In the present case, the Provider is responsible for the careful and conscientious handling of the personal information of its customers. The Provider is responsible for the collection, processing, disclosure, storage and protection of its customers' personal information and ensures compliance with applicable data protection legislation.
1. Contact information
The data controller responsible for data processing is:
Alte Jonastrasse 24
+41 (0)71 552 00 60
The data protection officer can be reached at [email protected].
2. Governing law
3. Nature and scope of the collection of personal data
We primarily process the personal data that we receive from our customers and other business partners in the context of our business relationships with such parties, as well as other persons involved in them, or that we collect from the users of our websites, apps and other applications when they operate these services.
Insofar as is permitted, we also extract certain data from publicly accessible sources (e.g., debt collection registers, land registers, commercial registers, press, Internet) or receive such data from other companies within the Mobiliar group (see Chapter 6), from authorities and other third parties. In addition to the data that you give us directly, the categories of personal data that we receive about you from third parties include, in particular:
- information from public registers
- information that we learn in connection with official and judicial proceedings
- information in connection with your professional roles and activities (so that we can, for example, conclude and conduct business with your employer with your help)
- information about you in correspondence and meetings with third parties
- creditworthiness information (insofar as we personally conduct business with you)
- information about you that people from your environment (family, consultants, legal representatives, etc.) give us, so that we can conclude or process contracts with you or with your involvement (e.g., references, your address for deliveries, powers of attorney, information on compliance with legal requirements such as anti-money laundering and export restrictions)
- information from banks, insurance companies, sales and other contractual partners of ours on your use of services or provision of some performance (e.g., payments made, purchases made)
- information from the media and the Internet about you (insofar as this is indicated in the specific case, e.g., in the context of an application, press review, marketing/sales, etc.)
- your addresses and, if applicable, interests and other socio-demographic data (for marketing)
- data in connection with the use of the website (e.g., IP address, MAC address of the smartphone or computer, information about your device and settings, cookies, date and time of the visit, pages and content accessed, functions used, referring website, location information)
When visiting our website (without logging in)
If customers visit the Provider's website outside the area protected by login, the web server technology used automatically logs general technical information about their visit. This includes, among other things, the IP address of the device used (this is anonymised by Google before being stored, which means that it can no longer be associated with the customer; Google uses the _anonymizeIp() method for this). It also includes information on the browser type, the Internet service provider and the operating system used.
When using the bexio Cloud software (logged in)
During free trial access and when using the bexio software for a fee within the area protected by login, all data entered or submitted by the customer during the registration process and during use of the software will also be stored. This is particularly the case if the customer registers, carries out orders, fills out online forms, participates in surveys or competitions, corresponds with the Provider online or offline, or comes into contact with the Provider via social media, blogs or other interactive media.
Here, the personal master data (name, address, email address) and the settings required for the service in question are usually collected.
Data exchange with third parties/trustees
The customer has the option of sharing their data with third parties, e.g., their personal trustee, directly or within the framework of the Provider's trustee partner programme. By granting access rights, the customer consents to the Provider making all data of the customer concerned available to third parties (e.g., the trustee) or allowing them access to it. The customer retains full control over the third party's access rights to their data at all times and may restrict or refuse access at any time.
In addition, the Provider allows the third party (e.g., trustee) to open a bexio account themselves as a customer. In this case, the third party or trustee manages the access rights as a customer and may grant, restrict or refuse them to third parties. However, the Provider reserves the right to disclose specific data to authorised third parties in justified individual cases.
App marketplace/third-party add-ons
The Provider provides the Customer with an interface (API) for communicating with third-party software. As a result, the customer has the option of integrating various additional packages or offers from third-party providers ("add-ons") in addition to the bexio software. The customer can order various add-ons in the Provider's app marketplace. In addition, the customer can grant other third-party Providers the right to use the interface to their bexio account. Unless expressly agreed otherwise, a contractual relationship regarding the use of third-party add-ons will come into being exclusively between the customer and the third-party provider.
If access rights are required for the use of an add-on, the customer expressly agrees to grant all necessary access rights when ordering or integrating the add-on. The Provider is then entitled to make all customer data necessary for the use of the add-on available, or to allow access to it. The customer retains full control over the third party provider's access rights to their data at all times and may restrict or refuse access at any time. The customer consents to the Provider or the third-party provider exchanging data with this third-party provider when other add-ons are used.
Third-party consulting services
The Provider offers its customers consulting services from third-party providers. In order for the third-party provider to be able to check the permissions of customers and have the necessary contact details, the following data, among other things, will be transmitted to the third-party provider: name/business of the company; address (street, postcode, city, additional address information); contracts concluded between the Provider and the customer; telephone number(s); email address(es). In all other respects, reference is made to the privacy policies of the third-party providers, in each case, as amended.
When using the optionally available banking features ("bank interfaces") of the Provider or when connecting one's own account to a bank, data is exchanged between the Provider and the bank in question. The bank interfaces are made available by SIX BBS AG, partly directly, in cooperation with the bank in question, and partly via the bLink platform. The processed data also includes payment- and bank-specific information, such as IBAN, account information, etc. For the purpose of troubleshooting and error alerting, the Provider stores the following log data for a duration of one month when the banking features are used: database abbreviation, bank BIC, technical steps (e.g., authentication, file sent, file retrieved, logout), and date and time.
The Provider may send the users of the bank interfaces, or the authorised employees, notifications relating to the existing bank interfaces and the associated bank. Personal data may be processed for this purpose. Users can revoke their consent for these banking-specific messages via the "unsubscribe" link.
Additional partner features
When using any other optionally available partner features of the Provider, or when connecting one's own account to a partner, data is exchanged between the Provider and the partner in question.
4. Purposes of the data processing and legal basis
We primarily use the personal data we collect to conclude and process our contracts with our customers and business partners, particularly within the scope of the bexio software and the software-as-a-service services for our customers and the purchase of products and services from our suppliers and subcontractors, as well as to comply with our legal obligations in Switzerland and abroad. If you work for such a customer or business partner, you may, of course, also be affected by this with your personal data in this role.
In addition, we process personal data about you and other persons, insofar as this is permitted and appears to us to be appropriate, including for the following purposes, in which we (and sometimes also third parties) have a legitimate interest corresponding to the purpose:
- To offer and further develop our offers, services and websites, apps and other platforms on which we are present
- To communicate with third parties and process their enquiries (e.g., applications, media enquiries)
- To review and optimise procedures for needs analysis for the purpose of direct customer contact and to collect personal data from publicly accessible sources for the purpose of customer acquisition
- Advertising and marketing (including the organisation of events), insofar as you have not objected to the use of your data (if we send advertising to you as an existing customer, you can object to this at any time; we will then place you on a blacklist to prevent further advertising mailings)
- Market and opinion research, media monitoring
- To assert legal claims and defence in connection with any legal disputes and official proceedings
- To prevent and investigate criminal offences and other misconduct (e.g., to carry out internal investigations, to analyse data to combat fraud, to comply with official instructions and orders)
- To guarantee our operations, in particular, the IT, our websites, apps and other platforms
- Video surveillance to safeguard our rights as a proprietor and other measures for IT, building and system security and to protect our employees as well as other persons and valuable objects belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone recordings)
- The purchase and sale of business units, companies or parts of companies, and other transactions under company law, and the transfer of personal data in connection with this, as well as measures for the purposes of business management and, where applicable, to comply with legal and regulatory obligations and internal regulations
If you have given us your consent to process your personal data for certain purposes (for example, when you register to receive newsletters or for a background check to be performed), we will process your personal data within the framework of and on the basis of this consent, insofar as we have no other legal basis and require such a basis. Consent that has been provided can be revoked at any time, though this has no effect on data processing that has already taken place.
5. Disclosure of personal data
In the course of our business activities and for the purposes set out in the above section, we also disclose personal data to third parties, insofar as this is permitted and appears to us to be appropriate, either because these third parties process it for us or because they want to use it for their own purposes. This applies, in particular, to the following bodies:
- Service providers of ours (internal and external, such as payment processors), including order processors (such as IT providers)
- Dealers, suppliers, subcontractors and other business partners
- Purchasers of or parties interested in the acquisition of business units, companies or other parts of the Provider
- Other parties in any possible or actual legal proceedings
- Other companies of the Mobiliar group in accordance with Chapter 6
All are collectively referred to as "recipients".
All personal data of our customers that is stored in the bexio software will be stored and processed exclusively in Switzerland.
These recipients are primarily located in Switzerland, but can also be located abroad. In particular, you must expect your data to be transferred to all countries in Europe and the USA, where the service providers we use are located (such as Google Drive, Zoom, etc.). In particular, the Provider has individual data processing carried out by service providers based in the EU or Switzerland who comply with data protection regulations. These include, in particular, companies in the categories of IT services, payment transactions, printing service providers, billing, debt collection and consulting, as well as sales and marketing, and service providers that are used within the scope of contracts for commissioned data processing.
If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection standards (for this, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless it is already subject to a legally recognised set of rules for ensuring data protection or we are able to rely on an exemption provision. An exception may apply, in particular, in the event of legal proceedings abroad, but also in cases of overriding public interest or if such disclosure is required to execute a contract, if you have given your consent, or if it relates to data that you have made generally accessible and whose processing you have not objected to.
6. Data exchange within the Mobiliar Group
- Insurance companies of the Mobiliar Group [1]
- Other companies belonging to the Mobiliar Group [2]
[1] The insurance companies of the Mobiliar Group include: Schweizerische Mobiliar Versicherungsgesellschaft AG, Schweizerische Mobiliar Lebensversicherungsgesellschaft AG, Protekta Rechtsschutz-Versicherung AG and SwissCaution SA.
[2] Other companies belonging to the Mobiliar Group can be found at: https://www.mobiliar.ch/die-mobiliar/ueber-uns/unternehmen-der-gruppe-mobiliar
The exchange of data between the Provider and Mobiliar enables, in particular, even greater harnessing of existing synergies with the parent company. Particularly sensitive personal data (i.e., data that is particularly worthy of protection) will not be passed on under any circumstances.
Mobiliar is obliged to process all data that it becomes aware of exclusively within the framework of data protection legislation and to comply with data protection security regulations. Mobiliar is obliged to maintain confidentiality regarding the data it becomes aware of.
The Provider and the Mobiliar Group are entitled to process data in accordance with the following list, or to pass it on for the following purposes:
- Customer base matching: customer master data is matched for statistical purposes. When this matching is carried out, analyses are performed of how many joint customers there are, how this proportion of customers develops over time, and how the joint customers are distributed geographically.
- Market segment analysis: data can be processed for the purpose of market segment analysis. The main purpose of market segmentation is to uncover differences between customers in order to draw conclusions for segment-specific marketing programmes (customer structure analysis).
- Exchange of information: data may be processed for the purpose of exchange of information between the Provider and Mobiliar. The main purpose of this is to be able to continuously improve the products and services for the customer, to manage the use of and desired access to the applications, products and information, to maintain the business relationships with the customers, and to monitor and improve the performance of the offerings.
- Marketing and analytical purposes: data may be exchanged in order to provide customers with offers, information or marketing material about products or services which, based on the data, can be assumed to be of interest to the customer.
Cookies help make visits to the Provider's website easier, more pleasant and more meaningful. Cookies are information files that the web browser automatically stores on the computer's hard drive when the customer visits the Provider's website and takes advantage of offers.
The customer can independently manage their security settings in their browser and thus block or disable set cookies, though this may mean that certain services of the Provider may no longer be (fully) usable.
Tracking and analysis tools/social media
The use of the Provider's digital offers is measured and evaluated by means of various technical systems, predominantly by third-party providers such as Google Analytics. These measurements may be carried out both anonymously and in relation to a particular person. It is possible that the collected data may be passed on by the Provider or the third-party providers of such technical systems to third parties in Switzerland and abroad for processing. The most commonly used and well-known analysis tool is Google Analytics, a service provided by Google Inc. This means the collected data can, in principle, be transmitted to a Google server in the USA (or a location determined by Google).
The Provider's website uses Google Analytics, a web analysis service provided by Google Inc., with its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses so-called cookies, which are text files that are stored on the customer's computer and which enable the analysis of their usage of the website. The information generated by these cookies about use of the website (including the IP address, though this is anonymised by Google before being stored, so that it can no longer be associated with the customer) is transmitted to a Google server in the USA (or a location determined by Google) and stored there. Google will use this information to evaluate the use of the website, to compile reports on website activities for the Provider, and to provide other services connected to use of the website and Internet. Google may also pass this information on to third parties insofar as this is required by law or if third parties process the data on Google's behalf. Google shall in no event link customers' IP addresses with other Google data.
If the customer does not want their website activities to be available for Google Analytics, they can install the browser add-on to disable Google Analytics: https://support.google.com/analytics/answer/181881?hl=en
The analysis of data by other tools of the website owner is not prevented if the customer uses the add-on. Data can still be sent to the website or to other web analysis services.
Finally, the Provider collects certain information via its website in so-called server log files, which are automatically transmitted by the customer's Internet browser. These include, among other things, the user agent (browser type and browser version, operating system used), HTTP header information (referrer URL, IP address of the accessing computer), the time of the server request and the login status. These server log files are merged with other data sources only for error analysis.
Technologies for advertising purposes
The Provider's website uses the features of Google Analytics Remarketing combined with the Cross Device capabilities of Google AdWords and DoubleClick. This service is provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google").
This feature enables the target groups created with Google Analytics Remarketing to be linked with the Cross Device capabilities of Google AdWords and Google DoubleClick. This allows personalised advertising that is based on the customer's interests and identified from their previous usage and surfing behaviour on one device (e.g., your mobile phone) to be displayed on other devices (such as a tablet or computer).
If the customer has given Google the appropriate consent, Google will link the web and app browser history with the customer's Google account for this purpose. This allows the same personalised advertising messages to be displayed on every device on which the customer logs in with their Google account.
To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to the Provider's Google Analytics data to define and create target groups for cross-device ad targeting.
The customer can permanently object to cross-device remarketing by disabling personalised advertising in their Google account: https://www.google.com/settings/ads/onweb/
The Provider's website also uses the online advertising program Google AdWords. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, US.
As part of Google AdWords, the Provider uses so-called conversion tracking. When the customer clicks on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the customer's computer. These cookies expire after 30 days at the latest and are not used for personal identification. If the customer visits our website and the cookie has not yet expired, Google and the Provider can recognise that the customer has clicked on the ad and has been redirected to this page.
Google informs the Provider of the total number of users who clicked on its ad and were redirected to its website with a conversion tracking tag. However, the Provider does not receive any information with which it can personally identify the customer.
The customer can prevent the storage of cookies by setting their browser software accordingly. However, the Provider points out to the customer that the customer may not be able to use all the features of this website in full. The customer can also prevent tracking by disabling the Google Conversion Tracking cookie via their Internet browser under user settings.
The Provider's website also uses the visitor action pixel from Facebook; the provider is Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.
The Facebook Pixel can be used to track the behaviour of website visitors after they have been redirected to the Provider's website by clicking on a Facebook ad. This allows an analysis of the effectiveness of Facebook advertisements for statistical and market research purposes and optimisation of future advertising measures.
The data collected is anonymous for the Provider. The Provider cannot draw any conclusions about the identity of customers. However, the data is stored and processed by Facebook, which means that association with the user profile in question is possible and Facebook can use the data for its own advertising purposes in accordance with Facebook's data usage policy. This allows Facebook to display ads both on Facebook's pages and on third-party websites. The Provider cannot influence this use of the data.
The customer can permanently object to remarketing by disabling the "Custom Audiences" remarketing feature in the ad settings section under the following link. To do this, they must be logged in to Facebook: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
If the customer does not have a Facebook account, they can disable usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance at the following link: http://www.youronlinechoices.com/uk/your-ad-choices/
Integration of third-party offers/social media
The Provider's digital offers are networked with third-party features and systems in a variety of ways, such as by integrating plug-ins from third-party social networks, such as Facebook, Twitter, etc. If the customer has a user account with these third parties, these third parties may also be able to measure and evaluate their use of the Provider's digital offers. Other personal data, such as IP address, browser settings and other parameters, may be transmitted to these third parties and stored there. The Provider has no control over the use of personal data collected in this way by third parties and assumes no responsibility or liability in this regard. In other respects, the Provider has no detailed knowledge of which data is transmitted to these third-party providers, where it is transmitted, and whether it is anonymised.
Plug-ins from YouTube are integrated on the Provider's website. The provider is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
The YouTube plug-in establishes a connection to the YouTube servers. The YouTube server is informed about which of the Provider's pages the customer has visited.
If the customer is logged in to their YouTube account, YouTube can match their surfing behaviour directly with their personal profile. The customer can prevent this by logging out of their YouTube user account.
The Provider's website uses the Google Maps map service via an API. This is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If the customer uses the features of Google Maps, their IP address is stored by Google and usually transmitted to a Google server in the USA. The Provider has no influence over this data transfer.
8. Data security
The Provider uses technical and organisational security measures in accordance with recognised market standards to protect stored personal data against unintentional, unlawful or unauthorised manipulation, deletion, alteration, access, disclosure or use and against partial or complete loss. The Provider's servers are located in Switzerland. Certain services can be processed via servers in other countries – with an appropriate level of data protection – whereby the requirements of the FADP or GDPR are fully complied with at all times. The connection to our servers is made using SSL encryption. The Provider regularly performs backups of customer data. In order to prevent data loss even in extreme cases (e.g., destruction of the data centre by an earthquake), the encrypted backups are stored in parallel in several data centres in Switzerland and abroad. Our security measures are continuously adapted and improved in line with technological developments. The Provider cannot, however, guarantee the security of data transmission on the Internet; in particular, there is a risk of access by third parties when data is transmitted by email. Access to the service itself is protected using HTTPS. The customer can also opt for two-factor authentication at any time on explicit request.
9. Profiling/automated decision-making
We process your data in part automatically, with the aim of evaluating certain personal aspects (profiling). We use profiling, in particular, to be able to provide you with targeted information about products and advice. We use evaluation tools that enable us to provide needs-based communication and advertising, including market and opinion research.
In principle, we do not use fully automated decision-making (as regulated, for example, in Art. 22 GDPR) to establish and implement the business relationship or otherwise. If we use such procedures in individual cases, we will inform you of this separately, if required to do so by law, and will inform you of your associated rights.
10. Communication by email and/or newsletter
If the customer wishes to receive a newsletter offered on the Provider's website, the Provider requires an email address and other information that makes it possible to verify the email address provided and that the customer consents to receiving the newsletter ("double opt-in" procedure).
With the newsletter, the customer regularly receives recommendations and offers that might interest them. For this purpose, the Provider collects and processes personal data relating to the customer's usage behaviour on the website, in the bexio software, and in relation to use of the newsletter (e.g., whether the customer opens the newsletter or which web URL links they click on). The Provider evaluates this data for statistical purposes in order to better tailor the content of the newsletters to the interests of its customers.
The processing of the personal data entered in the newsletter registration form is based on the customer's consent, which they can revoke at any time with effect for the future. Users can revoke their consent via the "unsubscribe" link in the newsletter. The personal data collected will be used to design the content of newsletters and to send them.
The Provider stores the personal data deposited by customers for the purpose of receiving the newsletter until the customer unsubscribes from the newsletter.
11. Duration of storage
We process and store your personal data for as long as it is necessary to fulfil our contractual and legal obligations or for the purposes otherwise pursued by the processing, i.e., for the duration of the entire business relationship, for example (from initiation, to execution, to termination of a contract) and, beyond this, in accordance with statutory storage and documentation obligations. It is possible that personal data may be stored for the period during which claims can be made against our company and insofar as we are otherwise legally obliged to store it or legitimate business interests require its storage (e.g., for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will generally be deleted or anonymised as far as possible. For operational data (e.g., system logs, other logs), generally shorter retention periods of twelve months or less apply.
12. Data access, rectification, erasure, restriction of processing, and consent
Customers have the following rights with regard to their personal data in accordance with the FADP (in particular, Art. 25 ff FADP) or GDPR (in particular, Arts. 12–23 GDPR). In principle, the Provider also grants the rights contained in the GDPR to Swiss customers. However, the Provider reserves the right to make a different assessment in individual cases.
- The right of access
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to data portability
- The right to object
Please note, however, that we reserve the right to enforce the limitations imposed by law, such as when we are obliged to retain or process certain data, have an overriding interest in doing so (as far as we may invoke it), or require the data to assert claims. In the event that costs are incurred for you, we will inform you of this in advance. Please note that the exercise of these rights may conflict with contractual agreements and may have consequences such as premature termination of the contract or cost consequences. In this case, we will inform you of this in advance, if it is not already contractually regulated.
The exercise of such rights usually requires that you clearly prove your identity (e.g., by means of a copy of an identity card, where your identity is otherwise not clear or cannot be verified). To assert your rights, you can contact us at the address given in section 1.
Each data subject also has the right to enforce their claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch). The Provider is, of course, glad to receive the questions and wishes of customers in advance of a complaint. For this purpose, the customer can contact the Provider in writing or by email ([email protected]).
Insofar as the customer is asked to give their consent in connection with the Provider's services, they grant this consent by clicking on the corresponding checkbox. As a result, the Provider is entitled to collect, process, use and pass on the Customer's personal data accordingly.
The customer can, of course, revoke their consent at any time, though this does not affect the legality of the processing carried out on the basis of this consent up until the point of its withdrawal. The withdrawal of consent can be addressed in writing to the Provider's address, mentioned at the start. However, it is also sufficient to send an email to [email protected]. However, some of the services and features will no longer be available to the customer afterwards.
13. Links to other websites
The Provider's website contains hyperlinks to third-party websites that are not operated or controlled by the Provider. The Provider is not responsible for their content or data protection practices.