Privacy Policy

§ 1 – The Identity of the Controller

For the use of the Bitwala platform ("Platform"), Bitwala GmbH ("Bitwala" or "we") is the controller of your data within the meaning of Art. 4 para 7 of GDPR. 

For the use of the self-custodial Bitcoin wallet ("Bitcoin Vault"), Bitwala and BitGo, Inc. 2443 Ash Street Palo Alto, CA 94306 ("BitGo") are separate controllers. Find BitGo's privacy policy here

With respect to custodial wallets, virtual asset services and virtual IBANs, which are provided by Striga Technology OÜ (registry code: 16298772), Sepapaja 6, Tallinn, Estonia ("Striga"), in accordance with its terms and conditions, the following applies:

To the extent that we process your data upon the instructions of Striga, we act as a data processor and Striga is the data controller. You can find Striga’s privacy policy. For the processing of any additional user data, we are the data controller. 

§ 2 – Data Processing for the Provision of Services Regarding the Bitwala App

2.1 Our Services

This section informs you how we process your personal data when you use our services via the Bitwala app ("Bitwala App"). 

The Bitwala App provides you the opportunity to create and manage self-custodial Bitcoin and Ethereum crypto wallets ("Crypto Vaults") and, in cooperation with our partner Striga, the opportunity to use (i) custodial wallets; (ii) virtual asset exchange services; and (iii) virtual IBAN issuing for fiat currency deposits and withdrawals.

While we have no control over the processing of personal data on the respective blockchain, we are processing your data to assist you in the creation of and in accessing your Crypto Vault via the Bitwala App. 

The data which we process for our services includes:

  • Your crypto assets information (public keys, transaction history);

  • Your general account information (address, contact details, identification, documentation);

  • Your payment information (virtual IBAN, transaction history); and

  • Virtual Asset exchange information (order information, transaction history).

Legal Basis for Data Processing

The legal basis for the processing of your data, which is collected and processed in the course of our services as laid down in our terms and conditions, is Art. 6 (1) lit. b GDPR. 

Purpose of the Data Processing

The purpose of data processing is the fulfilment of the service contract.

Storage Duration

We delete your personal data when they are no longer required to achieve the purpose of their processing. This is usually the case after the expiration of the statute of limitations, beginning with the end of the year in which the contractual relationship is terminated. After the statute of limitations has expired, your data will be blocked and deleted after expiry of the statutory retention obligations (see 10 – Retention Periods).

2.2 Transaction History

Description and Scope of Data Processing

Our platform provides you with an overview of every transaction sent or received from your Crypto Vaults, custodial wallets and your virtual IBAN. To offer you an overview on your crypto transactions, we store a history of all incoming and outgoing transactions on your Crypto Vaults and custodial wallets.

Legal Basis for Data Processing

The legal basis for the processing of your data to display the transaction history is Art. 6 para. 1 p. 1 lit. b GDPR.

Purpose of the Data Processing

The purpose of data processing is to fulfil the service contract.

Storage Duration

We delete your personal data when they are no longer required to achieve the purpose of their processing. This is usually the case after the expiration of the statute of limitations, beginning with the end of the year in which the contractual relationship was terminated. After the statute of limitations has expired, your data will be blocked and deleted after expiry of the statutory retention obligations (see 10 – Retention Periods). 

2.3 Operation of the Bitwala App

Description and Scope of Data Processing

When you access our Platform through the Bitwala App, we collect certain app-specific data (your device model, device identifiers, timestamp, your IP address, browser type and version, mobile app version, operating system version, and model on your phone) to provide our services and to optimise and market our product.

We process your device token to send you transaction push notifications with relevant transaction information that may be triggered by certain events on your account, Crypto Vault, custodial wallet, virtual IBAN, or mobile device. 

We perform the same processing for promotional and marketing notifications when you turn on marketing push notifications under the account settings of your Bitwala App. 

Legal Basis for Data Processing

The processing of your app-specific data for the transmission of the transaction push notifications as well as your device token is based on Art. 6 (1) lit. f of the GDPR.

The processing of your app-specific data for the transmission of advertising and marketing messages is based on your consent pursuant to Art. 6 para. 1 lit. a of the GDPR.

Purpose of the Data Processing

The aforementioned app-specific data is processed for the purpose of optimising and marketing our product better. Your device token is processed to send transaction push notifications. This is also our legitimate interest.

This app-specific data is also processed for the purpose of sending you marketing push notifications.

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing. With regard to the processing of app-specific data for the optimization of our Bitwala App as well as the device token for the transmission of transaction push notifications, this is the case if you object to the processing.

With regard to the data processing for sending the marketing push notifications, your app-specific data will no longer be processed and deleted even in the event of withdrawal. You can withdraw the data processing at any time by deactivating it in the notification area in the control centre of the Bitwala App. This does not affect the lawfulness of the processing carried out until then on the basis of the consent.

2.4 Crypto Vaults

Description and Scope of Data Processing

We offer you a technical setup to open and manage a Bitcoin Vault and Ethereum Vault, where you can store, send and receive your cryptocurrencies.

Your Bitcoin Vault is provided via BitGo, the creation and management of your Ethereum Vault is technically supported by us. The creation process requires you to generate a key pair that will be used to access your Crypto Vault.

The original generation of the keys takes place exclusively on your own device. At no point will Bitwala or BitGo have access to your private keys and/or the cryptocurrencies in your Crypto Vaults.

Incoming or outgoing transactions can be initiated with the help of our platform and sent to the respective blockchain via your Crypto Vaults, which means that for each transaction, one of the addresses (public key) stored in your Crypto Vaults is published on the respective public blockchain and is publicly accessible in pseudonymised form over the internet.

Although Crypto Vault addresses do not appear at first glance to be personally identifiable information because they are pseudonymized, they are considered personal data under the GDPR because it is possible for us to associate individual addresses with our users for the purposes of providing our services.

Since the Bitcoin Vault provider is located in the US, any of your interactions with the Bitcoin Vault, including your creation, will transfer information about digital assets to the US. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission.

Legal Basis for Data Processing

We process the Crypto Vault addresses of the sender and the recipient as well as the transaction data and the publication of pseudonymized transaction data on the blockchain with our support on the basis of Art. 6 (1) lit. b GDPR.

Purpose of the Data Processing

The purpose of the data processing is the fulfilment of our contractual obligations to you for the provision of services.

Storage Duration

Due to the nature of the blockchain technology, we are not able to erase the data that is stored on the respective public Bitcoin and Ethereum blockchain.

2.5 Sending of account and services-related messages

We will inform you about important updates for your account, its management and security, as well as your transactions, payments and asset performance through emails or push notifications.

You can unsubscribe from these notifications at any time in your account settings in the Bitwala apps. You can choose which type of notification you no longer want to receive, such as push notification or email. We advise you not to unsubscribe from service-related notifications, as they often receive important information for the management and security of your account.

Legal basis for data processing

We send you account- and service-related communications due to our contractual and statutory obligations in connection with our service contract. In addition, we may send you communications based on instructions by Striga which can be based on regulatory requirements and our contractual obligations vis-à-vis Striga. The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. b GDPR.

Purpose of the data processing

The purpose of the data processing is to provide our contracted services and keep you informed about our services.

Duration of storage

We delete your personal data when they are no longer required to achieve the purpose of their processing. This is usually the case after the expiration of the statute of limitations, beginning with the end of the year in which the contractual relationship is terminated. After the statute of limitations has expired, your data will be blocked and deleted after expiry of the statutory retention obligations (see 10 -  Retention Periods).

§ 3 – Data Processing for Website and Bitwala App

When you visit our website for informational purposes without signing up for the Platform, we will be the sole controller for any processing related to your visit.

3.1 Processing of Your Data When You Visit Us

Description and Scope of Data Processing

We process your personal data to provide access to our website. This includes any information you provide manually as well as technical information that is required for the communication between your end-device and our applications.

The technical information we collect for our website www.bitwala.com includes your:

  1. Email address (if you sign up to our newsletter)

  2. IP Address 

  3. Your activity on our web page 

  4. Referrer URL (i.e. the page you visited before)

  5. Information about your browser

With every access to our website or Bitwala App, usage data is transmitted through the respective internet browser and stored in log files, the so-called server log files.

The log records stored in this case contain the following data: 

  1. Date and time of retrieval,

  2. Page name, 

  3. IP address,  

  4. Referrer URL (i.e. the page you have previously visited), 

  5. The amount of data transferred,

  6. Information about your browser.

Additionally, you may provide us with certain information by your own choice to use certain features of our website.

The mobile application on which our Platform runs is hosted on servers provided by Amazon Web Services, EMEA SARL 38 Avenue John F. Kennedy, L-1855, Luxembourg, ("AWS"). The servers we use are located within the European Economic Area. For certain technical services, however, data may be processed outside the EEA, especially in the USA. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission.

Legal Basis for Data Processing

The processing of the above data is based on Art. 6 (1) lit. fGDPR in conjunction with paragraph 25 para 2 no. 2 TTDSG, alsofor the purpose of disaster recovery and IT audits.

Purpose of the Data Processing

We use the log data and log files only for statistical evaluations for the purpose of operation, security and optimization of our offer. If you are a user, we keep your transaction data (fiat and digital assets), standing orders and your access activity within our logs for the purpose of disaster recovery and IT audits.

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing. This data is stored for 3 years. If you are a customer, we store your transaction data, standing orders and your access activities in our logs for the purpose of disaster recovery and IT audits.

Possibility of objection according to Art. 21 GDPR

There is no possibility to object to this data processing, as the processing of the data is mandatory for the provision of the website.

3.2 Cookies (in general)

We use cookies and similar technologies that are necessary for the operation of the app and the website. The use of essential cookies ensures that you can use the website or app at all without further ado. Essential cookies are used on the basis of our legitimate interest, Art. 6 para. 1 p. 1 lit. f GDPR in conjunction with paragraph 25 para 2 no. 2 TTDSG. 

In addition, we use non-essential cookies, which are placed by us or third-party providers. Such non-essential cookies are only used with your consent pursuant to Art. 6 (1) p. 1 lit a GDPR in conjunction with paragraph 25 para 1 TTDSG, as they are not absolutely necessary for the provision of the website. For example, non-essential cookies are used by us to access, analyse, and store information such as the characteristics of your device as well as certain personal data (your IP address, navigation usage, geolocation data, or unique identifiers). The use of non-essential cookies concerns in particular marketing and analytics cookies, which allow us to understand user behaviour in order to provide you with a relevant user experience or to personalise the content on our website. 

You can withdraw your consent regarding data processing by non-essential cookies at any time by changing your preferences in the cookie settings and rejecting non-essential cookies. Please note that the withdrawal is only effective against us, so you may continue to be tracked by other websites that use the services listed below.

In the following, data processing in connection with the use of non-essential cookies is listed. 

3.3 Google Analytics and Tag Manager

Description and Scope of Data Processing

Our website and our mobile application use Google Analytics and Tag Manager, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Both may process the categories of personal data below:

  • Online identifiers, including cookie identifiers

  • Internet protocol addresses and device identifiers

  • Client identifiers

This data is only collected and stored in pseudonymous form. Google will process the information obtained through cookies in order to evaluate your use of the website, to compile reports on website activity for website operators, and to provide other services related to website activity and internet usage. As part of this, personal data may be transferred to the US. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission. 

For more information, please visit Google’s Privacy Policy.

Legal Basis for Data Processing

The legal basis for the data processing is your consent according to Art. 6 para. 1 p. 1 lit. a GDPR in conjunction with paragraph 25 para 1 TTDSG. 

Purpose of the Data Processing

We use Google Analytics with cross-device tracking enabled by a unique user ID. This allows us to link interaction data from different devices and from different sessions to a unique ID. This allows us to provide more accurate visitor analytics. For more information, see User ID feature - Google Analytics Help.

Storage Duration

The user and event data relevant for the evaluation of website usage will be deleted by us immediately when they are no longer required. In addition, you can independently uninstall the cookies installed by Google Analytics and thus delete the stored data. We explain how this deletion can be carried out via the browser settings in the following point.  

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR. You are free to prevent the installation of cookies by setting your browser software accordingly.

For this purpose, Google offers a deactivation add-on for the most common browsers, which gives you more control over what data is collected by Google about the websites you visit. The add-on tells the JavaScript (ga.js) of Google Analytics that no information about the website visit should be transmitted to Google Analytics. However, the Google Analytics browser deactivation add-on does not prevent information from being transmitted to us or to other web analytics services we may use. For more information on how to install the respective browser add-on, see the Google Analytics Opt-out Browser Add-on.

The lawfulness of the processing carried out until then on the basis of the consent is not affected by the withdrawal. In the event of withdrawal, your personal data will no longer be processed and will be deleted. 

3.4 Google Ads-Tracking and Remarketing

Description and Scope of Data Processing

Our website uses the services of the online advertising tool "Google Ads" and the conversion tracking within Google Ads, which is provided by Google Ltd. Ireland Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). When you access our website by clicking on an ad delivered by Google, a conversion tracking cookie is placed on your computer. Cookies are small text files that are stored in a visitor's browser and allow the visitor to be recognized through their browser. Cookies are not used to identify you personally.  

Legal Basis for Data Processing

The legal basis for the use of Google Ads is Art. 6 para 1 p. 1 lit a GDPR in conjunction with paragraph 25 para 1 TTDSG.

Purpose of the Data Processing

If you visit certain pages on our website while the cookie has not yet expired, Google and we can see that you have clicked on the advertisement and been redirected to this page. Information obtained by using a conversion cookie is used to generate visitor statistics for our website. In this way, we get information on the total number of users, who have clicked on one of the advertisements placed by us and been redirected to a page utilising a conversion tracking tag. However, we do not get any information that can be used for personally identifying you.

As we use these data for advertising purposes, our legitimate interest in processing said data lies in these purposes.

Storage Duration

The cookies used by Google Ads for analysing website usage have a predefined storage period. Please be aware that we have no information and no influence on that storage period. You can uninstall the cookies placed on your device by Google Ads on your own and thereby erase the stored data. More details on how to delete cookies using your browser settings are provided below.

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR. You can prevent the installation of conversion cookies via your browser settings. You can either generally prevent cookies from being automatically stored on your computer or block the cookies of a specific domain. You can find more information in the data use policy and the Privacy Policy of Google.

If you are using a Google Account, Google may associate your web and app browsing history with your Google Account and use information from your Google Account to personalise your advertisement, based on the settings stored in your Google Account. If you do not want this connection to your Google Account, you have to log out of your Google account, before visiting our website.

You can configure your browser in order to reject cookies and also disable the Personalized Advertising button in the Google Ads Settings. In this case, Google will only display general advertising that has not been selected based on the information collected about you. Alternatively you can use YourAdChoices to change your preferences regarding individual online advertisement.

The lawfulness of the processing carried out until then on the basis of the consent is not affected by the withdrawal. In the event of withdrawal, your personal data will no longer be processed and will be deleted.

3.5 Processing of Your Data When You Sign Up to Our Newsletter

Description and Scope of Data Processing

With our newsletter we inform you about important product news, special announcements, and our offers, even if you are not our customer.

To subscribe to our newsletter, enter your email address in the field provided. This data will be stored and used for sending the newsletter.

In addition, we collect your IP address and the date and time of registration to ensure that no third party has misused your email address and hereby signed you up to receive the newsletter without your knowledge.

Legal Basis for Data Processing

The legal basis for the processing of your personal data is your consent according to Art. 6 para. 1 p. 1 lit. a GDPR. 

Purpose of the Data Processing

We use your email address to send the newsletter to keep you informed and to increase awareness of our products.

Storage Duration

After registration, you will receive an email confirming your inclusion in the email distribution list of the newsletter. If you do not confirm your subscription to the newsletter within 24 hours, we will delete your data required for subscription to the newsletter (your email address, your IP address and the date and time of subscription) 24 hours after sending the confirmation email, provided that there are no legal retention obligations to the contrary (see 10 – Retention Periods). 

Possibility of withdrawal according to Art. 7 GDPR

You can unsubscribe from the newsletter at any time later and withdraw your consent by clicking the link provided at the end of the letter. Alternatively, you can reach us through our contact form https://support.bitwala.com/hc/en-gb. Upon unsubscribing from the newsletter, the personal data transmitted for the purpose of providing the newsletter will be blocked. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and will be deleted.

3.6 Processing of Your Data for UX Research

Description and Scope of Data Processing

We use UX research ("User Experience - Research") and conduct UX research (e.g. interviews) from time to time. You can decide for yourself if you want to be part of the research process. We will collect and process your data in the following:

  • Full name

  • Email address 

  • The data which you provide us in connection with the UX research

  • Video and audio (if you are invited to the research)

Legal Basis for Data Processing

We process your personal data on the basis of Art. 6 para. 1 p. 1 lit. a GDPR.

Purpose of the Data Processing

User Experience Research ("UX Research") helps us determine how product features can be improved. We may conduct UX research from time to time to test our products and determine how a participant interacts with them as a (potential) customer.

Storage Duration

The storage period of your data is usually based on the duration of the research, unless the data has been deleted at your request. The typical storage period for our research purposes is 3 months. 

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and deleted. 

§ 4 – Data Processing for Customer Support

This section informs you how we process your personal data when you reach out to our customer support via the website or the Bitwala App.

We use the data processors below to provide you our customer support:

4.1 Zendesk Inc.

Description and Scope of Data Processing

On our website, we are using Zendesk Inc. 1019 Market St., San Francisco, CA 94103, USA ("Zendesk"), a tool for customer support communication.

The types of data you give us depend on the content of the message you send us. Typically, we receive the types of data below from you:

  • Full name

  • Email address

  • Residential address

  • Phone number

  • Other personal data transmitted as part of the message

Zendesk is contractually bound to our instructions under a Data Processing Agreement. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission.

You can find further information about data protection in Zendesk’s privacy policy and about supplementary measures on their blog.

Legal Basis for Data Processing

The legal basis for the processing of your data, which is transmitted in the course of sending the message, is Art. 6 para. 1 p. 1 lit. b of the GDPR, insofar as your contact is aimed at the conclusion of a contract with us or the communication concerns an already existing contractual relationship. 

If the contact is neither related to a contract nor aimed at the conclusion of a contract, the legal basis for the data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.

Purpose of the Data Processing

The purpose of the data processing is the handling of your request with which you have contacted us. 

Storage Duration

Your personal data will be deleted after 6 years.

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR by sending an email with the corresponding content via our contact form https://support.bitwala.com/hc/en-gb. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and will be deleted, provided that there are no legal retention obligations to the contrary (see 10 - Retention Periods).

§ 5 – Data Processing for Performance, Marketing Analytics, and Marketing

This section informs you how we process your personal data for performance, marketing analytics, and marketing.

5.1 Mixpanel

Description and Scope of Data Processing

On Bitwala Apps we use a tool for user’s data collection and its integration with our data analytics tools, which is provided by Mixpanel Inc., 1 Front Street 28th Floor San Francisco, CA 94111 ("Mixpanel"). We use Mixpanel also for analysing the user’s behaviour across devices and partner applications. 

Mixpanel processes the categories of your personal data below:

  • Activity on the Bitwala App

  • IP address

  • Account status

Mixpanel uses cookies and similar technologies to enable cross-device tracking through a unified user ID. We use this data to evaluate your use of our website and our App.

The information generated by the cookie about the use of the website is stored on a server in the USA.

Mixpanel is subject to our instructions by a data processing agreement. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission.

Further information about data privacy can be found in Mixpanel’s Privacy Policy.

Legal Basis for Data Processing

The data processing is based on your consent according to Art. 6 para. 1 p. 1 lit. a GDPR in conjunction with paragraph 25 para 1 TTDSG.

Purpose of the Data Processing

The purpose of data processing is the analysis of user behaviour. 

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing. This is usually the case if you have withdrawn your consent. We explain how you can withdraw your consent in the following point.  

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR. You are free to prevent the installation of cookies by setting your browser software accordingly.

You can refuse the setting of a cookie by Mixpanel at any time via the cookie settings by changing your preferences. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and will be deleted. 

5.2 Customer.io

Description and Scope of Data Processing

We use the marketing tool for contextual emailing provided by Customer.io, Peaberry Software Inc. d / b / a Customer.io, 921 SW Washington Street, Suite 820, Portland, Ore., 97205, USA ("Customer.io").

Customer.io processes the your data as mentioned in the categories below:

  • Full name

  • Email address

  • Address

  • Salutation

  • Citizenship

  • Language settings

  • Activity within the Bitwala App

  • Interaction with our emails and newsletters

  • Device model

Your personal data provided upon the registration for the onboarding will be transmitted to a server of the company Peaberry Software Inc. in the USA and stored there.

Customer.io is subject to a data processing agreement, incorporating Standard Contractual Clauses.

Please visit Customer.io’s Privacy Policy for further information and its Warrant Canary for further information on the requests from law enforcement they get regarding customer data.

Legal Basis for Data Processing

The legal basis for the data processing is Art. 6 (1) lit. a of the GDPR in conjunction with paragraph 25 para 1 TTDSG, based on your consent to receive marketing-related communications.

Purpose of the Data Processing

The purpose of data processing is to send contextual and marketing emails.

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing. This is usually the case if you have withdrawn your consent. We explain how you can withdraw your consent in the following point.  

Possibility of withdrawal according to Art. 7 GDPR

You can unsubscribe from the emailing at any time later and withdraw your consent by clicking the Unsubscribe button at the bottom of a marketing email. When you unsubscribe from the emailing, the personal data that was transmitted for the purpose of providing the emailing will be blocked. This will not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and will be deleted.

5.3 Metabase

Description and Scope of Data Processing

We use the tool provided by Metabase, Inc, 660 4th Street #557, San Francisco, CA 94107, USA ("Metabase") to analyze the data from our users.

Your personal data provided upon the registration for the onboarding will be transmitted to a server of the company Metabase Inc. in the USA and stored there. A sufficient level of data protection is ensured by the EU-US Data Privacy Framework decided by the EU Commission.

Legal Basis for Data Processing

The legal basis for the data processing is Art. 6 (1) lit. a of the GDPR in conjunction with paragraph 25 para 1 TTDSG, based on your consent.

Purpose of the Data Processing

The purpose of data processing is extensive evaluation of user data.

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing.

Possibility of withdrawal according to Art. 7 GDPR

You can withdraw your consent to data processing at any time in accordance with Art. 7 GDPR. You are free to prevent the installation of cookies by setting your browser software accordingly.

You can refuse the setting of a cookie at any time via the cookie settings by changing your preferences. This does not affect the lawfulness of the processing carried out until then on the basis of the consent. In the event of withdrawal, your personal data will no longer be processed and will be deleted. 

§ 6 – Data Processing for Data Subject Rights

6.1 Egnyte, Inc.

Description and Scope of Data Processing

For exercising your data subject rights, we use the file sharing platform Egnyte to send files to third parties in a secure way, e.g. with an encrypted link and password, which is provided by Egnyte, Inc. 1350 W. Middlefield Road, Mountain View, California 94043 ("Egnyte"). When you ask for your personal data from us, we use Egnyte to provide you your data. Egnyte itself has no access to the data which is uploaded to the platform.

Egnyte is subject to our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.

For more information about Egnyte‘s data processing, please refer to Egnyte’s privacy policy.

Legal Basis for Data Processing

The legal basis for data processing is Art. 6 para. 1. lit. c of GDPR, based on our compliance with the legal obligation arising from Art. 15 and 20 of GDPR and other legal obligations.

Purpose of the Data Processing

The purpose of data processing is the fulfilment of our legal obligation to comply with the data subject rights exercised by you. 

Storage Duration

We delete your personal data when they are no longer necessary to achieve the purpose of their processing. This is the case when your request to exercise your data protection rights has been comprehensively processed.

§ 7 – Automated decision in individual cases including profiling

We do not use fully automated decision-making in accordance with Art. 22 GDPR for processing your personal data. In addition, we do not process your personal data with the aim of evaluating certain personal aspects (profiling).

§ 8 – Your Rights

This section is to inform you about your rights and how to exercise them. You have the rights as listed below.

Right of Access to Your Personal Data

You have the right to information about the processing of your personal data at any time and free of charge. This information includes an overview of the data relating to you, as well as a copy of such data. We will be providing you with your personal data in a commonly used electronic form.

Right to Rectification

Should data be or become inaccurate, we are obliged to correct the information on your request

Right to Erasure (‘Right to Be Forgotten’)

You may at any time request the deletion of data.

Right to Restriction of Processing

Wherever we are not able to delete your data, as may be the case when we are subject to statutory retention periods, data processing will be restricted. Processing will also be restricted upon your request, if you believe that the data we have stored are not correct or if there is a dispute over the legality of the processing

Right to Data Portability

You may at any time request us to transfer your personal data to you or a third party of your choice.

Right to Object

Wherever we process your data on the basis of legitimate interests under Art. 6 para. 1 lit. f of GDPR you have the right to object to the processing of your data according to Art. 21 of GDPR.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing of your personal data violates the General Data Protection Regulation. 

As a rule, you can contact the supervisory authority of your place of residence, your place of work or our office. The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61

10555 Berlin
Germany

Tel.: +49 (0)30 13889-0

Fax: +49 (0)30 2155050

Email: mailbox@datenschutz-berlin.de 

Right to withdraw your consent

Under Art. 7 para. 3 of GDPR you have the right to withdraw any consent you may have given to us at any time. In this case, data processing will no longer take place based on your consent. The withdrawal however does not affect the lawfulness of past processing activities.

For Separate Controllers, please reach out to each controller individually via the contact details provided above.

When available, you may alternatively use features provided within our applications to withdraw your consent.

§ 9 – Further Transmission of Data

Whenever we transfer data to service providers, data may only be used for performance of their services. Services are selected and commissioned carefully and contractually bound by our instructions. Additionally to the transfer of data to the ones explicitly mentioned in this Privacy Policy we may include further service providers, including cloud services, IT services providers maintaining our systems, tax consultancy and other consultancy firms.

Otherwise, we transfer data to Third Parties only if:

  • You have given an express declaration of consent for this, pursuant to Art. 6, para. 1, lit. a of GDPR,

  • further transmission is necessary, pursuant to Art. 6, para. 1 lit. f of GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,

  • we have a legal duty to pass on your data pursuant to Art. 6 para. 1 lit. c of GDPR, or

  • this is legally permissible and requisite, pursuant to Art. 6 para. 1 lit. b of GDPR, for the handling of contracts with yourself or for the execution of pre-contractual actions which are being carried out at your request.

§ 10 – Retention Periods

When you no longer wish to benefit from our services and send us a deletion request, we are removing all personal data except the categories required for the fulfilment of our legal storage obligations. This data will be deleted immediately without you having to request the deletion anew, upon expiry of the periods.

If the retention is necessary for your personal data, it is necessary for the following purposes and laws:

Performing commercial and tax retention periods, which relate to the following laws: Commercial code (Handelsgesetzbuch), Fiscal Code (Abgabenordnung) and VAT Act (UStG). The statutory retention periods and documentation obligations are between6 and 10 years.

Ensure a proper disaster recovery, conduct IT-audits: GDPR (DSGVO) and German Civil Code (BGB). The statutory periods and documentation obligations are 3 years.

Claim and evidence management: GDPR (DSGVO) and German Civil Code (BGB). The statutory periods and documentation obligations are 3 years.