The Provider is responsible for the careful and conscientious handling of the personal information of its Customers. The Provider is responsible for the collection, processing, disclosure, storage and protection of the personal information of its Customers and ensures compliance with the Swiss Federal Act on Data Protection (“FADP”) insofar as protected data of Swiss Customers is concerned; and ensures compliance with the EU General Data Protection Regulation (“GDPR”) insofar as the protected data of Customers from the EU area is concerned.
1. Contact details
The data controller for data processing is:
Alte Jonastrasse 24
+41 (0)71 552 00 60
The Data Protection Officer can be reached at email@example.com .
2. Applicable Law
Data processing carried out by the Provider is subject to the following law in each case:
Data of Swiss Customers
Data of Customers from the EU area
In addition to Swiss law, Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation, GDPR) is applicable to the processing of data of Customers from the EU area. See also Section 13 (additional regulations for Customers from the EU area).
3. Type and scope of the collection of personal data
When visiting our website (without login)
When Customers visit the Provider’s online presence outside the protected login area, the web server technology automatically logs general technical visit information. This includes, among other things, the IP address of the device being used, which is, however, anonymized by Google before being stored so that it can no longer be assigned to the Customer. Google uses the _anonymizeIp() method for this purpose. This also includes information on the browser type, the Internet service provider and the operating system being used.
When using the bexio cloud software (with login)
During the free trial access as well as during the paid use of the bexio software within the protected login area, all data entered or submitted by the Customer during the registration process and during the use of the software will also be stored. This is particularly the case when the Customer registers, places orders, fills out online forms, participates in surveys or contests, corresponds with the Provider online or offline, or interacts with the Provider via social media, blogs or other interactive media.
As a rule, the personal master data (name, address, email address) and the settings required for the respective service are collected here. Further information on data processing and its purposes can be found in Annex A to the Order Processing Contract.
Data exchange with third parties / trustees
Customers have the option to share their data with third parties, e.g., its personal trustee, directly or as part of the Provider’s trustee partner program. By granting access rights, the Customer agrees that the Provider may provide third parties (e.g., the trustee) with all the Customer’s data or allow access to it. The Customer retains full control over the third party’s access rights to the data at all times and can restrict or deny access at any time.
In addition, the Provider allows the third party (e.g., the trustee) to open a bexio account itself as a customer. In this case, the third party or trustee, manages the access rights as a customer and can grant, restrict or deny these rights to third parties. However, the Provider reserves the right to release specific data to authorized third parties in justified individual cases.
App marketplace / Third-party add-ons
The Provider provides the Customer with an interface (“API”) to communicate with third-party software. This enables the Customer to integrate various additional packages or offers from third-party providers (“Add-ons”) in addition to the bexio software. The Customer can order various Add-ons in the Provider’s App Marketplace. The Customer may also grant other third-party providers the right to use the interface to its bexio account. Unless expressly agreed otherwise, contractual relationships regarding the use of third-party Add-ons are established exclusively between the Customer and the third-party provider.
If access rights are required for the use of an Add-on, by ordering or integrating the Add-on, the Customer thereby expressly agrees to grant all necessary access rights. The Provider shall then be entitled to provide or permit access to all Customer data required for the use of the Add-on. The Customer shall at all times retain full control over the access rights of the third-party provider to its data and may restrict or deny access at any time. The Customer agrees that the Provider or the third-party provider may exchange data with the third-party provider when using other Add-ons.
Third-party consulting services
When the Customer uses the optionally available banking functions (“Bank Interfaces”) of the Provider or when the Customer connects its own account to a bank, data is exchanged between the Provider and the bank. The Bank Interfaces are provided in part directly in cooperation with the respective bank and in part via the SIX BBS AG bLink platform. The processed data also includes payment and specific bank information such as IBAN, account information, etc. For the purpose of troubleshooting and error alerts, the Provider stores the following log data for a period of one month when the banking functions are used: database abbreviation, Bank BIC, technical steps (e.g., authentication, file sent, file retrieved, logout) as well as the date and time.
The Provider may send to the users of the Bank Interfaces, or to the employees with access rights to them, messages regarding the existing Bank Interfaces and the connected bank. Personal data may be processed for this purpose. Customers who no longer wish to receive messages about banking may unsubscribe at any time via the “unsubscribe” link.
Other partner functions
When the Customer uses any other optionally available partner functions of the Provider or when the Customer connects its own account to a partner, data will be exchanged between the Provider and the partner.
4. Data security
The Provider uses technical and organizational security measures in accordance with recognized market standards to protect stored personal data from accidental, unlawful or unauthorized tampering, deletion, alteration, access, disclosure or use, and against partial or complete loss. The Provider’s servers are located in Switzerland. Certain services can be processed via servers in other countries – with an appropriate level of data protection – whereby the requirements according to the FADP or the GDPR are fully complied with at all times. The connection to the servers is made using SSL encryption. The Provider regularly backs up the customer data. In order to prevent data loss even in extreme cases (e.g., the destruction of the data center by an earthquake), the encrypted backups are also stored in several data centers in Switzerland and abroad. The requirements according to the FADP and the GDPR are fully complied with at all times. The security measures are continuously adapted and improved according to technological developments. The Provider assumes no liability for the loss of data or access to and use of the data by third parties. Furthermore, the Provider cannot guarantee the security of data transmission on the Internet. In particular, there is a risk of access by third parties when data is transmitted by email. However, access is protected by means of HTTPS. If explicitly requested by the Customer, the Customer can decide to use dual authentication at any time.
5. Purpose of the processing of personal data / Data recipients
The Provider processes the collected data in order to be able to continuously improve its products and services, to manage the use of and access to the applications, products and information, to maintain its business relationship with the Customers, to monitor and improve the performance of its offer, to detect, prevent or clarify illegal activities and to send the Customers offers, information and marketing materials about products or services which the Provider, based on the data, assumes could be of interest to the Customers. The data may also be disclosed to partner companies and service providers, selected third-party companies, institutes and/or legally authorized government authorities, both domestic and foreign, for processing, storage and use as part of the above-mentioned purposes. If personal information is processed or stored in countries that do not ensure adequate data protection compared to Swiss data protection law, the Provider shall require the processor under contractual obligation to fully comply with the relevant provisions of the FADP or – where the data of Customers from the EU area is concerned – with the GDPR.
The Provider has some of the aforementioned processes and services carried out by service providers who are based within the EU or Switzerland and who have been commissioned in accordance with data protection regulations. These are, in particular, companies in the categories of IT services, payment transactions, printing service providers, billing, collection and consulting, as well as sales and marketing and service providers used as part of order processing contracts.
6. Mobiliar Data Exchange Group
- Insurance companies belonging to the Mobiliar Group 1
- Other companies belonging to the Mobiliar Group 2
1 Insurance companies belonging to the Mobiliar Group include: Schweizerische Mobiliar Versicherungsgesellschaft AG, Schweizerische Mobiliar Lebensversicherungsgesellschaft AG, Protekta Rechtsschutz-Versicherung AG and SwissCaution SA.
2 Other companies belonging to the Mobiliar Group can be found at: https://www.mobiliar.ch/die-mobiliar/ueber-uns/unternehmen-der-gruppe-mobiliar
In particular, the exchange of data between the Provider and Mobiliar enables even greater use of existing synergies with the parent company. Under no circumstances will personal data requiring special protection be disclosed.
Mobiliar undertakes to process all data of which it becomes aware exclusively within the framework of data protection legislation and to comply with data protection security regulations. Mobiliar undertakes to maintain the confidentiality of the data of which it becomes aware.
The Provider and the Mobiliar Group are is entitled to process data in accordance with the following overview and to disclose it for the following purposes:
- Customer master comparison: customer master data is compared for statistical purposes. The comparison is used to analyze how many shared customers exist, how this proportion develops over time and how the shared customers are distributed geographically.
- Market segment analysis: data can be processed for the purpose of market segment analysis. The main purpose of market segmentation is to reveal differences between Customers in order to draw conclusions for marketing programs for specific segments (customer structure analysis).
- Information exchange: data can be processed for the purpose of information exchange between the Provider and Mobiliar. The main purpose is to be able to continuously improve the products and services offered to the Customer, to manage use and access to the applications, products and information, to maintain the business relationship with the Customer, to monitor and improve the performance of the offers.
- Marketing and analysis purposes: Data may be exchanged in order to provide Customers with offers, information or marketing materials about products and services which, based on the data, may be of interest to the Customer.
Cookies help to make the visit to the Provider’s website easier, more pleasant and more useful. Cookies are information files that the web browser automatically stores on the computer’s hard disk when the Customer visits the Provider’s website and uses the offers.
Customers can choose to manage the security settings in their browser and thus block or disable cookies that have been installed, in which case, certain services of the Provider may no longer be able to be (fully) used.
Tracking and analysis tools / Social media
The use of the Provider’s digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be both anonymous and personal. The collected data may in turn be transferred by the Provider or the third-party providers of these technical systems to third parties in Germany and abroad for processing. The most frequently used and best-known analytics tool is Google Analytics, a service provided by Google Inc. This means that the data collected may be transmitted to a Google server in the United States (or to a location specified by Google).
If Customers do not want their website activity to be made available to Google Analytics, they can install the browser add-on to disable Google Analytics: https://support.google.com/analytics/answer/181881?hl=en
The analysis of data by other tools of the website owner is not prevented when Customers use the add-on. Data may still be sent to the website or to other web analytics services.
Finally, the Provider collects certain information about its website in so-called server log files, which are automatically transmitted by the Customer’s Internet browser. This includes the user agent (browser type and version, operating system used), http header information (referrer URL, IP address of the accessing computer), the time of the server request and the login status. These server log files are only merged with other data sources for error analysis.
Technologies for advertising purposes
The Provider’s website uses the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. This enables interest-based, personalized advertising messages that have been adapted to the Customer based on the Customer’s previous usage and browsing behavior on one end device (e.g., cell phone) to be displayed on another end device (e.g., tablet or PC).
If the Customer has given Google the corresponding consent, Google links the Customer’s web and app browsing history with the Customer’s Google account for this purpose. This enables the same personalized advertising messages to be displayed on every end device on which the Customer logs in with their Google account.
To support this feature, Google Analytics collects the Google-authenticated IDs of users, which are temporarily linked to the Provider’s Google Analytics data to define and create target groups for cross-device advertising.
Customers can permanently object to cross-device remarketing by disabling personalized advertising in their Google account: https://www.google.com/settings/ads/onweb/
The Provider’s website also uses the online advertising program Google AdWords. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
In the context of Google AdWords, the Provider uses conversion tracking. When the Customer clicks on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the Customer’s computer. These cookies expire after 30 days at the latest and are not used for identification. If the Customer visits our website and the cookie has not yet expired, Google and the Provider can recognize that the Customer clicked on the ad and was redirected to this page.
Google informs the provider of the total number of users who clicked on its ad and were redirected to its website, which contains a conversion tracking tag. However, the Provider does not receive any information with which it can personally identify the Customer.
Customers can prevent the storage of cookies by adjusting their browser software settings accordingly. However, the Provider would like to point out the fact that if the storage of cookies is disabled, certain features of this website may not be fully available. Customers can also prevent tracking by disabling the Google conversion tracking cookie via their Internet browser under User Settings.
The Provider’s website additionally uses the visitor action pixel from Facebook. The provider is Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.
The Facebook pixel can be used to track the behavior of website visitors after they have been redirected to the Provider’s website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and allows future advertising measures to be optimized.
The collected data is anonymous for the Provider. The Provider cannot draw any conclusions about the identity of the Customers. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and so that Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Usage Policy. This allows Facebook to place advertisements on Facebook pages as well as outside of Facebook. The Provider cannot influence this use of the data.
Customers can permanently object to remarketing by disabling the “Custom Audiences” remarketing function in the Ad Settings area under the following link. To do this, Customers must be logged in to Facebook: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Customers who do not have a Facebook account may opt out of Facebook usage-based advertising on the European Interactive Digital Advertising Alliance website at the following link: https://www.youronlinechoices.com/uk/your-ad-choices
Integration of third-party offers / Social media
The Provider’s digital offerings are networked with third-party functions and systems in a variety of ways, for example by integrating plug-ins from third-party social networks such as Facebook, Twitter, etc. If the Customer has a user account with these third parties, they may also be able to measure and evaluate the use of the Provider’s digital offerings. In the process, additional personal data, such as IP address, browser settings and other parameters may be transmitted to these third parties and stored there. The Provider has no control over the use of such personal data collected by third parties and assumes no responsibility or liability. Moreover, the Provider has no detailed knowledge of what data is transmitted to the third parties, where it is transmitted to, and whether it is anonymized.
Plugins from YouTube are integrated on the Provider’s website. The provider is YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
The YouTube plugin establishes a connection to the YouTube servers. In doing so, the YouTube server is informed about which of the Provider’s pages the Customer has visited.
If Customers are logged into their YouTube account, YouTube can assign their browsing behavior directly to their personal profile. Customers can prevent this by logging out of their YouTube user account.
The Provider’s website uses the map service Google Maps via an API. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If the Customer uses the functions of Google Maps, the Customer’s IP address is stored by Google and usually transmitted to a Google server in the USA. The Provider has no influence on this data transfer.
8. Profiling / Automated decision-making
Profiling is the automated processing of personal data in order to analyze or predict certain personal aspects or behavior. This makes it possible, for example, to provide Customers with more individualized support and advice or to better tailor offers to individual customer needs.
An “automated individual decision” is a decision that is fully automated, i.e., without relevant human influence, and that has negative legal effects on the Customer or other similarly negative effects. As a rule, the Provider does not make automated individual decisions. The Provider will inform the Customer separately if it uses automated individual decisions in individual cases. In such a case, the Customer has the option of having this decision reviewed manually by an employee of the Provider.
9. Communication by email and/or newsletter
If the Customer wishes to receive a newsletter offered on the Provider’s website, the Provider requires an email address and other information that allows verification that the email address provided is correct and that the Customer agrees to receive the newsletter (the “double-opt-in” procedure).
The newsletter provides regular recommendations and offers that may be of interest to the Customer. For this purpose, the Provider collects and processes personal data regarding the Customer’s usage behavior on the website, in the bexio software and in relation to the use of the newsletter (e.g., whether the Customer opens the newsletter or on which web URL links the Customer clicks). The Provider evaluates this data for statistical purposes in order to better tailor the content of the newsletter to the interests of its Customers.
The processing of the personal data entered in the newsletter registration form is based on the Customer’s consent, which the Customer can revoke at any time with effect for the future. The Customer may withdraw this consent at any time via the “unsubscribe” link in the newsletter. The personal data collected is used for the design of the content and for sending of newsletter.
The Provider stores the personal data provided by the Customer for the purpose of receiving the newsletter until the Customer unsubscribes from the newsletter.
10. Duration of storage
The Provider processes and stores personal data as long as the Customer uses the Service. It should be noted that the contractual relationship between the Provider and the Customer is a continuing obligation, which is designed to last for years.
After termination of the contractual relationship, the Provider is generally not obliged to store the Customer’s data. For this reason, data that is no longer required is regularly deleted. This does not apply to data which is required for further processing due to legal regulations or for mandatory internal purposes.
11. Information, rectification, erasure, blocking, consent
With regard to their personal data, Customers have the following rights according to the FADP or the GDPR. In principle, the Provider grants the rights contained in the GDPR to Swiss customers as well. However, the Provider reserves the right to make a different assessment in individual cases.
- The right to information (Art. 8 FADP, Art. 15 GDPR);
- The right to rectification (Art. 5 para. 2 FADP, Art. 16 GDPR);
- The right to erasure (Art. 17 GDPR);
- The right to restriction of processing (Art. 18 GDPR);
- The right to data portability (Art. 20 GDPR); and
- The right to object (Art. 21 GDPR).
In the case of the rights mentioned above, any restrictions of the GDPR as well as the respective applicable Swiss data protection laws or other national laws shall apply.
Insofar as the Customer is asked to give consent in connection with the Provider’s services, the Customer gives this consent by clicking on the corresponding checkbox. The Provider is then entitled to collect, process, use and disclose the Customer’s personal data accordingly.
12. Links to other websites
The Provider’s website contains hyperlinks to third-party websites that are not operated or controlled by the Provider. The Provider is not responsible for the content or data protection practices of these third-party websites.
13. Additional regulations for Customers from the EU-area
The following regulations are only applicable to Customers from the EU area, they do not apply to Swiss Customers.
Legal basis of processing
The processing of data for the purposes stated in Section 5 is carried out in accordance with Article 6 (1) (b) GDPR for the performance of the contract. The subject matter of the contract is the above-mentioned services.
Likewise, the processing of data, as described above, is carried out to protect the legitimate interests of the Provider (Article 6 (1) (f) GDPR). These legitimate interests are to improve the products and services (including the delivery of direct advertising), to monitor and improve the performance of the offer and to detect, prevent or clarify illegal activities.
In addition, the data is processed in accordance with Article 6 (1) (c) GDPR to fulfill legal obligations (e.g., the storage and documentation obligations of the Provider). This includes in particular the personal master data.
If Customers are of the opinion that one or more of the purposes mentioned under Section 5 is/are not covered by the legal bases mentioned above, Customers may request the Provider to stop processing their personal data for certain individual purposes (opt-out). The decision to opt-out shall not prevent Customers from the further use of the Provider’s SaaS services, unless such use necessarily requires the corresponding data processing. Customers may send an opt-out request in writing to the Provider’s address mentioned above. However, it is also sufficient to send an email to: firstname.lastname@example.org.
Right to lodge a complaint
If Customers are of the opinion that the processing of their personal data violates the GDPR, they have the right of appeal to a competent supervisory authority pursuant to Article 77 GDPR.
The Provider will of course be pleased to answer the Customer’s questions and requests before a complaint is lodged. For this purpose, the Customer may contact the Provider in writing or by email (email@example.com).
Last version: June 2022
Alte Jonastrasse 24