This translation is provided for informational purposes only. In case of inconsistencies, the original German text is binding.
BitsaboutMe AG was founded for the purpose of giving you full control over your personal data. The protection of your personal data is therefore a top priority for BitsaboutMe and we have been guided by the principles of “Privacy By Design” (see Appendix 2) right from the start when designing and implementing our products and services.
In particular, BitsaboutMe guarantees the following for maximum protection of your data:
- Your personal data is and will always remain your property. BitsaboutMe has no rights to or access to your data unless you explicitly authorize us to do so.
- BitsaboutMe stores your personal data in a Personal Data Store (PDS) assigned to you – and only to you.
- All data in your PDS is encrypted and only you have the key in the form of your login password.
- Your PDS is hosted exclusively in trusted data centers within the EU and/or Switzerland.
- You alone decide which data from which data sources is stored in your PDS.
- Nobody – not even BitsaboutMe – can read or use your data without your key. Accordingly, your data cannot be passed on to third parties without your consent.
- You alone decide whether you want to participate in BitsaboutMe’s online data marketplace and, if so, which data you provide to whom for which purposes.
- If you decide to participate in the marketplace and share selected data with third parties, BitsaboutMe gains access to this data and can share it with those data requesters to whom you have previously given the necessary consent.
- You can correct, download or completely delete the data in your PDS at any time.
- All communication within our systems and with your web browser takes place exclusively via encrypted channels (HTTPS).
You can find out more about the handling of your personal data in our data protection guidelines.
|You||You are the person who has visited our website or registered an account on our website to use the services of BitsaboutMe.|
|We / BitsaboutMe||BitsaboutMe AG and affiliated companies|
|Contractual partner||Third parties contracted by BitsaboutMe to provide services, such as auxiliary persons, suppliers, sales partners and other service providers.|
|Third party||Everyone except you and us.|
|BitsaboutMe account||Your personal, password-protected account with BitsaboutMe as a prerequisite for using our services.|
|PDS – Personal Data Store||Storage space associated with your account to store and encrypt your data.|
|Services||Websites, tools and interfaces provided by us for the import, storage, analysis, statistical processing, visualization and use of data.|
|Data sources||Third parties who store and process personal data. BitsaboutMe allows you to import a copy of the data stored there into your PDS (e.g. by linking your accounts created there).|
|Marketplace||Online data marketplace operated by BitsaboutMe for the exchange of personal data according to predefined scope and purpose between data providers and data requestors.|
|Offer||Data deals published on the marketplace according to predefined data processing criteria.|
|Data transfer agreement||Contract concluded via the marketplace between you (“data provider”) and data requestors for the provision of personal data for a predefined scope and purpose.|
|Data requestors||Companies and institutions that make specific data deals in the form of offers on the marketplace.|
|Profile||The profile is a data list created and stored in the PDS consisting of personal data, demographic data and interests. When participating in the marketplace, you can share predefined profile data with data requestors (marketplace profile).|
|Remuneration||A financial, monetary or immaterial advantage that the data requestor offers to the data provider with his offer or owes based on a data transfer agreement.|
|Data||Any information, data, text, images provided either by you, from third party sources or BitsaboutMe, or added to your PDS.|
|Personal information||All personal and non-personal data about you or created by you.|
|Personal data / Person specific data||All data relating to an identified or identifiable person.|
Published on March 27th, 2019
1. Who we are
This website and services are operated by BitsaboutMe AG. We are responsible for your personal data that is stored by us. This is how you can reach us:
BitsaboutMe AG / Bollwerk 4 / 3011 Bern / Switzerland
You can reach our data protection officer at BitsaboutMe, data protection officer, Bollwerk 4, 3011 Bern, Switzerland, firstname.lastname@example.org.
We are happy that you are using BitsaboutMe! The following describes how we handle your personal data, what personal data is provided by you when you use our services as well as how we store, process and, if necessary, pass this data on to third parties.
Our mission is to give users back control of their personal information in order to protect their privacy and allow them to participate appropriately in the value of their information.
With BitsaboutMe, we have developed a product that enables you to gain an overview of the data about you stored by third parties and to obtain interesting and valuable information about this aggregated data with the help of our services.
The marketplace service provides you with a platform on which you can share personal data with data requesters according to your own criteria. The participation in the marketplace is always voluntary.
3. Legal basis of data processing
As a Swiss company, we not only act in strict compliance with the applicable provisions of the Swiss Data Protection Act, but also develop and offer our services in compliance with the European General Data Protection Regulation (GDPR). We see ourselves as active supporters of this policy by offering BitsaboutMe, a product that allows you and ultimately also third parties who store data about you to technically exercise your legal rights and obligations as simply and transparently as possible.
The legal basis for the processing of your personal data by us can generally be found in:
- The processing in direct connection with the conclusion or execution of a contract (Article 13 paragraph 2 letter a FADP, corresponds to Article 6 paragraph 1 letter b EU-GDPR)
- The consent of the data subject (Article 13 paragraph 1 FADP, corresponds to Article 6 paragraph 1 letter a EU-GDPR)
- The obligation to process by law or to protect our legitimate interests (Article 13 paragraph 1 FADP, corresponds to Article 6 paragraph 1 letter c and f EU-GDPR)
Please note that websites and offers of third parties that can be reached via our services are not subject to the principles set out here, but generally have their own data protection regulations. We cannot assume any responsibility or liability for their compliance with data protection.
4. Which data we process and for what purpose
In order to offer, further develop and protect our services in the best possible way, we and our contractual partners collect, process, store and use the following data:
Your usage – In order to continuously optimize our services and to detect and prevent misuse, we collect, use and store information from and about your device. This usage data is transmitted to us by your Internet browser each time you visit BitsaboutMe and use our services and subsequently stored in log files. These include:
- The IP address of the device used
- Date and time of the visit
- Name and URL of the service visited
- Address of the website from which you accessed our services (referrer URL)
- User ID (for logged in users)
- Browser and device type used
This data is only used and stored as long as it is actually used, in particular for the following purposes:
- To enable the use of our services (connection establishment)
- To ensure the security and stability of our systems
- To analyze and evaluate the use of our services
- To optimize our services
- Internal statistical and administrative purposes
Your BitsaboutMe account – To set up your personal BitsaboutMe account and to ensure your access to it, we collect, use and store your email address and your encrypted password and link them to your BitsaboutMe account. Your BitsaboutMe account will then automatically be linked to your personal data storage (see “Your PDS” below). Access to your account and decryption of the data stored in your PDS is only possible using the password you have created. Your encrypted password and email address are stored by us on protected servers outside your PDS in order to authorize access to your BitsaboutMe account and PDS.
The Personal Data Store (PDS) – In your PDS we store, process and analyse the data imported from third parties according to your request and on your behalf as well as data generated by our services or yourself. This data is always stored encrypted in your PDS and can only be read if you are logged into your account with your password. The data imported by us into your PDS on your behalf from third party sources is always a copy. We do not delete or alter any of your personal data in the source systems of the respective third party sources. Nobody but yourself has access to your PDS, unless you give us or third parties your explicit and revocable consent.
BitsaboutMe allows you to analyse the data in your PDS. All analysis tools provided by BitsaboutMe run within a closed system. The data analysed and evaluated therein is stored in your PDS. By entering your login data for the respective account (e.g. Facebook, Migros Cumulus, email – the detailed list of possible data sources can be found here), you authorize us to link the corresponding accounts with your PDS and to import, edit (in particular to analyse and to evaluate) and save a copy of the data you selected for import from the respective data source into your PDS via an interface. Each time you log in to BitsaboutMe from your account, you give us these permissions again. This enables us to guarantee automatic data synchronization and analysis that is up to date at all times. In your account settings, you can manually manage this automatic data update and analysis for individual data sources. We store your login data for access to the data sources encrypted in your PDS.
Your profile – Your PDS contains a personal profile. This contains various personal data. The data either comes from the data sources connected by you (by means of automatic import) or is entered manually by you. These are in particular:
- Personal data (name, address, email)
- Demographic information (age, gender, place of residence, education)
- Fields of interest (hobbies, topics, interests)
By opening your BitsaboutMe account and linking data sources to your PDS, you consent to BitsaboutMe creating an appropriate profile. The content in your profile can be continuously adapted and expanded.
You will find the current list in your PDS under the menu item “My Data/Profile”. As long as you do not participate in the marketplace, your profile is only stored in the PDS and can only be accessed and viewed by you. You can add, change and delete all entries at any time.
In the menu item “My Data/Profile” you always have an overview of which information comes from which data source and can adjust or delete it at any time if required.
If you decide to participate in the marketplace by opting in, an encrypted copy of your profile will be created on the marketplace (marketplace profile). You permit access to this marketplace profile defined by you by explicitly accepting a corresponding offer from a data requestor on the marketplace. Without the acceptance of an offer, nobody has access to your marketplace profile. You explicitly determine which data will be exchanged, with whom and under which conditions.
The marketplace – By participating in the marketplace or accepting a deal published there, we will transmit the data requested in the deal to the respective data requestor on your behalf for the purposes and conditions defined there. With the conclusion of the respective data transfer agreement, you therefore authorize us to transmit the personal data released by you to the respective data requester accordingly. The BitsaboutMe marketplace rules also apply to participation in the marketplace.
Newsletter – If you agree to receive our newsletter (opt-in), we use your personal data (in particular your email address) to send it. We may also involve third parties. Our newsletters may contain information and offers about our own services as well as services of third parties that are connected with the services of BitsaboutMe. You can unsubscribe to the newsletter at any time in your BitsaboutMe account or directly via the unsubscribe link in the corresponding email.
The only cookie we use is the so-called session cookie. This is essential for the functioning of our services and is automatically deleted at the end of your session. We deliberately refrain from permanent cookies and especially cookies from third party providers, as they are usually used for tracking users. This results in a small loss of convenience, e.g. we have to wait until after logging in to set your preferences (e.g. language selection) in our services.
When using counting pixels for web analysis we work with the open source software Matomo (Matomo.org), which allows us to ensure your privacy. We deliberately refrain from using Google Analytics and other third-party analysis services.
Social media plugins – Your BitsaboutMe account / our services includes functions (so-called plugins) to connect to various third-party providers of social media platforms (such as Facebook, Twitter, Instagram). We use a special “two-click” implementation of these plugins to protect your privacy, where data is only exchanged with third parties if the plugins are activated by you, i.e. clicked. As long as these plugins are only displayed, no data exchange takes place. These plugins allow you to share content on social networks. If you activate these plugins while surfing the website (e.g. “share button” of Facebook), a connection to the servers of this website is established. Data can be transferred to this third party provider. If you are logged in to this third party’s network at the same time, your visit to BitsaboutMe can be assigned to your network account (e.g. Facebook account). BitsaboutMe has no influence on the way this data is transmitted. The purpose and scope of the data collection and the further processing and use of the data by your social media provider as well as your rights and setting options for the protection of your privacy can be found in the data protection information of this provider.
5. Passing on data to third parties
We may involve third parties in the processing of personal data. This is particularly the case when it makes our services safer and more reliable and generally serves the purpose of the contract. We share personal data with the following categories of order data processors.
Data requestors on the marketplace – Data requestors are companies and institutions which have been audited by us and are obliged to data protection and which can address data deals to you (data provider) by means of offers on the marketplace. By accepting data deals, you authorize us to transmit the predefined personal data to the respective data requesting party. Both parties will then receive proof of the agreed data use and its scope.
Contractors working with BitsaboutMe – In certain cases (in particular to improve and protect our services) it may make sense for us to use third-party services (e.g. hosting providers, IT support, web analysis services and marketing services providers). When selecting these contractual partners, we pay particular attention to their trustworthiness and contractually ensure that any personal data transmitted is processed exclusively on our behalf and according to our instructions within the scope of the respective contractual purpose and wherever possible anonymised or encrypted and is not passed on.
- OVH, 59100 ROUBAIX, FR – Internet hosting
We rent our servers and data storage from OVH, in the most modern data centers within the EU and manage this infrastructure independently.
- MailChimp, The Rocket Science Group LLC, Atlanta GA, US – Newsletter dispatch
We use MailChimp to send our newsletters. If you register for our newsletter, we will share your email address as well as your first and last name with MailChimp.
We will never share or sell your personal information to advertisers or third parties who are not contractors without your explicit consent.
Transmission of personal data abroad – If a transfer of your personal data to contracted service providers appears appropriate for the data processing described in these data protection guidelines, we are entitled to transfer these to third parties abroad. These third parties are obliged to the same extent as we ourselves to protect data. If the level of data protection in a country does not meet the European and Swiss requirements, we will contractually ensure that the protection of your personal data corresponds to that of the EU and Switzerland. In doing so, we use contracts that comply with the standards of the European Commission (which are also recognised in Switzerland), ensure that the commissioned service providers are data protection certified (e.g. by means of Swiss-US or EU-US Privacy Shield) or ensure that there are binding corporate rules (BCR) recognised by a data protection authority.
6. How we protect your data
Security – It is BitsaboutMe’s top priority to protect your data against manipulation, loss and against unauthorised access by third parties by means of suitable technical and organisational measures and to continuously improve our security measures in line with technological developments. Our employees and the third parties commissioned by us have been obligated by us to secrecy and to adhere to these data protection guidelines. All data, logins and passwords in your PDS are stored encrypted and can only be decrypted with your personal password. BitsaboutMe always uses recognized, high standards of encryption technology, i.e. exclusively HTTPS for data transfer as well as SQLCipher, an open source extension of SQLite that ensures transparent 256-bit AES encryption of the data in the PDS.
Duration – We store your data only as long as we need it to offer you our services according to our Terms and Conditions or as we are legally obliged to do so. If you delete your BitsaboutMe account or object to the processing of your data, we will always delete your data immediately. If you have not used your BitsaboutMe account for 12 months, we will irrevocably delete your data unless you agree to further storage at our request by email.
If, due to misuse, payment defaults or other legitimate reasons, we wish to refuse further business contacts with an affected person or take legal action against you, we reserve the right to retain the relevant personal data such as name, address and email address for five years or, in the event of a repeat, for ten years.
7. These are your rights: information, deletion and data export right
It is the explicit goal of BitsaboutMe to make it as easy as possible for you to exercise these rights. Wherever it makes sense and is appropriate, we incorporate the relevant functionalities into our services and make them easily accessible and applicable.
Upon your request, we will provide you with information as to whether and, if so, which personal data about you will be processed (right to confirmation, right to information). At your request:
- we waive the processing of personal data in whole or in part (right to revoke your consent to the processing of personal data that is not absolutely necessary; right to be forgotten). We will also inform third parties to whom you have previously forwarded your personal data of your request to be forgotten.
- we correct the corresponding personal data (right to correction);
- we restrict the processing of the relevant personal data (right to restrict processing; in this case we will only store your personal data or use it to protect our legal claims or the rights of another person);
- you will receive the relevant personal data in a structured, common and machine-readable format (right to data transferability).
To make such a request to exercise a right described in this section, for example if you no longer wish to receive email newsletters from us or wish to delete your BitsaboutMe account, please use the appropriate feature on our website or contact our Data Protection Officer (email@example.com).
If we do not comply with a request, we will inform you of the reasons. For example, we may refuse to delete in a legally permissible manner if your personal data is still required for the original purposes (for example, if you continue to purchase a service from us), if the processing is based on a mandatory legal basis (for example, statutory accounting regulations), or if we have an overriding interest of our own (for example, in the event of a legal dispute against the data subject).
Legal status – You have control over your personal information and we will only import and store it securely for you on your behalf. This also applies in the event of changes as part of any restructuring, merger, acquisition or sale of BitsaboutMe. Your personal data will always remain encrypted. In the event of a structural change, BitsaboutMe will notify you in a timely manner via the email address associated with your BitsaboutMe account. If you do not agree with such a change, you have the option to download your data from your PDS and/or permanently delete your BitsaboutMe account with all data.
BitsaboutMe AG – all rights reserved. Version October 2018
It is currently possible to connect the following data sources and copy data contained therein into the PDS:
- Email accounts
- Deutsche Bank
To connect a data source, enter your login data (usually user name/email and password). With this information, you allow:
- BitsaboutMe to access the corresponding data source and the data it contains on your behalf;
- data from the data source to be stored and encrypted in your PDS;
- your login data to be encrypted and stored in the PDS;
- every time you log in to your BitsaboutMe account, the data source is to be compared and the data to be updated if necessary;
- the data in your PDS to be analyzed, visualized and displayed according to your criteria in the private statistics area;
- parts of the data to be used to create your profile.
You can terminate this connection at any time and delete the associated data by disconnecting the corresponding source in the My Data/Data Source area. All data in the PDS are irretrievably deleted, the original data in the corresponding source remain unchanged.
In detail, we process the following data for you:
|Deletion||Disconnecting/deleting the Facebook source deletes all Facebook data in the PDS|
Only data that was selected when the takeout file was created can be processed. All other data types not listed above are not transferred to the BitsaboutMe PDS.
|Deletion||Disconnecting/deleting the Google source deletes all Google data in the PDS|
|Deletion||Disconnecting/deleting the Instagram source deletes all Instagram data in the PDS|
|Deletion||Disconnecting/deleting the Twitter source deletes all Twitter data in the PDS|
|Deletion||Disconnecting/deleting the Migros source deletes all Migros data in the PDS|
|Deletion||Disconnecting/deleting the email source deletes all email data in the PDS|
|Data||Basic profile data from LinkedIn as described here:
|Deletion||Disconnecting/deleting the LinkedIn source deletes all LinkedIn data in the PDS
Data that has been transferred to your own profile can be deleted there.
|Data||Profile data and account transaction data:
|Deletion||Disconnecting/deleting the source Deutsche Bank deletes all account movements and profile data in the PDS
Data that has been transferred to your own profile can be deleted there.
|Deletion||Disconnecting/deleting the Coop source deletes all Coop data in the PDS|
|Deletion||Disconnecting/deleting the Amazon source deletes all Amazon data in the PDS|
|Deletion||Disconnecting/deleting the Zalando source deletes all Zalando data in the PDS|
|Deletion||Disconnecting/deleting the Payback source deletes all Payback data in the PDS|
1. Proactive not reactive; preventative not remedial
The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
2. Privacy as the default
We can all be certain of one thing − the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
3. Privacy embedded into design
Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
4. Full functionality – positive-sum, not zero-sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.
5. End-to-end security – lifecycle protection
Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
6. Visibility and transparency
Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike. Remember, trust but verify!
7. Respect for user privacy
Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!