Information we collect
Lendorse collects data on the basis of your consent to process the data for one or more specific purposes and to the extent necessary to perform one or more contracts, to administer products or to comply with our legal obligations.
The types of personal data we collect about you may include, but are not limited to, the following:
- Identifying information, such as your full name, email address, phone numbers, social media links and account login details;
- Personal information, such as your full name, educational institution, course of study or major, graduation date and desired funding amount;
- Protected classification data, such as your age or marital status;
- Commercial information, such as personal property records;
- Internet or other electronic network information, such as your interactions with our website, IP address and browsing history;
- Geolocation information - such as physical location information;
- Job-related information, such as your current or previous work history;
- Inferences drawn from any of the above information.
The types of non-personal data we collect may include:
- Use of the website, such as traffic, location and communication data, pages viewed, frequency and duration of access and browsing history;
- Computer type, hardware model, unique identifier of the device, operating system, internet connection, IP address and browser.
Statistical or aggregated non-personal data does not directly identify you or any particular individual. However, we may obtain such information from your personal data. For example, we may aggregate personal data to calculate the number of users in a particular postcode.
Lendorse collects non-personal information to improve the user experience of our website and platform and for other business purposes. How we use your information
Lendorse collects data on the basis of your consent to process the data for one or more specific purposes and to the extent necessary to perform one or more contracts, to administer products or to comply with our legal obligations.
We collect your personal data: (a) to verify your identity as part of our fraud prevention and detection procedures; (b) to administer products; (c) to communicate with you; (d) to provide our products or services to you; (e) to provide you with information that may be of interest to you; (f) to improve the user experience of our website and platform; (g) to customise the content of our products or services; (h) for internal business purposes; (i) or for any other reason for which you have provided the personal data to us.
By using our website and voluntarily submitting such information, you consent to Lendorse sharing all such information, including our underwriting and funding decisions, with third parties and with Lendorse's strategic partners, including but not limited to a partner bank, subject to appropriate data security measures in accordance with all applicable regulations.
Personal data will remain in our records until we determine that the data is no longer needed or we are required by law to delete the data. We will not collect additional categories of personal data or use the personal data we collect for substantially different, unrelated or incompatible purposes without informing you. Data controller
Lendorse is the data controller and responsible for your personal data described in this policy. Sale of information
We do not sell your personal data. How we collect information
We collect most of this personal information directly from you based on your interactions or relationship with our business in order to provide services, including information provided directly through our website or the Platform, by telephone, through written correspondence by post, email or fax, or by viewing public media/networking sites or other information available online. However, we may also collect information from:
- From publicly available sources (e.g. property records or court records);
- from our service providers (e.g. mail delivery providers, payment processing service providers, call analysis providers and/or electronic signature service providers);
- directly from a third party (including financial institutions, employers and tax authorities);
- Consumer Reporting Agencies (CRAs)
- By a third party with your consent (e.g. your authorised representative and/or lawyer);
- External companies or organisations that provide data to support activities such as fraud prevention, underwriting and marketing;
a) Type, scope and purpose of data processing
Various types of cookies are used on our website, the nature and function of which are explained below.
Temporary cookies/session cookies. Our website uses so-called temporary cookies or session cookies, which are automatically deleted as soon as you close your browser. This type of cookie makes it possible to record your session ID. This allows various requests from your browser to be sent to your browser. This makes it possible to identify your terminal device during subsequent visits to the website.
Permanent cookies. So-called permanent cookies are used on our website. Permanent cookies are cookies that are stored in your browser for a longer period of time and can transmit information. The respective storage period differs depending on the cookie. You can delete permanent cookies independently via your browser settings.
Third-party cookies. We use analytical cookies to monitor anonymised user behaviour on our website.
We also use advertising cookies. These cookies allow us to track user behaviour for advertising and targeted marketing purposes.
Social media cookies allow you to connect to your social networks and share content from our website within your networks.
Configuration of the browser settings
Most web browsers are preset to automatically accept cookies. However, you can configure your respective browser so that it only accepts certain cookies or no cookies at all. However, we would like to point out that you may then no longer be able to use all the functions of our website.
You can also delete cookies already stored in your browser via your browser settings. Furthermore, it is possible to set your browser to notify you before cookies are stored. As the various browsers can differ in their respective modes of operation, we ask you to use the respective help menu of your browser for the corresponding configuration options.
b) Legal basis
Based on the purposes described, the legal basis for the processing of personal data using cookies is Art. 6 (1) sentence 1 lit. f) DSGVO. Only those cookies that are technically absolutely necessary to enable you to use the website can be based on this.
c) Storage period
As soon as the data transmitted to us via the cookies is no longer required for the purposes described above, this information is deleted. Further storage may take place in individual cases if this is required by law.
Services we use
Our website is operated on servers of DigitalOcean, LLC based in NYC, USA (server owner). The server operated is located in Frankfurt (server location). The log files are created via NGINX / Apache server logs.
For hosting in the Google Cloud (Google Cloud Platform, GCP), which we also use, the Frankfurt, Germany region is used (europe-west3). However, the Google Cloud works on the principle of a multi-tenant environment, so that data is replicated between several geographically distributed data centres (data centre resilience).
Personal data is only transferred to countries outside the EU within the scope of hosting (Google Cloud Platform, GCP). The legal basis for this is the corresponding EU standard contractual clauses, see GCP sample contractual clauses and further information on data protection in the Google Cloud at https://cloud.google.com/security/gdpr/resource-ce....
Hosting with Amazon Web Services (AWS)
We also host our website on AWS. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter: AWS).
When you visit our website, your personal data is processed on the servers of AWS. This may also involve the transfer of personal data to the parent company of AWS in the US. The data transfer to the USA is based on the EU standard contractual clauses. You can find details here:
The use of AWS is based on Art. 6 para. 1 lit. f DSGVO. We have a legitimate interest in ensuring that our website is presented as reliably as possible. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time.
Conclusion of a contract on commissioned processing
We have concluded an order processing contract with AWS. This is a contract required by data protection law, which ensures that AWS only processes the personal data of our website visitors in accordance with our instructions and in compliance with the DSGVO.
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyse the behaviour of website visitors. In doing so, the website operator receives various usage data, such as page views, length of stay, operating systems used and the origin of the user. This data may be summarised by Google in a profile that is assigned to the respective user or their end device. Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the USA and stored there.
The use of this analysis tool is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission.
Details can be found here:
We have activated the IP anonymisation function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic characteristics in Google Analytics
This website uses the "demographic characteristics" function of Google Analytics in order to be able to display suitable advertisements to website visitors within the Google advertising network. This allows reports to be generated that include statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as shown in the item "Objection to data collection".
We use Yandex.Metrica, a web analytics and click tracking service provided by Yandex, located at 119021 Moscow, L. Tolstoy Street, 16. The information generated by the use of the service about your use of our website (including your IP address) is transferred to a Yandex server in the Russian Federation and stored there. Cookies are used on your terminal device for this purpose. Cookies are text files that are stored on your computer and enable an analysis of your use of the website. Yandex will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Yandex may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Yandex's behalf. You can object to this form of data collection and storage at any time with effect for the future. You can do this yourself in the settings of your browser by preventing the storage of cookies from the website www.metrica.yandex.com. If you wish to have your already stored data deleted, simply send an e-mail to email@example.com.
On our website, we use functions of the Content Delivery Network Tilda of Tilda Publishing LTD, Aviamotornaya str. 35, sq. 9111024 Moscow, Russia (hereinafter referred to as: Tilda). A Content Delivery Network (CDN) is a network of regionally distributed servers connected across the Internet to deliver content, particularly large media files such as videos. Tilda provides web optimisation and security services that we use to improve the loading times of our website and to protect it from misuse. When you visit our website, a connection is established to Tilda's servers in order to retrieve content, for example. Personal data may be stored and analysed in server log files, especially the user's activity (in particular which pages have been visited) and device and browser information (in particular the IP address and the operating system).
Further information on the collection and storage of data by Tilda can be found here: https://tilda.cc/privacy
Purpose of the data processing
The use of Tilda's functions serves to deliver and accelerate online applications and content.
Legal basis for data processing
The collection of this data is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.
Duration of storage
Possibility of objection and removal
Information on objection and removal options vis-à-vis Tilda can be found at: https://tilda.cc/privacy
We use the tool "Buffer". The provider is Buffer Inc, 2443 Fillmore St #380-7163, San Francisco, CA 94115. We are happy to describe the processing: Buffer anonymously evaluates the number of comments, likes, clicks and shared content after publishing a post in a social network. Furthermore, the reach of the post is recorded.
As far as we are aware, no personal data is processed, only anonymised data. The aim of using Buffer is to be able to plan future contributions and associated settings/modifications.
Insofar as the data are processed anonymously, there is no need for a legal basis for the processing. This is because European data protection law, in particular the GDPR, is only applicable to personal data. Should, which we do not assume, personal data nevertheless be processed, the consent given by you to the provider of the social network would apply.
In the event that personal data is processed, we have commissioned Buffer to do this for us as a precaution. The fact that the provider of this tool, Buffer Inc., is based in the USA does not prevent this. This is because we do not transmit data to the provider, it transmits it to us. As a precaution, however, the provider has also committed itself in accordance with the EU standard contractual clauses.
Insofar as we can influence the data processing, its purpose is to present our company, to analyse your usage behaviour in relation to interaction with our company page maintained there, as well as to communicate with you via this social network (possibly advertising).
These advertisements are delivered by Google via so-called "ad servers". For this purpose, we use ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users. If you access our website via a Google ad, Google Ads will store a cookie on your PC. These cookies usually expire after 30 days and are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. These cookies enable Google to recognise your internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer will be able to recognise that the user clicked on the ad and was redirected to that page. A different cookie is assigned to each Ads customer. Cookies can therefore not be tracked via the websites of Ads customers. We ourselves do not collect or process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. These evaluations enable us to recognise which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising tools; in particular, we cannot identify users on the basis of this information. Due to the marketing tools used, your browser automatically establishes a direct connection with Google's server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of ads, Google receives the information that you have called up the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.
You can prevent participation in this tracking process in various ways:
a) by setting your browser software accordingly, in particular the suppression of third-party cookies will result in you not receiving ads from third-party providers; b) by disabling cookies for conversion tracking by setting your browser to block cookies from the domain "www.googleadservices.com", https://www.google.de/settings/ads, deleting this setting when you delete your cookies; c) by deactivating the interest-based ads of the providers that are part of the self-regulatory campaign "About Ads" via the link http://www.aboutads.info/choices, deleting this setting when you delete your cookies; d) by permanently deactivating them in your browsers Firefox, Internetexplorer or Google Chrome at the link http://www.google.com/settings/ads/plugin. We would like to point out that in this case you may not be able to use all functions of this offer to their full extent.
The data processing operations are also not prevented by the fact that the data may be processed outside the European Union by the provider; possibly in cooperation with Google LLC. This is because your consent also includes a declaration pursuant to Article 49(1)(a) DSGVO. Please read our notes under "General part/special constellation: consent to transfer to third-country bodies based in the USA, including risk information" beforehand.
Except as set forth below, Lendorse does not share personal information with companies or marketing groups outside of Lendorse. Lendorse may share the personal information collected with its employees who need this information to provide services to you. However, Lendorse may disclose the collected information to other individuals or organisations without restriction if Lendorse deems it lawful to do so. For example, Lendorse may disclose your personal information to third parties as necessary to administer or service your account, process payments, complete a transaction, provide customer service or as otherwise permitted by law. In addition, we may share the personal information we collect:
- to fulfil the purpose for which you provided them;
- to our subsidiaries and affiliates;
- to contractors, service providers and other third parties who support our business and are contractually bound to maintain the confidentiality of the personal data and to use it only for the purpose for which it was disclosed to us;
- to manage products;
- to third parties to market their products or services to you if you have consented or not objected to such disclosure;
- with your consent;
- to meet our obligations or enforce our legal rights;
- to third parties pursuant to a subpoena, court order or other form of legal process, or in response to a request from or on behalf of any local, state, federal or other governmental authority, department or agency, whether pursuant to a subpoena, court order or other form of legal process, or in connection with litigation brought against or on behalf of Lendorse, as may be appropriate or otherwise required by law;
- if we reasonably believe that disclosure is necessary or appropriate to protect the rights, property, or safety of our company, our users, or others;
- for any other purpose we specify when you provide the information to us.
Security of your personal information
We take all reasonable steps to protect your personal information from unauthorised access, alteration or disclosure, including misuse, interference and loss. Lendorse has physical, technical and administrative safeguards in place to prevent the unauthorised release of or access to personal information. We use internal and external safeguards to protect the confidentiality and security of personal information. Lendorse and its third party providers secure this data in accordance with industry standards.
We cannot guarantee the security of online transactions and electronically transmitted communications as no electronic transmission or storage can be 100% secure. You transmit information to us at your own risk. Emails sent to Lendorse may not be protected from interception by unauthorised persons. To protect against interception by unauthorised persons or because we cannot verify your identity, we may not respond to email enquiries relating to your account unless you have requested or authorised us to do so.
The confidentiality of any communication or material transmitted to or from Lendorse via the Website, email or SMS cannot be and is not guaranteed. You acknowledge that the technical processing and transmission of the content of the Website may be unencrypted and involves (a) transmissions over various networks and (b) changes to confirm and adapt to the technical requirements of connected networks or devices. Lendorse is therefore not responsible for the security of information transmitted or received via the Internet or personal communication devices (such as smartphones).
We are not responsible for the privacy or security practices of third parties, including our users, payment processors and third parties to whom we disclose personal information. The collection, use, storage and disclosure of your personal information by these third parties is subject to their own privacy and security policies.
We collect the IP address of all visitors to the Lendorse website for internal security and other protected purposes. This is done even if you have made a Do Not Track request, as there is currently no industry standard for detecting Do Not Track browser signals. We do not share this data with third parties and only use it for internal purposes.
If you suspect that personal information has been misused, lost or accessed by unauthorised persons, please let us know immediately by contacting us using the contact information provided at the bottom of this page.
Lendorse offers you certain choices in connection with the personal information it collects from you, including
Your Account: Lendorse strives to ensure that all personal information we collect, use, share or store is accurate and complete. Our users are responsible for providing us with accurate and up-to-date information. You may review, update and correct your contact information, including your phone number and email address, after logging into the Site. Lendorse accepts no responsibility for inaccurate, incomplete or outdated information.
You have the opportunity to request access to, correct, delete or obtain an explanation of our use or disclosure of your personal information. You also have the opportunity to withdraw your consent to the use or disclosure of your personal data. However, we are not obliged to comply with your request if any of several exceptions apply, including circumstances where it is necessary for us or our service provider to obtain your personal data in order to complete the transaction with you; an internal use that is reasonably consistent with your expectations; compliance with a legal obligation; or other internal use of your personal data that is consistent with the context in which you provided it.
Your choice to reject cookies: You can set your browser to reject cookies if you do not wish to accept cookies. However, rejecting cookies may affect the proper functioning of the Lendorse website.
If you have any questions or concerns about your rights, please contact us using the contact information provided in this policy.
Retention of personal data
Lendorse will retain your personal data until we determine that the data is no longer needed or until we are otherwise required to do so by law. Thereafter, we will take reasonable steps to destroy or permanently anonymise such data in accordance with applicable law.
Data transfer to bodies outside the European Union
It is possible that we transfer personal data to bodies that are located outside the European Union or at least cannot exclude this (henceforth: third country body). In these cases, we must guarantee in accordance with Article 44 of the GDPR that the level of protection provided by the GDPR will not be undercut. As a precaution, we would like to point out that the third country agency can be both a controller and a processor.
Where we refer to a so-called adequacy decision in the following statement, this means that the third country body is located in a country, territory or specific sector for which the Commission has decided that it offers an adequate level of protection. This guarantee then follows from Article 45 GDPR.
Insofar as we refer to the so-called standard contractual clauses in the following declaration, this means that the third country agency has accepted the so-called EU standard contractual clauses and has thus contractually committed itself to respecting the level of protection of the General Data Protection Regulation. This guarantee then follows from Article 46(1) and (5) GDPR.
Insofar as we refer in the following statement to the fact that you have consented to the transfer to the third country agency, this means that you have been informed of all existing possible risks of such transfers for which there is no adequacy decision or other guarantees and have nevertheless consented to the data transfer. This guarantee then follows from Article 49(1)(a) of the GDPR. For reasons of transparency, we describe the corresponding risks in a separate section.
We are only providing this information as a precautionary measure. It only applies if we refer to it in the following declaration. There is also the possibility that we do not make use of this.
Special constellation: EU standard contractual clauses and third country entities based in the USA
In addition to the explanations under "Data transfer to bodies outside the European Union" - paragraph 3, we would like to draw your attention to a special constellation. In the case of transfers to third-country bodies based in the USA, the possibility of invoking the EU standard contractual clauses is restricted. Therefore, if we intend to invoke the EU standard contractual clauses in this context (or are already doing so), please note the following:
- We will only base the transfer of personal data to US third country entities on the EU standard contractual clauses if we have previously conducted a thorough review of the related facts. In doing so, we first determine a risk level (type and, in particular, sensitivity of the data concerned, scope of data processing, purpose of data processing, susceptibility to abuse). We then check whether the contractual commitments of the US third-country office and the technical and organisational measures taken there (e.g. processing of data exclusively in EU-based data centres, encryption technology) sufficiently minimise the risks identified in advance. Only if we come to the conclusion that, exceptionally, the EU standard contractual clauses are also a sufficient guarantee in the case of a US third country agency, will we invoke them.
- We are only providing this information as a precautionary measure. It only applies if we refer to it in the following declaration. There is also the possibility that we do not make use of this.
Special constellation: Consent to transfer to third-country offices located in the USA, including risk notices
In addition to the explanations under "Data transfer to bodies outside the European Union" - paragraph 4, we would like to draw your attention to another special constellation. In the case of transfers to third-country bodies based in the USA, the possibility of invoking the EU standard contractual clauses is limited. Therefore, in some cases, the only option is to ask for your consent to this transfer. However, before you give this consent, we ask you to take note of the following risks and consider them when deciding whether to consent:
We would like to emphasise that a data transfer to the USA without the protection of an adequacy decision may entail considerable risks. In particular, we would like to point out the following risks:
- There is no uniform data protection law in the US; certainly not one comparable to the data protection law applicable in the EU. This means that both US companies and government agencies have more possibilities to process your personal data, especially for advertising targeting, profiling and conducting (criminal) investigations. Our possibilities to take action against this are significantly limited.
- The US legislator has granted itself numerous rights of access to your personal data (cf. for example Section 702 of FISA or E.O. 12333 in conjunction with PPD-28), which are not compatible with our understanding of the law. In particular, there is no proportionality test comparable to those in the European Union prior to access.
- Citizens of the European Union cannot expect effective legal protection in the USA.
- We will generally only ask you for such consent if we have concluded that the US third country office cannot successfully rely on EU standard contractual clauses.
We make this declaration merely as a precaution. It shall only apply if we refer to it in the subsequent declaration. There is also the possibility that we do not make use of this.
Special constellation: Consent to transfer to third country entities located in the Russian Federation, including risk warnings
In addition to the explanations under "Data transfer to bodies outside the European Union" - paragraph 4, we would like to draw your attention to another special constellation. In the case of transfers to third-country bodies based in the Russian Federation, the possibility of invoking the EU standard contractual clauses is limited. Therefore, in some cases, the only option is to ask for your consent to this transfer. However, before you give this consent, we ask you to take note of the following risks and consider them when deciding whether to consent:
We would like to point out emphatically that a data transfer to the Russian Federation without the protection of an adequacy decision may entail considerable risks. In particular, the following risks should be pointed out:
The legislature of the Russian Federation has ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (so-called European Data Protection Convention), but there may be implementation deficits.
The legislator of the Russian Federation has granted itself and its investigative authorities access rights to your personal data that are at least not fully compatible with our understanding of the law. In particular, there is no proportionality test comparable to those in the European Union before access is granted.
European Union citizens cannot expect the same legal protection in the Russian Federation as in the EU.
We will generally only ask you for such consent if we have come to the conclusion that the third country office in Russia cannot successfully invoke EU standard contractual clauses. Note on the legal obligation to process
Only insofar as we refer to Article 6 (1) sentence 1 lit. c DSGVO in the following data protection declaration is there a legal obligation to process. Data protection for children
This website is not intended for use by children. If you are under 18 years of age, you may use this website only with the involvement of a parent or guardian. If you are a parent or guardian and believe that we have inadvertently collected personal information about your child, please notify us immediately by emailing firstname.lastname@example.org. Links to other websites