Law & Data Protection
Preamble and Scope
This Privacy Policy explains how Sunrise Securities GmbH (hereinafter "SunSec") and Coown Technologies GmbH (hereinafter "CTG") collect, use, store, and process personal data of users of the Sunrise Website and App, and customers utilizing the securities and financial services offered by SunSec.
By using our Website or App, you acknowledge that your personal data will be processed in accordance with this Privacy Policy.
The masculine form used in this document is for ease of reading and refers to all genders equally.
1. Joint Controllership and Data Protection Contact
SunSec and CTG act as Joint Data Controllers (pursuant to Art. 26 GDPR) for the processing of your personal data related to the Sunrise services.
A. Data Controllers
| Entity | Role & Details |
| --- | --- |
| Sunrise Securities GmbH (SunSec) | Provides the core securities and financial services. Address: Gusshausstraße 3/2A, 1040 Vienna, Austria. Commercial Register: FN 410750w |
| Coown Technologies GmbH (CTG) | Develops, maintains, and operates the Website and App infrastructure, and performs automated data processing and IT services. Address: Gusshausstraße 3/2A, 1040 Vienna, Austria. Commercial Register: FN 441689x |
B. Data Protection Officer (DPO)
For inquiries regarding the protection of your personal data, data subject rights, or complaints, please contact:
Coown Technologies GmbH
Attn: Data Protection Officer
Address: Gusshausstraße 3/2A, 1040 Vienna, Austria
E-mail: [Insert DPO Email Address Here]
Subject: Data Protection Inquiry
2. Categories of Data Processed, Purpose, and Legal Basis
We process personal data depending on whether you are simply a User of the public website/app or a registered Customer with a depot/account.
2.1 Customer Data (KYC, Account, Financial Services)
This data is processed to fulfill our contractual and legal obligations, particularly concerning financial market regulations (e.g., the Austrian Securities Supervision Act (WAG) and Money Laundering Act (GwG)).
| Category of Data | Purpose of Processing | Legal Basis (Art. 6 GDPR) |
| --- | --- | --- |
| Registration & Identity Data | Identity verification (KYC), account opening (Depot), contractual fulfillment, validation of trading capacity. (e.g., Name, Address, DOB, Nationality, ID Type/Number, Tax ID, SEPA data, Selfie/Video legitimization.) | Necessary for performance of a contract (Art. 6(1)(b)); Compliance with a legal obligation (Art. 6(1)(c), e.g., GwG/AML laws). |
| Financial & Transaction Data | Execution of purchase/sale orders, management of deposits, reporting to tax authorities, calculating performance metrics (e.g., Depot number, asset holdings, transaction history, dividend data, Power-Up/Loyalty data). | Necessary for performance of a contract (Art. 6(1)(b)); Compliance with a legal obligation (Art. 6(1)(c)). |
| Communications Data | Handling service inquiries, customer support, contract management, regulatory communication (e.g., E-mail history, phone records). | Necessary for performance of a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) in effective customer support. |
| Due Diligence/Compliance Data | Ongoing monitoring of transaction behavior and financial activities as required by financial market regulations. | Compliance with a legal obligation (Art. 6(1)(c), e.g., GwG). |
2.2 User Data (Website and App Use)
| Category of Data | Purpose of Processing | Legal Basis (Art. 6 GDPR) |
| --- | --- | --- |
| Technical Usage Data | Ensuring website and app security, troubleshooting errors, optimization of functionality, error detection (e.g., IP address (anonymized where possible), Browser type, OS, Device identifiers, Date/Time of access). | Legitimate interests (Art. 6(1)(f)) in providing a secure and functional service. |
| Profiling & Analytics Data | User behavior analysis (internal), targeted advertising, optimization of offerings, fraud prevention. (This relies heavily on tracking technologies detailed in the Cookie Policy). | Consent (Art. 6(1)(a)) for non-essential tracking; Legitimate interests (Art. 6(1)(f)) for essential functionality. |
| Community & Loyalty Data | Processing data related to voluntary participation in quizzes (BlitzQuiz), surveys, voting, commenting, or "Power-Up" features, including username, reaction history, and participation timestamps. | Consent (Art. 6(1)(a)) for participation; Legitimate interests (Art. 6(1)(f)) in managing promotional activities. |
3. Cookies and Tracking Technologies
The Sunrise Website and App utilize cookies, pixels, and similar tracking technologies for various purposes, including functionality, performance analysis, and advertising (e.g., Google Analytics, Facebook SDKs/Pixels, Google Ads).
GDPR Compliance Note: The use of non-essential cookies and tracking requires explicit, informed, and freely given consent from the user prior to activation.
We categorize our cookies as follows:
- Performance/Statistics Cookies: Used to analyze how the site is performing (requires consent).
- Functionality Cookies: Used to improve the user experience (e.g., language settings, login persistence). These require consent unless they are strictly necessary for the requested service, in which case they may be justified by legitimate interest.
For detailed information on the specific cookies used, their purpose, duration, and how to manage your preferences, please refer to our separate Cookie Policy.
4. Recipients and Third-Party Data Transfers
We only transfer your personal data to third parties if necessary for the performance of the contract, required by law, or if you have provided explicit consent.
4.1 Internal and Domestic Sharing
CTG and SunSec share data as Joint Controllers to fulfill the contractual obligation of providing the securities services (e.g., CTG processes the transaction data collected by SunSec).
4.2 External Service Providers
We engage data processors (suppliers, partners) who act strictly on our instructions. These include:
- IT Service Providers: Hosting, maintenance, security.
- Marketing/Analytics Providers: (e.g., Google, Facebook) for targeted advertising and usage analysis (as detailed in the Cookie Policy).
- Administrative Services: Tax advisors, legal counsel.
- Financial Market Partners: Custodians, exchanges, clearing houses.
- Verification Services (e.g., DIMOCO): For mobile number verification necessary for regulatory authentication.
- Communication Services (e.g., MAJET): For secure delivery of customer emails related to contractual duties.
4.3 Regulatory and Legal Obligations
We are obligated to share data with supervisory authorities (e.g., FMA, OeNB, Tax Authorities, police) and courts when required by Austrian and EU law (e.g., Anti-Money Laundering and Counter-Terrorism Financing laws).
4.4 International Transfers (Transfers outside the EU/EEA)
Since we use services like Google Analytics, Fabric, and Facebook, data is transferred to servers located in the United States of America (USA).
- Transfers to third countries lacking an adequacy decision by the European Commission are conducted only if appropriate safeguards are in place.
- We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, combined with supplementary measures, to ensure that personal data remains protected to a standard equivalent to that provided by the GDPR.
5. Data Retention and Security
5.1 Data Security
SunSec and CTG implement robust technical and organizational measures (TOMs) to ensure data confidentiality, integrity, availability, and resilience. These measures include encryption, access controls, firewalls, and regular security audits, protecting data against unauthorized access, loss, or destruction.
5.2 Retention Period
We store your personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by law.
- Contractual Data (KYC, Transactions): Data relevant to financial services, documentation, and compliance is retained for a minimum of seven (7) years following the termination of the business relationship, as mandated by financial market legislation (e.g., WAG, GwG).
- User Data (Consent-based): Retained until consent is revoked or the purpose of processing ceases.
- Data Subject Rights: If you request deletion, we will delete data immediately, provided there are no overriding legal obligations (such as the 7-year retention period for financial data) that require us to maintain a copy.
6. Your Data Protection Rights (Data Subject Rights)
As a data subject, you have the following rights under the GDPR concerning your personal data processed by SunSec and CTG. To exercise these rights, please contact the DPO using the contact information provided in Section 1.B.
| GDPR Right | Description |
| --- | --- |
| Right of Access (Art. 15) | You have the right to request confirmation of whether we process your data and to receive a copy of that data. |
| Right to Rectification (Art. 16) | You have the right to request the correction of inaccurate or incomplete personal data. |
| Right to Erasure ('Right to be Forgotten') (Art. 17) | You have the right to request the deletion of your personal data, provided there are no legal requirements (such as retention obligations) preventing us from doing so. |
| Right to Restriction of Processing (Art. 18) | You have the right to restrict processing if you contest the accuracy of the data, the processing is unlawful, or we no longer need the data but you require it for legal claims. |
| Right to Data Portability (Art. 20) | You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. |
| Right to Object (Art. 21) | You have the right to object to processing based on legitimate interest or direct marketing, including profiling related to direct marketing. |
| Right to Withdraw Consent (Art. 7) | If processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. |
| Right to Lodge a Complaint (Art. 77) | You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement. |
Competent Supervisory Authority
The responsible Data Protection Authority in Austria is:
Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Website for Complaints: https://www.dsb.gv.at/
7. Changes to this Privacy Policy
We reserve the right to modify this Privacy Policy to reflect changes in our services or legal requirements. We will inform you of significant changes via the Website, App, or via email, and require you to accept the updated terms if the changes impact the fundamental nature of data processing or require new consent.