Privacy Policy – Boerse Stuttgart Digital

Privacy Policy

Last updated: September 2023

Boerse Stuttgart Digital Holding GmbH is part of the Boerse Stuttgart Group, the sixth-largest exchange group in Europe, with strategic pillars in capital markets as well as digital and crypto business. The Boerse Stuttgart Group includes Baden-Württembergische Wertpapierbörse GmbH, blocknox GmbH, Boerse Stuttgart cats GmbH, Boerse Stuttgart Commodities GmbH, Boerse Stuttgart Digital Exchange GmbH, Boerse Stuttgart Digital Ventures GmbH, EUWAX Aktiengesellschaft, Sowa Labs GmbH, Vereinigung Baden-Württembergische Wertpapierbörse e.V., and Boerse Stuttgart Digital Holding GmbH.

Safeguarding your personal data is fundamental to how we operate. For this reason, we conduct our business in full compliance with applicable data protection laws. In this privacy policy, we explain what personal data we may collect, how we use and store it, and under what circumstances we may share it.

 

I.               I. Controller as defined by the GDPR

Boerse Stuttgart Digital Holding GmbH
Börsenstraße 4
70174 Stuttgart

Phone.: +49 711 222985 – 0

Email: info@bsdigital.com

Website: https://www.bsdigital.com

 

II.              Data Protection Officer

Yvonne Piater

Per Post: Datenschutzbeauftragte, Boerse Stuttgart Digital Holding GmbH,

Börsenstraße 4, 70174 Stuttgart

E-Mail: dsb@boerse-stuttgart.de

 

III.            ZWECKE, RECHTSGRUNDLAGE DER DATENVERARBEITUNG, LÖSCHUNG

1.     Website usage

You can access our website without identifying yourself or logging in. When you do so, we process technical log data, which may include the following information: IP address, date and time of access, page accessed or file requested, amount of data transferred, HTTP referrer, size of the server response, browser and version used, operating system and version, time zone difference from Greenwich Mean Time (GMT), and an indication of whether the request was successful. These data are also stored in our system’s log files. The data are not stored together with other personal data that could be used to identify you.

Purpose of data processing

The temporary storage of the IP address is technically necessary to deliver the website to your device. The IP address must remain stored for the duration of the session. Storing this data in log files ensures the functionality of the website. Additionally, the data help us optimize the website and ensure the security of our IT systems. The data are not evaluated for marketing purposes.

 

Legal basis for data processing

The legal basis for processing this data is Article 6(1)(f) of the GDPR, which permits processing for the purpose of providing the website in a technically sound manner.

Our legitimate interest lies in offering a stable, user-friendly, and technically secure website, and in protecting it from cyber threats. The collection of data for website delivery and storage in log files is essential for the operation of the site. For this reason, there is no option for users to object to this processing.

If the data are processed in preparation for a contractual relationship, the legal basis is Article 6(1)(b) GDPR.

Data retention period

The data are deleted as soon as they are no longer needed for the purpose for which they were collected. For session-related data, this occurs when the session ends. Log file data are deleted after no more than seven days. In certain cases, longer storage may occur; in such instances, IP addresses are either deleted or anonymized to prevent any link to the user. Temporary storage for up to 14 days may take place to ensure website functionality. In some cases, server logs may be retained for up to three months for security and optimization purposes.

Data recipients

Your data will not be shared with third parties.

2.     Your contact with us

When you contact us, we collect your contact details. Depending on how you reach out (e.g. via contact form, telephone, or email), this may include your name, mailing address, phone number, email address, and any additional information you provide. We use this data solely to process your inquiry or to follow up with you if we have any questions regarding your request.

Legal basis for data processing

The legal basis for processing your inquiry is Article 6(1)(f) GDPR (legitimate interest in responding to customer or prospect inquiries in a satisfactory manner and thereby acting in our shared interest), or Article 6(1)(b) GDPR (if your inquiry occurs in the context of a contractual relationship), or Article 6(1)(a) GDPR (with your consent, if forwarding your inquiry to third parties is appropriate).

Data recipients

Your data will be processed within the Boerse Stuttgart Group for the purpose of responding to your inquiry. If forwarding your request to contractual partners is necessary, we will anonymize your inquiry. If, in an individual case, it appears appropriate to share your personal data, we will inform you beforehand and ask for your consent. We will not forward your data to third parties for these purposes without your consent.

We use the services of SendGrid as our email provider for the contact form (SendGrid, Inc., 1801 California Street, Suite 500, Denver, CO 80202, USA). SendGrid does not store message content, only the data necessary to send emails. We have entered into a data processing agreement with SendGrid pursuant to Article 28 GDPR. An adequate level of data protection is ensured through the use of EU Standard Contractual Clauses. For further details, please refer to SendGrid’s privacy policy: https://sendgrid.com/resource/general-data-protection-regulation-2/ and https://www.twilio.com/en-us/legal/privacy

Data retention period

We retain your data until the purpose for which it was collected has been fulfilled (i.e., once the conversation is concluded). A conversation is considered concluded when it can be inferred from the circumstances that the relevant matter has been fully resolved.

If your inquiry contains information relevant to a contract, we may be required to retain your personal data in order to comply with contractual or legal obligations.

 

Google Tag Manager

We use Google Tag Manager on our website. This is a tool provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, that allows us to manage website tags via a single interface. Google Tag Manager itself is a cookie-free domain and does not collect any personal data. It merely triggers other tags (such as cookies and pixels), which in turn may collect data. We would like to point this out explicitly. Google Tag Manager does not access any of this data. If a user disables tags at the domain or cookie level, this setting will remain in place for all tracking tags implemented via Google Tag Manager.

Technical protocols such as HTTPS may cause your browser to send personal data—such as your IP address, device information, and browser data—to Google Tag Manager when you access our website. However, Google Tag Manager does not collect or process this data.

 

Google Ads

On our website, we use technologies provided by Google (Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland) as an independent controller. These include Google Conversion Tracking and Google Retargeting (collectively referred to as Google Ads). Within Google Conversion Tracking, we use the Google Pixel, as well as the Enhanced Conversions and Consent Mode features. We only use these functions if you have given your consent to Google Ads.

If you arrive at our website via a Google ad, both we and Google can recognize that someone clicked on an ad, was redirected to our website, and reached a predefined landing page (a "conversion site"). We and Google may also determine that you accessed the site via other means and performed an action defined as a conversion. This enables us to evaluate how effective individual campaigns are—e.g. by measuring impressions or clicks—and optimize them accordingly. To improve the accuracy of conversion tracking, we use Google Enhanced Conversions. For this, we transmit hashed first-party conversion data (such as your hashed email address) to Google via the Google Ads API. Google does not gain direct access to data entered on our website. Instead, it compares the hashed data we provide with its own user data. If there is a match, the conversion is reported back to our Google account to support campaign optimization. We also use Google Consent Mode for partial modeling of conversions. We do not use Consent Mode to control Google tags on our website. No additional personal data is processed via Consent Mode, and the feature is only used if you have consented to the use of Google Ads.

We do not collect or process personal data ourselves in connection with these advertising tools. Google provides us with statistical reports only. These help us understand which campaigns are most effective, but we do not receive any further information and cannot identify users based on these reports.

Google’s retargeting technology is also used. This allows data about your user behavior on our site to be collected and stored in cookies on your device, which Google can then access. These cookies allow Google to create pseudonymized user profiles based on your browsing behavior.

These profiles are used to analyze visitor behavior and to serve personalized ads on other websites based on your activity on our site.

Because these marketing tools are embedded, your browser may automatically establish a direct connection to Google’s servers. We have no control over the scope and further processing of data collected through these tools by Google, and we inform you here based on the information available to us: By integrating Ads Conversion, Google is informed that you have accessed the relevant part of our website or clicked on one of our ads. If you are logged into a Google service, Google can associate the visit with your account. Even if you are not logged in or are not a registered Google user, it is possible that Google may identify and store your IP address.

When you use our website, Google may process the following data: IP address, cookie ID, pixel ID, hashed email address, device information, browser data, location data, usage behavior, and user agent.

Your data is stored on servers within the EU and is not shared with third parties outside of the Google network. However, transfers to third countries such as the USA may occur within Google’s internal network. If so, such transfers are based on EU Standard Contractual Clauses.

You may revoke your consent to data collection and storage at any time with future effect by clicking the following link: https://safety.google/privacy/privacy-controls/

For more information, please refer to Google’s privacy policy: https://policies.google.com/privacy?hl=de&gl=de

 

Legal basis for data processing

The legal basis for this data processing is your consent in accordance with Article 6(1)(a) GDPR.

Data recipients

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, (Mutterunternehmen: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

Data retention period

Log data is anonymized after nine months, and cookie information after 18 months. If there is no match via Enhanced Conversion, Google deletes this data after 48 hours. Otherwise, data is deleted once the processing purpose has been fulfilled.

 

Use of Google Analytics 4

To ensure that our website is tailored to user needs and continuously optimized, and to measure reach and user flows, we use Google Analytics. Google Analytics is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). We have entered into a data processing agreement with Google for the use of Google Analytics. Through this agreement, Google assures that it processes data in compliance with the GDPR and protects the rights of data subjects. Additionally, we only transmit your data to Google if you have explicitly consented to the processing.

As part of the web analytics process, data is collected such as the website from which a visitor arrived (referrer), which subpages were accessed, how often, and for how long each subpage was visited. In addition to this analysis, we may also use A/B testing or similar tools to test and optimize different versions of our online offerings or their components.

During your visit to our website, the following data may be recorded: pages visited, user behavior on those pages (e.g., time spent, clicks, scrolling behavior), your approximate location (country and city), your IP address (with IP anonymization enabled, so that no direct identification is possible), technical information such as browser, internet provider, device type and screen resolution, and how you found our site (e.g., via a specific website or marketing channel). Personal data such as your name, address, or contact details are never transmitted to Google Analytics. The information generated by Google Analytics cookies about your use of the website is transferred to Google servers in the USA and processed there. The transferred data are pseudonymous and cannot be traced back to you directly.

Google Analytics 4 also includes a feature called “demographic data,” which enables the generation of statistics on the age, gender, and interests of website users. These insights are based on interest-based advertising and third-party information and allow us to identify and distinguish user groups for more targeted marketing strategies. However, the data collected through the “demographic data” feature cannot be linked to any specific person and therefore cannot identify you. This data is retained for two months and then deleted.

We also use Google Signals as an extension of Google Analytics 4. Google Signals allows us to generate cross-device reports (“cross-device tracking”). If you have enabled “personalized ads” in your Google account settings and have linked your internet-capable devices to your Google account, and you have consented to the use of Google Analytics 4 under Art. 6(1)(a) GDPR, Google may analyze your usage behavior across devices and create database models based on this. This includes logins and device types for all website users who were logged into a Google account and triggered a conversion. The data show, for example, which device you first clicked an ad on and on which device the related conversion occurred. We do not receive any personal data from Google, only anonymized statistics based on Google Signals.
You can deactivate the “personalized ads” function in your Google account settings at any time to prevent cross-device analysis through Google Signals. Follow the instructions on this page: https://support.google.com/ads/answer/2662922?hl=de

You can revoke your consent at any time with effect for the future using our Consent Management Tool. If you do not agree to data collection, you can also prevent it by installing the browser add-on to disable Google Analytics (available here: https://tools.google.com/dlpage/gaoptout?hl=de) or by rejecting cookies via our cookie settings dialog.

Legal basis for data processing

The legal basis is your consent under Article 6(1)(a) GDPR. Google processes this information on our behalf to evaluate the use of the website, compile reports on website activity, and provide us with additional services related to website and internet usage for market research and website optimization.

Data recipients

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, (Mutterunternehmen: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

Data retention period

The data collected via Google Analytics 4 is retained for 14 months and then deleted.

 

LinkedIn

The LinkedIn pages of the Boerse Stuttgart Group are operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, and are part of LinkedIn’s online platform at https://www.linkedin.com. Our LinkedIn company profile is used to publish posts, promote upcoming events, and share general information about the Boerse Stuttgart Group.

We are aware that LinkedIn processes user data for purposes such as providing services, communication, advertising, marketing, service development and research, customer support, analytics, and security. The categories of personal data processed by LinkedIn are described in its privacy policy, available at: https://www.linkedin.com/legal/privacy-policy. When users send direct messages or comment on our page or posts, we receive the message or comment, as well as the username of the person who posted it. LinkedIn also provides us with anonymized statistics regarding visitors to our LinkedIn pages. Through the analytics function on LinkedIn’s company pages, we can access various categories of statistical data. These statistics are not personally identifiable and do not allow any conclusions to be drawn about individual users. They are generated and provided by LinkedIn.

As the operator of the page, we have no control over the creation or presentation of this data. We cannot deactivate this function or prevent the collection and processing of data by LinkedIn.

In addition, we use LinkedIn Insight Tags to measure whether visitors to our website perform specific actions (conversion tracking). Conversion tracking can also take place across devices (e.g., from a PC to a tablet). The LinkedIn Insight Tag also enables retargeting, allowing us to display targeted advertising to visitors outside our website. According to LinkedIn, this does not allow users to be personally identified.

You can opt out of usage analysis and targeted advertising by LinkedIn at any time via the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

LinkedIn members can also manage how their personal data is used for advertising purposes in their account settings. To avoid LinkedIn linking data collected on our website to your LinkedIn account, please log out of your LinkedIn account before visiting our website.

As part of their shared responsibility for providing and processing Page Insights, LinkedIn assumes responsibility for fulfilling all applicable obligations under the GDPR—particularly Articles 12–22 and 32–34. You may exercise your rights as a data subject with either us or LinkedIn.

Legal basis for data processing

The legal basis is our legitimate interest pursuant to Article 6(1)(f) GDPR. Our legitimate interest lies in offering a modern, supportive channel for information and interaction with users and visitors to our LinkedIn pages. By accepting LinkedIn’s terms of use, users have agreed that we may identify them as followers or fans of the page and view their profiles and other shared information.

Data recipients

Where LinkedIn processes personal data as part of its platform (including our LinkedIn pages), the categories of recipients (including recipients outside the EU) are detailed in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy LinkedIn processes data both inside and outside the United States and relies on the European Commission’s approved Standard Contractual Clauses as the legal basis for data transfers from the EU. We have no control over these processing activities. We do not transmit any personal data collected through our LinkedIn profile ourselves.

Data retention period

Any data about you collected by us on LinkedIn is stored and deleted in accordance with LinkedIn’s privacy policy and on its servers. We do not retain such data beyond what LinkedIn stores.

 

YouTube

We do not use any YouTube plugins on our website; we only provide links to the relevant YouTube pages.

 

IV.            Your Rights as a Data Subject

Under the applicable legal provisions, you have the following rights as a data subject, which you may exercise with us: As a data subject, you have the right to request information about your personal data in accordance with Article 15 of the GDPR. You may also request that your data be corrected (Article 16 GDPR) or deleted, provided the conditions of Article 17 GDPR are met. You also have the right to request a restriction on the processing of your data (Article 18 GDPR). If you can demonstrate a particular personal situation, you may object to the processing of your data either in general or in specific areas (Article 21 GDPR). For data you have provided to us, you can request a copy in a commonly used format (Article 20 GDPR). Any consent you have given us for the processing of your data may be revoked at any time. Please direct such requests to: dsb@boerse-stuttgart.de. Additional contact details can be found above under “Contact Information for the Data Protection Officer.” Please note that revoking your consent only applies going forward and does not affect the legality of processing that occurred prior to the withdrawal. You also have the right to lodge a complaint with a supervisory authority under the conditions of Article 77 GDPR—particularly in the Member State of your residence, place of work, or the place of the alleged infringement—if you believe the processing of your personal data violates the GDPR. This right exists without prejudice to any other administrative or legal remedy.

Right to object

You have the right to object at any time to the processing of your data based on Article 6(1)(f) GDPR (legitimate interest), if reasons arising from your particular situation apply. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is required for the establishment, exercise, or defense of legal claims. We will respect your objection from that point forward.

We will also stop processing your data for direct marketing purposes if you object to such use. Objections can be made without formal requirements and should preferably be sent by email to dsb@boerse-stuttgart.de, or alternatively by post to the contact address of our data protection officer listed above.

 

V.              V. Automated Decision-Making / Profiling

We do not use automated decision-making or profiling (automated analysis of your personal circumstances)

 

VI.            Categories of Recipients

We do not share your data with third parties for commercial purposes (such as selling or renting). Only authorized employees have access to your personal data. In some cases, this may also include authorized employees of our service providers who process the data on our behalf or have access to it. We limit the disclosure of your personal data to what is necessary, and authorized employees of our service providers are strictly bound by our instructions when handling your personal data.

Possible categories of recipients of your personal data may include: external service providers for website programming, hosting, and email delivery; external service providers for event management; telecommunications providers; insurance companies and insurers in the event of claims made against us; payment service providers and banks for processing payments; IT service providers / cloud providers; social media platforms; legal advisors for asserting or defending claims; business consultants / auditors / tax advisors; public authorities / government bodies.

 

VII.           Data Transfer to a Third Country

As a rule, our external service providers process your personal data within the European Union (EU) or the member states of the European Economic Area (EEA). However, in the context of using certain tools, personal data is transferred to the United States. If your personal data is transferred to and processed by a service provider located in a third country, we ensure the protection of your data through appropriate safeguards, such as the use of standard data protection clauses, or the transfer is based on your explicit consent.

 

VIII.         COOKIES

We use cookies on our websites to ensure the technical functionality of the site, to gather statistical data on how our website is used, and to analyze this data for optimization purposes. The specific cookies that are set and the extent to which your personal data is processed depend largely on how you use our websites and the consents you have given.

Below, we describe the different categories of cookies we use:

Essential cookies: Essential cookies help make our website technically accessible and usable for you. They enable core functionalities such as navigation, correct display in your internet browser, or consent management via the consent layer. Without these cookies, our website cannot function properly. These cookies also help us make the website more user-friendly.

Analytics & statistics: In order to continuously improve the user experience on our website, we use cookies that measure and evaluate, either anonymously or pseudonymously, which features and content are most frequently accessed. This helps us understand which parts of our site are particularly relevant to users.

Advertising: These cookies and related technologies are used to display advertisements on websites that are tailored to your interests—based on what we believe may be particularly relevant to you. These cookies are used by advertising networks of companies that process your data independently as separate data controllers.

You have the option to accept all cookies, reject them, or make a customized selection. Essential cookies, which are necessary for displaying the website, are excluded from this choice.

Legal basis for data processing

The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing core website functionalities such as navigation and correct display in your browser. Without these cookies, our website cannot function, and we assume that it is in your interest for the website to be usable and to offer certain services you expect.

In addition, we only use cookies and process data collected via cookies based on your consent in accordance with Article 6(1)(a) of the GDPR. You can withdraw your consent at any time with future effect via our consent management tool. The tool can be accessed at any time via the link at the bottom of the website.

 

IX.            LINKS

Links to content on third-party websites are subject to the privacy policies of those providers. We are not responsible for their operation, including how they handle data. If you send information to or via such third-party sites, you should review their privacy policies before providing any information that could be linked to you personally.

 

X.              SECURITY

We use technical and organizational security measures to protect the data we manage against manipulation, loss, destruction, and unauthorized access. Our security measures are continuously improved in line with technological developments and are adapted to reflect the current state of the art.
To protect the personal data you enter on our website, we use the standard Secure Sockets Layer (SSL), which encrypts the information you provide.