutschland. You also have the right to contact the data protection supervisory authority for any complaints.

 

To keep our Privacy Notice current and reflect any necessary changes, we may update it from time to time. We’ll clearly highlight the effective date of any updates on this page. We recommend reviewing this page periodically to stay informed.

 

Effective Date: July 16, 2024

Provider and Data Privacy Officer:

The data privacy officer, as defined by the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, is:

 

isarlend GmbH
Machtlfinger Street 9
81379 Munich
Germany

 

Email: datenschutz@fulfin.com

 

Represented by:

Dr. Alfred Gruber and Peer Simon

 

Data Protection Officer:

Samarth Mehrotra

 

External Data Protection Consultant:

Dr. Sebastian Kraska

IITR Datenschutz GmbH

 

For questions regarding our privacy policies, please contact us by email at datenschutz@fulfin.com.