The platform iVE.ONE is provided by Agora Innovation GmbH (“Agora”, “we”, “us”), Robert-Schneider-Str. 38, 64289 Darmstadt, Germany; firstname.lastname@example.org.
Agora operates this website
Agora is the controller and therefore responsible party for the provision of iVE.ONE and as described herein. This in particular excludes any processing of personal data carried out and/or controlled by Customers or Token-Buyers, especially in connection with transactions of Tokens which customers (issuers) have created with iVE.ONE including any associated data processing operations (c.f. Section 3.6). In this regard, the respective Customer or Token-Buyer is responsible.
Wherever Agora acts as processor on behalf of a controller, respective processing contracts pursuant of Art 28 GDPR are in place.
iVE.ONE partly utilizes blockchain technology. The technology is characterised by the decentralised storage of immutable data on numerous computers, each controlled by different entities. iVE.ONE will store personal data on the blockchain only as pseudonymous data (e.g. a “hash” that cannot identify an individual person). All personal data capable of identifying an individual will be securely stored separately by iVE.ONE without using any blockchain technology.
Evgeny Matershev, M. Sc. (Computer Science)
When providing iVE.ONE we process personal data for the following purposes:
When using the website or the service, we process certain information automatically. This includes: the IP address or device ID assigned to the respective end user device, which we require for the transmission of requested content (e.g. in particular content, texts, images and product information as well as files made available for download, etc.), the type of end user device, the URL of the previously visited services, the browser type and operating system used and the date and time of use.
This data processing takes place in order to facilitate the use of the website or the service.
We hold this information for a maximum of one month for the purpose of recognizing and pursuing misuse. Aside from this, we delete or anonymize these usage data, including the IP addresses, without undue delay as soon as they are no longer needed for the above mentioned purposes.
The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of the service to the user (Art. 6 para. 1(b) General Data Protection Regulation (GDPR)), or because we have a legitimate interest in safeguarding the security and functionality of our service as well as its proper and compliant use (Art. 6 para. 1(f) GDPR).
In order to use our service, users must create a user account as stipulated in our individual contracts or Terms and Conditions.
When registering for a user account, users provide the following information (jointly “Customer Data”):
When setting up a user account, users must create an individual password. Users can opt for a 2 factor authentication. Users can change their password at any time.
In order to login to a user account, the following data must be entered:
Data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the user (Art. 6 para. 1(b) GDPR).
Customer Data is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply, or the Customer Data is necessary for other purposes described herein.
To use iVE.ONE, in particular to create tokens, the Customers must verify their identities. In this regard we receive certain information from Know Your Customer service provider(s) (“KYC-Provider”) we work with and the respective Customer chooses to verify its identity with. In this regard, we receive the result of any such verification process (i.e. verified “yes” or “no”) and store that information in the Customer’s account.
Data is processed because it is contractually required for the provision of the service to the Customers (Art. 6 para. 1(b) GDPR), and because compliance with KYC- and Anti-Money-Laundering regulations is required by law (Art. 6 para. (c) GDPR).
This information is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply, or the information is necessary for other purposes described herein.
With registration a Customer automatically creates its crypto-currency wallet by using the functionalities of iVE.ONE that have been contractually licensed to the customer under the respective license agreement. In case a Customer chooses to integrate its own crypto-currency wallet into its iVE.ONE account, we store the appropriate information provided by the Customer relating to its wallet. In such cases, we may also receive certain information from the respective wallet provider.
The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the Customers (Art. 6 para. 1(b) GDPR).
This information is generally stored until the respective Customer closes its account, otherwise unregisters for the use of the service or lifts the integration of a wallet, unless statutory retention obligations apply, or the information is necessary for other purposes described herein.
When the Customer creates a Token, the following information must be provided. The customer will process this information in order to create the Token (jointly “Token Data”), using the iVE.ONE functionalities which have been licensed to him by Agora.
Additionally, each Customer may elect to embed certain individual requirements into a Token that must be observed when transferring that Token (e.g. to comply with anti-money laundering provisions) in order to ensure the monitoring of any transaction of the Token being in compliance with the respectively embedded requirements (jointly “Rule Stack Data”).
To this end, the customer will process its Rule Stack Data for the purpose of embedding it into the Token which the customer creates by using the iVE.ONE functionalities which have been licensed to him by Agora. In case a transaction is in violation of the respectively embedded Rule Stack Data, the respective Token cannot be transferred.
Provided that the Customer chooses to embed a black- or whitelist into the Token, i.e. a list of persons or entities to whom the Token may not be transferred, respectively to whom it may exclusively be transferred (c.f. below Section 3.6.2), any names or other information provided by the Customer in this regard will be processed for the purpose of implementing the respective black- or whitelist into the Token.
Provided that the Customer chooses to embed a forced authentication process into the Token (see Section 3.6.1), any such pertinent information provided by the Customer (e.g. data of the respective KYC-Provider to be utilized) will be implemented into the Token.
After the creation of a Token, in order to transfer the Token to the Customer, the Customer must provide a respectively applicable and valid public key which will be processed in order to transfer the Token.
The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the Customer (Art. 6 para. 1(b) GDPR). Rule Stack Data is also processed based on Art. 6 para. 1 (c) GDPR because compliance with mandatory KYC and AML regulations is required by law.
Token and Rule Stack Data is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply, or the Token and Rule Stack Data is necessary for other purposes described herein.
The Customer can track all transactions of Tokens which he has created via iVE.ONE. Transactions are compiled in a transaction history that can be accessed by the respective Customer through a dashboard provided in its respective iVE.ONE account. The purpose of this tracking is to ensure that each transaction complies with the Rule Stack Data and the underlying legal requirements the Customer is subject to.
To this end, we process the following information of the Token-Buyers:
In case a Customer elects to embed a forced authentication process into the Token, personal data of the potential Token-Buyers is processed for the purpose of authenticating each Token Buyers’ identity.
To this end, the Token Buyer has to verify its identity via the respective KYC-Provider provided by Agora to be able to buy the Token.
To this end, the following information of the Token-Buyers is processed:
We disclose this information to the respective KYC-Provider for the purpose of validating the entered information. From the respective KYC-Provider, we receive the result of such verification (i.e. verified “clear” or “suspected”).
Based on processing contracts between Agora and the KYC provider according to Art. 28 GDPR, the KYC provider collects and processes verification data and sends the following data to us:
Based on the above data, transactions are blocked or allowed as contractually agreed by token issuers and token buyers using iVE.ONE.
The appropriateness test is carried out as part of the acquisition of a capital investment. During this process, a Token-Buyer provides data about his knowledge and experience with various investment product classes.
The information is used to check whether the investment decision corresponds to the investor’s previous knowledge and experience and whether the investor, based on his knowledge, can correctly assess the risks associated with the investment. The investor is informed of the result of the examination, whereupon he can decide whether or not to continue with the investment.
When brokering financial instruments, an investment services company is obliged under Section 63 para. 10 WpHG (German Securities Trading Act) to assess the appropriateness of the investment on the basis of the investor’s knowledge and experience.
No investment advice is given by Agora.
Provided that the Customer elects to embed the optional black- or whitelist into the Token, the personal data from potential Token-Buyers is processed for the purpose of comparison with the black/whitelist created by the Customer.
To this end, we process the following information of the Token-Buyers:
All transactions within the Black-/Whitelists are processed against the E-mail and Wallet addresses defined by the Customer and respectively embedded into the Token. On this basis, transactions are blocked or allowed.
Data processing as described in 3.6.1-3 is carried out on the basis of legal provisions which authorise the data processing because
Data relating to transactions of Tokens is respectively retained for a maximum of five years, unless statutory retention obligations apply, or such data is necessary for other purposes described herein.
As initially stated (see Section 1), the Customer (issuer) independently and in its own responsibility renders any transaction of the initially handed over Tokens which it has created using the functionalities of iVE.ONE as licensed to it by Agora (see Section 3.5).
Agora has no influence on a transaction of a Token being granted or refused on the basis of the information defined by the Customer and respectively embedded in the Token. This power lies exclusively with the Customer. Against this background, if you wish to contest any rejection of a Token transaction, please contact the relevant Customer (i.e. Token issuer).
In case that a “transaction of a Token being granted or refused on the basis of the information defined by the Customer and respectively embedded in the Token” should qualify as a decision based solely on automated processing, such processing would be based on Art. 22, para. 2 (a), (b) GDPR because
Token-Buyers may request that the authentication data provided by the respective KYC-Provider during the course of a Token transaction (see section 3.6.1) may also be used to validate further Token transactions the respective Token-Buyer wishes to carry out in the future.
On the basis of such a request (Art. 6 para. 1(a), (b) GDPR), previously collected authentication data will be used to validate Token transactions in case the respective Token-Buyer wishes to acquire another Token (e.g. from another Customer) with embedded forced authentication requirement (see section 3.6.1).
Token-Buyers may cancel their request or withdraw their consent with effect for the future at any time without affecting the lawfulness of processing based on consent before its withdrawal, e.g. by contacting us via e-mail to email@example.com.
After the c, the cancellation the respective Token-Buyer’s authentication data will no longer be used for the validation of further Token transactions. The processing of such information for other purposes as described in this data protection statement remains unaffected.
We also analyse Customer Data, data we receive from KYC-Providers, Rule Stack Data and information pertaining to Token transactions to develop and improve our services for our customers, in particular to analyse risk patterns with legal requirements such as anti-money laundering provisions.
The data processing is carried out on the basis of legal provisions which authorise the data processing because we have a legitimate interest in improving our service and in offering and ensuring compliance with regulatory requirements for the transfer of Tokens without the affected data subjects having an overriding interest (Art. 6 para. 1(f) GDPR).
The service allows general contact or specific service inquiries to be submitted. When communicating via our service, we will process the respective Customer Data as well as additional information the respective user will provide to us (e.g. the content of the message).
We process that information in order to answer the inquiries. This processing is carried out on the basis of legal provisions which authorise the processing because it is necessary in order to process the inquiries (Art. 6 para. 1(b), (f) GDPR).
After the final answering of an inquiry, we delete the inquiry as well as information with regard to their handling within a period of three years after the end of the respective calendar year.
We therefore use so-called session cookies to maintain a login session. Session cookies are small information units in which a randomly generated identification number, the so-called session ID, is stored. In addition, a session cookie stores information about its origin and the storage period. These cookies cannot store any other data. Session cookies will be deleted at the latest within a period of 24 days.
The processing takes place on the basis of legal regulations which permit the processing because of the user’s consent and because it is necessary for the intended and comprehensive provision of the service and the functionalities offered thereon (Art. 6 para. 1 (f) GDPR). If you would like more detailed information on the weighing of interests, please contact one of the addresses listed under section 1.
The service can also be used without cookies. Most Internet browsers automatically accept cookies. To prevent cookies from being stored each user may select “do not accept cookies” in his or her browser settings. Please refer to the instructions of the browser manufacturer to find out how this works in detail. Already stored cookies can be deleted at any time. Not accepting cookies may however lead to functional restrictions of our services.
On our website (www.ive.one, www.issuer.ive.one, www.investment.ive.one) users can subscribe to a free newsletter. When registering for the newsletter, the following data from the input mask is transmitted to us:
In connection with the data processing for the dispatch of newsletters, an evaluation of the user behaviour takes place, but the data is not passed on to third parties. The data is used for sending the newsletter and for analysing user activity on our websites.
The legal basis for the processing of the data after registration for the newsletter by the user is Art. 6 Para. 1 S.1 lit. (a), (f) GDPR as the user has given his consent by requesting the newsletter, and Agora has a legitimate interest to promote their services and to prevent misuse of their service.
The collection of the user’s email address is used to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the email address used.
The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The user’s email address is therefore stored as long as the subscription to the newsletter is active.
The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, there is a corresponding link in every newsletter.
Users have the possibility on the website of iVE.ONE to book an appointment with our contact persons. iVE.ONE uses the online calendar “Calendly” to request and select an appointment. Calendly is an offer of Calendly, LLC, 3423 Piedmont Road NE, Atlanta, GA 30305-1754, United States. When the user presses the corresponding booking button, the user is automatically connected to the appointment account of one of our contacts at Calendly. After the user has chosen the appointment, confirmed it and entered the contact details and concerns, the user will receive an email from Calendly confirming the appointment.
The legal basis for the processing of the data is Art. 6 para. 1, (a), (f) GDPR.
The purpose of the processing of personal data is to arrange an appointment requested by the user as well as the possibility to process the request in case of possible queries.
This data remains with iVE.ONE until you request us to delete it, revoke your consent to storage or the purpose for which the data was stored no longer applies (e.g. date of the event). Mandatory legal regulations – especially retention periods – remain unaffected.
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses so-called cookies. Cookies are text files, which are stored on your computer and that enable an analysis of the use of the website by users. The information generated by cookies on your use of this website is usually transferred to a Google server in the United States, where it is stored. The storage of Google Analytics cookies and the utilization of this analysis tool are based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in the analysis of user patterns to optimize both, the services offered online and the operator’s advertising activities. On this website, we have activated the IP anonymization function. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this website, Google shall use this information to analyze your use of this website to generate reports on website activities and to render other services to the operator of this website that are related to the use of the website and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.
You do have the option to prevent the archiving of cookies by making pertinent changes to the settings of your browser software. However, we have to point out that in this case you may not be able to use all of the functions of this website to their fullest extent. Moreover, you have the option prevent the recording of the data generated by the cookie and affiliated with your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
You have the option to prevent the recording of your data by Google Analytics by clicking on the following link. This will result in the placement of an opt out cookie, which prevents the recording of your data during future visits to this website: Google Analytics deactivation. For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.
If you would like to deactivate the recording of data by Hotjar, please click on the link below and follow the instructions provided under the link: https://www.hotjar.com/opt-out. Please keep in mind that you will have to separately deactivate Hotjar for every browser and every device. For more detailed information about Hotjar and the data to be recorded, please consult the Data Privacy Declaration of Hotjar under the following link: https://www.hotjar.com/privacy.
In addition to the other instances mentioned in this data protection statement, a disclosure of personal data may only occur in the following cases:
6.1 To criminal prosecution authorities as well as, if necessary, harmed third parties if necessary to investigate illegal or abusive use of the service. However, this only occurs if there are specific indications for illegal use or misuse. A disclosure can also take place if this serves to enforce the terms and conditions for the use of the service or other agreements or if necessary, to assert, exercise or defend legal claims.
6.2 We are also required by law to provide information to certain governmental agencies. These are the criminal prosecution authorities, public authorities that prosecute administrative misdemeanours sanctioned with fines and the tax authorities.
6.3 To the extent necessary to process a request or order, and in the case of centralised or outsourced business functions, personal data may be transferred to Agora affiliates for the purposes set out above.
6.4 From time to time we may rely on contracted third parties or other partners and external service providers such as IT service providers, business consultants and financial institutions to fulfil the purposes described herein or to provide our services. In such cases, personal data may be shared with these recipients.
6.5 During the course of the further development of our business, it is possible that the structure of our company will change by changing the legal form, establishing, purchasing or selling subsidiaries, company divisions or parts of the company. In case of such transactions, personal data is passed on together with the part of the business which is transferred. We make sure in the case of each disclosure of personal data to third parties as described above that this takes place in accordance with this data protection statement and applicable data protection laws.
6.6 Insofar as the recipients referred to in Sections 6.2 to 6.4 are entities outside the EU or the EEA, we shall ensure an appropriate level of data protection, for example by concluding appropriate contracts or on basis of appropriate certifications of the respective recipient, or ensure the applicability of an exemptions as per Art. 49 GDPR.
6.7 Where processing is to be carried out on behalf of us (Art. 28 GDPR), we shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Processing by a processor will be governed by a contract according to Art. 28 GDPR.
Right of access: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
Right to rectification: The data subject has the right to have false personal data corrected. In case pseudonymized personal data is stored on a blockchain, a new data block with the rectified data will be stored that supersedes the previous blocks.
Right to erasure: The data subject has the right to request the deletion of personal data, for example if personal data are no longer required for the purposes for which they were collected or otherwise processed. In case pseudonymized personal data is stored on a blockchain, e.g. as a hash, the separately stored reference data that would enable to identify the data subject will be erased, so that the block remains unreadable.
Right to restriction of processing: The data subject has the right to request that the processing of personal data be restricted; in such a case, the data will be blocked for any processing. This right exists in particular if the accuracy of the personal data is debated.
Right to data portability: If we process personal data to fulfil a contract with a user or on the basis of consent, the users have the right to receive their personal data in a structured, commonly used and machine-readable format, provided and to the extent that they have made the data available to us.
Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
In addition, the users may object to processing of their personal data for reasons arising from their particular situation. However, this only applies in such cases in which we process data to fulfil a legitimate interest of Agora or a third party. If the user can state such a reason and we cannot assert a compelling, overriding interest for the further processing, we will not process these data further for the respective purpose.
This does not affect the other rights of objection described in this data protection statement.
If users wish to enforce any of the above mentioned rights or if they have questions about how we protect or process personal data, they can contact our data protection officer via the contact details provided in Section 2. After the final answering of an inquiry, we delete the inquiry with a period of three years after the end of the respective calendar year.
Users also have the right to file a complaint at any time with a supervisory authority, in particular a supervisory authority in the Member State where they are staying, working or the place of alleged infringement, if they believe that the processing of personal data concerning them is in violation of applicable data protection laws.
Unless otherwise described in this data protection statement, we will only store personal data for as long as it is necessary to achieve the purposes stated herein or within the framework of an applicable statutory storage period; in the latter case, we will block the affected personal data for other processing operations.
We can delete your Personal Data only if there is no statutory obligation or prevailing right of Agora to retain it. If you request that we delete your Personal Data, you will not be able to continue to use any iVE.ONE services that require our use of your Personal Data.
We reserve the right to amend this data protection statement from time to time and make changes as to which we process personal data. The current version of the data protection statement is always available under www.ive.one/privacy-policy.