MIGRAFOUNDERS — A PROGRAMME OF HOUSE OF OYOKO
Privacy Policy (Datenschutzerklärung)
In accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG)
1. Summary
This privacy policy explains how MigraFounders (a programme of House of Oyoko) collects, processes, and protects personal data of website visitors and programme participants. We take data protection very seriously and process all personal data in strict compliance with applicable law.
Important notice regarding sensitive data: MigraFounders processes special categories of personal data — including identity documents, residence permits, and tax identification numbers — as part of the banking referral process. This is done exclusively to fulfil the programme's purpose of connecting migrant entrepreneurs with banking partners, and is subject to the strictest data protection standards.
2. Data Controller
The data controller responsible for processing personal data in connection with this website and the MigraFounders programme is:
House of Oyoko
Represented by: Evelyn Sarpong-Schulz (Founder and Owner)
Herrschinger Str. 13, 82266 Inning am Ammersee, Germany
Telephone: +49 172 823 4177
Email: info@houseofoyoko.com
3. Data Protection Officer
House of Oyoko is a small enterprise and is not legally required to appoint a formal Data Protection Officer (Datenschutzbeauftragter) under Art. 37 GDPR. All data protection enquiries are handled directly by:
Evelyn Sarpong-Schulz
Email: info@houseofoyoko.com
Telephone: +49 172 823 4177
4. Data We Collect and Why
4.1 Website visitors — automatically collected data
When you visit this website, our server automatically collects and temporarily stores the following technical data in server log files:
• IP address of the requesting device
• Date and time of access
• Name and URL of the retrieved file
• Website from which access was made (referrer URL)
• Browser type, version, and operating system
• Name of your internet service provider
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the technically error-free operation and security of our website). This data is not combined with other data sources and is deleted after 7 days.
4.2 Contact by email or telephone
If you contact us by email or telephone, we store your name, email address, telephone number, and the content of your message in order to process your enquiry and respond to follow-up questions.
Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance or pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest in processing enquiries). Data is deleted as soon as the purpose of processing is fulfilled, subject to statutory retention obligations.
4.3 Programme application data
When you apply to participate in the MigraFounders pilot programme, we collect:
• Full name
• Email address and telephone number
• Business name and registration details
• Description of your business and funding needs
• Nationality and migration background (where voluntarily provided)
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual and contractual measures) and Art. 6 para. 1 lit. a GDPR (your explicit consent). You may withdraw your application at any time by contacting us at info@houseofoyoko.com.
4.4 Banking referral data — sensitive personal data
For participants accepted into the programme, and solely for the purpose of connecting you with our banking partner, we collect and transmit the following documents:
• Passport or residence permit (Aufenthaltserlaubnis)
• Personal tax identification number (Steuer-ID) of all managing directors and authorised signatories
• Company tax number (Steuernummer des Unternehmens), if already issued
• Video identity verification confirmation (via Stadtsparkasse München's online identification procedure)
These documents constitute special categories of personal data within the meaning of Art. 9 GDPR (data revealing racial or ethnic origin, in the case of nationality information embedded in identity documents) and are processed exclusively on the basis of your explicit written consent (Art. 9 para. 2 lit. a GDPR) and for the performance of the programme services (Art. 6 para. 1 lit. b GDPR).
This data is transmitted to our banking partner exclusively and is not shared with any other third party. We transmit this data using secure, encrypted methods only.
4.5 Workshop and programme participation data
For programme participants attending workshops, advisory sessions, and events, we collect:
• Attendance records
• Feedback and survey responses
• Notes from advisory sessions (with your knowledge and consent)
• Progress indicators (e.g. whether a loan application was submitted)
Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. f GDPR (legitimate interest in programme evaluation and improvement). Anonymised and aggregated data is used for impact reporting to the EU INNOVATE project and the Migration Policy Group.
5. Recipients and Third Parties
Your personal data is only shared with third parties in the following circumstances:
5.1 Banking partner
For accepted programme participants: your banking referral documents (see section 4.4) are transmitted to our banking partner, Stadtsparkasse München (Sparkasse), for the sole purpose of opening a business banking relationship or assessing a loan application. This data sharing takes place on the basis of your explicit consent.
Stadtsparkasse München acts as an independent data controller for data received from us. Their privacy policy is available at: www.sskm.de
5.2 Migration Policy Group
As the contracting body for the EU INNOVATE project, the Migration Policy Group (Brussels) receives anonymised, aggregated impact data — for example, the number of participants, workshops delivered, and loan applications submitted. No personally identifiable data is shared with the Migration Policy Group.
5.3 EU INNOVATE project
As required by the terms of EU funding, anonymised programme data may be included in project reports submitted to the European Commission. No personally identifiable data is included in such reports.
5.4 IT and hosting providers
Our website is hosted by an external provider. All hosting providers are bound by data processing agreements (Auftragsverarbeitungsvertrag, AVV) in accordance with Art. 28 GDPR and are contractually obligated to process your data only on our instructions and in compliance with the GDPR.
We do not sell, rent, or otherwise commercially transfer your personal data to any third party.
6. International Data Transfers
We do not intentionally transfer your personal data to countries outside the European Economic Area (EEA). Should a transfer to a third country occur — for example through the use of Google services or social media platforms — such transfers are conducted on the basis of the EU Commission's Standard Contractual Clauses (SCC) or an adequacy decision, as described in the relevant sections of this policy. Providers certified under the EU-US Data Privacy Framework (DPF) are deemed to provide an adequate level of data protection.
7. Retention Periods
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:
• Application data (not selected): deleted within 3 months of rejection notification
• Application data (selected participants): retained for the duration of the programme plus 12 months for impact evaluation, then deleted
• Banking referral documents (passport, tax ID, residence permit): transmitted to the banking partner and deleted from our systems within 30 days of successful transmission
• Workshop and programme participation data: retained for 3 years for EU INNOVATE impact reporting requirements, then deleted
• Email correspondence: retained for 3 years after the last contact, then deleted
• Server log files: automatically deleted after 7 days
• Invoices and financial records: retained for 10 years in accordance with § 147 Abgabenordnung (AO) and § 257 Handelsgesetzbuch (HGB)
8. Cookies and Tracking
This website may use cookies — small text files stored on your device — to improve functionality and analyse usage. We distinguish between:
• Technically necessary cookies: essential for the website to function correctly. These do not require your consent (§ 25 para. 2 TDDDG).
• Analytics and marketing cookies: used to analyse visitor behaviour (e.g. Google Analytics) and display relevant advertising (e.g. Google Ads, Microsoft Advertising). These require your explicit consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG).
You can control the use of cookies through your browser settings at any time. Withdrawing consent for non-essential cookies does not affect the lawfulness of prior processing. Note that disabling cookies may impair certain website functions.
For details on Google Analytics, Google Ads, Google Tag Manager, Facebook/Instagram plug-ins, LinkedIn plug-ins, and Microsoft Advertising, please refer to the House of Oyoko Privacy Policy at www.houseofoyoko.com/dataprotection, which applies in full to MigraFounders as a programme of House of Oyoko.
9. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR, which you may exercise at any time by contacting us at info@houseofoyoko.com:
Right of access (Art. 15 GDPR)
You have the right to request confirmation as to whether we process personal data about you, and if so, to receive a copy of that data and information about the processing.
Right to rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate or incomplete personal data without undue delay.
Right to erasure (Art. 17 GDPR)
You have the right to request the deletion of your personal data, subject to applicable legal retention obligations.
Right to restriction of processing (Art. 18 GDPR)
You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or a contract.
Right to object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data where processing is based on Art. 6 para. 1 lit. e or f GDPR. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. The supervisory authority responsible for House of Oyoko is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
Telephone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de
10. Data Security
We implement appropriate technical and organisational security measures (TOMs) to protect your personal data against unauthorised access, loss, destruction, or manipulation. These measures are regularly reviewed and updated in line with current technological standards.
Data transmission on this website is encrypted using SSL/TLS protocols. You can recognise an encrypted connection by the 'https://' prefix and the padlock symbol in your browser address bar.
Please note that electronic communication (e.g. email) may not be completely secure. We recommend not transmitting highly sensitive documents by unencrypted email. Where sensitive documents are required (see section 4.4), we will provide you with a secure transmission method.
11. Changes to This Privacy Policy
We reserve the right to update this privacy policy at any time in compliance with applicable data protection regulations. The current version is always available on this website. We recommend that you review this policy periodically. Where changes are material, we will notify participants directly by email.
