Last updated: December 2023
"Personal Information" means any information, including personal data within the meaning of Art. 4 (1) of the European Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), relating to an identified or identifiable natural person like names, addresses, email addresses, or phone numbers, as well as other non-public information that is associated with the foregoing.
Role of Cleverbridge Financial Services GmbH
Cleverbridge Financial Services GmbH, Gereonstrasse 43-65, 50670 Cologne, Germany ("cbFS") may prepare and process payment transactions as an independent controller of Personal Information for the purpose of preparing, verifying and performing an e-commerce payment transaction conducted on the Store or a storefront that Cleverbridge operates for a seller. During this process, cbFS receives customer and payment information from the seller, performs fraud prevention services and passes on Personal Information (including payment data) to a specific payment provider.
Controller of Personal Information and data protection officer
Cleverbridge is the controller of the Personal Information that is being processed when you visit the Site or the Store, or when you order Products.
cbFS is the controller of the Personal Information that is being processed during an e-commerce payment transaction conducted on the Store or a storefront that Cleverbridge operates for a seller.
You can contact our data protection officer at
Cleverbridge GmbH / Cleverbridge Financial Services GmbH
Data Protection Officer
Email contact via our Help Center
Your rights as a data subject
As a data subject, you have different rights, including a right to access, rectification, erasure, restriction of processing and data portability with regard to your Personal Information. Furthermore, you can withdraw your consent and object to our processing of your Personal Information based on our legitimate interests. You can also lodge a complaint with a supervisory authority.
These are your rights as a data subject:
- You can withdraw your consent to the processing of your Personal Information by us at any time. In the case of a withdrawal, we may no longer process your Personal Information based on your consent in the future. The withdrawal of consent has no effect on the lawfulness of processing based on consent before its withdrawal.
- You have the right to obtain access to your Personal Information that we process. In addition, you may request information on the purposes of the processing, the categories of Personal Information, the categories of recipient to whom the Personal Information have been or will be disclosed, the envisaged period for which the Personal Information will be stored or the criteria used to determine that period, the existence of the right to request rectification or erasure of Personal Information or restriction of processing of Personal Information or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information as to the Personal Information’s source (if the Personal Information is not collected from you), the existence of automated decision making, including profiling (defined and discussed below in the section entitled "Automated decision-making") and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you. Please note that your right to access may be limited by national law.
- You have the right to obtain from us the correction of inaccurate Personal Information concerning you. Taking into account the purposes of the processing, you have the right to have incomplete Personal Information completed, including by means of providing a supplementary statement.
- You have the right to obtain from us the deletion of Personal Information concerning you, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims. Please note that the right to deletion may be limited by law (e.g. our obligation to retain Personal Information relating to an e-commerce transaction for a certain time period).
- You have the right to obtain from us the restriction of processing of Personal Information concerning you to the extent that
- you contest the accuracy of the Personal Information,
- the processing is unlawful, but you oppose the deletion of the Personal Information,
- we no longer need the Personal Information, but you require it for the establishment, exercise or defense of legal claims or
- you have objected to the processing.
- You have the right to receive a copy of your Personal Information that you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit that Personal Information to another controller ("right to data portability").
- You have the right to lodge a complaint with a supervisory authority, such as the public authority, which is established in the EU member state of your habitual residence, place of work, or place of the alleged infringement. You can also lodge the complaint with the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW, www.ldi.nrw.de), which is the competent supervisory authority for us.
If we process your Personal Information on the basis of our legitimate interests, you have the right to object to such processing on grounds relating to your particular situation. This also applies to profiling. If we process your Personal Information for purposes of direct marketing, you have the right to object at any time to the processing of your Personal Information for such marketing, which includes profiling to the extent that it is related to such direct marketing.
For more information about your rights as a data subject and/or to exercise any of them, please contact our Data Protection Officer or contact us via our Help Center. Please note that in general the exercise of these rights is free of charge. Where requests are manifestly unfounded or excessive, especially because of a given repetitive character, we may charge a reasonable fee (at the most our actual costs) in accordance with the applicable statutory regulations or refuse to act on the request.
Use of Personal Information you provide
In general, we process Personal Information you submit to us in order to provide you with the Products that you order, process payments, respond to requests that you make, for the purpose of registration (if any), and to offer you additional information, opportunities, and functionality related to the Products that you order. We also use Personal Information to prevent or detect fraud or abuse of our Site or Store and to better tailor the features, performance, and support of the Site or Store to our Customers’ needs, or to carry out technical, logistical, or other functions or improvements.
We process the following Personal Information that you provide by using the Site or the Store or by ordering the Products:
Requests and performance of the contract
In order to purchase Products through the Store, you have to provide and we will process your name, email address, zip code, address (where required to fulfill your order), and all the financial information necessary for billing and recurring billing (where applicable) or a subset of the foregoing.
The information required for billing depends on the selected payment method and may include credit card number, card verification code, account number, account name, billing zip code, or any other information required for the payment methods that you have selected.
We also collect your zip code for the purpose of identifying tax calculation, transaction processing and support, and statistical purposes. We only transfer your zip code to the Suppliers for purposes of fulfilling your order through our Store and for statistical purposes. We do not sell the zip code information you provide us with in connection with other information, do not connect it with data sets external to the transaction, and do not use it ourselves for advertising purposes.
The legal basis for processing activities required for the purpose of identifying fraudulent activities and statistical purposes is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the execution of our offers and services, the integrity of our systems, and in the analysis of the customer base.
On certain websites, we give users the option of providing us with account registration information. This information may include, among other things, your name, address, email address, and a password.
Without your prior explicit consent, we will only send you Product-related announcements that are not promotional in nature (for example, notices related to your purchase of Products or information regarding the renewal of subscriptions) and only when we believe it is necessary to do so.
When you contact us by email, fax, contact form or telephone, or if you are using any of the email addresses, fax, or telephone numbers provided on the Site or the Store, we will collect any Personal Information you choose to provide to us in connection with this communication. Unless your request pertains to the performance of a contract, the legal basis for processing of your request is Art. 6 (1) (f) GDPR. Our legitimate interest is to process your request.
Unless stated otherwise above, the legal basis for all processing activities mentioned in this section is Art. 6 (1) (b) GDPR and – with regard to the processing for compliance with a legal obligation to which we are subject – Art. 6 (1) (c) GDPR.
Prevention of Fraud and Anti-Money-Laundering, Payment Processing and Export Compliance Control
Cleverbridge (including cbFS) collects and processes Personal Information for the following purposes:
- Validation of the legitimacy of a transaction under applicable anti-money-laundering laws by using internal tools and external data providers (in accordance with Article 6 (1) (c) GDPR),
- Confirmation that the intended transaction is not of fraudulent nature by using internal tools and external data providers (in accordance with Article 6 (1) (f) GDPR), and
- Performing the payment processing transaction (in accordance with Article 6 (1) (f) GDPR in the case of cbFS, otherwise, according to Article 6 (1) (b) GDPR).
Newsletter and other promotional information
If you request promotional information via any of the forms of the Site or the Store, or sign up for a newsletter or blog updates, then we will process your Personal Information, subject to your consent, for advertising, market research and tailoring electronic services.
Your Personal Information will be processed on the basis of your consent pursuant to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time for the future as described under Your rights as a data subject.
Unsubscribe instructions will accompany each newsletter or promotional communication you receive from us.
No requirement to provide Personal Information
There is no requirement for you to provide Personal Information to us. However, if you do not provide the information required for the performance of a contract, we cannot enter into a contract with you.
Automatic collection of Personal Information and analytical data
In addition to the information you provide, we automatically collect Personal Information through different technologies as described below:
We collect your IP address and transfer it to the Supplier for the purpose of identifying fraudulent activities, export compliance, calculation of tax, and transaction processing and support. Your IP address will be truncated by our systems before transmission to the Supplier.
Depending on the specific purpose, the processing of your IP address is based on Art. 6 (1) (b), (c) or (f) GDPR. Our legitimate interests are the execution of our offers, contracts and services and the integrity of our systems.
Cookies, tracking and other analytics technologies
We partner with third parties to either display advertising on the Site and Store or to manage advertising on other websites. These third parties may use technologies such as cookies to gather information about your activities on the Site and Store and other websites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt out by clicking here (or if located in the European Union click here). Please note this does not opt you out of being served ads. You will continue to receive generic ads. Also, the opt-out itself is stored in a cookie, which means that when you clear your cookies, switch to another browser, use a different device, or otherwise modify your cookies, you will have to opt out again.
Our Site and Store use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google").
Please note that your IP address will be truncated by our systems before sending the data to a Google server. Therefore, you will not be identified as an individual person in Google Analytics, but only as part of the user base.
Google will use this information to evaluate the use of the Site and Store, compile reports on Site and Store activity, and provide other Site and Store activity and internet related services. More information about Google Analytics can be found here.
Our Site and Store also use the Hotjar analysis service to collect analysis and feedback. Hotjar is provided by Hotjar Limited (Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta), https://www.hotjar.com/.
Hotjar's services allow us to analyze how visitors use our Site and Store by revealing online behavior related to our Site and Store and by collecting feedback from those visitors.
We use Hotjar to record – on an aggregated, non-personal basis – information such as mouse movements, mouse clicks, and scrolling activity. Information about the browser (type, version, screen size, etc.), basic information about the user (country, language, time zone), and data containing mouse movements, clicks, scroll events, and keystrokes are transferred to Hotjar. Information that you enter into form fields and your IP address are masked with unreadable content before information is transmitted to Hotjar to protect your privacy.
Automatic analytical data processing
We receive and store certain types of information whenever you interact with us. This automatic exchange of data between your browser and our server upon accessing our Site or Store informs us of which browser you are using, the date and time of your visit, the name of your Internet Service Provider (ISP), device information, including device ID, the Site you are using to visit us, and which parts of our Site and Store you are visiting.
The information we collect automatically is called "Analytical Information."
We use this Analytical Information in an aggregated form for internal purposes, such as determining certain settings for the Site or Store like language or location, for maintaining our operating ability, preventing fraudulent access to our Site or Store, or for analyzing usage patterns so that we may enhance our Site and Store. We also reserve the right to use and disclose any aggregated Analytical Information at our discretion, as you will not be identified as an individual person.
The aggregation of Analytical Information for the above purposes is based on Art. 6 (1) (f) GDPR.
List of tracking and other analytics technologies
Detailed information regarding the tracking and other analytics technologies which may be in use on Cleverbridge's Site and Store can be found here.
Personal Information from other sources
We may collect Personal Information about you from other sources like the Suppliers of Products or third parties that provide services for us in connection with the Site or Store. We may add this information to the Personal Information we collect from you via the Site or Store for the purposes of preventing or detecting fraud or abuses of our Site or Store and to fulfill your order and to contact you regarding your order of Products. We do not process such information for marketing purposes.
The legal bases for these processing activities are Art. 6 (1) (b) GDPR to the extent that the information is necessary for the performance of the contract and Art. 6 (1) (f) GDPR for the prevention and detection of fraud and abuses.
In order to avoid defaults on payment, we reserve the right to obtain information on your creditworthiness (such as based on mathematic-statistical processes) from third parties for certain payment methods (such as direct debit and purchase orders) according to Art. 6 (1) (f) GDPR.
Privacy of minors
The Cleverbridge Store, Site, and product purchases are for adults only. Persons under the age of eighteen (18) shall not supply any Personal Information to us. We will neither intentionally ask for Personal Information of persons under the age of eighteen, nor process their Personal Information.
Additional notice to United States residents: We do not intentionally collect or maintain information from visitors of the Site or Store who are under thirteen (13) years old.
Disclosure of Personal Information
Cleverbridge, Inc. (350 N Clark, Suite 700, Chicago, Illinois, 60654, USA), Cleverbridge GmbH and Cleverbridge Financial Services GmbH (Gereonstr. 43-65, 50670 Cologne, Germany), Cleverbridge KK (Wakamatsu Bldg. 7F, 3-3-6 Nihonbashi-Honcho, Chuo-ku, Tokyo 103-0023 Japan), and Cleverbridge Co., Ltd. (Level 4, Neihu New Century Building, 55 Zhouzi Street, Neihu District, Taipei, Taiwan) (collectively, “Affiliates”) act as processors on behalf of Cleverbridge to provide global customer support, fraud prevention, order fulfillment, client management, marketing and marketing services, and sales, business and platform development.
Suppliers of the Products
We will provide Personal Information to the Suppliers of the Products sold through the Store to enable them to provide you with the Products, to register you as authorized users, to provide you with support and updates, and for similar purposes. The basis for such data transfers is Art. 6 (1) (b) GDPR, which permits the processing of data for the performance of a contract or precontractual measures.
We will also provide analytical data collected through cookies or similar technologies to the Suppliers of the Products sold through the Store to enable them to analyze trends, track users' movements around the Site and Store, and to gather demographic information about our user base as a whole as set forth in Cookies, tracking and other analytics technologies. We only transfer Analytical Information through such technologies.
Third party service providers
We provide analytical data to providers of analytics and tracking technologies as described in Cookies, tracking and other analytics technologies.
In case of non-redemption of a direct debit transaction that is not caused by a revocation through the account holder, we reserve the right to report your account information (your account number and bank routing number) to a third party that saves these facts in a lock file and sends them to other companies that are affiliated with the direct debit procedure. The entry in the lock file is deleted after the amount invoiced has been settled. The legal basis for this processing of your Personal Information is Art. (1) (f) GDPR. Our legitimate interest is to avoid future defaults on payment.
Export and processing of Personal Information in countries outside of the European Economic Area
For the purposes of processing your order, your data may be transferred to our Cleverbridge Affiliates, to Suppliers of the Products and/or Third party service providers based outside the European Economic Area in countries that, to date, may not have a data privacy level that is recognized as being equivalent to that of the European Union, in particular the USA.
Cleverbridge Affiliates, Suppliers, and third party service providers that receive Personal Information from us have entered into and executed agreements for the international transfer of Personal Information which allows for the processing of your Personal Information and which correspond to the European Union Standard Contractual Clauses for the transfer of Personal Information to third countries. A copy of the Standard Contractual Clauses is available on the website of the European Commission.
Law enforcement, governmental authorities and agencies
We may disclose your Personal Information to recipients if such disclosure is necessary to:
- comply with relevant laws or respond to subpoenas or warrants served on us (Art. 6 (1) (c) GDPR);
- enforce our General Terms and Conditions (Art. 6 (1) (b) GDPR);
- protect and defend our rights or property, or the rights or property of visitors of the Store and Site, our Customers, our Suppliers, or other third parties (Art. 6 (1) (f) GDPR); or
- in certain situations, abide by lawful requests by public authorities to disclose Personal Information, including to meet national security or law enforcement requirements (Art. 6 (1) (c) GDPR).
For tax-exempted orders originating in certain EU countries, your address information may be passed on to the responsible tax authorities in order to establish that your VAT identification number (VAT-ID) is correct (Art. 6 (1) (c) GDPR).
In the following countries, from the EU's perspective, an adequate level of protection for the processing of personal data corresponding to EU standards exists (so-called adequacy decision): Andorra, Argentina, Canada (limited), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay. The US and EU have also executed a Data Pact whereby companies that certify under the Pact are considered to provide adequate protections as well. With recipients in other countries, or US recipients who have not certified under the EU-US Data Pact, we agree to use EU standard contractual clauses, binding corporate rules, or other permissible mechanisms to provide an "adequate level of protection" in accordance with legal requirements. We will be happy to provide you with information on this via the contact details provided above.
Data security and confidentiality
In order to maintain the highest level of Customer and Supplier protection, we adhere to the applicable industry rules and regulations. Thus, we maintain commercially reasonable and appropriate physical, technical, and organizational measures and procedures to safeguard and secure your Personal Information during processing, particularly collection, transmission, and storage. Your Personal Information is only accessible by authorized personnel familiar with Cleverbridge's data privacy policies.
Transport Layer Security (TLS)
All access to the Store's ordering pages is granted using Transport Layer Security (TLS) technology, which encrypts Personal Information you provide during the ordering process. This protects confidential data from being intercepted by third parties and transfers your Personal Information through a secure channel. To ensure this level of security, our systems use a certificate in keeping with common ecommerce practice. This certificate is issued by a trusted security provider. All standard web browsers support this technology and accept the certificates from trusted security providers automatically. If you have any questions about security, you can contact us via our Help Center.
Credit Card Data
Cleverbridge maintains full compliance with PCI DSS (Payment Card Industry Data Security Standard) to enhance payment card data security and provide a secure ecommerce environment for our Customers. The PCI DSS standard lays out requirements for network architecture, software development, security management, and other critical proactive measures to ensure the safety of payment card transactions. Each year a Qualified Security Assessor thoroughly examines the technical and organizational measures within Cleverbridge to make sure we adhere to the strict PCI regulations.
Thus, we disclose only the last four digits of your credit card numbers when confirming an order. But we transmit the entire credit card number only to the appropriate payment processor during order processing. Due to the requirements of the PCI DSS, this transfer is secured using transport-layer-security (TLS).
Profiling and Automated decision-making
In certain instances, Cleverbridge automatically processes your data to analyze and/or predict your interactions with Cleverbridge – referred to as "profiling" – for the purpose of optimizing your user experience. More specifically, we use profiling to compare past purchasing behavior to current purchasing behavior to ensure a current purchase is not fraudulent, to detect payment processing anomalies such as technical difficulties completing card transactions, and to customize our communications with you, including marketing communications (but only where we have obtained the appropriate consents to do so).
- If you have questions about profiling, or you want us to terminate profiling, please contact us via one of the methods disclosed above. Please note that some profiling is required to continue a subscription product or to make a purchase from Cleverbridge, so terminating may prohibit your access to these services.
2. Automated decision-making
Cleverbridge uses profiling in conjunction with automated decision-making. Automated decision-making means that Cleverbridge’s platform makes certain decisions based on automated data processing, without the involvement of a human. Some of this automated decision-making has little-to-no impact on you, such as which marketing communication you receive. But some automated decision-making impacts your ability to complete your transaction, such as preventing the transaction if it is flagged as fraudulent. Specifically, Cleverbridge uses automated checks to prevent payment fraud and to avoid violations against governmental denied-party lists (e.g. OFAC) and to detect anomalies in payment processing.
We make this kind of automated decision when we:
- decide to approve your purchase, completing your transaction and charging the payment method provided.
- decide not to approve your transaction because it:
- May be fraudulent. If our automated process shows that your behavior indicates possible fraudulent conduct, that your behavior is not consistent with previous use of our services, or that you have attempted to conceal your true identity, we will decline your transaction. In such cases, we use information you have provided to us, data from Maxmind, Inc. (a fraud prevention service), and Cleverbridge’s internal data. In some cases, this data will be evaluated through a machine learning algorithm that assigns a risk score to your transaction as part of the risk assessment. We continuously develop our fraud models to keep your transactions secure, and closely investigate how fraud patterns change (for example which merchant categories or products are mostly subject to fraud attempts).
- May constitute money laundering. Our automated process analyzes whether your behavior may indicate money laundering.
- Comes from a person, entity, or location listed on sanction lists, as discussed in more detail above in our Export Compliance section.
Aside from the above-disclosed purposes, we do not process your Personal Information for any other automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR.
Cleverbridge will retain Personal Information for as long as needed to facilitate the sale of Products for which the Suppliers have engaged Cleverbridge as well as to comply with legal obligations (statutory retention periods), resolve disputes, and enforce our agreements.
In general, we delete your Personal Information as soon as it is no longer required for the above-mentioned purposes, unless temporary storage is still necessary. We store your Personal Information on the basis of legal proof and storage obligations, which result among other things from the German Commercial Code and the German Tax Code, according to which the storage periods are up to ten full years. In addition, we keep your data for the period during which claims can be asserted against our company.
Upon your request, we will restrict the processing of your Personal Information based on applicable law. Once the statutory retention periods have expired, the data will be removed from our operative systems.
Additional Rights under the CCPA
In addition to the information disclosed above, you are entitled to instruct Cleverbridge not to sell your data, as defined in the CCPA. To do so, you may submit your request here. Cleverbridge will not discriminate against you for exercising any of your valid rights under the CCPA.