Privacy Policy
1. Introduction
We, Spargold GmbH (hereinafter 'we' or 'us'), take the protection of your personal data very seriously. We process this data exclusively on the basis of legal provisions, in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Commercial Code (HGB), the German Tax Code (AO), and the German Anti-Money Laundering Act (GwG). This policy explains what data we collect, why we use it, and what rights you have.
2. Controller
Spargold GmbH
Hermannstraße 5, 26441 Jever, Germany
Email: privacy@spar.gold
3. Data Protection Officer
No Data Protection Officer has been appointed, as this is not legally required. For any questions regarding data protection, please feel free to contact us using the contact details provided above.
4. Definitions
Our Privacy Policy is based on the terms used by the European legislator when enacting the GDPR. To ensure easier understanding, we define some important terms here:
Personal Data: Any information relating to an identified or identifiable natural person (hereinafter 'data subject').
Data Subject: Any identified or identifiable natural person whose personal data is processed by the controller.
Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5. Data Processing on our Website
5.a Collection of General Data and Information (Server Log Files)
When you visit our website, we automatically collect data and information that your browser transmits to our server. This data is technically necessary to display our website to you and to ensure its stability and security. This includes:
Browser types and versions used
The operating system used by the accessing system
The website from which an accessing system reaches our website (referrer)
The sub-websites accessed on our website via an accessing system
Date and time of access to the internet page
An Internet Protocol address (IP address)
The Internet service provider of the accessing system
Other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
- Legal Basis: The processing of this data is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing a functional and secure website.
- Storage Period: Server log files are automatically deleted after 7 days. Longer storage only occurs if necessary for the investigation of security incidents or to comply with legal retention obligations.
5.b Cookies
Our website uses cookies. Cookies are small text files that are stored on your device and contain certain information. Some cookies are technically necessary (essential cookies), while others are used for analysing user behaviour (analytics cookies) or marketing purposes (marketing cookies).
Essential Cookies: These cookies are essential for the basic operation of our website. They enable functions such as page navigation, access to secure areas of the website, and storing your cookie consent. The legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing a technically functional website.
Analytics Cookies (Google Analytics 4): We use Google Analytics 4 for anonymised usage statistics. Google Analytics uses cookies that enable an analysis of your use of our website. The information generated by the cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.
IP Anonymisation: Your IP addresses are truncated ('AnonymizeIP'). This means your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
Purpose of Data Processing: On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide us with other services related to website and internet use.
Legal Basis: The use of Google Analytics is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in website optimisation.
Third Country Transfer: Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses (SCCs).
Right to Object (Opt-Out): You can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser add-on 'Google Analytics Opt-out' available at https://tools.google.com/dlpage/gaoptout/.
Further information on cookies can be found in our separate Cookie Policy.
5.c Contacting Us (e.g., via Email, Contact Form)
If you contact us by email or via a contact form, the personal data you provide (e.g., your name, email address, message) will be stored for the purpose of processing your inquiry and for follow-up questions.
- Legal Basis: The processing of this data is carried out for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR, insofar as your inquiry aims at concluding a contract. In all other cases, the processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to effectively process your inquiry.
- Storage Period: The data will be deleted as soon as it is no longer required for the purpose for which it was collected and no legal retention obligations prevent its deletion. This is generally the case when your inquiry has been definitively processed.
6. Data Protection in the Spargold App
6.a Collected Personal Data
- Master Data: Name, address, date of birth
- Contact Data: Email address, mobile number
- Bank Details: IBAN
- KYC Data (Know Your Customer): Photo of you, photo of your ID card
6.b Purposes of Processing & Legal Bases
| Purpose | Data Category | Legal Basis |
|---|---|---|
| Purchase of precious metals (contractual performance) | Master Data, Bank Details | Art. 6 para. 1 lit. b GDPR |
| Fulfilment of legal retention obligations | all data mentioned above | Art. 6 para. 1 lit. c GDPR; § 257 HGB; § 147 AO |
| Identity verification (KYC) | KYC Data | GwG; Art. 6 para. 1 lit. c GDPR |
| Security & prevention of misuse | Connection and Usage Data | Art. 6 para. 1 lit. f GDPR |
6.c Storage Period
- Contract and Bank Data: This data is stored for at least 10 years to comply with our legal retention obligations under § 257 HGB and § 147 AO.
- KYC Data: This data is stored for at least 5 years after the end of the business relationship, as required by the Anti-Money Laundering Act (GwG). Longer storage may be necessary in accordance with commercial and tax law requirements.
6.d Processors (Hosting & Services)
| Service Provider | Processing | Location | Data Transfer to Third Countries |
|---|---|---|---|
| Hetzner | Storage of all app data | Germany | no |
| Google Cloud | Infrastructure, Backup | EU Region (Ireland) | USA (Standard Contractual Clauses, EU-US Data Privacy Framework) |
| Seven.io | Sending SMS OTP (mobile number only) | Germany | no |
| SendGrid | Sending emails (verification) | USA | USA (Standard Contractual Clauses) |
6.e Checks for Politically Exposed Persons (PEP) and Sanctions (OpenSanctions)
To comply with our legal obligations for anti-money laundering, we conduct checks for Politically Exposed Persons (PEP) and sanctions.
- Purpose of Processing: The check serves to fulfil our legal obligations under the Anti-Money Laundering Act (GwG), particularly to identify politically exposed persons (PEP) and individuals on sanctions lists, in order to prevent money laundering and terrorist financing.
- Affected Data Categories: For this check, we use your master data (name, date of birth, address) and other available identification data.
- Time of Check: This check is only carried out when the total amount of deposits to your Spargold account exceeds EUR 1,999.
- Service Provider: For this check, we use the OpenSanctions API. This API accesses publicly available data sources to verify relevant information on PEP and sanctions.
- Legal Basis: The processing of this data is carried out for the fulfilment of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with the relevant provisions of the Anti-Money Laundering Act (GwG).
- Data Transfer to Third Countries: The OpenSanctions API itself can aggregate data from various international sources. A direct transfer of your personal data to OpenSanctions does not occur through our use of the API. We only transmit the identification data necessary for the check (e.g., name) to our systems, which then query the API.
- Storage Period: The results of these checks and the associated data are stored for the duration of the legal retention periods under the GwG (at least 5 years after the end of the business relationship).
7. Data Transfer to Third Countries
If we transfer data to a third country outside the European Union (EU) or the European Economic Area (EEA), we ensure that an adequate level of data protection is guaranteed. This is done through:
Adequacy decisions by the EU Commission (Art. 45 GDPR).
Standard Contractual Clauses (SCCs) of the EU Commission (Art. 46 para. 2 lit. c GDPR), possibly in conjunction with additional safeguards.
Your explicit consent (Art. 49 para. 1 lit. a GDPR).
Information on the specific safeguards for Google Cloud and SendGrid can be found above under section 6.d.
8. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed. If so, you have the right to access this data and further information.
Right to Rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate personal data or the completion of incomplete data.
Right to Erasure ('Right to be Forgotten') (Art. 17 GDPR): You have the right to request the erasure of your personal data if certain reasons apply (e.g., the data is no longer necessary for the purposes for which it was collected or otherwise processed).
Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your data if certain conditions are met (e.g., the accuracy of the data is contested by you).
Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller.
Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions. In the case of direct marketing, you have a general right to object at any time.
Right to Withdraw Consent (Art. 7 para. 3 GDPR): If the processing of your data is based on your consent, you have the right to withdraw this consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
- To exercise your rights, please contact privacy@spar.gold.
9. Data Security
We implement comprehensive technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. Our security measures are continuously improved in line with technological developments. These include:
TLS (SSL) encryption of all data transfers.
Physical and technical access controls in our hosting provider Hetzner's German data centers.
Regular security audits and certified backup procedures.
10. Links to Other Websites
Our website and app may contain links to other websites not operated by us. We have no influence on their content or their data protection practices. Please inform yourself about the privacy policies of the linked websites before entering personal data there.
11. Changes to this Policy
This Privacy Policy is currently valid as of July 2025.
We reserve the right to adapt this Privacy Policy from time to time to reflect changed legal requirements or changes in our services. In the event of changes due to new technologies, legal regulations, or guidelines from supervisory authorities, the policy will be updated. The latest version can always be found at https://spar.gold/privacy.
12. Contact
If you have any questions about this Privacy Policy or the processing of your personal data, you can contact us at any time:
Spargold GmbH
Email: privacy@spar.gold