Effective Date: 01 August 2019
To be able to run this website, we collect, record, organise, structure, store, adapt or alternate, retrieve, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, erase or destruct, and otherwise process data that relates to you as an identified or identifiable natural person (‘Data Subject’) as described in Art. 1 (1) GDPR. By processing these data, we generally decide the means and purposes of the data processing and thus work as Data Controller.
Our full address is:
Trust Fractal GmbH
Wiener Straße 10
10999 Berlin, Germany
Your Personal Data’s journey
When accessing the Fractal website your device and browser may automatically store an identifier to continue your journey and disclose certain technical information that might qualify as Personal Data of you. The legal basis for such data processing is Art. 6 (1) lit. b) GDPR.
Schedule a call
When you click on “Schedule a call”, you get directed to your email provider. Your email address and the additional personal data you might add will be stored and processed by us. To do that, we additionally use the service providers salesforce and yesware.
Login to your Fractal ID Button
To conduct our Services, we use third parties to provide us with necessary services (‘Data Processors’). We may disclose your personal data with them, while making sure they only receive your personal data what is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Fractal involves the following Data Processors to process your personal data on our behalf:
The categories of personal data we process
For Fractal ID, we collect the following categories of Personal Data about you in our capacity Data Controller to provide you the Fractal ID services:
When you contact us, you might send us your name, position in your company, email address and other personal information that enables us to contact you.
receives and records information from your browser or mobile device when you visit the platform or use the Apps, such as your Internet Protocol (IP) address or unique device identifier. Cookies and data about which pages you visit on our platform allow us to operate and optimize the Products and Services we provide to you. This information is stored in secure logs and is collected automatically. We may combine this browser information with other information we collect about you. This information is used to keep the Products and Services secure, analyze and understand how our Products and Services are used, optimize such usage and personalize your experience.
trustfractal follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services' analytics. The information collected by log files include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users' movement on the website, and gathering demographic information.
Duration of data storage (‘Data Retention’)
We will not keep your personal data for longer than is necessary for the purpose it was collected. This means that data will be destroyed or erased from our systems when it is no longer required.
We take appropriate steps to ensure that we process and retain information about you based on the following logic:
Purpose of the processing and how we process your Personal Data
When you access our website, we collect, display, store, share, transmit, and process your information in the manner described in this policy. In order to carry out these activities, we may rely on a number of legal bases in order to process your personal data, including where:
Your rights when your Personal Data are being processed
We guarantee you the applicable rights of the German data protection laws. Please note that we will require you to provide us with proof of identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances).
To exercise any of your rights, please contact us at:
Trust Fractal GmbH
Wiener Straße 10
10999 Berlin, Germany
As soon as personal data is being processed, you have the following rights:
Right of access
Pursuant to Art. 15 GDPR, you have the right to obtain confirmation as to whether or not your personal data is processed. If we process your personal data, you are entitled to receive information on such personal data and the processing, which includes thorough information on what we do with your personal data.
Right to rectification
In accordance with Art. 16 GDPR, you are entitled to demand that we rectify your personal data if they are inaccurate or erroneous. We will rectify your data immediately upon notification.
Right to restriction of processing
In accordance with Art. 18 GDPR, you have the right demand a restriction of processing for your personal data. However, if we stop processing the Personal Data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. to comply with regulatory obligations in respect of anti-money laundering, counter terrorism financing and customer due diligence legislations and procedures, for the defence of legal claims or for another’s protection).
You may request we stop processing and just store the Personal Data we hold about you when:
you believe the Personal Data is not accurate, for the period it takes for us to verify whether the Personal Data is accurate;
we wish to erase the Personal Data as the processing we are doing is unlawful but you want us to store it instead;
we wish to erase the Personal Data as it is no longer necessary for our purposes but you require it to be stored for the establishment, exercise or defence of legal claims; or
you have objected to us processing Personal Data we hold about you on the basis of our legitimate interest and you wish us to stop processing the Personal Data whilst we determine whether there is an overriding interest in us retaining such Personal Data.
Right to erasure (‘right to be forgotten’)
In accordance with Art. 17 GDPR, you have the right to have your personal data erased without undue delay. This does not include your personal data that has to be stored due to statutory provisions.
The right to erasure does not apply if processing your personal data is required for
the execution of the right to freely express one’s opinion and the right to information;
in order to fulfil a legal obligation we are subject to (e.g. statutory KYC/AML retention periods), or
in order to assert, execute or defend legal claims.
Right to data portability
Pursuant to Art. 20 GDPR, you have the right to receive your personal data which you provided to the Controller in a structured, commonly used and machine-readable format. You also have the right to transfer this data to a third party without hindrance from the Fractal, if
The processing is based on consent pursuant to Article 6 (1) lit. a) GDPR or on a contract pursuant to Article 6 (1) lit. b) GDPR; and
The processing is carried out by automated means.
The relevant subset of Personal Data is data that you provide us with your consent or for the purposes of performing our contract with you.
Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. However, we may retain your personal data if there are valid grounds under law for us to do so (e.g., to comply with regulatory obligations in respect of KYC/AML, counter terrorism financing, embargo sanctions, and customer due diligence legislations and procedures, for the defence of legal claims or freedom of expression) but we will let you know if that is the case. Please note that after deleting the Personal Data, we may not be able to provide the same level of servicing to you as we will not be aware of your preferences.
Right to object
Pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6 (1) lit. e) or lit. f) GDPR, including profiling based on those provisions.
The Controller shall no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims.
Right to withdraw your consent
You have the right to withdraw your consent under the data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.
If you withdraw your consent regarding your personal data leads to a termination of your contract as the whole contractual relationship of Fractal and You is dependant on personal data.
Automated individual decision-making, including profiling
Pursuant to Art. 22 GDPR, you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. You have the right to address the supervisory authority for any questions or complaints. The supervisory authority of Fractal is the data protection supervisory authority in Berlin (‘Berliner Beautragte für Datenschutz und Informationsfreiheit’) https://datenschutz-berlin.de/.
Transfer to third countries
At the moment, we do not use processors that process your data outside the European Union. We may use processors that process your data in countries outside of the EU that do not ensure an adequate data protection level comparable to the EU (no adequacy decision of the EU Commission). If we do so, we make sure that the processor in that third country warrants a data protection level comparable to the GDPR. This will also not affect your rights against Us as controller of your personal data.
In case we transfer Personal Data outside the territorial scope of the GDPR, we ensure that there is either an adequacy decision by the European Commission or a similar level of data protection compared to the GDPR is guaranteed by the use of the Standard Contractual Clauses provided by the EU Commission (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en)
Additionally, we disclose your personal data to other third parties for business and product development. However, in order to provide you with effective and continuous products and services, and for the purposes listed above, your Personal Data may be disclosed to the following parties:
Service providers who provide operational services to Fractal, such as telecommunications, information technology;
Partners or Clients who have referred you to Fractal ID so that you may be whitelisted for their services.
professional advisers such as (financial) auditors and lawyers;
relevant public authorities, government agencies, statutory boards, administrative bodies, authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes to which Fractal may be subject, whether situated locally or overseas.
Third Party Privacy Policies
Third party data processors for hosting
Goodbits is also the website’s e-mail processor. When you send us an e-mail either directly or through the contact form, Goodbits is processing the e-mail on our behalf.Goodbist is storing your personal data in the EU and Canada.
Our website is hosted by Fortrabbit. FortRabbit is a service by fortrabbit GmbH, Görlitzer Str. 52, 10997 Berlin, Germany.
Fortrabbit stores all personal data of EU residents on servers in Frankfurt, Germany, otherwise in the USA. All personal data of EU residents stored in the USA are processed under the principles of EU Directive on Data Protection passed in 1998. Fortrabbit is obligated through a data processor agreement with us to keep this standard.
Third party social media
We partner with third parties to provide you with connections to certain social networks. By engaging with third-party plug-ins and widgets on our website, such third parties may place session or persistent cookies or similar technologies on your browser. These technologies may provide to the third parties information about your visit so that they can present you with advertisements and services which may be of interest to you. As we are not responsible for the use of such cookies and do not gather any information in that regard, the use of these cookies is subject to third party’s own cookie policies:
Our website links services of the social media network LinkedIn: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When visiting our website no data are being processed to Linkedin, since none of Linkedin’s plugins have been implemented.
However, when clicking on a Linkedin link or a Linkedin button, you will be directed to Linkedin. Linkedin will process your personal data. We have no influence on the scope and kind of data that Linkedin processes.
If you are a registered Linkedin user and do not want Linkedin to collect data about you and connects the data with your registered data at Linkedin, you need to log out of Linkedin before clicking on a Linkedin link or Linkedin button.
Our website links services of GitHub: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When visiting our website no data are being processed to GitHub, since none of GitHub’s plugins have been implemented.
However, when clicking on a GitHub link or a GitHub button you will be directed to GitHub. GitHub will process your personal data. We have no influence on the scope and kind of data that GitHub processes.
If you are a registered GitHub user and do not want GitHub to collect data about you and connects the data with your registered data at GitHub, you need to log out of GitHub before clicking on a GitHub link or GitHub button.
Our website links services of the social media network Twitter: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When visiting our website no data are being processed to Twitter, since none of Twitter’s plugins have been implemented.
However, when clicking on a twitter link or a twitter button you will be directed to Twitter. Twitter will process your personal data. We have no influence on the scope and kind of data that Twitter processes.
If you are a registered Twitter user and do not want Twitter to collect data about you and connects the data with your registered data at Twitter, you need to log out of Twitter before clicking on a Twitter link or Twitter button.
Your privacy preferences with Twitter can be modified in your account settings at https://twitter.com/account/settings.
Our website links services of the blogging provider and network Medium: privately held company A Medium Corporation, 760 Market Street Floor 9, San Francisco, CA 94102, USA. When visiting our website no data are being processed to Medium, since none of Medium’s plugins have been implemented.
However, when clicking on a Medium link or a Medium button you will be directed to Medium. Medium will process your personal data. We have no influence on the scope and kind of data that Medium processes.
If you are a registered Medium user and do not want Medium to collect data about you and connects the data with your registered data at Medium, you need to log out of Medium before clicking on a Medium link or Medium button.
Your privacy preferences with Medium can be updated through your Medium account’s “Settings” page.
This website uses Google Analytics, a web analytics service. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies". These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.
Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO. The website operator has a legitimate interest in analyzing user behavior to optimize both its website and its advertising.
We have activated the IP anonymization feature on this website. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the USA. Only in exceptional cases is the full IP address sent to a Google server in the US and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and Internet usage for the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website. You can also prevent the data generated by cookies about your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objecting to the collection of data
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.
Outsourced data processing
We have entered into an agreement with Google for the outsourcing of our data processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic data collection by Google Analytics
This website uses Google Analytics' demographic features. This allows reports to be generated containing statements about the age, gender, and interests of site visitors. This data comes from interest-based advertising from Google and third-party visitor data. This collected data cannot be attributed to any specific individual person. You can disable this feature at any time by adjusting the ads settings in your Google account or you can forbid the collection of your data by Google Analytics as described in the section "Refusal of data collection".
Google Analytics Remarketing
Our websites use the features of Google Analytics Remarketing combined with the cross-device capabilities of Google AdWords and DoubleClick. This service is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
This feature makes it possible to link target audiences for promotional marketing created with Google Analytics Remarketing to the cross-device capabilities of Google AdWords and Google DoubleClick. This allows advertising to be displayed based on your personal interests, identified based on your previous usage and surfing behavior on one device (e.g. your mobile phone), on other devices (such as a tablet or computer).
Once you have given your consent, Google will associate your web and app browsing history with your Google Account for this purpose. That way, any device that signs in to your Google Account can use the same personalized promotional messaging.
To support this feature, Google Analytics collects Google-authenticated IDs of users that are temporarily linked to our Google Analytics data to define and create audiences for cross-device ad promotion.
You can permanently opt out of cross-device remarketing/targeting by turning off personalized advertising in your Google Account; follow this link: https://www.google.com/settings/ads/onweb/.
The aggregation of the data collected in your Google Account data is based solely on your consent, which you may give or withdraw from Google per Art. 6 (1) (a) DSGVO. For data collection operations not merged into your Google Account (for example, because you do not have a Google Account or have objected to the merge), the collection of data is based on Art. 6 (1) (f) DSGVO. The website operator has a legitimate interest in analyzing anonymous user behavior for promotional purposes.
As part of Google AdWords, we use so-called conversion tracking. When you click on an ad served by Google, a conversion tracking cookie is set. Cookies are small text files that your internet browser stores on your computer. These cookies expire after 30 days and are not used for personal identification of the user. Should the user visit certain pages of the website and the cookie has not yet expired, Google and the website can tell that the user clicked on the ad and proceeded to that page.
Each Google AdWords advertiser has a different cookie. Thus, cookies cannot be tracked using the website of an AdWords advertiser. The information obtained using the conversion cookie is used to create conversion statistics for the AdWords advertisers who have opted for conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a conversion tracking tag page. However, advertisers do not obtain any information that can be used to personally identify users. If you do not want to participate in tracking, you can opt-out of this by easily disabling the Google Conversion Tracking cookies by changing your browser settings. In doing so, you will not be included in the conversion tracking statistics.
Conversion cookies are stored based on Art. 6 (1) (f) DSGVO. The website operator has a legitimate interest in analyzing user behavior to optimize both its website and its advertising.
Where Fractal intends to further process the personal data for a purpose other than that for which the personal data were collected, we provide you with the relevant information on that other purpose and with any relevant further information prior to processing your personal data regarding the new purpose.
Contact support at firstname.lastname@example.orgEmail support