
PRIVACY POLICY

Privacy Policy of CRE 42 GmbH („CREX Capital“)



 

General Notes and Mandatory Information


 

Designation of the Responsible Entity

 

The responsible party („controller“) within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

CRE 42 GmbH

Compliance / Datenschutz

Gounodstr. 54

13088 Berlin / Germany

compliance@crex.capital


 

Data Protection

 

As a website operator and provider of a web-based platform, we take the protection of personal data very seriously. All personal information is treated confidentially and in accordance with the legal requirements, as explained in this Privacy Policy.

Users will find further information about our platform in our General Terms and Conditions.

Data transmission on the internet, such as via e-mail, can always have security gaps. Complete protection of data is not possible on the internet.

Below we inform you in detail about the handling of your data.


 

Scope of the Processing of Personal Data

 

We process personal data of our website visitors (interested parties), clients and users (of our platform) in principle only to the extent that this is necessary for the provision of a functional website or platform as well as our content and services and – if present – for the fulfillment of our contractual relationship with you.

When registering on our platform and, for example, when contacting us via our contact form on our website, the following (personal) information is regularly collected:

  • title, first name, last name,

  • company name,

  • address,

  • e-mail address,

  • telephone number (landline and/or mobile),

  • password.

The collection of personal data takes place

  • to be able to identify you as an interested party, client or user,

  • to be able to provide you with appropriate support and advice,

  • to be able to fulfill our contractual obligations towards you,

  • for correspondence and communication with you,

  • for invoicing purposes or, if necessary, as part of the dunning process,

  • for the purposes of admissible direct advertising.


 

Data Deletion and Storage Period

 

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject as the responsible party. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

In general, the personal data collected will be stored until the expiry of the statutory retention periods for business companies and then deleted (here, the provisions of § 257 HGB – German Commercial Code and § 147 AO – German Tax Code apply in particular).


 

Legal Basis for the Processing of Personal Data

 

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 (1) lit. a EU General Data Protection Regulation (DSGVO – Datenschutzgrundverordnung) serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c DSGVO serves as the legal basis.

In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.


 

SSL or TLS Encryption

 

For security reasons and to protect the transmission of confidential content that you send to us as a website operator or as a platform provider, we use SSL or TLS encryption. This means that data you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.


 

Supply of the Online Offer and Web Hosting

 

In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed as part of the provision of the hosting offer may include all the information relating to our online offer that is generated as part of the visit to our website, the use of our platform and other communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offer or on our websites.


 

Collection of Access Data and Log Files

 

We (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP addresses and the requesting provider.

The server log files may be used on the one hand for security purposes, e.g., to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and on the other hand, to ensure the utilization of the servers and their stability.

When using our platform, we collect access data about the user (name, IP address, browser type/version, operating system) and his time of use (date, time, duration of use) for the purpose of ensuring contractual use.


 

Data Transfer to Third Countries

 

We only transfer your personal data to countries outside the EEA (European Economic Area) if

  • the EU Commission has adopted a so-called adequacy decision for the third country or the recipient in this third country ("legal act" pursuant to Art. 28 (3) DSGVO);

  • guarantees are provided by the recipient in accordance with Art. 46 DSGVO for the protection of the personal data (including any additional measures required);

  • you have expressly consented to the transfer, after we have informed you of the risks, in accordance with Art. 49 (1) lit. a DSGVO; or

  • the transfer is necessary for the performance of contractual obligations between you and us.

You can find more information on this in the following sections.


 

Services used and Service Providers

 

For the operation of our platform and for the management of our company, we use the services of various providers. With regard to the transmission, processing and storage of personal data, these are:

 

Amazon Web Services (AWS)

(Amazon Web Services, Inc., Seattle/USA, resp. its subsidiaries; in the EU e.g. Amazon Web Services EMEA SARL, Luxembourg)

https://aws.amazon.com/

in particular regarding User Identity Management, Chat Application and cloud-based File Storage.

You will find the complete data protection policy (“privacy notice”) here:

https://aws.amazon.com/privacy/

Amazon complies with various IT standards through certifications and certificates, laws, regulations, and other privacy regulations. You can find more information here:

https://aws.amazon.com/compliance/programs/

In addition, the data processing is carried out by Amazon as one of our so-called processors in accordance with Art. 28 DSGVO on the basis of a data processing agreement (DPA – Data Processing Addendum). You can find out more about this from Amazon here:

https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html

According to our contractual relationship with Amazon, the server location is in the AWS region "EU (Ireland) eu-west-1".

 

Atlassian/Jira

(Atlassian Pty Ltd, Sydney/Australia)

https://www.atlassian.com/

https://www.atlassian.com/software/jira

in particular regarding CRM (customer relationship management) and project management.

You will find the complete data protection policy (“privacy policy”) here:

https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers

Atlassian complies with various IT standards through certifications and certificates, laws, regulations, and other privacy regulations. For more information, for example, on ISO 27001 certification (the leading international certification standard for information security management systems), click here:

https://www.atlassian.com/trust/compliance/resources/iso27001

In addition, the data processing is carried out by Atlassian as one of our so-called processors in accordance with Art. 28 DSGVO on the basis of a data processing agreement (DPA – Data Processing Addendum). You can find out more about this from Atlassian here:

https://www.atlassian.com/de/legal/data-processing-addendum

 

Google

(Google LLC, Mountain View/USA; in the EU e.g. Google Ireland Limited, Dublin/Ireland and Google Cloud EMEA Limited, Dublin/Ireland)

Google in Germany (in German):

https://about.google/?fg=1&utm_source=google-DE&utm_medium=referral&utm_campaign=hp-header

Google in the UK (in English):

https://about.google/intl/en-GB/

in particular regarding cloud-based storage (Drive), electronic written communication (Gmail), client registrations (Forms) and other office applications (Docs).

You will find the complete data protection policy (“privacy policy”) here:

https://policies.google.com/privacy?hl=en

Google (Google Workspace, Google Cloud) complies with various IT standards through certifications and certificates, laws, regulations, and other privacy regulations. You can find more information here:

https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Certificate

In addition, data processing is carried out by Google as one of our so-called processors in accordance with Art. 28 DSGVO on the basis of EU standard contractual clauses. You can find out more about this and the Google-specific legal framework for data transfers from Google here:

https://policies.google.com/privacy/frameworks?hl=en

 

Microsoft

(Microsoft Corporation, Redmond/USA; in the EU e.g. Microsoft Ireland Operations Ltd, Dublin/Ireland)

Microsoft in Germany (in German):

https://www.microsoft.com/de-de

Microsoft worldwide (choose your country/language):

https://www.microsoft.com/en-gb/locale

in particular regarding MS standard products (Microsoft 365) in connection with cloud-based storage (OneDrive).

You will find the complete data protection policy (“privacy statement”) here:

https://privacy.microsoft.com/en-us/privacystatement

Microsoft complies with various IT standards through certifications and certificates, laws, regulations, and other privacy regulations. For more information, for example, on ISO 27001 certification (the leading international certification standard for information security management systems), click here:

https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001

As a Microsoft customer located in Germany, the data we process/store remains in Germany („Sobald der Kunde Microsoft 365 abonniert, werden seine Daten automatisch in Deutschland gehostet – ohne Zusatzkosten und mit dem gleichen Servicelevel. Microsoft bietet Kunden den vollen Funktionsumfang und schützt die Datenbestände in Einklang mit deutschem und europäischem Recht.“ – "As soon as the customer subscribes to Microsoft 365, his data is automatically hosted in Germany - at no additional costs and with the same level of service. Microsoft offers customers the full range of functions and protects the data assets in accordance with German and European law."). For more information, click here (in German):

https://www.microsoft.com/de-de/microsoft-365/microsoft-365-local-datacenter?market=de

 

If the aforementioned service providers transfer/store data in the USA, the Adequacy Decision for the EU-US Data Privacy Framework (EU-US DPF) published by the EU Commission on July 10, 2023 applies; you can access this decision here:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

The EU Commission has thus determined that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies within this new framework (EU-US Data Privacy Framework). U.S. companies can join this program by agreeing to comply with detailed data protection obligations. Amazon.com, Inc. (and its subsidiary Amazon Web Services, Inc., among others), Atlassian, Inc, Google LLC, and Microsoft Corporation are registered participants in this program.

Program participants can be searched through a U.S. Department of Commerce website:

https://www.dataprivacyframework.gov/s/participant-search


 

Platform Use, Financing Requests

 

In the course of the use of the platform and the conclusion of loan and other financing agreements, personal data of the clients / users of the platform (if applicable also data of their principals) and, if applicable, of the tenants or owners of the property to be financed as well as other related third parties are required and therefore collected, processed and used. They are stored, processed and transmitted to potential financing partners and, if applicable, to other service providers such as appraisers, external data providers or other consultants for the purpose of fulfilling the business purpose associated with the use of the platform and for further use in the context of a specific loan brokerage and loan granting or the conclusion of other financing contracts.

If the client uses the platform for a financing request, then he provides the required information and documents (hereinafter collectively referred to as "information") as specified within the platform-based process by entering data and uploading the required files on the platform. This information is made available to potential financiers or financing intermediaries (hereinafter collectively referred to as "financier") in the course of the further loan brokerage process within the platform and also outside the platform, following automatic or manual selection by us. Contact with potential financiers by us takes place at our own discretion – automated via the platform or outside the platform by personal approach.

We have a business relationship with the recipients of this aforementioned information. These recipients are carefully selected by us, are obligated to us to treat the information transmitted to them confidentially and may only use it to fulfill their tasks required for the respective financing request.

Depending on the content, this transmitted information may contain sensitive personal data (e.g. ID card data). You are not obliged to provide us with such data. If the information is required for individual services we provide, you should check it in advance and, if necessary, make sensitive information (e.g. certain details in the purpose of use in account statements) unidentifiable. If you nevertheless provide such data, you thereby consent at the same time to the processing by us and the aforementioned recipients of the information.


 

Use of Cookies

 

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If you visit a website, a cookie may be stored on your operating system. This cookie contains a characteristic string of characters that allows your browser to be uniquely identified when you return to the website. With a modern web browser, you can monitor, restrict or prevent the setting of cookies. Many web browsers can be configured to automatically delete cookies when you close the program.

To operate our website, we use the cloud-based web development platform Wix (Wix.com Ltd.); their corporate website can be found here:

https://www.wix.com/

Wix uses cookies for important reasons: to provide you with an optimal visitor experience, to recognize registered users, to monitor and analyze the performance, operation, and effectiveness of the Wix platform, and to ensure that our website and platform are secure.

Only necessary (essential) cookies are set when you access our website. You can learn more about the nature, purpose and storage period of these necessary cookies from Wix here:

https://support.wix.com/en/article/cookies-and-your-wix-site

With respect to the transfer/storage of data, Wix provides the following information in Section 5.3 of its data protection policy: "If you are in Europe, the U.K., or Switzerland, when we transfer your Personal Information to a location outside of Europe, We will make sure that (i) there is a level of protection deemed adequate by the European Commission or (ii) that the relevant Standard Contractual Clauses are in place." The complete data protection policy (“privacy notice”) can be found here:

https://www.wix.com/about/privacy

Wix has its headquarters in Israel. The EU Commission has issued a so-called adequacy decision on this country; you can find it here in various languages:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32011D0061

If Wix transfers/stores data in the USA, the Adequacy Decision for the EU-US Data Privacy Framework (EU-US DPF) published by the EU Commission on July 10, 2023 applies; you can access this decision here:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

The EU Commission has thus determined that the United States ensures an adequate level of protection for personal data transferred from the EU to U.S. companies within this new framework (EU-US Data Privacy Framework). U.S. companies can join this program by agreeing to comply with detailed data protection obligations. Wix (Wix.com Inc.) is a registered participant in this program.

Program participants can be searched through a U.S. Department of Commerce website:

https://www.dataprivacyframework.gov/s/participant-search

If Wix transfers/stores data in countries other than Israel, the USA or within the EU/EEA, Wix provides appropriate guarantees in accordance with Art. 46 of the DSGVO for the protection of personal data. You can find out more about this from Wix here:

https://support.wix.com/en/article/wix-security-measures-overview

According to this warranty information, Wix is certified according to ISO 27001 (the leading international certification standard for information security management systems) and in compliance with ISO 27018 (international code of conduct for data protection in the cloud).

In addition, the data processing is carried out by Wix as one of our so-called processors in accordance with Art. 28 DSGVO on the basis of a data processing agreement (DPA - Data Processing Addendum).

This agreement ("data processing addendum processing") can be found here:

https://www.wix.com/about/privacy-dpa-users


 

Social Media Plugins

 

We do not use any so-called social plugins on our website.

However, we provide further information on our website via links to external social media providers such as LinkedIn and YouTube and to other websites, without giving rise to any data protection obligations for us. Before using these links, please inform yourself about the data protection regulations of the respective provider.


 

Your Rights as Data Subject

 

As a data subject, you have various rights:

  • Right to withdraw your consent (Art. 7 (3) DSGVO): You have the right to revoke consent you have given to us at any time. This has the consequence that we no longer continue the data processing based on this consent for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

  • Right of access to information about your personal data processed by us (Art. 15 DSGVO): You may request information about your personal data processed by us. This applies in particular to the purposes of the data processing, the categories of personal data, if applicable, the categories of recipients, the storage period, if applicable, the origin of your data and, if applicable, the existence of automated decision-making, including profiling and, if applicable, meaningful information on its details.

  • Right to rectification of your personal data stored by us that is incorrect (Art. 16 DSGVO): You may request the correction of inaccurate personal data, or the completion of incomplete personal data, stored by us.

  • Right to erasure of your personal data (Art. 17 DSGVO): You may request the erasure of your personal data stored by us, unless its processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.

  • Right to restriction of processing of your personal data (Art. 18 DSGVO): You may request the restriction of the processing of your personal data insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you oppose the erasure. In addition, you have this right if we no longer need the data, but you need it to establish, exercise or defend legal claims. Furthermore, you have this right if you have objected to the processing of your personal data.

  • Right to data portability of your personal data (Art. 20 DSGVO): You may request that we transfer the personal data you have provided to us in a structured, commonly used and machine-readable format. Alternatively, you may request the direct transmission of the personal data you have provided to us to another controller, where this is possible.

  • Right to object to the processing of your personal data (Art. 21 DSGVO): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) lit. e or f DSGVO; this also applies to profiling based on these provisions. The controller will then no longer process the personal data concerning you, unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims. If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to processing of the personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

  • Right to complain to a supervisory authority (Art. 77 DSGVO): You can complain to the supervisory authority responsible for us, e.g. if you believe that we are processing your personal data in an unlawful manner. The competent supervisory authority regarding data protection issues is the State Data Protection Commissioner of the federal state in which our company's registered office is located; the authority responsible for us is the Commissioner for Data Protection and Freedom of Information in Berlin: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin; website:
    https://www.datenschutz-berlin.de

In order to assert your rights described here, you can contact us informally at any time using the contact details provided in this privacy policy. Provided that the respective legal requirements are met, we will comply with your data protection request. Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if there are grounds for establishing, exercising or defending legal claims. The legal basis is Art. 6 (1) lit. f DSGVO, based on our interest in defending against any civil claims under Art. 82 DSGVO, avoiding fines under Art. 83 DSGVO and fulfilling our accountability obligations under Art. 5 (2) DSGVO.


 

Amendment of the Privacy Policy

 

Our privacy policy may be adapted at irregular intervals so that it complies with current legal requirements or in order to implement changes to our services, e.g. when new offers are added. The new privacy policy will then automatically apply to your next visit. We ask you to check this privacy policy regularly for changes.



 

CRE 42 GmbH

Gounodstr. 54

13088 Berlin / Germany

compliance@crex.capital

 

September 18, 2023
