Privacy Policy
Privacy Policy for the website and platform available on www.bunch.capital
At bunch technology GmbH (“we”, “us”, “our”), we take data protection very seriously. This Privacy Policy describes how we as controller within the meaning of the General Data Protection Regulation ("GDPR") collect and further process your personal data when you (“user”, “users” or “you”) use the website www.bunch.capital (“Website”) and/or the platform available via the Website (“Electronic Platform”).
Content Overview
- Controller
- Description of the Data Processing / Processing Purposes
- Categories of Personal Data / Legal Basis / Requirement to provide Personal Data
- Recipients
- International Data Transfers
- Retention
- Your Rights Under Data Protection Law
- Changes to this Privacy Policy
Controller
Our contact details are as follows:
bunch technology GmbH
Neue Schönhauser Str. 13
10178 Berlin
hi@bunch.capital
Description of the Data Processing / Processing Purposes
We are the technical operator of the Electronic Platform. Via the Electronic Platform users can collaborate and establish a German Partnership pursuant to German civil law (Gesellschaft bürgerlichen Rechts), a German limited liability company (Gesellschaft mit beschränkter Haftung) or entrepreneurial company (Unternehmergesellschaft (haftungsbeschränkt)) as well as a German limited partnership (GmbH & Co KG) (the “Investment Vehicle”). The Investment Vehicle can then manage its investment activities via the Electronic Platform. Thus, the Investment Vehicle is responsible for the processing of all personal data about the users that relate to the establishment of the Investment Vehicle and the management of the investments through the Investment Vehicle.
We are merely the controller for your personal data relating to job applications submitted via the Website, the registration with the Electronic Platform, and cookies and similar technologies as further described below.
- Job Application with bunch
You can send us your job application via our Website. If you decide to do so, we will process your personal data to review and process your application, to carry out the recruiting process, to decide whether or not we will make you an offer, to comply with applicable legal obligations, and, if necessary, to defend our legal interests.
- Registration
If you want to use the Electronic Platform, you are required to register with the Electronic Platform. Your personal data provided during registration is processed by us to ensure that (i) you meet our eligibility requirements (see section 2 of our Platform Terms and Conditions https://www.bunch.capital/terms-conditions), (ii) only authorized users access the Electronic Platform and (iii) we have appropriate security measures for the Electronic Platform in place to prevent fraud and misuse by unauthorized individuals.
- Cookies
Furthermore, we collect and process certain data relating to your use of the Website and the Electronic Platform through cookies and similar technologies (“Cookies”) for purposes such as ensuring security, technical stability and overall proper functioning of the Website and Electronic Platform.
Categories of Personal Data / Legal Basis / Requirement to provide Personal Data
- Categories of Personal Data:
We process the following categories of personal data per processing purpose:
- Job Application: Name, contact details, CV, educational and work history, degrees and diplomas, skills, qualifications, references, interview notes, application assessments, internal feedback;
- Registration: name, email address, password, mobile phone number, country of residence, and positive eligibility requirements;
- Cookies: Your personal data processed via and in connection with Cookies is further specified in the table below:
| Cookie Name | Type | Expiry | Description | Data |
| --- | --- | --- | --- | --- |
| bunch.sid (bunch-ts-backend.prod.bunch.capital) / Login | 1st Party; strictly necessary Cookie | Session | When you log into the Electronic Platform, this login cookie is dropped. The login cookie stores an authentication token which tells the Electronic Platform that the device on which the login cookie is stored has successfully logged in and can browse through the Electronic Platform and open subpages of the Electronic Platform. | Encrypted authentication token |
| okta-oauth-state (frontend.prod/stage.bunch.capital) / Login & Session | 3rd party; strictly necessary Cookie | Session | The Electronic Platform uses session storage in the browser to store the identity tokens. The identity token tells the backend that the particular user that has logged into the Electronic Platform is authorized to review the particular compliance data of the particular user to whom the credentials belong. There is no transfer of data to the web server, and it stays in the browser of the user. The identity token will only exist when a user successfully authenticates with username and password. When the user closes the tab or browser, even while still logged in, and then opens a new tab or browser, the data in session storage from the previous session can no longer be retrieved. | Encrypted authenticated external user ID |
| okta-oauth-state (frontend.prod/stage.bunch.capital) / Login & Session | 3rd party; strictly necessary Cookie | Session | Random initial seed used during the authentication process, to identify the user in the authentication. | Random string |
| okta-oauth-state (frontend.prod/stage.bunch.capital) / Login & Session | 3rd party; strictly necessary Cookie | Session | Storing of the URL used to redirect the user from external authentication provider to Electronic Platform frontend. | Redirect parameters |

- Legal Basis
In the table below, we summarize the legal bases applicable to the data processing activities / processing purposes described in 2. above.

| Data Processing Activity as specified in 2. above | Applicable Legal Bases (may vary depending on the details of the processing activity) |
| --- | --- |
| Job Application | Sec. 26 para. 1 Federal Data Protection Act (processing necessary for hiring decisions); Art. 6 para. 1 lit. f GDPR (legitimate interest); Art. 6 para. 1 lit. a GDPR (consent) |
| Registration | Art. 6 para. 1 lit. b GDPR (performance of contract); Art. 6 para. 1 lit. f GDPR (legitimate interest); Art. 6 para. 1 lit. a GDPR (consent); Art. 6 para. 1 lit. c GDPR (compliance with legal obligations) |
| Cookies | Sec. 25 para. 2 no. 2 Telecommunications Telemedia Act (deploying necessary cookies); Sec. 26 para. 1 Federal Data Protection Act |

- Requirement to provide Personal Data
When you register for the Electronic Platform or apply to a job offering of bunch via the Website, you provide your personal data voluntarily and actively. Providing your personal data is not required by law but is necessary to enter into a contract with us (regarding the Electronic Platform) and to apply to a job offering with bunch. Without providing such data, we cannot enter into a contract with you or review your job application.
In other cases, your personal data is collected automatically by Cookies on our Website and the Electronic Platform. The provision of your personal data is not required by law or contract, but in certain cases (strictly necessary Cookies) it is necessary to enable your use of the Website and the Electronic Platform. Without such strictly necessary Cookies, both the Website and the Electronic Platform may not function properly so that these Cookies cannot be disabled. Where this is not the case (i.e., non-necessary Cookies), you are not required to provide your personal data and you can deny your consent to such non-necessary Cookies. If you do not want to provide your personal data via non-necessary Cookies, you will not suffer any disadvantages. However, you may not be able to use certain features of the Website and the Electronic Platform, if you do not consent to the use of such non-necessary Cookies.
Recipients
In addition to us, the following recipients may have access to your personal data processed in connection with the Website and the Electronic Platform:
- Service providers

| Name | Services provided |
| --- | --- |
| Okta Inc. | Identity and access management for the Electronic Platform |
| Kerberos Compliance-Managementsysteme GmbH | AML and KYC checks of investors |
| Typeform Inc. | Initial sign-up process storing user data |
| Amazon Web Services, Inc. | Providing on-demand cloud computing services and storage for the website and platform |
| Hubspot Inc. | CRM system services for storing and processing of customer data |

- Third parties
- The Investment Vehicle, which enters into a service contract with us, under which we will provide certain investment related services to the Investment Vehicle and its shareholders / Partners (as defined in the service contract / the partnership agreement);
- If necessary to investigate illegal use of the Website or the Electronic Platform, violations of the Platform Terms and Conditions or for the establishment or exercise of related legal claims, we may disclose personal data to competent law enforcement authorities and, if necessary, to injured third parties. We may also be legally obligated to provide information to certain public authorities upon request, such as law enforcement agencies, authorities that prosecute administrative offenses subject to fines and tax authorities.
- We may also disclose personal data to auditors, accounting service providers, lawyers, banks, tax advisors and similar bodies to the extent necessary for the provision of our services or for the proper operation of our business.
International Data Transfers
We may transfer your personal data to recipients outside the European Union / European Economic Area (“EU/EEA”).
- Some recipients of your personal data outside the EU/EEA, e.g., certain service providers or third parties, are located in countries for which the European Commission has determined that this country ensures a level of protection equivalent to the level of data protection in the EU/EEA (adequacy decision). Thus, your personal data are protected pursuant to Art. 45 GDPR.
- Some recipients of your personal data are located in a country for which the European Commission has not adopted an adequacy decision. This applies in particular to service providers in the USA. In those cases, we have entered into appropriate data transfer agreements with the recipients based on the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR and will implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access and against all other unlawful forms of processing. A copy of the executed standard contractual clauses can be requested via the contact details provided under 1. above.
Retention
We generally retain your personal data for as long as required or permitted by applicable law, in particular for as long as such data might be needed to fulfil or defend against claims that are not yet time-barred, e.g., pursuant to Sec. 195 German Civil Code or Sec. 21 of the General Act on Equal Treatment. Thereafter, we will remove your personal data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it.
Personal data that we process for the purposes set out in section 2 above will be stored only as required to meet our data retention obligations under the applicable legal provisions. In case of legal actions, the personal data may be stored until the end of the relevant measure, including any appeal periods, and will subsequently be deleted or archived to the extent permitted by applicable law.
Your Rights Under Data Protection Law
You have the rights described below in relation to the processing of your personal data. To exercise your rights, you can make a request by post or email to our address above. Your rights may be restricted by law, in particular to the extent that your personal data constitutes a trade secret or business secret.
- Right of access: You have the right to obtain confirmation from us at any time as to whether or not personal data concerning you are being processed, and, where that is the case, to obtain access to the personal data relating to you that is being processed by us to the extent and under the conditions of Art. 15 GDPR.
- Right to rectification: You have the right to obtain from us without undue delay rectification and completion of your personal data if it is inaccurate or incomplete, Art. 16 GDPR.
- Right to erasure: You have the right to request erasure of personal data concerning you from us under the conditions of Art. 17 GDPR.
- Right to restriction of processing: You have the right to obtain from us restriction of processing in accordance with Art. 18 GDPR. This right exists in particular (i) if the accuracy of the personal data is contested between you and us, for a period enabling us to verify the accuracy of the personal data, (ii) if you request restricted processing instead of erasure in case of an existing right to erasure, (iii) if the personal data are no longer necessary for the purposes pursued by us, but you need them for the establishment, exercise or defence of legal claims, or also (iv) if the successful exercise of an objection is still disputed between you and us.
- Right to data portability: You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.
- Right to object: In certain cases, you have the right to object to the processing on grounds relating to your particular situation in accordance with Art. 21 GDPR. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
- Right to withdraw consent: If we have requested your consent to the processing of your personal data and you have provided such, you have the right to withdraw your consent at any time with effect for the future, free of charge. Any withdrawal of consent does not affect the lawfulness of the processing prior to such withdrawal.
- Notification obligation regarding rectification or erasure: Pursuant to Art. 19 GDPR, we shall notify all recipients to whom personal data have been disclosed of any request for rectification or erasure of the personal data or for restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to request information about these recipients from us.
- Complaint to the data protection authority: You also have the right to lodge a complaint with the competent data protection authority if you believe that we have not complied with applicable data protection laws. Our competent data protection authority is the following:
Friedrichstr. 21
910969 Berlin
mailbox@datenschutz-berlin.de
Changes to this Privacy Policy
We may amend or supplement this Privacy Policy at any time with effect for the future. You can access the most current version of this Privacy Policy at https://www.bunch.capital/privacy-policy.