Data Protection

I. NAME AND ADDRESS OF THE CONTROLLER

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

CYCAP Asset Management GmbH Speersort 10 20095 Hamburg Germany Tel.: 040 688 788 0 Email: info@cycap.com Website: www.cycap.com

II. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

IBS data protection services and consulting GmbH Zirkusweg 1 20359 Hamburg Germany Tel.: 040 540 90 97 80 Email: datenschutz@cycap.com Website: https://ibs-data-protection.de

III. PURPOSES OF PROCESSING

A. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

  • Referrer (previously visited website)
  • Requested webpage or file
  • Browser type and version
  • Operating system used
  • Device type used
  • Time of access
  • IP address in anonymized form (used only to determine the location of access)

The data is also stored in our system’s log files. This data is not stored together with other personal data of the user.

Storage in log files serves to ensure the functionality of the website. The data also helps us optimize the website and ensure the security of our IT systems. No evaluation of the data for marketing purposes takes place in this context.

These purposes also represent our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.

Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected for the provision of the website, this is when the respective session ends. In the case of data stored in log files, this is after seven days at the latest. Further storage is possible, in which case the users’ IP addresses are deleted or anonymized so that identification of the accessing client is no longer possible.

You must provide this data without any legal or contractual obligation. Visiting our website is not possible, or only possible with restrictions, without providing this information.

B. HOSTING

This website is hosted externally. Personal data collected on this website is stored on the host’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR). Where consent has been obtained, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device within the meaning of the TDDDG. Consent may be revoked at any time.

Our host(s) will only process your data to the extent necessary to fulfill their service obligations and will follow our instructions with respect to this data.

We use the following host:

Homepage Helden GmbH Poststraße 20 20354 Hamburg

We have concluded a Data Processing Agreement (DPA) for the use of the above service. This is a data protection legally required contract that ensures the host processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

C. USE OF COOKIES

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. The cookie contains a characteristic string that enables unique identification of the browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.

This website uses the local plugin Cookiebot Consent, which sets a technically necessary cookie (Cookiebot) to store your cookie consents.

The following data is stored and transmitted in cookies:

  • Operating system, browser, etc.
  • Language settings
  • Number of page views
  • Timestamps
  • Privacy settings such as cookie preferences

The legal basis for processing personal data using technically necessary cookies is Art. 6(1)(f) GDPR. User data collected via technically necessary cookies is not used to create user profiles.

The legal basis for processing personal data using cookies for analytical purposes, where the user has given their consent, is Art. 6(1)(a) GDPR.

Cookies are stored on the user’s computer and transmitted to our site. Therefore, as a user, you have full control over the use of cookies. You can disable or restrict the transmission of cookies by changing your browser settings. Cookies already stored can be deleted at any time, including automatically.

There is neither a legal nor contractual obligation to provide your data. However, visiting our website is not possible, or only possible with restrictions, without providing this information. If cookies are disabled for our website, not all functions of the website may be fully available.

C. VIMEO ACCOUNT AND EMBEDDING OF VIDEOS ON THE WEBSITE

Our Vimeo account, provided by Vimeo.com, Inc., 330 West 34th Street, 10th Floor, New York, New York 10001, is used by us to host and manage our videos. Vimeo operates the online video portal as a controller within the meaning of data protection law. When you access our account or individual videos, subscribe, comment, or react, Vimeo collects information about you that you provide through your visit (e.g., username, comments, subscriptions, likes, dislikes on our videos). Vimeo also collects data on the browser used, the device, and the IP address. Vimeo analyzes your reaction and behavior in relation to our channel and videos and provides us with statistical information in anonymized form via Vimeo Analytics. This analysis data is provided by Vimeo as a data processor pursuant to Art. 28 GDPR.

This website also embeds videos from Vimeo to provide you with content. Vimeo sets a cookie in the user’s browser by embedding the URL. The cookie stores user behavior and passes it on to Vimeo. The following data is collected: technical data (IP address, referrer URL, date and time, browser type, operating system) and usage data such as interactions with the video. If you are logged in as a user, Vimeo records all actions you take on the site and can assign your activities to your personal profile.

The processing of data collected when visiting our channel is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR to make our videos available.

The reading of website visitor data and transmission to Vimeo when embedding videos only occurs if you have consented to data processing (two-click solution). The legal basis in this case is your consent pursuant to Art. 6(1)(a) GDPR. The transfer of personal data to Vimeo is based on the adequacy decision (Vimeo.com Inc. is certified under the Data Privacy Framework).

Data collected by us in connection with the Vimeo account is stored for as long as necessary for the management of our videos. Storage of data by Vimeo is carried out in accordance with their privacy policy: https://vimeo.com/privacy

You have the right to object to data processing based on Art. 6(1)(f) GDPR. There is neither a legal nor contractual obligation to provide your data. However, visiting our website is not possible, or only possible with restrictions, without providing this information.

E. USE OF WEB SERVICES

GOOGLE MAPS

This site uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

To ensure data protection on our website, Google Maps is disabled when you first visit our website. A direct connection to Google’s servers is only established when you independently activate Google Maps (consent pursuant to Art. 6(1)(a) GDPR). This prevents your data from being transmitted to Google when you first visit the page.

After activation, Google Maps will store your IP address, which is then generally transmitted to a Google server in the USA and stored there.

When Google Maps is activated, Google Fonts are also used. Your browser loads the required web fonts into its browser cache to display texts and fonts correctly.

The transfer of personal data to Google is based on the adequacy decision. Once Google Maps is activated, the provider of this site has no influence over this data transfer.

For more information on how user data is handled, please refer to Google’s privacy policy: https://www.google.de/intl/de/policies/privacy/

MATOMO

This website uses the open source web analytics service Matomo. Matomo is a service of InnoCraft Limited, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand. With Matomo, we are able to collect and analyze data about the use of our website by visitors.

This allows us to, among other things, determine when which page views were made and from which region you are visiting. We also collect various log files (e.g., IP address, referrer, browser and operating systems used) and can measure whether our website visitors perform certain actions (e.g., clicks, purchases, etc.).

Processing is carried out for the purpose of optimizing our website and our services, based on Art. 6(1) GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising.

IP anonymization
We use IP anonymization when analyzing data with Matomo. This involves shortening your IP address before analysis, so that it can no longer be uniquely linked to you.

Cookie-free analytics
We have configured Matomo so that it does not store cookies in your browser.

You are neither legally nor contractually required, nor required for the conclusion of a contract, to provide the data. Without providing your data, anonymized analysis is not possible.

F. SOCIAL MEDIA

Processing is carried out for the purpose of providing our fan pages on social networks (company pages) as well as for marketing purposes, based on a prevailing legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interests are the support of social media platforms as well as the presentation of our business activities and the execution of marketing activities.

We have set links to the pages of social networks. No further data exchange takes place with these pages on our side. When the social media element is active, a direct connection is established between your device and the provider. The provider thereby receives information about your visit to this website. Where consent has been obtained, use of the aforementioned service is based on Art. 6(1)(a) GDPR. Consent may be revoked at any time.

When you, as a logged-in user, visit our profile on the social network “LinkedIn,” follow us, or interact with us (e.g., message, comment), LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”) processes personal data to provide us with aggregated information (“Page Insights”). No information is provided that would allow us to trace the behavior of an individual user.

For the processing of personal data for the purpose of providing Page Insights, we and LinkedIn are jointly responsible pursuant to Art. 26 GDPR. Further information on the processing of your personal data as joint controllers is available directly from LinkedIn at the following external link: https://legal.linkedin.com/pages-joint-controller-addendum

When you additionally interact with our profile or posts shared by us as a logged-in user (e.g., reading, following, commenting) or we access your profile, LinkedIn processes your information as an independent controller (operation of the social network) and shares with us all information required for the operation of the social network in accordance with LinkedIn’s terms of use.

In this case, we collect user data (e.g., name, location), qualification data (e.g., occupation, position, education), and communication data (e.g., message contents) directly from you or through the use of the LinkedIn social network.

For more information on the processing of personal data by LinkedIn, please refer to the following external link: https://de.linkedin.com/legal/privacy-policy

You are neither legally nor contractually obligated to provide us with this information. Use of the social networks is independent of providing your data; however, contacting us or visiting our profile is not possible without the social network provider making this data available to us.

YOUTUBE

Our YouTube channel is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The transfer of personal data to Google is based on the adequacy decision.

Google operates YouTube as a controller within the meaning of data protection law. When you access our channel or individual videos, subscribe, comment, or react, Google collects information about you that you provide through your visit (e.g., username, comments, subscriptions, likes, dislikes on our videos). Google analyzes your reaction and behavior in relation to our channel and videos and provides us with statistical information in anonymized form via YouTube Analytics. This analysis data is provided by Google as a data processor pursuant to Art. 28 GDPR.

G. JOB APPLICATIONS BY EMAIL OR VIA OUR CAREER PORTAL

We offer applicants the opportunity to submit applications to us with personal data. The data is transmitted to us via the email address specified in the respective job description.

To provide our career portal and manage applications, we use the software Personio by Personio GmbH, Rundfunkplatz 4, 80335 Munich. We have concluded a data processing agreement with Personio. Your application data is stored and transmitted by Personio in encrypted form in Germany or the European Union.

All personal data and attachments of your application are collected and used by CYCAP Asset Management GmbH and its subsidiaries solely for the purpose of evaluation, analysis, and assignment in connection with the application process. The data you submit is only accessible to responsible employees in the HR department and the employing company who are involved in candidate selection and recruitment. In the case of an application for a specific advertised position, your data will be forwarded to the relevant HR managers of the respective departments and branches of the employer named in the job posting. Otherwise, data is only passed on to contracted IT processors (cf. Art. 28 GDPR) such as web hosters and external IT administrators, as well as to Personio GmbH.

The legal basis for processing data in connection with the initiation of a contractual relationship and the implementation of pre-contractual measures is Art. 6(1)(b) GDPR. The server connection to your Personio account for embedding job advertisements on our website is based on consent pursuant to Art. 6(1)(a) GDPR.

The information is required so that we can contact you and assess your suitability for the advertised position. This facilitates the initiation of an employment relationship with us.

In the case of an application for a specific vacancy, your data will be considered for the duration of the selection process. After a maximum of six months following a possible rejection, we will anonymize your data. All attachments and all communication will be deleted.

If, following a specific application, you wish your data to be considered for future HR developments, please send us a separate unsolicited application or we will approach you. Unsolicited applications will be retained for a period of 6 months. After this period, we will handle these applications as described above regarding anonymization.

If we decide to offer you a contract and you accept it, your documents will be transferred to our ongoing HR administration as part of the usual processes and will continue to be used in accordance with the relevant legal regulations.

As an applicant, you have the right at any time to correct or withdraw your application and have your data deleted. To do so, please send us an email explaining your request to: bewerbungen@cycap.com

H. ENQUIRIES BY EMAIL AND TELEPHONE

If you send us enquiries by email or telephone, your details will be stored for the purpose of processing the enquiry and in the event of follow-up questions. We do not share this data without your consent.

The legal basis for processing data where the user has given their consent is Art. 6(1)(a) GDPR. The legal basis for processing data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. If your enquiry is aimed at concluding a contract, the additional legal basis for processing is Art. 6(1)(b) GDPR. Processing of personal data serves solely to handle the contact. In the case of contact by email, this also constitutes the required legitimate interest in processing the data.

Data is deleted as soon as it is no longer necessary for the purpose for which it was collected, until you request deletion, or until you withdraw your consent to storage. For personal data transmitted by email, this is the case when the respective conversation with the user has ended — i.e., when it can be inferred from the circumstances that the matter in question has been conclusively resolved. Mandatory statutory provisions — in particular retention periods — remain unaffected.

The user has the right at any time to withdraw consent to the processing of personal data. If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of the contact will be deleted in this case.

I. EXERCISING YOUR RIGHTS AS A DATA SUBJECT

If you contact us to exercise your rights as a data subject, we will collect all personal data you provide in connection with the enquiry. Alternatively, we may also receive data from third parties if you have authorized someone to exercise your rights on your behalf (e.g., a representative, lawyer, or guardian) or if you have previously contacted other bodies (e.g., data protection officer).

We process this data to verify your identity, assess the applicability of the respective rights, implement your rights, and communicate with you.

Processing is carried out for the purpose of ensuring data subject rights on the basis of fulfilling legal obligations pursuant to Art. 6(1)(c) GDPR as well as for the exercise of prevailing legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is the assertion, exercise, and defense of legal claims.

There is no legal or contractual obligation for you to provide your data. Without providing certain information that enables identification of your person or the implementation of your rights, processing your request may not be possible, or may only be possible to a limited extent.

IV. TRANSFER OF PERSONAL DATA

At CYCAP Asset Management GmbH, only those persons who are responsible for processing will have access to personal data (e.g., administrators, clerks).

Certain activities are not carried out by us directly but by contracted service providers acting as data processors pursuant to Art. 28 GDPR. These are carefully selected, contractually bound, and regularly reviewed by us. In the context of employee administration/applicant management, we transmit your data to Personio GmbH.

In certain individual cases, we share personal data with third parties (e.g., legal advisors, auditors, data protection officers, authorities, courts, affiliated companies) to the extent that this is necessary for processing and legally permissible, or you have consented to processing.

Transfers to recipients in third countries outside the EU/EEA or to international organizations only take place to the extent that this is necessary for the respective processing and legally permissible. In such cases, the transfer is based on an adequacy decision by the EU or, where none exists, on agreed standard contractual clauses or binding internal data protection rules. Where the aforementioned guarantees are not in place, the transfer to third countries outside the EU/EEA is based on an exception pursuant to Art. 49(1) GDPR (explicit consent, performance of a contract, assertion, exercise, or defense of legal claims).

V. OTHER RETENTION PERIODS

To ensure the principle of storage limitation pursuant to Art. 5(1)(e) GDPR, we store personal data in a form that permits identification of data subjects only for as long as is necessary for the respective lawful purposes.

The following retention periods have been established:

  • Server log files are stored for 1–30 days depending on the IT system and then automatically deleted.
  • Technically necessary cookies are deleted at the end of a session (e.g., when the browser is closed) or upon reaching the defined maximum age (max-age), or manually by the user in the browser.
  • Non-necessary cookies are deleted upon expiry of the defined maximum age (max-age) or manually by the user in the browser.
  • Application documents of rejected applicants are deleted 6 months after rejection, unless consent to permanent retention has been given.
  • Personal data that must be retained under commercial or tax law pursuant to § 147 AO, § 257 HGB will not be deleted before the expiry of 6 years or 10 years respectively. Further storage is carried out for the assertion, exercise, or defense of legal claims, e.g., in the case of unconcluded tax, audit, or administrative proceedings.
  • Personal data processed for the assertion, exercise, or defense of legal claims is generally deleted after 3 years (standard limitation period pursuant to § 195 BGB); in certain cases (e.g., claims for damages), the limitation period is 10 years or 30 years from the date the claim arose pursuant to § 199 BGB, with the maximum retention period being 30 years from the date of the damaging event.

VI. RIGHTS OF THE DATA SUBJECT

If personal data is processed about you, you are a data subject within the meaning of the GDPR and have the following rights against the controller:

1. RIGHT OF ACCESS You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may request information from the controller regarding the following:

  • The purposes for which personal data is being processed
  • The categories of personal data being processed
  • The recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed
  • The planned retention period for the personal data concerning you or, if specific information is not possible, criteria for determining the retention period
  • The existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing
  • The existence of a right to lodge a complaint with a supervisory authority
  • All available information on the origin of the data if personal data is not collected from the data subject
  • The existence of automated decision-making including profiling pursuant to Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved and the significance and intended consequences of such processing for the data subject

You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

2. RIGHT TO RECTIFICATION You have the right to rectification and/or completion from the controller if the personal data concerning you that is processed is inaccurate or incomplete. The controller must carry out rectification without delay.

3. RIGHT TO RESTRICTION OF PROCESSING Under the following conditions, you may request restriction of the processing of personal data concerning you:

  • You contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
  • Processing is unlawful and you object to the erasure of the personal data and request restriction of its use instead
  • The controller no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise, or defense of legal claims
  • You have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds

Where processing of personal data concerning you has been restricted, such data — with the exception of storage — may only be processed with your consent or for the assertion, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

Where restriction of processing has been restricted under the above conditions, you will be informed by the controller before the restriction is lifted.

4. RIGHT TO ERASURE

A) OBLIGATION TO ERASE You may request from the controller the immediate erasure of personal data concerning you, and the controller is obliged to erase this data immediately if one of the following reasons applies:

  • The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed
  • You withdraw your consent on which processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for processing
  • You object to processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for processing, or you object to processing pursuant to Art. 21(2) GDPR
  • The personal data concerning you has been unlawfully processed
  • Erasure of the personal data concerning you is necessary to fulfill a legal obligation under Union or Member State law to which the controller is subject
  • The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8(1) GDPR

B) INFORMATION TO THIRD PARTIES Where the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller, taking into account available technology and the cost of implementation, shall take reasonable measures, including technical measures, to inform other controllers processing the personal data that you, as the data subject, have requested erasure of all links to, or copies or replications of, that personal data.

C) EXCEPTIONS The right to erasure does not exist to the extent that processing is necessary:

  • For the exercise of the right to freedom of expression and information
  • For the fulfillment of a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • For reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR
  • For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing
  • For the assertion, exercise, or defense of legal claims

5. RIGHT TO NOTIFICATION Where you have exercised the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed of those recipients by the controller.

6. RIGHT TO DATA PORTABILITY You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, provided that:

  • Processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and
  • Processing is carried out by automated means

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller where technically feasible. The freedoms and rights of other persons must not be adversely affected.

The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. RIGHT TO OBJECT (INCLUDING TO DIRECT MARKETING) You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.

The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for processing which override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services — notwithstanding Directive 2002/58/EC — you may exercise your right to object using automated means using technical specifications.

8. RIGHT TO WITHDRAW CONSENT TO DATA PROCESSING You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to withdrawal.

9. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Privacy Policy version as of 17th March 2026