Privacy Policy
In this Privacy Policy, we inform you about the processing of your personal data.
Controller responsible for the processing of your personal data is:
Heartfelt APX GmbH & Co. KG
Zimmerstraße 50
10888 Berlin
E-mail address: hello@heartfelt.capital
Phone number: + 49 30 2591 78001
Represented by the general partner (personally liable)
Heartfelt Capital GP GmbH
Zimmerstraße 50
10888 Berlin
Represented by the managing directors Dr. Henric Hungerhoff and Jörg Rheinboldt
Purposes of data processing and legal basis
We process personal data (Article 4 No. 2 GDPR) in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) and comply with the provisions of the Telecommunications Telemedia Data Protection Act (“Telekommunikation-Telemedien-Datenschutz-Gesetzes”, TTDSG) when using cookies and similar technologies.
Provision of the Website
We process your personal data in order to provide you the Website https://heartfelt.capital/ ("Website").
Logfiles
When you visit the Website, the browser used on your end device sends information automatically to our Website server. This information is temporarily stored in a so-called logfile. The following information is collected without you being involved and stored until automatic deletion: IP address of the requesting device, date and time of access, name and URL of the accessed file, Website from which the access is made ("referrer URL"), if applicable the search engine used by you, browser used and if applicable the operating system of your device as well as the name of your access provider. Logfiles serve as a source of information for error analysis in the event of a system crash, allowing lost data to be reconstructed. They can also be used to analyse user behaviour.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interests follow in particular from the following purposes:
Ensuring a functioning connection of the Website,
Ensuring a comfortable use of the Website,
Statistical evaluation using a pseudonym in order to optimise the Website as well as the quality and range of our services,
Evaluation of system security and stability, and
Fulfilment of other administrative purposes.
Cookies
We only use cookies on the Website that are technically necessary to enable you to use the Website. Cookies are small text files that are placed in the memory of your browser or device when you visit the Website. Cookies contain information about your visit of our Website, such as login information, browser information and your chosen language.
These cookies are placed by the provider Bubble Group, Inc., 900 Broadway, Suite 504, New York, NY 10003, USA ("Bubble"), which hosts the Website for us. The cookies are required for the operation of the Website. We use these cookies to allow you to access our Website and to effectively provide you the Website´s functionalities, to identify you as being logged into the Website or to authenticate you, and to prevent fraud and improve the security of the Website. The cookies will only be stored on your device as long as your browser is active ("session cookies"). We will not combine the data with other personal data and will not use the data for advertising purposes.
Via the cookies, Bubble collects information on your use of the Website. This includes:
Information about your browser, network and device;
Web pages you visited before coming to the Website;
Web pages you access on this Website;
Date and time of your visit; and
Your IP address.
As these cookies are necessary to provide you with the Website and the services offered via the Website, you cannot refuse them. Our legitimate interest in data processing lies in this purpose. The legal basis for the use of cookies is Art. 6 para. 1 p. 1 lit. f GDPR, Section 25 para. 2 number 2 TTDSG.
As a host provider of the Website Bubble as US-based entity has access to the data. Further Bubble uses the services of Amazon Web Services to host Websites built on Bubble. Your data may be transferred to and stored on servers in the USA, a third country outside the European Union (EU) and the European Economic Area (EEA) not recognized under EU Data Protection Law as providing an adequate level of protection for your personal data. If the data is transferred to the US, according to the data protection authorities, there is nevertheless a risk that your data will be processed by authorities, for control and for monitoring purposes, without you being informed or having the right to appeal. Bubble may also use sub-processors in such countries.
For this reason, we have concluded a data processing agreement within the meaning of Art. 28 GDPR with Bubble including the EU Standard Contractual Clauses (SCC) to make sure that the processing of your data is covered by appropriate guarantees within the meaning of Art. 46 para. 2 p. 1 lit. c GDPR. Please refer to our general information on the data processing outside the EU (see Sec. 7 of this Privacy Policy) or contact us using the contact details provided in this Privacy Policy.
For more information on the purpose and scope of the data collection and processing by Bubble, please visit https://bubble.io/dpa and https://bubble.io/privacy.
Simple links to our Social Media Fanpages
Our Website also contains simple links to our profiles on Social Media (Instagram, Twitter etc., “Social Media Fanpages”). If you click on the link, you will leave our Website. The data processing on these Social Media Fanpages is governed by the data protection provisions available there.
Funding applications
Application process
When you apply for funding from us, we collect the personal data you provide us with when contacting us, e.g., when filling out our online application form, contacting us via e-mail and sending us your pitch deck. Your application data can be any personal data that you provide us with that could help us to make an investment decision. We may also obtain and review such information from third parties or from publicly accessible sources in order to come to a well-founded investment decision.
This data usually includes, without limitation, your pitch deck itself, identification and contact details (e.g. first name, last name, e-mail address, telephone number), data about your company (e.g. company name and website, the information whether you are incorporated, number of founders and members and financial information about the company), data about your general business (e.g. your business model, your branch of industry, product information) and information about your motivation (e.g. how you found us).
We process your application data for the evaluation of your pitch, for carrying out the selection process and making the decision on our investment. The legal basis for data processing is Art. 6 para. 1 lit. b GDPR, as these are pre-contractual measures that precede a potential investment agreement with you or our legitimate interest according to Art. 6 para. 1 lit. f GDPR to come to a well-founded investment decision. If you provide us with data that is not absolutely necessary for the application, the processing of this voluntary data is based on your consent; the legal basis is then Art. 6 para. 1 lit. a GDPR or Art. 9 para 2 lit. a GDPR insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are affected in the individual case.
You can ask us to delete your data at any time by sending an e-mail to (hello@heartfelt.capital). Please note that this will mean that if you have an application process that is still ongoing, you will withdraw your application.
Video interviews
As part of our funding application process, we conduct video interviews with some of our applicants.
We use the video conferencing system of the provider Google Ireland Limited ("Google Meet") to conduct the video interviews. We offer you the opportunity to take part in the video call as a "guest". Guest access is possible via the browser and via the Google Meet app. As far as you access the website of Google, Google Ireland Limited is responsible for the data processing. If you decide to download the Google Meet app, you must accept the terms of use and data protection of Google as part of running the Google Meet app. Your data may be transferred to and stored on servers in the USA, a third country outside the European Union (EU) and the European Economic Area (EEA) not recognized under EU Data Protection Law as providing an adequate level of protection for your personal data. Please refer to our general information on the data processing outside the EU (see Sec. 7 of this Privacy Policy) or contact us using the contact details provided in this Privacy Policy.
For more information on the purpose and scope of the data collection and processing by Google, please visit https://cloud.google.com/terms/data-processing-addendum and https://cloud.google.com/privacy.
We process personal data that is collected by us in the course of your participation in video interview or that we receive from you on the occasion of you participation in the interview. These are in particular the following data:
Participant details: first name, last name, telephone (optional), e-mail address, profile picture (optional).
Participation information: topic and description of the call, traffic data such as times of dial-in, use of camera, microphone and chat, end of participation.
When dialling in with the telephone: information on the incoming and outgoing call number, country name, start and end time.
Text, audio and video data: You have the opportunity to use the chat, question or survey functions during the video call. We process the text entries made by you in order to log them. If you use the audio and/or video function during the video interview, we process the data collected by the microphone and/or video camera of your terminal device. You can switch off the microphone and/or camera yourself at any time via the Google Meet app or the Google website.
We process this application data for carrying out the selection process and making the decision on our investment. The legal basis for data processing is Art. 6 para. 1 lit. b GDPR, i.e., the application process as pre-contractual measure.
Only if you have given your consent (Art. 6 para. 1 p. 1 lit. a GDPR and Art. 9 para 2 lit. a GDPR if special categories of personal data are affected, e.g., ethnic origin, religious beliefs, biometric data) we will record the video interview, in order to evaluate the application process internally and to forward it to those involved in the funding process, e.g., members of our investment team and investment committee. We will inform you of the recording when inviting you to the interview session via email as well as in the video call before we start recording. Consent is voluntary and will be logged by us. If you do not agree to this, we will conduct the interview without recording. This will not cause you any disadvantages. If we do proceed to record the interview, we will store and use the recording only to evaluate and process your application for funding. You can withdraw your consent at any time. Google will not store videos, audios, or chat data unless we start to record the video interviews. Please note that the withdrawal is only effective for the future. Processing that took place before the revocation is not affected.
Funding
We further process your personal data to make investment decisions and to carry out our investments. We process your data in particular for the purpose of concluding and processing the investment agreement with you, for the rendering of our services, in particular for the provision of access to all our extensive online and offline resources, network, curated mentors and campus, to communicate with you in connection with the provision of the funding and our services and to answer enquiries in connection with our business relationship, also using the communication channels of our Website.
For this purpose, we process the personal information that you provide to us during application for the funding (see Sec. above), for contractual purposes or in the context of enquiries, including payment data (e.g. IBAN and BIC, or account number and bank code), data about your use of our services, messages and conversation content (e.g. for answering enquiries), and other data that we are legally obliged or entitled to collect and process.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. b GDPR, i.e., the investment agreement that we conclude with you and fulfil by granting the investment and providing our services.
Cooperation with business partners
We further process personal data for the conclusion and implementation of contracts with business partners, including the implementation of pre-contractual measures, the processing of payments, and the answering of enquiries in connection with our business relationship. The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR. The purposes and further details of the data processing are defined in the respective contract.
Protection of legitimate interests
In addition, we process your data to protect the legitimate interests of ours or of third parties, such as:
Responding to your enquiries outside of a contract or a pre-contractual measure (in particular if provided via the Website’s contact form),
Assertion of legal claims and defence in legal disputes,
Ensuring IT security and IT operations,
Prevention and investigation of criminal offences, and
Measures for business management and further development of our services.
The legal basis is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest is to further develop our services or to protect ourselves against impairments and dangers and to enforce our claims.
Based on your consent
If you have given us your consent to process personal data for certain purposes (e.g., passing on data), this processing is lawful based on your consent (Art. 6 para. 1 p. 1 lit. a GDPR). You can withdraw your consent at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the revocation is not affected.
Compliance with legal requirements
In addition, we are subject to various legal obligations, i.e., legal requirements (e.g., tax laws), which require the processing of data. The legal basis for data processing is Art. 6 para. 1 p. 1 lit. c GDPR.
No obligation to provide personal data
If we ask you to provide personal data, you can of course refuse to do so. However, we may then not be able to provide certain functions of the Website or to process your application for funding or to answer your enquiries. This applies, in particular, if data is necessary for our application process, for the establishment, negotiation, execution, implementation and termination of the investment agreement and the newsletter service, or if we are legally obliged to collect data.
Categories of recipients
Within our company, those departments of individuals get access to your data that need it to provide the Website and the services offered via the Website or to fulfil our contractual and legal obligations.
We will share your data with the Heartfelt Capital Services GmbH, Zimmerstraße 50, 10888 Berlin that provides us with operational services to the entities pertaining to the Heartfelt company group, if it is necessary for the fulfilment of a contractual relationship existing between you and us or for the implementation of pre-contractual measures (Art. 6 para. 1 p. 1 lit. b GDPR) or if this is necessary to protect legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR).
We pass on your data to the recipients expressly named in this data protection declaration. In doing so, we observe the legal requirements and, if necessary, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Furthermore, we might share your data with the following categories of recipients if this is necessary for the fulfilment of a contractual relationship existing between you and us or for the implementation of pre-contractual measures (Art. 6 para. 1 p. 1 lit. b GDPR) or if this is necessary to protect legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR).
Third parties involved in the funding process, e.g., experts, mentors and (follow-on) investors as well as our advisors (e.g., legal, tax and accounting);
IT service provider;
Marketing and advertising service providers, especially in the area of email marketing;
Third parties involved in legal proceedings, provided they provide us with a legal order, court order or equivalent legal order.
Where processing is necessary to protect legitimate interests, such as when using IT services, our legitimate interest is to outsource functions. In addition, your personal data will be disclosed or transferred if required by law (Art. 6 para. 1 sentence 1 lit. c DSGVO) or if you have given your consent (Art. 6 para. 1 sentence 1 lit. a DSGVO).
Social Media Fanpages
We operate Social Media Fanpages. There we publish and share recommendations, content, competitions and offers.
When you visit the Social Media Fanpages, the Social Media provider processes information about you. You can find more detailed information on data processing in the privacy policy of the respective Social Media provider listed below. Some Social Media providers also offer the option to object to certain data processing. Please note that according to the Social Media providers, user data is also processed in the USA or other third countries.
Platform
Postal address
Link to the privacy policy
Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
https://www.facebook.com/about/privacy/
Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
https://instagram.com/about/legal/privacy
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
https://www.linkedin.com/legal/privacy-policy
1355 Market St #900, San Francisco, CA 94103, USA
https://twitter.com/de/privacy
Medium
799 Market Street
5th Floor
San Francisco,
CA 94103, USA
https://policy.medium.com/medium-privacy-policy-f03bf92035c9
Insights
Meta (Facebook, Instagram) and LinkedIn use cookies and similar technologies to record your user behavior when visiting the Social Media Fanpages and provide us with the information in anonymized form as statistics (so-called Insights). This gives us insights into how our Social Media Fanpages are used, which topics are particularly popular and what interests our Social Media Fanpages visitors have. This enables us to optimize our Social Media Fanpages and better respond to the interests of our audience. We do not have access to the personal data used by Meta or LinkedIn to create this information. Meta and LinkedIn select the data for Insights independently of us and process it accordingly.
We are jointly responsible with both Meta and LinkedIn for the collection of your data and the processing for the provision of the Insights, but not the further processing of that data by the Social Media providers. We have closed with
Meta the following agreement https://de-de.facebook.com/legal/terms/page_controller_addendum
LinkedIn the following agreement https://legal.linkedin.com/pages-joint-controller-addendum,
which specify which company fulfils which data protection obligations when processing personal data for Insights. Under these agreements, Meta and LinkedIn agree to comply with users' requests regarding their data subject rights. This means that you can contact Meta (Facebook, Instagram) or LinkedIn directly for information and deletion requests. You can find a summary of the most important provisions of the Meta agreement here https://www.facebook.com/legal/terms/information_about_page_insights_data and information regarding your data subject rights in the respective privacy policy of:
Meta: https://www.facebook.com/privacy/policy
LinkedIn: https://de.linkedin.com/legal/privacy-policy.
Contact
If you communicate directly with us via a Social Media Fanpages or share personal content with us, we are responsible for processing your data. The purpose of the data processing is to communicate with you. Furthermore, we also use the information you share with us for marketing purposes. The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 (1) sentence 1 lit. f DSGVO to get in touch with enquirers and to further develop our offer.
Storage duration and erasure
We and our service providers will process and store your personal data in accordance with applicable data protection law to the extent and for the duration necessary for the processing purposes set out in this Privacy Policy.
Log files are generally deleted after the end of the respective browser session, at the latest after seven days, unless their further storage is exceptionally necessary and lawful. The storage period of cookies depends on the individual case, which is usually fourteen days. If we process your personal data based on your consent, we store the data for the period required to process your personal data in accordance with your consent.
Something else applies if we are legally obliged or entitled to store your personal data for a longer period. With regard to the pursuit of civil claims, the storage period also depends on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years. In addition, data contained in contracts, communications or business letters may be subject to retention and documentation obligations under national law. In Germany, the retention periods are usually between 6 and 10 years.
International data transfer
For the processing of your personal data, we also use service providers located in third countries outside the European Union (EU) or the European Economic Area (EEA). These countries may have a lower level of data protection than within the European Union. In case of a data transfer to these countries, we will provide for the necessary safeguards to ensure that your data is processed as securely as within the EEA, e.g., by concluding Standard Contractual Clauses (SCC) within the meaning of Art. 46 para. 2 p. 1 lit. c GDPR or by other measures provided for by law. You can request a copy of the measures taken by contacting us at the contact details given above.
Data security
We transmit your personal data securely by using encryption. We use the TLS (Transport Layer Security) coding system for this purpose. Furthermore, we secure the Website and other systems through technical and organisational measures against loss as well as destruction, access, modification, or distribution of your data by unauthorised persons.
Rights of the data subject
Insofar as you are affected by the data processing, you have the right of access (Art. 15 GDPR), the right of rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). With regard to the right of access and the right to erasure, the restrictions according to Sections 34 and 35 BDSG apply. You also have the right to object to data processing (Art. 21 GDPR).
Your rights in detail:
Right of access: You can request the confirmation as to whether and how we process your personal data. In particular, you have a right of access to your personal data and the information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, if possible the envisaged storage period, or, if this is not possible, the criteria for determining this period; the existence of a right to rectification or erasure of your personal data, to restriction of the processing or to object to such processing; the existence of a right to lodge a complaint with a supervisory authority; the source of the data if the personal data has not been collected from you, the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved and the significance and envisaged consequences of such processing. If we transfer personal data to a third country or an international organisation, you may also request information about the safeguards we have in place to protect your data. Your right to information may be limited in individual cases by national law (Sections 29 para. 1 sentence 2, 34 BDSG) and the rights and freedoms of others.
Right to rectification: You may request the rectification of inaccurate personal data with undue delay or, taking into account the purposes of the processing, the completion of incomplete personal data – also by means of providing a supplementary declaration.
Right to erasure: You have a right to immediate erasure of your personal data under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent and there is no other legal basis for the processing, or if you have objected to the processing of your data for direct marketing purposes. The right does not exist to the extent the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the exercise of a public power vested in us, or for the establishment, exercise or defence of legal claims. Your right to erasure may be limited in individual cases by national law (Section 35 BDSG).
Right to restriction of processing: You may request the restriction of processing if you contest the accuracy of the personal data for the duration of the verification of the accuracy by us, if the processing is unlawful but you object to the erasure of your personal data, if we no longer need your personal data but you need the data to establish, exercise or defend legal claims, or if you have objected to the processing.
Right to data portability: You have the right to data portability, i.e. the right to receive and transmit the personal data you have provided to us in a structured, commonly used and machine-readable format, if we process your personal data on the basis of your consent or a contract and the processing is carried out by automated means.
Right of objection according to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 p. 1 lit. e GDPR (public security) or Art. 6 para. 1 p. 1 lit. e GDPR (legitimate interests); this also applies to profiling based on these provisions. We shall no longer process this data upon the lodging of the objection, unless there are compelling reasons for the processing that merit protection, e.g. processing for the establishment, exercise, or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is associated with such direct marketing. We will no longer process your personal data for direct advertising if you exercise your right to object.
If our processing of your personal data is based on consent (Art. 6 para. 1 p. 1 lit. a GDPR), you may withdraw this consent at any time; the lawfulness of the data processing carried out on the basis of the consent until withdrawal remains unaffected by this.
To assert your rights and for further questions on the subject of personal data, you can contact us at any time using our contact details above (see Section 1).
Regardless of this, you have the right to file a complaint with a supervisory authority – in particular in the EU member state of your place of residence, your place of work or the place of the alleged infringement – if you believe that the processing of personal data concerning you violates the GDPR or other applicable data protection laws (Art. 77 GDPR, Section 19 BDSG).
No automated decision-making in individual cases
For the establishment and implementation of the business relationship, we generally do not use fully automated decision-making pursuant to Art. 22 GDPR. Should we use this procedure in individual cases, we will inform you of this separately if this is required by law.
Status: May 1, 2023