Data Protection Information

(as of 02/01/2026)

1. Scope of Application

This data protection notice explains how personal data is processed in connection with the initiation, conclusion, execution, and termination of loan agreements as well as in the context of the use of our website.

Lending services are provided exclusively to companies, small and medium-sized enterprises (SMEs), sole proprietors, freelancers, commercial traders, and both registered and unregistered merchants. No loans are granted to consumers within the meaning of Section 13 German Civil Code (BGB).

Personal data means any information relating to an identified or identifiable natural person (e.g., name, date of birth, address).

2. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Montold Asset Management GmbH
Fischerhüttenstraße 81a
14163 Berlin
Germany
E-Mail: info@montold.com

For data protection enquiries or to exercise your data subject rights, you may contact the above address.

3. Data Protection Officer

The Data Protection Officer appointed is:

Kertos GmbH
Brienner Straße 41
80333 Munich
Germany
E-Mail: dsb@kertos.io

4. Categories of Data Subjects

The following categories of data subjects may in particular be affected by data processing:

• Sole proprietors and freelancers

• Managing directors, board members and other legal representatives of legal entities

• Shareholders and beneficial owners

• Guarantors, especially for joint and several guarantees

• Contact persons at credit intermediaries

5. Categories of Personal Data

In connection with the granting of loans and in order to comply with statutory obligations, we process in particular the following data:

• Company and business-related data

  • Company name, legal form, registered office

  • Commercial register data

  • Business accounts and bank statements, including all transactions

  • Revenue, earnings, and liquidity data

• Personal data of natural persons

  • Name, date of birth, place of residence

  • Information from commercial register extracts

  • Identification documents (e.g., identity card, passport)

  • Proof of residence and address

  • Creditworthiness and scoring information

• Communication data

  • E-mail address

  • Telephone number

  • Contents of communication (e.g., e-mail, Intercom)

6. Purposes of Processing

Personal data is processed for the following purposes:

• Creditworthiness check and risk assessment

• Initiation, conclusion and execution of loan agreements

• Compliance with statutory obligations, in particular under the German Money Laundering Act (GwG)

• Performance of customer identification and KYC measures

• Management, security and enforcement of contractual claims

• Debt collection and cooperation with collection agencie

• Communication with borrowers, guarantors, intermediaries and other parties involved

7. Legal Bases of Processing

The processing of personal data is based on the following legal grounds:

• Article 6(1)(b) GDPR – Processing for the performance of pre-contractual measures and for the fulfilment of loan agreements

• Article 6(1)(c) GDPR – Compliance with legal obligations, in particular under the German Money Laundering Act (GwG)

• Article 6(1)(f) GDPR – Legitimate interest in fraud prevention, risk assessment, enforcement of claims as well as IT and data security

• Article 22(2)(a) GDPR – Use of automated procedures for creditworthiness assessment

8. Automated decision-making

For the purpose of assessing creditworthiness, we use internal systems that analyze transaction and financial data.

No exclusively automated decision-making within the meaning of Article 22 GDPR takes place. Each credit decision is reviewed and made finally by a staff member.

9. Recipients of personal data

Personal data may be transmitted to the following recipients:

• Credit agencies (e.g. SCHUFA) for the credit assessment of sole proprietors and guarantors

• Credit intermediaries within the meaning of Section 34c German Trade Regulation Act (GewO)

• Third parties for the performance of statutory due diligence obligations under Section 17 GwG

• Debt collection service providers (e.g. Debtist, FOMA) for the enforcement of open claims

• IT and hosting service providers, in particular Amazon Web Services (AWS)

All service providers are contractually obligated to comply with data protection regulations.

Transfer of data to credit agencies (e.g. SCHUFA)

As part of the credit assessment and risk evaluation, we transmit personal data to credit agencies, in particular SCHUFA Holding AG ("SCHUFA"). The transmission includes in particular identification data, credit assessment information and contractual details necessary for evaluating creditworthiness.

The transfer and processing of personal data by us is based on Article 6(1)(f) GDPR (legitimate interest), as the request and transmission of creditworthiness data is required to safeguard our legitimate interests in the credit decision, risk assessment and fraud prevention, and the interests of the data subjects do not generally override these interests.

Please note that SCHUFA, as recipient, processes the transmitted personal data independently and uses it for its own purposes such as scoring and providing information. Data subjects may obtain additional information about processing by SCHUFA and their rights (e.g. access to stored data, rectification, deletion) directly from SCHUFA. As a rule, data subjects will be notified of the data transfer as well as, if applicable, provided with SCHUFA's information sheet pursuant to Article 14 GDPR during the data collection or SCHUFA query.

Data subjects also have the right to request information on whether and what personal data has been transmitted to SCHUFA and to exercise further data subject rights under the GDPR (in particular Articles 15 to 21 GDPR).

10. Transfer of data to third countries  

Personal data is generally processed within the European Union or the European Economic Area.

In the context of using cloud infrastructure (Amazon Web Services), it cannot be ruled out that personal data is transferred to the United States of America.

Such data transfer only takes place in compliance with the requirements of Articles 44 et seq. GDPR and on the basis of appropriate safeguards, in particular the conclusion of Standard Contractual Clauses.

11. Retention period

The retention period for personal data is determined by statutory retention periods, in particular:

• under the German Money Laundering Act (GwG)

• under commercial and tax regulations pursuant to the German Civil Code (BGB) and the German Commercial Code (HGB)

After expiry of the respective retention periods, the data will be deleted unless there is another legal basis for further storage.

12. Obligation to provide data

The provision of the requested personal data is required for the conclusion and performance of the loan agreement and for compliance with legal obligations.

Without the provision of this data, conclusion of a contract is not possible.

13. Analytics and tracking services

We do not conduct our own analytics or tracking measures.

Any analytics or tracking is carried out exclusively by credit intermediaries or other third parties on their own responsibility under data protection law.

14. Data subject rights

Data subjects have the following rights:

• Right of access (Article 15 GDPR)
  

• Right to rectification (Article 16 GDPR)
  

• Right to erasure (Article 17 GDPR)
  

• Right to restriction of processing (Article 18 GDPR)
  

• Right to data portability (Article 20 GDPR)
  

• Right to withdraw consent (Article 7(3) GDPR)
  

• Right to object (Article 21 GDPR)
  

• Right to lodge a complaint with a supervisory authority (Article 77 GDPR)