“Clients” are typically venture capital and private equity investors who use our Platform or Services based on a master services agreement or similar;
“Data Processing Agreement” means the agreement pursuant to Article 28 GDPR between Clients as controllers and us as their processor;
“Platform” means the platform www.app.vestberry.com owned and operated by Vestberry as a portfolio management and reporting software;
“Services” are SaaS that Vestberry provides via the Platform to its Clients;
“Platform Data” means any data, whether personal data or non-personal data, that our Clients entrust to us for processing by uploading it to the Platform or by providing it to us via use of our Services under the Data Processing Agreement;
Vestberry acts as Clients’ data processor when providing Services and processing Platform Data via the Platform. We do not process Platform Data as a controller and we do not maintain or take any ownership of the Platform Data. Platform Data is under the sole legal control of Clients and its processing is governed by the Data Processing Agreement that we conclude with each Client as part of our standard contractual documentation.
What is Platform Data?
The Services are provided through our centrally hosted online Platform, which is designed to use certain types of information (depending on the individual product) that together we call Platform Data. Platform Data includes information uploaded to the Platform by our Clients, mainly regarding their own venture capital and private equity investments. Sometimes we receive information or data from the Client directly and not through the Platform, but we still consider this Platform Data. Vestberry stores Platform Data pursuant to a legal contract containing binding obligations on Vestberry, including limiting its processing of personal data to the instructions of the Clients. Platform Data is collected and processed primarily by Clients, each generally acting as a data controller and subject to its individual privacy notice. Vestberry and its Clients use a number of different technologies to collect data and to provide Services, including cookies, browser local storage, information stored in cookies and browser local storage, clear gifs, pixel tags, web beacons or others.
Is Platform Data personal data?
This question is often asked by our Clients and their legal counsel. We actually believe the vast majority of the Platform Data is not personal data as such and only represents non-personal economic performance and investment data related to legal persons. However, we cannot rule out that some of the Platform Data is, or can in the future be, linked to a specific individual. We do not see the whole complexity of all processing operations and purposes for which Clients may use the Platform Data and/or our Platform. In addition, some Platform Data is always considered personal data, for example login credentials or, in general, user data about particular end users of the Platform that relates to our Clients’ employees or representatives. For the benefit of our Clients and from a security perspective, we have opted to approach all Platform Data as personal data, although it might turn out that specifically selected pieces of Platform Data are not personal. In any case, we consider all Platform Data as the “Confidential Information” governed by the applicable confidentiality provisions in our master services agreement.
For what purposes is Platform Data processed?
Typical Client purposes | Legal grounds typically relied upon by Clients
Fund management and reporting | Performance of contract pursuant to Art. 6(1)(b) GDPR and/or Clients’ and their investors’ and/or shareholders’ legitimate interests in managing and reporting within the fund as per Art. 6(1)(f) GDPR
Advanced analysis of the portfolio | Performance of contract pursuant to Art. 6(1)(b) GDPR and/or Clients’ and their investors’ and/or shareholders’ legitimate interests in advanced analysis of the portfolio as per Art. 6(1)(f) GDPR
Statistical purposes | Legal ground of the original purpose within the regime of compatible purposes under Art. 6(4) GDPR and Art. 89 GDPR, as explained by recital 50 GDPR
The above information is just illustrative and a default setting that can be found in our template data processing agreements.
Why do we handle Platform Data?
We acknowledge the confidentiality and value of the personal data, which we do not exploit. In particular, we are not:
- selling your personal data to anyone;
- monetizing your personal data by other means;
- claiming ownership over your personal data;
- bartering your personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Clients to provide us with such data.
We do not knowingly process sensitive or special categories of personal data in relation to Clients, including the following:
- Special categories of personal data as defined in Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data uniquely identifying a natural person, or data concerning a person’s sex life or sexual orientation;
- Sensitive data including Social Security Numbers or other Government-issued identity cards, financial account numbers, information about an individual’s health or medical conditions or treatments, including genetic, genomic, and family medical history.
The Data Processing Agreement explains that, as an inherent feature of our Services (and as part of statistical purposes), we create certain aggregated statistical data for Clients. Provided rigorous non-identification and Client non-attribution warranties and conditions are met, we use such resulting data for our own business purposes. The resulting data is not related or linkable to any individual, and not even to any specific Client. Rather, this data provides a market-level overview of investments and trends. Our agreements with Clients allow us to also use this data publicly, for example for showcasing our services to other investors or prospective clients. This data is neither Platform Data nor confidential information. Please see the relevant contractual provisions governing use of such data.
Who do we share Platform Data with?
We take confidentiality of Platform Data very seriously and share it with our recipients only on a need-to-know basis maintaining the confidentiality of the data recipients. Depending on the purpose of processing and particular circumstances, typical recipients of the Platform Data are:
- Providers of cloud and hosting services (e.g. Amazon Web Services) – as necessary technology vendors supporting the running of the Platform;
- Providers of platforms for marketing email communication with Clients (e.g. Twilio SendGrid).
What countries do we transfer Platform Data to?
By default, we seek not to transfer your personal data outside the EU and/or European Economic Area where not necessary. However, some of our sub-contractors or the above-mentioned recipients of personal data might be based, or their servers might be located, in the United States of America (U.S.) or in another country regarded as a third party not ensuring an adequate level of protection. Any transfer of personal data outside the European Economic Area is done by us only under strict compliance with the GDPR. We ensure the third-party recipients have concluded EU model Standard Contractual Clauses (SCC) with us or have equivalent safeguards in place to ensure a high level of protection of your personal data. Where applicable, we strive to adopt additional safeguards on top of SCC both internally and externally, as follows from the Schrems II judgement of the CJEU (C-311/18). If you have any question about cross-border transfer of personal data to these countries, please feel free to contact us. If there is an option to choose between two or more comparable sub-processors, Vestberry shall prefer the sub-processor with the data storage in the EU/EEA.
Protecting your privacy is very important to us, also in the case of a potential transfer of data outside the EU/EEA. After the Schrems II judgement, you as controllers can rely on us to take all possible steps for processing transfers in accordance with the GDPR. Below you will find links to reasonable or appropriate guarantees in relation to U.S. transfers:
Sub-contractor | Privacy | Reasonable guarantees under Art. 46 GDPR
Amazon Web Services | https://aws.amazon.com/compliance/gdpr-center/ | EU SCC processor to processor concluded
Twilio SendGrid | https://www.twilio.com/legal/privacy | BCR and EU SCC
How long do we store Platform Data?
As soon as our contract with the Clients ends, we are under obligation to either return all personal data to the Clients or securely erase all personal data, at the choice of the Clients. We apply this principle globally to all Platform Data. This way, we comply with basic principles relating to processing of personal data, such as data minimization, storage limitation and purpose limitation. This is subject to our right to retain (i) copies of transactions between the Clients and Vestberry, (ii) information relating to any dispute or potential fraud, and (iii) any additional information we need to keep to protect our legal rights or the rights of others.
The security of your personal data is important to us. Vestberry follows generally accepted industry standards and has appropriate measures in place to ensure that your data is protected against unauthorized access or use, alteration, unlawful or accidental destruction, and accidental loss. No method of transmission over the internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. We have adopted appropriate organizational and technical measures required under the GDPR to protect personal data.