Data Protection Declaration

Last update: October 2023

Provision of information pursuant to Art 13 of the General Data Protection Regulation 2016/679/EU ("GDPR") regarding the processing of personal data in the context of visiting and using the website https://www.moneycare.io/ ("Website") as well as in the context of interacting with our social media and third-party platform presences outlined under point 9.

Thank you for your interest in our website. The protection of your privacy is of high priority to us. Consequently, we only process your personal data on the basis of legal requirements set by the GDPR in conjunction with the Austrian Data Protection Act (Datenschutzgesetz) as well as other relevant legal provisions.

In general, you are not obligated to provide data due to statutory or contractual requirements. Data processed automatically when accessing the Website are either not personal data or are stored only for short periods (cf. point 6.1). However, if you decide to contact us via the contact options presented on the Website respectively in the course of this Data Protection Declaration, you have to provide us certain of your data being necessary for the processing of your respective request (cf. point 6.2). Furthermore, in cases where you wish to make use of further services offered via our Website (i.e., booking training courses within our "Impact Academy"), you have to provide us any data deemed necessary for contract conclusion and execution in the respective case. Should you refuse disclosure of your relevant data for the respective purpose, we may not be able to process your request or render our services to you. The individual processing activities in the context of accessing and using our Website are highlighted in detail under point 6.

1. Definitions

Data protection laws are generally relevant in case any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of processing (Art 4 item 2 GDPR) of personal data means any operation or set of operations performed on personal data. Any information allowing us or third parties to potentially identify you in person can be considered your personal data, which makes you a data subject (Art 4 item 1 GDPR) within this context.

The following terms are particularly relevant for a better understanding of this Data Protection Declaration:

2. Information on the controller and contact details

Controller in the sense of Art 4 item 7 GDPR:

money:care GmbH ("we")

Seilerstätte 24 (4th floor)

1010 Vienna

Austria

Contact Details:

Email: office@moneycare.io

3. Links to third-party sites

On our Website and in this Data Protection Declaration, we use links to websites of third parties, i.e., links to our presences in social networks or to companies' presences depicted in the course of our "Impact Check". If you click on one of these links, you will be forwarded to the respective website. For the operators of these websites, it is only evident that you have accessed our Website beforehand. However, please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party! Accordingly, we refer you, in general, to the separate data protection declarations of these websites. For further information on our processing of your data in connection with our social media or third-party platform presences, please review point 9.

4. Rights of the data subject

You may decide to exercise any of the following rights concerning our processing of your personal data at any time free of charge by means of a notification being sent to one of the contact options outlined under point 2; we shall then answer your request as soon as possible and within one (1) month at the latest (in exceptional cases, restrictions on these rights are possible, for instance, if otherwise the rights of third parties would be affected):

• access to and further information concerning your individual data processed by us (right of access, Art 15 GDPR);
• rectification of wrongly recorded data or data that have become inaccurate or incomplete (right to rectification, Art 16 GDPR);
• erasure of data which (i) are not necessary in light of the purpose of data processing, (ii) are processed unlawfully, (iii) must be erased due to a legal obligation or an objection to the processing (right to erasure, Art 17 GDPR);
• temporary restriction of processing under certain circumstances (right to restriction of processing, Art 18 GDPR);
• withdrawal of consent (for definitions see point 6) granted for the processing of your personal data at any time; however, please note that the withdrawal of your consent does not retroactively affect the lawfulness of data processing based on such consent – it solely affects subsequent processing activities (right to withdraw; Art 7 para 3 GDPR);
• objection to any processing of your data being based on our legitimate interest (for definitions see point 6) on grounds relating to your particular situation or being executed for direct marketing purposes (right to object; Art 21 para 1 and 2 GDPR);
• transfer of your personal data which are processed for the performance of a contract or on the basis of your consent in a machine-readable format to you or directly to another controller upon request (right to data portability; Art 20 GDPR);
• right to lodge a complaint with a supervisory authority in respect of our processing of your data; in Austria, a complaint has to meet the requirements laid out in § 24 Austrian Data Protection Act and has to be directed to the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, email: dsb@dsb.gv.at , Phone: +43 1 52 152-0 (for the simplification of this process, the Austrian Data Protection Authority provides forms at: https://www.dsb.gv.at/dokumente [German only]).

5. Transfer of your data; recipients

For the purposes executing the data processing activities as indicated in the course of this Data Protection Declaration, we may transfer your personal data to the following recipients or make them available to them:

Within our organisation, your data will only be provided to those entities or employees who need them to fulfil their respectively our respective obligations. Furthermore, (external) processors engaged by us receive your data if they need these data to provide their respective services (whereby the mere possibility to access personal data is sufficient).

Within the context of our Website, the following processors may have access to your personal data:

• Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (as our hosting provider – cf. point 6.1);
• Trivity OG, Stumpergasse 22, 1060 Vienna, Austria (as service provider regarding development and ongoing support in respect of our Website);
• MailerLite Limited, Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland (as service provider in regards to the delivery of requested emails – cf. point 6.3);
• Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (as service provider in regards to the technical execution of payments – cf. point 6.5);
• Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland (as provider of services being implemented into our Website – cf. point 8.3.1 [i]).

Additionally, we may transfer your data to independent controllers, as far as this is deemed necessary, we are legally obliged to do so or you have provided your respective consent. This includes, in particular, the recipients outlined under point 10 as well as, potentially, our tax consultant, Simplify Tax Steuerberatung GmbH, Mommsengasse 33 Top 2+5, 1040 Vienna, Austria.

Lastly, we are joint controllers in the sense of Art 26 GDPR with the service providers described under point 9 when accessing and interacting with our respective social media or platform presences.

6. Data processing operations

In the subsequent section, data processing operations that may occur when accessing or using our Website are described in detail. Within this context, we provide you with information on the essential elements of each data processing operation, namely (a) type and extent ( when and how), (b) purpose (why) as well as (c) the storage period of your data (how long).

Moreover, we inform you about the legal basis which we use to justify the respective data processing operation as required by the GDPR. The following chart provides you with a first overview of possible legal bases, which we use in this regard:

6.1 Processing of traffic data; server log files

a) Type and extent of data processing: You can visit our Website without providing any personal information. However, out of technical necessity, so-called "traffic data" are processed automatically when a website is accessed. Within this context, in particular, the following categories of traffic data can be transferred to the server that is requested to provide a respective website or file:

• (i) implicit access data (automatic, inevitable and unsolicited transmission): IP address used, user agent (browser type/version used), accessed site (URL), previously visited website (referrer URL), time of the access request, language settings.
• (ii) explicit access data (transmission where provided for in the source code of the respective service): screen resolution, colour depth, time zone, touchscreen support, browser plugins.
• Traffic data will be stored by us in so-called "server log files". Hosting provider of our Website is Microsoft Ireland Operations Limited (cf. point 5). Traffic data may also be transferred to providers of third-party services embedded into our Website (cf. point 8.). Moreover, we process your IP address in order to determine the frequency of "Impact Checks" carried our (cf. point 6.4).

(b) Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security with regards to our Website. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the "right to object", see point 4) in achieving the mentioned purpose.

(c) Storage period: Server log files are stored for a period of thirty (30) days and subsequently automatically erased.

6.2 Contacting; contact form

(a) Type and extent of data processing: When contacting us via the contact form provided on our Website, we will use your data as indicated in order to process your contact request and deal with it. Certain additional information may be provided voluntarily. The data processing involved is necessary to issue a response in respect of your request. Moreover, the respective elucidations of this point apply accordingly to the processing of data being entailed by direct contact requests executed via contact details provided on our Website, without making use of the contact form.

(b) Legal basis and purpose: Purpose of the data processing is to enable us an exchange with users of the Website. We answer your request on the basis of our legitimate interest (Art 6 para 1 lit f GDPR; for the "right to object" see point 4) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services. As far as your request is based on an existing contractual relationship with us or you are interested in establishing said contractual relationship, the processing is based on the performance of the corresponding contract, or on taking steps prior to entering into a contract with you at your request (Art 6 para 1 lit b GDPR).

(c) Storage period: We delete your requests as well as your contact data if the request has been answered conclusively. Your data are, in general, stored for a period of sixty (60) days and subsequently erased if we do not receive follow-up requests and if the data must not be further processed for different purposes (e.g., for the fulfilment of our legal documentation obligations – cf. point 6.6).

6.3 Event-related delivery of emails

(a) Type and extent of data processing: Via the Website, you may have different options to subscribe to one-time or recurring promotional emails. This may, for instance, relate to requests for the appointment of a demonstration of our enterprise solution AI tool, for a notification regarding the addition of certain companies in respect of our "Impact Check" or, if available, a subscription for our newsletter. For this purpose, you have to provide us the data as indicated in the relevant form (in particular, your email address); certain additional information (e.g., for personalisation) may be provided voluntarily. Promotional communication will solely be sent to email addresses having been indicated by interested users themselves. If you no longer wish to receive previously requested emails, you can of course unsubscribe at any time (withdraw your consent) by notifying us via the contact address specified under point 2 or by clicking on a respective link potentially provided in the course of each email. In order to increase performance and reach of our advertising measures, we also use email deliveries for statistical evaluations. By doing so, we are able to analyse opening and click behaviour as well as information on the technical deliverability of emails. Furthermore, we are able to detect if certain predefined actions are carried out after opening/clicking on an email (conversion rate). For delivery of the newsletter and statistical evaluations, we use the newsletter service "MailerLite", which is operated by MailerLite Limited (cf. point 5). Hence, your voluntarily provided data will be saved on servers of the respective service provider; in order to provide our newsletter service to the extent described above.

(b) Legal basis and purpose: The data mentioned above are processed in the form of the requested subscription for the purposes of direct marketing and are necessary to send the respective emails. Email communication or other electronic advertisements will in no case be sent without your prior consent (Art 6 para 1 lit a GDPR, for the "right to withdraw" see point 4) which we obtain from you directly on our Website. Subsequent to receiving your consent, we send an email to the email address provided, in order to confirm your subscription. All statistical evaluations are based on our legitimate interest (Art 6 para 1 lit f GDPR; for the "right to object" see point 4) in creating a cost efficient statistic, that is easy to handle and useful for marketing purposes.

(c) Storage period: All data having been collected for the delivery of the newsletter are stored for the duration of the respective consent declaration. Statistical data generated from email delivery will solely be used to create an overall performance statistic and will not be stored in a personal form that would allow attribution to a specific data subject.

6.4 Registering of a user account

(a) Type and extent of data processing: Several functions on our Website can be (partially) used free of cost. However, it may be necessary to register a user account with us in order to utilise additional/extended services. This applies to the following cases:

• (i) looking up more than three (3) entities in the course of our "Impact Checks" (to verify the frequency of your requests within that context, we store your IP address and place a cookie on your end device) as well as creating personal check lists;
• (ii) making use of our fee-based service offers in the course of the "Impact Academy" (cf. point 6.5).
• In order to create a user account, you have to provide us certain data. Necessary indications are highlighted accordingly; certain additional information may be provided voluntarily. As an alternative to the manual indication of your data, registration of a user account respectively logging in afterwards may be executed via a third-party you have already registered with (cf. point 10). If applicable, we may also process data relating to your preferences determined in the course of using our services by means of a preference catalogue within your respective user account.

(b) Legal basis and purpose: Processing of your data in the context of registering a user account serves the purpose that we can pursue our business activity and provide our services accordingly; it is necessary for the performance of the respective contract concluded with us respectively to take steps at your request prior to entering into a contract (Art 6 para 1 lit b GDPR). This includes – on the one hand – the contract regarding the extended use of our free-of-charge "Impact Check" in exchange for the information provided in the course of creating a user account (which allows us to better understand the use of our services); on the other hand, making use of our services relating to the "Impact Academy" (cf. point 6.5).

(c) Storage period: In principle, user accounts will be kept by us until the respective user requests for deletion.

6.5 Training courses (Impact Academy)

(a) Type and extent of data processing: In case you wish to make use of our fee-based service offers in regards to the "Impact Academy", you have to create a user account first (cf. point 6.4). Afterwards, you may book the respective training offer directly within your user account under consideration of the information provided by us in this regard and subsequently use the service. Processing of your payment in this regard is executed automatically via the portal of our payment service provider Stripe Payments Europe Limited (cf. point 5), acting as our processor. Stripe Payments Europe Limited may utilise further processors (sub processors) to render its services; in particular, US based group company Stripe, Inc. (California, USA). Any such potential transfer of your data in the legal sphere of the US is usually based on the adequacy decision of the EU Commission in the sense of Art 45 GDPR concerning the "EU-US Data Privacy Framework" – you may check the respective certification of Stripe, Inc. under https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TQOUAA4&status=Active . In principle, we process your data within you within your user account – however, please be aware that certain offers/functions in respect of the "Impact Academy" can be outsourced by us, wherefore you may also have to access third-party services in order to make full use of our offer (cf. point 3). This particularly concerns the platform "Discord" (cf. point 9.4).

(b) Legal basis and purpose: Processing of your data in the course of our fee-based services serves the purpose that we can pursue our business activity and provide our services accordingly; it is necessary for the performance of the respective contract concluded with us respectively to take steps at your request prior to entering into a contract (Art 6 para 1 lit b GDPR).

(c) Storage period: Your contract- and use-related data are stored by us for a period of two (2) years and erased afterwards as long as there are no follow-up requests. Longer storage periods for certain data may be required in the context of our legal documentation obligations (cf. point 6.6) as well as due to the probable execution of legal claims. Regarding our general retention of user accounts, please review point 6.4.

6.6 Legal retention and documentation obligations

(a) Type and extent of data processing: In general, we do not store your data for longer than absolutely necessary. However, in some cases, we are subject to legal obligations that do not allow us to erase your data immediately. This concerns, for instance, your accounting data, which have to be stored by us, among other things, because of retention and documentation periods set by relevant fiscal and commercial law.

(b) Legal basis and purpose: We process your data in this context on the basis of Art 6 para 1 lit c GDPR (legal obligation). This processing of your data is conducted for the purpose of complying with our own statutory duties.

(c) Storage period: Due to legal retention and documentation obligations, which are arising under fiscal and commercial law, your data are generally stored for a period of seven (7) years. In case the data in question are relevant for a pending (tax) proceeding, they might be stored for longer. As a result of other legal requirements, storage periods may deviate for certain data.

6.7 Functional third-party implementations

(a) Type and extent of data processing: Due to third-party software which is embedded into our Website, additional data processing activities may be initiated for different purposes. The specific services and their functionality are briefly described under point 8.2; further information can be found in detailed descriptions under point 8.3.

(b) Legal basis and purpose: Within the framework of the respective service, we use collected data in order to expand our services or make them more attractive/effective. The relevant legal basis is stated in the description of the respective service.

(c) Storage period: We store generated data in accordance with the requirements and possibilities stipulated by the relevant service for as long as it is necessary to fulfil the respective processing purpose.

7. Storage and similar technologies; consent tool

On our Website we us the following technologies for different purposes. If information is stored on your end device by doing so, they are called storage technologies , and are subject to particular data protection regulations. If they are not technically necessary for the functioning of our Website, we need to collect your consent prior to their use. Additionally, we use other technology for similar purposes and further process data collected in that regard by using storage technologies. Storage technologies are also used in the in the scope of third-party services described under point 8.

7.1 Cookies

If you give us your consent (Art 6 para 1 lit a GDPR; for the "right to withdraw", see point 4 as well as point 7.3), so-called "cookies" are used on our Website; in case you decline to provide us with your consent, we shall limit our use of cookies to those cookies being technically necessary and essential for the proper functioning of our Website (see below) and process your data on the basis of our accompanying legitimate interest (Art 6 para 1 lit f GDPR), as far as personal data are involved (for the "right to object", see point 4). Cookies are small data sets that are stored on your end device by your respective browser. They are placed by a web server and sent back to it as soon as a new connection is established in order to recognise the user and his settings. In this sense a cookie assigns a specific identity consisting of numbers and letters to your end device. Cookies can fulfil different purposes, e.g., helping to maintain the functionality of websites with regard to state of the art functions and user experience. The actual content of a specific cookie is always determined by the website that created it. Cookies always contain the following information:

• name of the cookie;
• name of the server the cookie originates from;
• ID number of the cookie;
• an end date at the end of which the cookie is automatically deleted.

Cookies can be differentiated according to type and purpose as follows:

• Necessary cookies: Technically necessary (also: essential) cookies are required for the proper functioning of websites by enabling basic functions, such as site navigation and access to protected areas. Without such cookies, a website regularly fails to be fully functional. Necessary cookies are always first-party cookies. They can only be deactivated in the settings of your browser by rejecting all cookies without exception (see below) and are also used on our Website legally permissible without obtaining prior consent.
• Preference cookies: Preference cookies allow websites to remember information which affects their appearances or behaviour, for example, your preferred language or the region you are located in.
• Analytics cookies: Analytics cookies help website operators to understand how users interact with websites by collecting information anonymously and analysing it. Such cookies are thus used to collect information on user behaviour. In particular, the following information may be stored: accessed sub-pages (duration and frequency); order of pages visited; search terms used having led to the visit of the respective website; mouse movements (scrolling and clicking); country and region of access. These cookies allow to determine what a user is interested in and thereby adapt the content and functionality of a website to individual user needs.
• Tracking cookies: Tracking cookies are used to track users on websites. Their purpose is to display advertisements which are relevant and attractive for the individual user an hence valuable for publishers and third-party advertisers. This is possible by means of analysing your user behaviour and determining interests on the basis of which tailored advertising becomes possible.
• Plugin cookies: Such cookies originate from third-party platforms or services; they are necessary to display content of such third-party platform/service which is embedded into a website. They may be used by the respective third-party provider for analytic or tracking purposes as well (in particular, where an account is maintained with the respective platform/service).

With regard to the storage period cookies can be further differentiated as follows:

• Session cookies: Such cookies will be deleted without any action on your part as soon as you close your current browser session.
• Persistent cookies: Such cookies (e.g., to save your language settings) remain stored on your end device until a previously defined expiration date or until you have them manually removed.

Furthermore, cookies may be differentiated by their subject of attribution:

• First-party cookies: Such cookies are used by ourselves and placed directly from our Website. Browsers generally do not make them accessible across domains which is why the user can only be recognised by the page from which the cookie originates.
• Third-party cookies: Such cookies are not placed by the website operator itself, but by third parties when visiting a specific website, in particular, for advertising purposes (e.g., to track surfing behaviour). They allow, for example, to evaluate different page views as well as their frequency.

Most browsers automatically accept cookies. With respect to providing or withdrawing your consent through our consent tool, see point 7.3. Moreover, you have the option to customise your browser settings so that cookies are either generally declined or only allowed in certain ways (e.g., limiting refusal to third-party cookies). However, if you change your browser's cookie settings, our Website may no longer be fully usable. Via the browser settings, you also have the option to delete the entirety of cookies already stored on your end device. This corresponds to a withdrawal of your consent (for the "right to withdraw" see point 4) as well.

Specifically, we use the following cookies:

7.2 Local storage; session storage

If you have given us your explicit consent (Art 6 para 1 lit a GDPR; for the "right to withdraw", see point 4), we use storage capacity of your browser software in order e.g., to enhance the usability of our Website, its user-friendliness and our service in general (for example to save your language settings). Therefore, we use the so-called local storage or session storage to store certain data on your end device, whereby your browser software maintains a separate local storage or session storage for each domain. Besides yourself, only we are able to access the data we are processing in this context. If technically necessary for the functioning of our Website, certain information may be stored in the local storage or session storage without your consent. Under no circumstances, third parties/websites will be able to access/read any of such data; however, the data may be stored on your end device by our partners (third-party service providers). In contrast to "cookies", this method is safer and faster because data are not transferred automatically to the respective server with every HTTP request, but stored by your browser software. Additionally, a greater volume of data (at least 5 megabytes) can be stored, whereas cookies have a maximum storage capacity of 4096 Bytes.

Since their functionality is similar to that of cookies, point 7.1 applies correspondingly. Please be aware that information in the local storage does not have a predefined expiration date (similar with persistent cookies). In contrast, information in the session storage is stored only for the duration of respective browser session (similar to session cookies).

With respect to providing or withdrawing your consent through our consent tool , see point 7.3. The manual erasure of data from the local or session storage can be achieved similarly to the manual erasure of cookies through the browser settings of most browsers since common browsers combine settings for cookies, local storage and session storage, collectively referring to website data (e.g., "cookies and other website data"); therefore please review point 7.1 for the full picture. If cookies and other website data are combined accordingly by your browser software, disabling cookies also disables access to the local storage or session storage (which therefore can lead to usability limitations). Disabling JavaScript can also prevent websites from accessing the local or session storage. However, this may result in severe usability limitations.

Specifically, we do not use any local/session storage objects at the moment.

7.3 Consent tool

Where necessary, and in order to ensure that you have given us your prior consent regarding the use of storage technologies, a consent tool appears automatically when accessing our Website. Through the options provided therein, you can select your preferences. To save your preferences, a technically necessary cookie is placed on your end device. If you do not provide us with your consent, certain parts of our Website may be unusable.

7.4 Tracking pixel

Apart from cookies, we also use so-called tracking pixels (also: pixel tags or web beacons) to collect certain data via our Website. Tracking pixels are transparent images which are practically invisible as they consist of a single pixel. The tracking pixel is placed on a server and loaded therefrom as soon as a respective subpage of our Website is accessed. They allow us to track that a subpage is accessed as well as any subsequent user activity on this page, in order to place targeted marketing. By means of the tracking pixel , in particular, the following information can be collected: (i) operating system used; (ii) browser type/version used; (iii) time of access; (iv) user behaviour on the visited page; (v) IP address and approximate location of the user.

Tracking pixels are used on our Website on the basis of our legitimate interests (Art 6 para 1 lit f GDPR; for the "right to object" see point 4) in analysing user accesses in a state of the art manner; in certain cases, we may also obtain your prior consent (Art 6 para 1 lit a GDPR; for the "right of withdrawal" see point 4). As a tracking pixel is merely an image loaded from a server, its lifetime is limited to your current browser session. However, information collected via a tracking pixel may be subsequently stored in cookies (see point 7.1).

8. Third-party services

8.1 General explanations

Purpose of processing: In order to optimise our Website for its intended purposes, provide necessary or useful functions in regards to an economically viable pursuit of our business activity as well as to make available services to users that are usually expected in our line of business, we utilise a variety of services on our Website which are rendered by third-party service providers and subsequently described below.

Processing roles: Unless stated otherwise, the respective third-party service provider acts as our processor and subsequently provides its services in our name and on the basis of a corresponding agreement. However, some of the engaged third-party service providers may (also) receive data as independent controllers for their own purposes, in particular for the optimisation of their services. Regardless of their specific processing role, they are in any case considered recipients of some of your data, since the use of the respective service on our Website requires the processing of your data by the corresponding service provider.

Necessary processing: From a purely technical perspective, certain traffic data are transferred when visiting any website, and may be transferred to implemented services as well (cf. point 6.1). Any such transmission of traffic data that is technically necessary is based on our legitimate interest (Art 6 para 1 lit f GDPR) in integrating the respective services with adequate effort into our Website (for the "right to object", see point 4). Any further use of traffic data within this context is grounded on a separate legal basis pursuant to the specific information provided below.

8.2 Overview and brief summary

Subsequently, you can find a brief summary of services used as well as accompanying basic legal information.

If you press on the name of one of the services, you will be transferred to the data protection declaration of the respective service provider. Please be aware that accessing third-party sites results in additional processing of your data in the sphere of the respective third party (cf. point 3).

8.3 Individual third-party services

Google services

The following services are provided by Google Ireland Limited, Barrow Street, Dublin 4, Ireland ("Google Ireland").

Google Ireland intends to process data of users of the EEA region, where possible, in data centres situated in Europe; however, an outsourcing of processing activities to third parties such as group companies may take place, wherefore a processing of your data in the US, in particular by Google LLC (California, USA), is possible; any such potential transfer is usually based on the adequacy decision of the EU Commission in the sense of Art 45 GDPR concerning the "EU-US Data Privacy Framework". You may check the respective certification of Google LLC under: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active. An overview of Google's data centres can be viewed at: https://www.google.com/about/datacenters/inside/locations/?hl=en.

For further information on data usage by Google Ireland and affiliated companies as well as your options in terms of settings and objection, please review the data protection declaration of Google under https://policies.google.com/privacy?hl=en.

(i) Google Analytics

We use a web analysis and online marketing tool "Google Analytics", which enables us to analyse how you use this Website. The tool tracks, for example, the time users spend on a subpage of our Website or which links are being clicked by them. Also Google Analytics enables us to track when website users meet certain predefined criteria (so-called conversions) through their actions. The tracking takes place via JavaScript libraries provided by Google Ireland. Google Analytics uses cookies (respectively similar storage technologies; see point 7). In the context of the application of Google Analytics your traffic data (see point 6.1) are transferred to and stored on Google servers (however, your IP address will only be stored in a shortened form).

Based on our instructions, Google Ireland will use the information collected to analyse the use of our Website, draft reports on website activities and provide us with further services connected to the use of our Website and the Internet.

The use Google Analytics is based on your prior consent (Art 6 para 1 lit a GDPR; for the "right to withdraw" see point 4). The data concerning the use of our Website are deleted automatically after a storage period of twenty-four (24) months set by us in the Google Analytics settings.

(ii) Embedding of YouTube videos

On our Website, videos of the platform https://www.youtube.com, a service of Google Ireland, are embedded as an inline frame.

Google Ireland uses storage technologies (cf. point 7) for the collection and statistical evaluation of data within the framework of such integration. Google Ireland uses the information collected via storage technologies under its own responsibility to compile accurate video statistics, prevent fraud and improve user-friendliness. Information generated by the use of said storage technologies as well as traffic data (inter alia, your IP address) are subsequently transferred to a Google server and stored there. However, the IP address will be shortened beforehand. An immediate allocation to your person is only possible if you are logged into your Google account when accessing a respective video, or when accessing a subpage with such integrated video after you have already given your previous consent. Therefore, if necessary, please log out of your account before you allow us to display the video or access the respective page.

We base our processing of your data within that context on your prior consent (Art 6 para 1 lit a GDPR; for the "right to withdraw" see point 4). We receive statistical evaluations from Google Ireland in regards to the retrieval of individual videos embedded in the Website without reference to the respective user.

Since the videos are only embedded in our Website but played directly via https://www.youtube.com, the terms of use and data protection declaration of YouTube/Google apply in that context.

(iii) Google Tag Manager

Our website uses Google Tag Manager. The Google Tag Manager allows us to manage website tags through a single interface. The Google Tag Manager tool itself (which triggers the tags) is a domain without cookies and does not collect any personally identifiable information. The tool triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If a deactivation was carried out at the domain or cookie level, it remains in effect for all tracking tags that were implemented with the Google Tag Manager.

(iv) Google Ads

We use Google Ads on our website to display targeted advertisements based on user behavior on our website and other platforms. This includes remarketing and conversion tracking features that allow us to evaluate the effectiveness of our advertising efforts. Our goal is to show you ads that are relevant to you, make our website more interesting for you, and ensure a fair calculation of advertising costs.

The following data is processed as part of Google Ads:

• Traffic data (e.g., IP address, browser and device type, access time)
• Usage data (e.g., pages visited, click behavior, interactions, conversions)

Google Ads uses cookies and similar technologies to recognize users and perform cross-device analyses. Cookies for conversion tracking typically remain active for 30 days, while remarketing cookies can be stored for up to 24 months. More information about the cookies used can be found in section 7 of this privacy policy.

We receive only aggregated and anonymized reports from Google about the performance of our ads. Identifying individual users is not possible for us. According to Google, processing as part of remarketing is pseudonymized, so no direct association with your person is made.

Opt-out Options and User Control:
You can prevent participation in the Google Ads tracking process in several ways:

• through appropriate settings in your browser software, especially by suppressing third-party cookies,
• by disabling cookies for conversion tracking by blocking cookies from the domain 'www.googleadservices.com' (see: https://www.google.de/settings/ads),
• by using the opt-out plugin from Google (http://www.google.com/settings/ads/plugin),
• or by disabling interest-based ads via the link http://www.aboutads.info/choices.

Please note that these settings will be deleted if you clear your cookies, and you may not be able to use all functions of this website to their full extent.

Data Sharing and Legal Basis:
Due to the marketing tools used, your browser automatically establishes a direct connection to Google's servers. This enables Google to receive information that you have visited our website or clicked on an advertisement. If you are registered and logged in with Google, Google may associate the data with your account. Even without logging in, Google may collect and store your IP address.

The processing of this data is based on your prior consent in accordance with Art. 6(1)(a) GDPR. You can revoke this consent at any time (see section 4 of this privacy policy for details). Further information on data protection at Google can be found at: https://policies.google.com/privacy

Hotjar

For analyzing user behavior on our website, we use the tool Hotjar. Hotjar allows us to track mouse movements, scrolling actions, and clicks. With this information, we can create so-called heatmaps, which show which areas of our website are preferably viewed by visitors.

Hotjar uses technologies to recognize the user for analyzing their behavior (e.g., cookies). The processing of this data by Hotjar is based on your consent according to Art 6 para 1 lit a DSGVO (GDPR). You can revoke this consent at any time. To deactivate Hotjar's data collection, please visit: https://www.hotjar.com/opt-out. Note that you have to deactivate Hotjar for every browser and device used. For more information about Hotjar and the data collected, please refer to: https://www.hotjar.com/privacy.

9. Social media and third-party platform presences

For the purpose of promoting our business activity and our service offer, we maintain presences in various social networks and similar platforms. The processing of your data in this context is based on our legitimate interest (Art 6 para 1 lit f GDPR; for the "right to object", see point 4) in expanding our reach as well as providing additional information and means of communication to users of social networks and similar platforms. In order to reach said purposes at the best possible rate, we may utilise functions provided by the respective service provider to measure our reach in detail (access statistics, identification of returning users, etc.).

In the course of accessing any of the online presences outlined subsequently, we process the general information being evident due to your profile in the respective network/platform as well as additional continuance, contact or content data, as far as you provide us with such data by interacting with our online presence and its contents. We do not store those data separately outside of the respective social network.

Since we jointly decide with the relevant service provider (respectively entity expressly outlined as controller) upon purposes and means of data processing in the course of a respective online presence, we are to be considered joint controllers in the sense of Art 26 GDPR. The provider of each social network respectively platform mentioned shall act as the primary point of contact with regard to all general and technical questions in respect of our online presences; this also applies to fulfilling rights of the data subjects in the sense of point 4. However, in case of requests concerning the specific operation of our online presences, your interactions with them or information published/collected via such channels, we shall be the primary point of contact; point 4 as well as other stipulations in this Data Protection Declaration apply correspondingly.

Some of the subsequent service providers are respectively their server landscape is located outside of the EU/EEA or they use processors to render their services to which this applies. Please be aware that we have no influence if or to which extent such transfers take place when using the respective network. You can find the relevant information on how each service provider handles third-country transfers (which might include data of you provided in the course of interacting with our social media presences) in the relevant data protection information of such service provider (cf. the respective links under each subsequent subsection). Mostly, those service providers utilise a certification according to the "EU-US Data Privacy Framework" pursuant to the respective adequacy decision of the EU Commission in the sense of Art 45 GDPR or standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the European Commission in order to justify their transfers.

You can review the most relevant certifications relating to group companies of the subsequently displayed providers under the following links:

• Meta Platforms, Inc. (re "Instagram"): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active;
• Google LLC (re "YouTube"): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active;
• Discord, Inc. (re "Discord"): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008TN8AAM&status=Active.

9.1 Instagram

The social network "Instagram" is operated by Instagram Inc., 1601 Willow Road, Menlo Park, California 94025, USA, which is part of the Facebook group. Controller from a data protection point of view with regard to the EEA region is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta Ireland"). In respect of the operation of our Instagram account "moneycare.io" (https://www.instagram.com/moneycare.io/), we are joint controllers in the sense of Art 26 GDPR with Meta Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Instagram in order to personalise and maintain our Instagram account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://help.instagram.com/581066165581870?cms_id=581066165581870) as well as the separate data protection declaration (https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect) and consider the settings options in your Instagram account. In regards to any information provided by us via mechanisms made available by Instagram (postings, stories, etc.), we are naturally fully responsible.

9.2 YouTube

Controller of the video platform "YouTube" for the EEA region is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland ("Google Ireland"). In respect of the operation of our YouTube channel "money:care" (https://www.youtube.com/channel/UC3s3NhUwSDbdHTUuRMC2cKA), we are joint controllers in the sense of Art 26 GDPR with Google Ireland.

Please note that we have no influence on the programming and design of YouTube; thus, we can only use the options provided by YouTube in order to personalise and maintain our YouTube channel. Hence, please carefully review the terms which the service provider prescribes for the use of the video platform (https://www.youtube.com/t/terms) as well as the separate data protection declaration (https://policies.google.com/privacy?hl=en-GB&gl=uk) and consider the settings options in your YouTube account. In regards to videos and content provided by us, we are naturally fully responsible.

9.3 LinkedIn

The social network "LinkedIn" is operated by LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA. Controller from a data protection point of view with regard to the EEA region is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn Ireland"). In respect of the operation of our LinkedIn account "money:care" (we are joint controllers in the sense of Art 26 GDPR with LinkedIn Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by LinkedIn in order to personalise and maintain our LinkedIn account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.linkedin.com/legal/user-agreement?_l=en_EN) as well as the separate data protection declaration (https://www.linkedin.com/legal/privacy-policy\) and consider the settings options in your LinkedIn account. In regards to any information provided by us via mechanisms made available by LinkedIn (postings, chats, etc.), we are naturally fully responsible.

9.4 Discord

The online communication platform "Discord" is operated by Discord, Inc., 444 De Haro Street, Suite 200, San Francisco, CA 94107, USA. Controller from a data protection point of view with regard to the EEA region is Discord Netherlands BV, Schiphol Boulevard 195 1118BG, Schiphol, Amsterdam, Netherlands ("Discord Netherlands"). In respect of the operation of our Discord server "money:care", we are joint controllers in the sense of Art 26 GDPR with Discord Netherlands.

Please note that we have no influence on the programming and design of the platform; thus, we can only use the options provided by Discord in order to personalise and maintain our Discord presence. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://discord.com/terms) as well as the separate data protection declaration (https://discord.com/privacy) and consider the settings options in your Discord account. In regards to any information provided by us via mechanisms made available by Discord, we are naturally fully responsible.

10. Third-party registration features

On our Website, you have the option to use your registration data held by certain third-parties to register for/log in to our service offer as well without having to pass through a time-consuming standard registration process. This shall facilitate making use of our services.

Using such registration option requires that you are already registered with one of the subsequent providers/services:

• "Registration via Facebook" (Facebook login): Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
• "Registration via Google" (Google sign-in): Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland;
• "Registration via LinkedIn": LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland;
• "Registration via Microsoft": Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

In case you press the respectively named button in the course of creating a user account, you will be requested to indicate your login data held by the respective provider. The same applies where you have already used this option to register and subsequently want to log in again into your account.

After a successful login attempt, we receive a user ID, which solely contains the information that you have logged in via the respective provider using the single sign on procedure. Which data we receive after in the course of this process depends upon the provider utilised as well as upon your settings at the respective third-party account.

Usually, we receive at least your user name and profile picture, potentially your email address as well. We do not get access to your password. If applicable, you may have to expressly consent to a the data release and/or you may be able to make certain settings within your respective third-party account. In order to realise the data exchange, the respective provider will necessarily receive your traffic data in the sense of point 6.1.

For execution of the login/registration, a connection with servers of the respective provider as well as with your respective third-party account will be established. A continuous automatic alignment with your identity data stored by us is possible; however, as it cannot be guaranteed in each case, we ask you to alter your data manually if changing in case of doubt. You may usually terminate the link established by the single sign on procedure via the settings in your respective third-party account. If you wish to achieve erasure of your data stored by us, please contact us using the contact options indicated under point 2.

The service providers outlined above may transfer your data potentially to group companies () or other recipients especially in the US. Such transfer of your data is usually based on the adequacy decision of the EU Commission in the sense of Art 45 GDPR concerning the "EU-US Data Privacy Framework" or on standard data protection clauses in the sense of Art 46 para 2 lit c GDPR adopted by the EU Commission as adequate safeguards. ". You may check certifications according to the "EU-US Data Privacy Framework" of the relevant entities under: https://www.dataprivacyframework.gov/s/participant-search.

Please also review the data protection information provided by the respective provider:

• "Facebook": https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer;
• "Google": https://policies.google.com/privacy?hl=en;
• "LinkedIn": https://www.linkedin.com/legal/privacy-policy;
• "Microsoft": https://privacy.microsoft.com/en-gb/privacystatement.