Privacy

Overview Privacy Policy

This translation is provided for informational purposes only. In case of inconsistencies, the original German Text is binding.

BitsaboutMe AG was founded for the purpose of giving you full control over your personal data. The protection of your personal data is therefore a top priority for BitsaboutMe and we have been guided by the principles of “Privacy By Design” (see Appendix 2) right from the start when designing and implementing our products and services.

In particular, BitsaboutMe guarantees the following for maximum protection of your data:

  • Your personal data is and will always remain your property. BitsaboutMe has no rights to your data unless you explicitly authorize us to do so.
  • BitsaboutMe stores your personal data in a Personal Data Store (PDS) assigned to you – and only to you.
  • All data in your PDS is encrypted and only you have the key in the form of your login password.
  • Your PDS is hosted exclusively in trusted data centers within the EU and or Switzerland.
  • You alone decide which data from which data sources are stored in your PDS.
  • If you give explicit consent to share selected data with BitsaboutMe, BitsaboutMe will have access to this data and may process, analyze and share the results with partners in anonymized or pseudonymized form.
  • You can correct, download or completely delete the data in your PDS at any time.
  • All communication within our systems and with your web browser takes place exclusively via encrypted channels (HTTPS).
  • BitsaboutMe does not use cookies, the only exception is our session cookie, which is mandatory for a web application and is automatically deleted after the session.

You can find out more about the handling of your personal data in our data protection guidelines.

Definitions:

TermDefinition
YouYou are the person who has visited our website or registered an account on our website to use the services of BitsaboutMe.
We / BitsaboutMeBitsaboutMe AG and affiliated companies
Contractual partnerThird parties called contracted with by BitsaboutMe to provide services, such as auxiliary persons, suppliers, sales partners and other service providers.
Third partyEveryone except you and us.
BitsaboutMe accountYour personal, password-protected account with BitsaboutMe as a prerequisite for using our services.
PDS – Personal Data StoreStorage space associated with your account to store and encrypt your data.
ServicesWebsites, tools and interfaces provided by us for the import, storage, analysis, statistical processing, visualization and use of data.
Data sourcesThird parties who store and process personal data. BitsaboutMe allows you to import a copy of the data stored there into your PDS (e.g. by linking your accounts created there).
ProfileThe profile is a data list created and stored in the PDS consisting of personal data, demographic data and interests. When participating in the marketplace, you can share predefined profile data with data requestors (marketplace profile).
CashbackA financial, monetary or intangible benefit that BitsaboutMe offers its users for sharing data.
DataAny information, data, text, images provided either by you, from third party sources or BitsaboutMe, or added to your PDS.
Personal informationAll personal and non-personal data about you or created by you.
Personal data / Person specific dataAll data relating to an identified or identifiable person.
Access TokenA machine-generated access code that we use for automatic updates of PDS data and password resets

Privacy Policy

Published on October 1st, 2023

1. Who we are

This website and services are operated by BitsaboutMe AG. We are responsible for your personal data that is stored by us. This is how you can reach us:

BitsaboutMe AG / Marktgasse 50 / 3011 Bern / Switzerland

You can reach our data protection officer at BitsaboutMe, data protection officer, Marktgasse 50, 3011 Bern, Switzerland, privacy@bitsabout.me.

2. Introduction

We are happy that you are using BitsaboutMe! The following describes how we handle your personal data, what personal data is provided by you when you use our services as well as how we store, process and, if necessary, pass this data on to third parties.

Our mission is to give users back control of their personal information in order to protect their privacy and allow them to participate appropriately in the value of their information.

With BitsaboutMe, we have developed a product that enables you to gain an overview of the data about you stored by third parties and to obtain interesting and valuable information about this aggregated data with the help of our services.

As a Swiss company, we not only act in strict compliance with the applicable provisions of the Swiss Data Protection Act, but also develop and offer our services in compliance with the European General Data Protection Regulation (GDPR). We see ourselves as active supporters of this policy by offering BitsaboutMe, a product that allows you and ultimately also third parties who store data about you to technically exercise your legal rights and obligations as simply and transparently as possible.

The legal basis for the processing of your personal data by us can generally be found in:

  • The processing in direct connection with the conclusion or execution of a contract (Article 13 paragraph 2 letter a FADP, corresponds to Article 6 paragraph 1 letter b EU-GDPR)
  • The consent of the data subject (Article 13(1) FADP, corresponds to Article 6(1)(a) EU GMO)
  • The obligation to process by law or to protect our legitimate interests (Article 13 paragraph 1 FADP, corresponds to Article 6 paragraph 1 letter c and f EU-GDPR)

Please note that websites and offers of third parties that can be reached via our services are not subject to the principles set out here, but generally have their own data protection regulations. We cannot assume any responsibility or liability for their compliance with data protection.

4. Which data we process and for what purpose

In order to offer, further develop and protect our services in the best possible way, we and our contractual partners collect, process, store and use the following data:

Your usage – In order to continuously optimize our services and to detect and prevent misuse, we collect, use and store information from and about your device. This usage data is transmitted to us by your Internet browser each time you visit BitsaboutMe and use our services and subsequently stored in log files. These include:

  • The IP address of the device used
  • Date and time of the visit
  • Name and URL of the service visited
  • Address of the website from which you accessed our services (referrer URL)
  • User ID (for logged in users)
  • Browser and device type used

This data is only used and stored as long as it is actually used, in particular for the following purposes:

  • To enable the use of our services (connection establishment)
  • To ensure the security and stability of our systems
  • To analyze and evaluate the use of our services
  • To optimize our services
  • Internal statistical and administrative purposes

We also use cookies and analysis services when you use our services. For further details, please refer to the section below entitled Web analysis “Cookies and tracking pixels”.

Your BitsaboutMe account – To set up your personal BitsaboutMe account and to ensure your access to it, we collect, use and store your email address, and your encrypted password, and link them to your BitsaboutMe account. Your BitsaboutMe account will then automatically be linked to your personal data storage (see “Your PDS” below). For maximum security, your PDS is individually encrypted at the user level with your personal password. BitsaboutMe does not store a copy of your password. Your encrypted password and email address are stored by us on protected servers outside your PDS in order to authorize access to your BitsaboutMe account and PDS.

The Personal Data Store (PDS) – In your PDS we store, process and analyse the data imported from third parties according to your request and on your behalf as well as data generated by our services or yourself. This data is always stored individually encrypted at the user level in your PDS. The data imported by us into your PDS on your behalf from third party sources is always a copy. We do not delete or alter any of your personal data in the source systems of the respective third party sources.

BitsaboutMe allows you to analyse the data in your PDS. All analysis tools provided by BitsaboutMe run within a closed system. The data analysed and evaluated therein is stored in your PDS. By entering your login data for the respective account (e.g. Migros Cumulus, Apple Health – the detailed list of possible data sources can be found here), you authorize us to link the corresponding accounts with your PDS and to import, edit (in particular to analyse and to evaluate) and save a copy of the data you selected for import from the respective data source into your PDS via an interface. Each time you log in to BitsaboutMe from your account, you give us these permissions again. This enables us to guarantee automatic data synchronization and analysis that is up to date at all times. We store your login data for access to the data sources encrypted in your PDS.

Your profile – Your PDS contains a personal profile. This contains various personal data. The data either comes from the data sources connected by you (by means of automatic import) or is entered manually by you. These are in particular:

  • Personal data (name, address, email)
  • Demographic information (age, gender, place of residence, education)
  • Derived data (information aggregated or calculated from raw data, e.g. Nutri-Score based on purchasing data)
  • Fields of interest (hobbies, topics, interests)

By opening your BitsaboutMe account and linking data sources to your PDS, you consent to BitsaboutMe creating an appropriate profile. The content in your profile can be continuously adapted and expanded.

You will find the current list in your PDS under the menu item “My Data/Profile”. Here you always have an overview of which information comes from which data source and can adjust or delete it at any time if required.

Cashback – By participating in the Cashback Program, BitsaboutMe will receive the data requested in the Cashback Program from your PDS on your behalf for the purposes and conditions specifically defined therein. In particular, BitsaboutMe obtains the right to process and analyze this data and to use the results in anonymized or pseudonymized form for research purposes through their explicit consent.

Newsletter – If you agree to receive our newsletter (opt-in), we use your personal data (in particular your email address) to send it. We may also involve third parties. Our newsletters may contain information and offers about our own services as well as services of third parties that are connected with the services of BitsaboutMe. You can unsubscribe to the newsletter at any time in your BitsaboutMe account or directly via the unsubscribe link in the corresponding email.

Web analysis “Cookies and tracking pixels” – On our website we use “cookies” and “tracking pixels”. These technologies enable us to collect and evaluate statistical data about the use of our website in order to continually improve our services. A cookie is a small data package that is sent from the web server to your browser and stored on your computer’s hard drive (you can delete or refuse cookies at any time using your browser settings). A pixel-code is a file that is implemented on our website and makes it possible to collect statistical usage data, such as the evaluation of visitor traffic.

The only cookie we use is the so-called session cookie. This is essential for the functioning of our services and is automatically deleted at the end of your session. We deliberately refrain from permanent cookies and especially cookies from third party providers, as they are usually used for tracking users. This results in a small loss of convenience, e.g. we have to wait until after logging in to set your preferences (e.g. language selection) in our services.

When using counting pixels for web analysis we work with the open source software Matomo (Matomo.org), which allows us to ensure your privacy. We deliberately refrain from using Google Analytics and other third-party analysis services.

Social media plugins – Your BitsaboutMe account / our services includes functions (so-called plugins) to connect to various third-party providers of social media platforms (such as Facebook, Twitter, Instagram). We use a special “two-click” implementation of these plugins to protect your privacy, where data is only exchanged with third parties if the plugins are activated by you, i.e. clicked. As long as these plugins are only displayed, no data exchange takes place. These plugins allow you to share content on social networks. If you activate these plugins while surfing the website (e.g. “share button” of Facebook), a connection to the servers of this website is established. Data can be transferred to this third party provider. If you are logged in to this third party’s network at the same time, your visit to BitsaboutMe can be assigned to your network account (e.g. Facebook account). BitsaboutMe has no influence on the way this data is transmitted. The purpose and scope of the data collection and the further processing and use of the data by your social media provider as well as your rights and setting options for the protection of your privacy can be found in the data protection information of this provider.

5. Passing on data to third parties

We may involve third parties in the processing of personal data. This is particularly the case when it makes our services safer and more reliable and generally serves the purpose of the contract. We share personal data with the following categories of order data processors.

Contractors working with BitaboutMe – In certain cases (in particular to improve and protect our services) it may make sense for us to use third-party services (e.g. hosting providers, IT support, web analysis services and marketing services providers). When selecting these contractual partners, we pay particular attention to their trustworthiness and contractually ensure that any personal data transmitted is processed exclusively on our behalf and according to our instructions within the scope of the respective contractual purpose and wherever possible anonymised or encrypted and is not passed on.

Our most important data relevant service providers are:

  • OVH, 59100 ROUBAIX, FR – Internet hosting

We rent our servers and data storage from OVH, in the most modern data centers within the EU and manage this infrastructure independently.

  • MailChimp, The Rocket Science Group LLC, Atlanta GA, US – Newsletter dispatch

We use MailChimp to send our newsletters. If you register for our newsletter, we will share your email address as well as your first and last name with MailChimp.

We will never share or sell your personal information to advertisers or third parties who are not contractors without your explicit consent.

Transmission of personal data abroad – If a transfer of your personal data to contracted service providers appears appropriate for the data processing described in these data protection guidelines, we are entitled to transfer these to third parties abroad. These third parties are obliged to the same extent as we ourselves to protect data. If the level of data protection in a country does not meet the European and Swiss requirements, we will contractually ensure that the protection of your personal data corresponds to that of the EU and Switzerland. In doing so, we use contracts that comply with the standards of the European Commission (which are also recognised in Switzerland), ensure that the commissioned service providers are data protection certified (e.g. by means of Swiss-US or EU-US Privacy Shield) or ensure that there are binding corporate rules (BCR) recognised by a data protection authority.

6. How we protect your data

Location – Unless the privacy policy states otherwise, your data will only be stored and processed within the EU and Switzerland in trusted data centers of leading providers. We contractually ensure that the data protection rights applicable between you and BitsaboutMe are also guaranteed in the relationship between BitsaboutMe and the respective provider.

Security – It is BitsaboutMe’s top priority to protect your data against manipulation, loss and against unauthorised access by third parties by means of suitable technical and organisational measures and to continuously improve our security measures in line with technological developments. Our employees and the third parties commissioned by us have been obligated by us to secrecy and to adhere to these data protection guidelines. All data, logins and passwords in your PDS are stored individually encrypted at the user level and can only be decrypted with your personal password or with the help of an access token. BitsaboutMe generates and stores individual access tokens to enable automatic updates of PDS data and reset of lost passwords. BitsaboutMe always uses recognized, high standards of encryption technology, i.e. exclusively HTTPS for data transfer as well as SQLCipher, an open source extension of SQLite that ensures transparent 256-bit AES encryption of the data in the PDS.

Duration – We store your data only as long as we need it to offer you our services according to our Terms and Conditions or as we are legally obliged to do so. If you delete your BitsaboutMe account or object to the processing of your data, we will always delete your data immediately. If you have not used your BitsaboutMe account for 12 months, we will irrevocably delete your data unless you agree to further storage at our request by email.

If, due to misuse, payment defaults or other legitimate reasons, we wish to refuse further business contacts with an affected person or take legal action against you, we reserve the right to retain the relevant personal data such as name, address and email address for five years, in the event of a repeat for ten years.

7. These are your rights: information, deletion and data export right

It is the explicit goal of BitsaboutMe to make it as easy as possible for you to exercise these rights. Wherever it makes sense and is appropriate, we incorporate the relevant functionalities into our services and make them easily accessible and applicable.

Upon your request, we will provide you with information as to whether and, if so, which personal data about you will be processed (right to confirmation, right to information). At your request:

  • we waive the processing of personal data in whole or in part (right to revoke your consent to the processing of personal data that is not absolutely necessary; right to be forgotten).
  • we correct the corresponding personal data (right to correction);
  • we restrict the processing of the relevant personal data (right to restrict processing; in this case we will only store your personal data or use it to protect our legal claims or the rights of another person);
  • you will receive the relevant personal data in a structured, common and machine-readable format (right to data transferability).

To make such a request to exercise a right described in this section, for example if you no longer wish to receive email newsletters from us or wish to delete your BitsaboutMe account, please use the appropriate feature on our website or contact our Data Protection Officer (privacy@bitsabout.me).

If we do not comply with a request, we will inform you of the reasons. For example, we may refuse to delete in a legally permissible manner if your personal data is still required for the original purposes (for example, if you continue to purchase a service from us), if the processing is based on a mandatory legal basis (for example, statutory accounting regulations), or if we have an overriding interest of our own (for example, in the event of a legal dispute against the data subject).

8. Changes

Privacy policy – BitsaboutMe reserves the right to amend or modify this Privacy Policy from time to time in accordance with the provisions of Section 1 of the Terms and Conditions.

Legal status – You have control over your personal information and we will only import and store it securely for you on your behalf. This also applies in the event of changes as part of any restructuring, merger, acquisition or sale of BitsaboutMe. Your personal data will always remain encrypted. In the event of a structural change, BitsaboutMe will notify you in a timely manner via the email address associated with your BitsaboutMe account. If you do not agree with such a change, you have the option to download your data from your PDS and/or permanently delete your BitsaboutMe account with all data.

BitsaboutMe AG – all rights reserved. Version October 2023

Appendix 1 – List of data sources that can be imported into the Personal Data Store (PDS)

It is currently possible to connect the following data sources and copy data contained therein into the PDS:

  • Migros
  • Coop
  • Amazon
  • Lidl
  • REWE
  • Hypothekarbank Lenzburg AG (HBL)
  • Apple
  • Receipt Scanner

To connect a data source, enter your login data (usually user name/email and password). With this information, you allow:

  • BitsaboutMe to access the corresponding data source and the data it contains on your behalf;
  • data from the data source to be stored and encrypted in your PDS;
  • your login data to be encrypted and stored in the PDS;
  • every time you log in to your BitsaboutMe account, the data source is to be compared and the data to be updated if necessary;
  • the data in your PDS to be analyzed, visualized and displayed according to your criteria in the private statistics area;
  • parts of the data to be used to create your profile.

You can terminate this connection at any time and delete the associated data by disconnecting the corresponding source in the My Data/Data Source area. All data in the PDS are irretrievably deleted, the original data in the corresponding source remain unchanged.

In detail, we process the following data for you:

Migros

SourceMigros
Data– Purchased items (date, time, description, price)
– Name of Migros branch
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to your Cumulus account
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the Migros source deletes all Migros data in the PDS.
SourceCoop
Data– Purchased items (date, time, description, price)
– Name of Coop branch
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to your digital receipts
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the Coop source deletes all Coop data in the PDS.

Lidl

SourceLidl Plus
Data– Purchased items (date, time, description, price)
– Name of Coop branch
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to your digital receipts
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the Lidl source deletes all Lidl data in the PDS.

REWE

SourceREWE
Data– Purchased items (date, time, description, price, quantity)
– Address of REWE branch
Purpose– Archiving
– Analysis and visualization of stored data
Processing– Access to your digital receipts
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the REWE source deletes all REWE data in the PDS.

GPS

SourceGPS
Data– Location data
Purpose– Archiving
– Analysis and visualization of stored data
Processing– Access to your mobile GPS
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the GPS source deletes all GPS data in the PDS.

Hypothekarbank Lenzburg AG (HBL)

SourceHypothekarbank Lenzburg AG (HBL)
DataAccounts and transaction data:
– List of accounts
– Account movements (date, account number, amount, reference text, bank code, bank name)
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to Hypothekarbank Lenzburg (HBL) account
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the HBL source deletes all account movements and profile data in the PDS.
Data that has been transferred to your own profile can be deleted there.

Apple

SourceApple
Data– Health information (steps, calories, height, weight)
– Apple IDFA
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to your Apple data
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the Apple source deletes all Apple data in the PDS.
Data that has been transferred to your own profile can be deleted there.

Receipt Scanner

SourceReceipt Scanner
Data– Name of the retailer
– Purchased items (name, price, quantity, currency, total price)
– Payment method
– Day, date and time of the purchase
– Address of the store
Purpose– Archiving
– Analysis and visualization of stored data
– Creation of the BitsaboutMe profile that can be used and shared on the marketplace with prior consent
Processing– Access to scanned receipts
– Copying the above data to the PDS
– Analysis and visualization
DeletionDisconnecting/deleting the source of receipts deletes all scanned purchase data in the PDS.
Data that has been transferred to your own profile can be deleted there.

Appendix 2 – The 7 Foundational Principles of Privacy by Design

1. Proactive not reactive; preventative not remedial

The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

2. Privacy as the default

We can all be certain of one thing − the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.

3. Privacy embedded into design

Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.

4. Full functionality – positive-sum, not zero-sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “winwin” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.

5. End-to-end security – lifecycle protection

Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.

6. Visibility and transparency

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike. Remember, trust but verify!

7. Respect for user privacy

Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!