Privacy Policy

PRIVACY POLICY

  1. INTRODUCTION

SEKONDARY, S.L. (hereinafter “Sekondary“) is the owner of the website https://sekondary.com/ (hereinafter the “Website“) and is responsible for the processing of the personal data of the users thereof (hereinafter the “Users“).

Through this Privacy Policy, and in compliance with Articles 12 and 13 of Regulation (EU) 2016/679 (hereinafter “GDPR“) and Article 11 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (“LOPDPGDD“), Sekondary informs Users who use the Website about the processing of their personal data that may be collected through this and processed by Sekondary.

In order to allow the User to access and use the Platform and Sekondary Services, Sekondary may process some personal data in the capacity of:

  • Data Controller: Sekondary shall process the identification data necessary for the execution of the Terms and Conditions and for the invoicing of the contracted Services, and more generally to manage our contractual and/or commercial relationship with the Users, and to inform them promptly about any aspect related to the Services provided or that can be performed by Sekondary in the future. This data processing is regulated in Section 2 of this Privacy Policy.
  • Data Processor: Sekondary may access and process certain personal data under the responsibility of the Business Angel who has contracted the Service, Institutional Investors and Directors and Shareholders who complete the KYC registration or other third-party personal data, in particular data relating to the members of the Company in which Business Angels hold the shares. Much of this data will be processed by Sekondary on behalf of the Business Angel within the EU and EEA. This data processing is regulated in the Data Processing Addendum included in Annex 1 of this Privacy Policy.
  1. SEKONDARY AS DATA CONTROLLER
  • Data Controller: SEKONDARY, S.L.
  • VAT Number: B-72794613
  • Registered office: Diagonal, 359, 08037 Barcelona (Spain).
  • Contact: legal@sekondary.com

 

  • PURPOSES, DATA PROCESSED, LEGAL BASIS AND RETENTION PERIOD
Purposes Data processed Legal Basis Retention period
Management of the functionality of the Website.

 

Analysis of browsing behavior and statistics: The information collected through cookies and other similar tracking technologies allow an analysis of the navigation made by Users

 The IP address of User’s computer and the type of browser User is using. We use this information to analyze general trends and improve the service. This information is not shared with third parties without User’s consent. Consent of the User (Not necessary cookies).

Legitimate Interest (Necessary Cookies).

 The retention periods depend on each specific cookie. For more information on the information retention periods for each type of cookie, see the Cookie Policy.
To attend and respond to requests, comments, suggestions. As well as providing support to the User during the use of the Website. User’s name, email, phone number, company and the content of the message the User sends to Sekondary. Consent The personal data will be processed by Sekondary for the necessary period of time to answer the question and/or solve the incident indicated by the User. Such data will be blocked in order to comply with Sekondary’ legal obligations and, after that time, will be definitively deleted.
Sign up on the Platform. Manage the registration of Users on the Platform User´s

identification data (name, surname, KYC when applicable), image (optional)

 Execution of the Terms and Conditions The personal data provided will be kept for as long as the User maintains his/her account. In the event that the User wishes to cancel his/her account Sekondary will proceed to delete the data*.
Manage our contractual and/or commercial relationship with the Users. Maintain, fulfill, develop, monitor, and execute the contractual relationship with the user The processed data includes user identification information such as name, surname, and contact details like email. Execution of the Terms and Conditions The personal data provided will be kept for as long as the User maintains his/her account. In the event that the User wishes to cancel his/her account Sekondary will proceed to delete the data.
Processing Payments, Invoicing, and Collection The processed data includes banking information and credit card details. Execution of the Terms and Conditions Personal data provided will be retained for the duration of the transaction. Once the transaction is completed, this data will be blocked to fulfill Sekondary’s legal obligations, and after that period, it will be permanently deleted
Offers and Binding Offers notifications. Notify the Managers and Partners of the Offers and Binding Offers and inform them of their right of first refusal. Managers’ and/or Partners email addresses Legitimate interest The personal data provided will be kept for the duration of the transaction. Once the transaction has been completed, such data will be blocked in order to comply with Sekondary’s legal obligations and, after that time, they will be definitively deleted.
Electronic communications related to contracted services and similar products. Sekondary may send commercial communications to users related to contracted services or similar ones, as well as offer new opportunities based on the legitimate interest of both parties. These communications may include information about service improvements, offers, and other relevant opportunities. The processed data includes users’ email addresses. Legitimate Interest Personal data provided will be retained as long as the user maintains their account. In the event that the user wishes to cancel their account, Sekondary will proceed to delete the data.
Newsletters. If the Users have consented to receive commercial communications, this data will be used to send the User commercial information about Sekondary until the user withdraws his or her consent. The User has the right to withdraw consent at any time as indicated in section 6. User’s e-mail address. Consent The personal data will be processed by Sekondary for as long as the User has agreed to receive commercial communications. Such data will be blocked in order to comply with Sekondary’s legal obligations and, after that time, will be definitively deleted.
Demo  request. Request a demo. Personal data will be processed to contact with the User to provide it a Demo of the Sekondary product. Name, surname, email, phone number, job title and message content. Consent The personal data will be processed for the period of the use of the demo by the User and, once this has ended, will be blocked for the necessary period of time to fulfill the legal obligations of Sekondary. Once this time has expired, the data will be definitively deleted.
Processing data of users on social media who interact with Sekondary’s profiles on those social media. Interacting with these users in accordance with the policies of the social media platform and managing our virtual communities according to the policies of each social media platform and the mutual interests of both parties. The processed data includes identification information of social media users such as name, surname User Consent to the terms of use, privacy policy, and access rules of the corresponding social media platform. Personal data will be retained for the duration of our interaction. Personal data will be retained for the duration of our interaction.

 

Sekondary may also process the User’s personal data during the period of time in which civil, commercial, administrative, criminal or tax liabilities may arise, in compliance with the applicable regulations in force. Once these periods have expired, Sekondary will delete this personal data.

  • DATA COMMUNICATION TO THIRD PARTIES AND INTERNATIONAL TRANSFERS

Sekondary informs that, for the fulfillment of the purposes described above, it will not transfer the User’s personal data to third parties. Notwithstanding the above, Sekondary may give access to such personal data to registered Users and technological service providers with which it has entered into a data processor contract, in particular to:

  • Other registered users on the platform who, in turn, are shareholders of an Enterprise or a company  part of a user’s portfolio, including access to the user’s name and email.
  • Database maintenance and newsletter subscription management service providers.
  • KYB technology providers.
  • Analytics service providers.
  • Hosting service providers.
  • Email service providers.
  • Consent Management Platform providers.

The aforementioned providers may be located in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data. For all entities that are not part of the European Economic Area (EEA), Sekondary has entered into contracts with such entities that include such safeguards, including the European Commission’s standard clauses.

Also, the data may be provided to:

  • Companies interested in buying or acquiring Sekondaryor a part of its business and, consequently, give access to any national or international auditor to carry out their due diligence.
  • Authorities to investigate suspected fraud, harassment or other violations of any law, rule or regulation, or of the website policies.

 

  • SECURITY AND CONFIDENTIALITY

Sekondary undertakes to adopt the necessary technical and organizational measures, in accordance with the provisions of the applicable regulations, to ensure the security of personal data and to prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data. The personal data will be processed confidentially by Sekondary, which undertakes to inform and enforce, by legal or contractual obligation, such confidentiality to its employees, partners and any person who should have access to the User’s personal data.

  • USERS RIGHTS

The User may exercise the rights of access, rectification, deletion, opposition and, where appropriate, limitation of processing and portability of data by sending an email to legal@sekondary.com.

Likewise, the User may file a complaint with a supervisory authority and, in particular, with the Spanish Data Protection Agency (www.aepd.es) if he/she considers that the rights set forth above in this Privacy Policy have been violated or if he/she considers that the processing of personal data concerning him/her violates the applicable regulations.

  1. CHANGES IN THE PRIVACY POLICY

Sekondary reserves the right to modify this Privacy Policy at any time. If the Changes or updates to the Privacy Policy will be explicitly notified to the User by means of a notice on the Website, together with the updated version of the Privacy Policy.

Latest version: November 2023

 

Annex 1

SEKONDARY AS DATA PROCESSOR (DATA PROTECTION ADDENDUM)

 

  1. Introduction

This Annex is entered into pursuant to Art. 28.3 of GDPR and regulates the processing of personal data by Sekondary (“Sekondary” or “Data Processor”) on behalf of the Institutional Investors, Business Angels, those acting as legal entities and natural persons, and Directors  and Shareholders who complete the KYC registration form(“Customer” or “Data Controller”) in the course of providing its Services under the Terms. The duration of such processing shall be for the period during which the Parties perform their applicable obligations under the Terms.

During the provision of its Services under the Terms, Sekondary process certain personal data for and on behalf of the Business Angel in particular (but without limitation) the data set out below in Annex 1 (“Personal Data”) relating to the indicated persons included in the same Annex below (“Data Subjects”).

Under applicable privacy regulations, Customer is responsible for this Personal Data and is what is known under privacy regulation as the “Data Controller”. Therefore, Customer appoints Sekondary as a “Data Processor” of this Personal Data, to process the Personal Data on Customer’s behalf, for the purpose of providing the Service indicated in the Terms.

  1. Personal Data accessed, type of processing and purposes.

For the provision of the Service, Sekondary may process on behalf of the Customers the Personal Data that will be indicated in Annex 1 paragraph A, and the type of processing as well as the purpose is indicated in Annex 1 paragraph B and C respectively.

  1. Attribution of responsibility

Customer is made aware that for the purpose of providing the Service, Sekondary may access and process the aforementioned Personal Data on its behalf without the prior informed consent of the data subject. The Parties agree that the processing of the Personal Data on behalf of the Customer as part of the Services is legitimized by the acceptance of the Terms by the Customer in the signing up process.

Customer understands that there is still a risk that Data Subjects may (a) object to the processing under the Terms and Conditions and (b) request cancellation or suppression of their data (as indicated below), or (c) request certain limitation or restriction to the processing or even (d) claim against either party for breach of his/her privacy rights under the applicable data protection laws.

In the event of any claim or procedure made against either of the Parties with respect to the processing of any Personal Data hereunder, provided compliance at all times with the remainder of terms of this Annex, Customer will be responsible for dealing with such claim, with the support of Sekondary. In particular, both Parties undertake to come into compliance with applicable privacy law as soon as possible and minimise any harm to Data Subjects’ rights; and to cooperate in good faith to respond to such claims.

Notwithstanding the foregoing, Customer agrees to indemnify and hold Sekondary harmless from all claims, losses and fines relating to the processing of personal data hereunder, provided Sekondary is in compliance with the terms of this Annex. In any event of liability, Sekondary’s liability hereunder is capped at twice the annual contract value.

  1. Compliance with Art. 14 GDPR (Information)

Pursuant to Art. 14 GDPR, Customer that has access to Personal Data not directly from the Data Subject must inform the Data Subject that their data is being processed, providing the information set out in that Article. While it is Customer’s responsibility to provide this information, Customer and Sekondary will cooperate in good faith to determine the best method to achieve this, in each case, and at the request of Customer and on its behalf, Sekondary will use its best efforts to ensure that this information is provided to the Data Subjects.

  1. Rights and responsibilities of the Customer as Data Controller

As established in the GDPR, Customer as Data Controller shall:

  1. Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation; and otherwise adopt appropriate data protection policies with respect to Personal Data.
  2. Ensure that its Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Personal Data.
  3. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject, when required by law.
  4. Make available to the interested parties the essential aspects of this Agreement, at the request of the Customer or other Data Subject.
  5. Respond to the legal rights established by applicable law on the protection of Personal Data and comply with the stipulations indicated in clause 4 even if these were originally addressed to the Data Processor.
  6. Inform the Data Subjects of the processing, in accordance with clause 2 above.
  7. Appoint a representative in the EU, when the Customer is not established in the EU.

 

  1. Rights and responsibilities of Sekondary as Data Processor

As established in the GDPR, Sekondary as Data Processor shall:

  1. Process Personal Data only on the basis of documented instructions from the Data Controller, including transfers of Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; In such case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
  2. Ensure that the persons authorised to process Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
  3. Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
  4. Provide reasonable assistance to the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the Data Subjects; and otherwise in ensuring that they comply with their obligations.
  5. Either destroy or return all Personal Data once the processing services have been completed and destroy any existing copies unless the retention of Personal Data is required under Union or applicable Member State law.
  6. Make available to the relevant Data Controller all information necessary to demonstrate compliance with the obligations established in herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Data Controller.
  7. Ensure that its Data Protection Officer or, in his / her absence, the Privacy Manager is involved in an adequate and timely manner in all matters relating to the protection of Customer Personal Data.
  8. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the Data Subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
  9. Assist the Data Controller in the response to the legal rights established by the GDPR
  10. Data Subjects’ exercise of their rights

If the Data Subjects addresses a request or exercises any of the rights established in GDPR, the Controller and / or the Processor must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.

Similarly, but in the event that the Data Controller and / or the Processor do/es not proceed with the request of the Data Subject, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Data Subject with the reasons why he/she/they has/ve not acted and inform the Data Subject of his right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

  1. Subcontracting

As Data Processor, Sekondary may provide access to a subcontractor processor to Customer Personal Data if it reasonably considers such access and processing necessary to the performance of the Services. In the event of such access and before the access takes place, Sekondary shall ensure that Terms with the third party is in place which is sufficient to require it to process personal data in accordance with the applicable provisions of this Terms and Conditions and applicable. Sub-contractors indicated in Appendix 2 are approved by Customer by accepting the Privacy Policy, and further subcontractors may be engaged upon prior notice to Customer (including with international transfers, provided section 5 is respected).

  1. International transfer of data

International transfers of Personal Data may not be performed unless the requirements of Data Protection Law and regulations that regulate them are met. Sekondary may transfer Customer Personal Data outside the EEA to its subprocessors indicated in section 8 above, who have entered into contract with Sekondary with appropriate contractual safeguards. Sub-processors in other countries (if any) indicated in the table below are approved by the Customer by accepting the Privacy Policy.

  • Security breach of the Customer Personal Data

Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 48 hours after it happened.

  • Termination, resolution and expiration

In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Data Controller and the Data Processor, the latter shall not keep the Personal Data unless otherwise legally required to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, the Data Processor shall destroy or return to the Data Controller all Personal Data and any copies of it, as well as any support or other document containing any Personal Data.

 

Appendix 1

 

In accordance with the provisions set out in herein and in the GDPR, Sekondary may access and process the type and category of Data Subject’s Personal Data provided by the Customer set out hereunder (Personal Data):

 

  1. Data Subjects and Data Categories

 

Data Subjects Data Categories
Institutional Investors Contact and identification data, employment information, financial data, Activities and business data, shared documents
Business Angels Contact and identification data, employment information, financial data, Activities and business data, shared documents
Directors Contact and identification data, employment information, shared documents
Shareholders Contact and identification data, employment information, shared documents
Enterprises Contact and identification data, employment information, financial data, Activities and business data, employees contact and identification data data, shared documents

 

  1. Nature of processing

 

☐ Disclosing

☒ Collecting

☐ Recording

☒ Organizing

☐ Structuring

☐ Modifying

☒ Storing

 

 ☐ Extraction

☒ Consulting

☐ Communication by transmission

☐ Matching o Interconnection

☐ Limiting

☒ Erasing

☐ Using

 
  1. Purpose of processing: to provide the Services contracted by the Customer and set out in the Terms and Conditions.

 

Appendix 2

 

 

Sub-processors

 

 

 Type of processing Location International transfer Privacy policy URL / SCC (if applicable)
PlanetScale, Inc. Hosting   YES https://planetscale.com/legal/privacy
Clerk Inc. User Authentication and Management USA YES https://clerk.com/privacy
Plus Five Five, Inc. Deliver emails USA YES https://resend.com/legal/privacy-policy
Upload.io Hosting United Kingdom YES https://upload.io/dpa
Google  Ireland Limited Cloud Europa YES https://policies.google.com/privacy/frameworks?hl=es
Vercel Inc Development Infraestructure USA YES https://vercel.com/legal/privacy-policy
Axiom.com Loggin solution USA YES https://axiom.co/gdpr
Functional Software, Inc. d/b/a Sentry Crash&Error Monitoring USA YES https://sentry.io/privacy/
Hubspot CRM USA YES https://legal.hubspot.com/es/privacy-policy