Data Privacy Policy of QPLIX GmbH for the Use of QPLIX Account Information Services by Parqet End Users

QPLIX processes personaldata of users of the service provided via the internet (website and app) by Parqet Fintech GmbH, Ballindamm 27, 20095 Hamburg (hereinafter "Parqet")(such users hereinafter "Parqet End Users") in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and other applicable data protection legislation.

1. Controller and Data Protection Officer
‍The controller responsible for the processing of personal data within the meaning of the GDPR is:

‍QPLIX GmbH (hereinafter "QPLIX")
Managing Directors: Mathias Lindermeir, Kai Linde, Philipp Pötzl
Nußbaumstrasse 12, 80336 Munich, Germany
Tel: +49 89 998 2716-0
E-Mail: info@qplix.com
Local Court (Amtsgericht) Munich, HRB 200052

‍Data Protection Officer:
Mr Markus Bischof
QPLIX GmbH, Nußbaumstrasse 12, 80336 Munich, Germany
E-Mail: info@qplix.com
Tel: +49 89 998 2716-0

2. Sources and Categories of Data
QPLIX processes personal data of Parqet End Users (hereinafter "Customer Data") which it receives from the Parqet End Users, from Parqet or from the financial service providers maintaining the Parqet End Users' accounts and/or securities accounts (Depots).

Customer Data processed by QPLIX may include:
- First name, last name, address, contact details (telephone number, e-mail address),
- User ID assigned by Parqet,
- IP address, device type, device ID and other device-specific information relating to the end device used,
- Name of the financial service provider maintaining the account/securities account (Depot), account/securities account number, access credentials and security credentials for the account/securities account,
- Data relating to account balances/portfolio holdings as well as account transactions/portfolio movements,
- Timestamps of the Parqet End User's consent to the Terms of Use for Parqet End Users of QPLIX Account Information Services (hereinafter "QPLIX Terms of Use") as well as the start and end of the retrieval of information from the account/securities account, and other data relating to the manner in which the specific account/securities account retrieval was carried out.

3. Purpose of Processing Customer Data
The Customer Data collected is processed by QPLIX for the following purposes:
‍
- Pre-contractual measures and contract performance: Implementation of pre-contractual measures and fulfilment of contractual obligations towards the Parqet End User, as described in the QPLIX Terms of Use (Article 6(1)(b) GDPR).
- Legal obligations: Compliance with statutory obligations, in particular regulatory requirements (Article 6(1)(c) GDPR).
- Legitimate interests: Processing for the purpose of safeguarding legitimate interests of QPLIX, for example the creation of anonymised analyses for the improvement of services, legal defence, or ensuring the IT security and IT operations of QPLIX, provided that the interests, fundamental rights or fundamental freedoms of the Parqet End User do not override such interests (Article 6(1)(f) GDPR).

4. Disclosure of Data to Third Parties
As a general principle, QPLIX does not disclose Customer Data to third parties. By way of exception, disclosure is made to third parties contractually bound to observe dataprotection and data security obligations, to the extent required for the purposes set out in Section 3. Such recipients include in particular:
‍
- QPLIX employees acting within the scope of their duties,
- external service providers (e.g. IT service providers, account information service providers),
- Parqet,
- financial service providers maintaining accounts and/or securities accounts.
‍
Disclosure is in each case limited to what is necessary for the fulfilment of the relevant purpose.

5. No Transfer of Customer Data to a Third Countryor International Organisation
No transfer of Customer Datato countries outside the EU or the EEA (so-called third countries) or to an international organisation takes place.

6. Retention Period and Deletion
QPLIX retains Customer Datafor as long as this is necessary for the fulfilment of contractual or statutory obligations.

Once Customer Data is nolonger required for the fulfilment of contractual or statutory obligations, it is regularly deleted, unless its continued – time-limited – processing is required for the following purposes:

- Compliance with commercial, tax or regulatory retention obligations, with retention periods generally ranging from two to ten years.
- Preservation of evidence for the duration of statutory limitation periods (up to 30 years, where by the standard limitation period is three years).

7. Data Protection Rights of Data Subjects
7.1 General Data Protection Rights
‍
Parqet End Users have the following data protection rights:
‍
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)

7.2 Exercise of Rights and Identity Verification
Parqet End Users may contact the QPLIX Data Protection Officer at any time (contact details see Section 1).

In order to process requests, it may be necessary for the Parqet End User to provide his or her full first and last name, current (and where applicable former) address, date of birth and e-mail address. This information serves to verify the identity of the Parqet End User and thus to protect the Parqet End User against unauthorised access by third parties.

The right of access and the right to erasure are subject to the limitations set out in Sections 34 and 35 of the German Federal Data Protection Act (BDSG).

7.3 Right to Lodge a Complaint
Parqet End Users have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. The respective Parqet End User may exercise this right in particular with a data protection supervisory authority in the Member State of his or her habitual residence, place of work or the place of the alleged infringement.

The supervisory authority responsible for QPLIX is:

Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA)
Promenade 18, 91522 Ansbach, Germany
Tel: +49 981 180093-0
E-mail: poststelle@lda.bayern.de
Web: www.lda.bayern.de

8. Profiling
No automated decision-making (e.g. profiling) takes place.

9. Obligation to Provide Personal Data
The Parqet End User is under no obligation to provide Customer Data prior to entering into a contractual relationship with QPLIX. However, without the necessary Customer Data, QPLIX will not be in a position to conclude the contract and provide the agreed services.