Privacy Policy

bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (hereinafter referred to as “bexio”) is the author of this Privacy Policy and the owner of the information (data) collected about you hereunder. In all other respects, bexio’s General Terms and Conditions (GT&Cs) shall apply.

We know that the careful handling of your personal information is important to you. That is why we appreciate your trust that bexio will handle this information in a conscientious manner. bexio is responsible for the collection, processing, transmission, storage, and protection of your personal information and ensures compliance with the Swiss Data Protection Act as far as data of Swiss customers is concerned as well as compliance with the General Data Protection Regulation of the EU as far as data of customers from the EU area is concerned.

The consent given by you with this Privacy Policy may be revoked at any time with effect for the future (see Section 10, last paragraph).

1. Contact Information

Responsible for data processing:

bexio AG
Alte Jonastrasse 24
8640 Rapperswil
Switzerland
+41 (0)71 552 00 60

You can reach the data protection officer of bexio AG at: datenschutz@bexio.com

2. Applicable Law

The data processing by bexio is subject to the following law:

Data of Swiss Customers and Swiss Visitors of Our Website
The processing of data of Swiss customers is exclusively governed by Swiss law, in particular the Swiss Federal Data Protection Act (DPA, Systematic Compilation of Federal Legislation 235.1) and the corresponding Regulation to the Swiss Federal Data Protection Act (Systematic Compilation of Federal Legislation 235.11). The General Data Protection Regulation of the EU (GDPR) does not apply. The applicability of the GDPR remains unaffected (i) insofar as it is expressly provided for in the Privacy Policy for certain areas, and (ii) insofar as the GDPR is also mandatory for data of Swiss customers due to special circumstances.

Data of Customers from the EU Area and Visitors of Our Website from the EU Area
In addition to Swiss law, Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free transmission of such data, and on the repeal of Directive 95/46/EC (General Data Protection Regulation, GDPR) applies to the processing of data of customers from the EU area. See also Section 12 (Additional Regulations for Customers from the EU Area).

3. Type and Scope of Personal Data Collection

When Visiting Our Website (Without Login)
If you visit our website outside the login-protected area, the web server technology we use automatically logs general technical visit information. This includes, among others, the IP address of the device used (which, however, is anonymised with Google before being saved, so that it can no longer be associated with you; Google uses the anonymizeIp() method for this), information about the browser type, the Internet service provider, and the operating system used.

When Using bexio’s Cloud Software (With Login)
During the free trial access and when using the software provided by bexio for a fee within the login-protected area, all data entered or submitted by the user during the registration process and when using the software is also stored. This applies, in particular, when you register, place orders, fill out online forms, take part in surveys or contests, correspond with us online or offline, or contact us via social media, blogs, or other interactive media.

As a rule, we collect your personal master data (name, address, and email address) and the settings required for the respective service. Additional information on which data we process for which purposes can be found in Appendix A to the Commissioned Processing Agreement.

By entering your data (registration), you consent to the processing, use, and disclosure of your personal data within the framework and scope of the purposes described in the Privacy Policy.

Trustee Partner Program
Under bexio’s Trustee Partner Program, end customers can share their data with their personal trustees. By using the Trustee Partner Program, the user agrees that bexio may provide the trustee with or access to all data of the relevant user. The end customer retains full control over the trustee’s access rights to the end customer’s data at all times and can restrict or deny access at any time. The end customer agrees that bexio or the trustee will exchange data with this partner when using further partner functions/add-ons.

Payroll Accounting
When using bexio’s optional payroll accounting software, personal data of the end customer’s employees is naturally transmitted to bexio. bexio treats this data with due care and ensures its security in accordance with the standards set out in the Privacy Policy. The end customer declares its consent and releases bexio from any claims that may be raised by the end customer’s employees against bexio. The end customer further declares that it is solely responsible for informing its employees of the possible storage, use, processing, and transmission of data by bexio in accordance with the guidelines in the Privacy Policy. Should the individual employees of the end customer not agree with the intended data processing, the end customer is responsible for accordingly deleting the respective data of its employees in its bexio cloud.

Banking Functions
When using the optional banking functions of bexio or when linking your own account to a bank, data is exchanged between bexio and the respective bank. This also includes payment and bank-specific information such as IBAN, account information, etc.

Other Partner Functions
When using any other optional partner functions of bexio or when connecting your own account to a partner, data is exchanged between bexio and the relevant partner.

4. Data Security

We use technical and organizational security measures in accordance with the recognized market standards to protect personal data stored with us against unintentional, illegal or unauthorized manipulation, deletion, modification, access, disclosure, or use, as well as against partial or complete loss. bexio servers are located at a secure data center in Switzerland with multiple certifications. The connection to our servers takes place via SSL encryption. We back up customer data on a regular basis. In order to prevent data loss even in extreme cases (e.g. destruction of the data center by an earthquake), the encrypted backups are stored at several data centers in Switzerland and abroad at the same time. Our security measures are continuously adapted and improved in line with technological developments. We assume no liability for the loss of data or for such data becoming known to and being used by third parties. Furthermore, we cannot guarantee the security of data transmission over the Internet. In particular, there is a risk of access by third parties when data is transmitted by email. However, access is protected by HTTPS. If explicitly requested by the customer, the customer can opt for two-factor authentication at any time.

5. Purpose of Processing Personal Data / Recipients of Data

We process the collected data in order to continuously improve the products and services requested by you; to manage your use of and access to our applications, products, and information; to maintain our business relationship with you; to monitor and improve the performance of our services; to detect, prevent, or clarify illegal activities; and to provide you with offers, information, or marketing materials about products or services that we believe may be of interest to you based on the data. The data may also be disclosed to our partner companies and service providers, selected third-party companies, institutes and/or legally authorized state authorities in Switzerland and abroad for processing, storage, and use within the scope of the above-mentioned purposes. If the processing or storage of personal information takes place in countries that do not guarantee adequate data protection in comparison to Swiss data protection law, we require the commissioned processor to fully comply with the relevant provisions of the DPA or – as far as data of customers from the EU area is concerned – the GDPR under contractual obligation.

We make sure that each of the aforementioned processes and services is carried out by service providers that are commissioned in compliance with data protection regulations and are based within the EU or in Switzerland. These are companies from the categories of IT services, payment transactions, printing service providers, billing, collection, and consulting, as well as sales and marketing, and service providers that we use in the context of commissioned processing relationships.

6. Cookies

Cookies help make your visit to our website easier, more enjoyable, and more efficient. Cookies are data files that your web browser automatically stores on your computer’s hard drive when you visit our website and use our services.

You can manage your security settings in your browser independently and thereby block or disable cookies used by us. However, it is possible that in this case you will not be able to use certain bexio services (to the full extent) any longer.

Tracking and Analytics / Social Media
The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be transmitted by us or the third-party providers of such technical systems to third parties in Switzerland and abroad for processing. The most frequently used and the most popular analysis tool is Google Analytics, a service provided by Google Inc. This means that the collected data is generally transmitted to a Google server in the United States.

Our website uses Google Analytics, a web analysis service of Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, which are text files stored on your computer to help analyze your use of the website. The information generated by the cookie about your use of the website (including your IP address, which however is anonymised with Google before being saved, so that it can no longer be associated with you) will be transmitted to and stored on a Google server in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us, and providing other services relating to website activity and Internet usage. Google may also transmit this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will never associate your IP address with any other data held by Google.

Our website uses the Google Analytics “Demographics and Interests” function. This allows Google Analytics to gain insight into the age, gender and interests of the visitors to the website. These data originate from Google's interest-based advertising and from third-party visitor data. These data cannot be associated with a specific person. You can deactivate this function at any time by changing the advertising settings in your Google account or you can stop your data from being collected by Google Analytics altogether.

For more information please refer to the Google data privacy policy here https://support.google.com/analytics/answer/6004245?hl=en.

If you do not want your website activity to be available to Google Analytics, you can install the browser add-on to disable Google Analytics https://support.google.com/analytics/answer/181881?hl=en.

This prevents the JavaScript (ga.js, analytics.js and dc.js) running on the websites from sharing any activity data with Google Analytics.

The analysis of data by other tools of the website owner is not disabled when you use the add-on. Data may still be sent to the website or other web analytics services.

Finally, our website collects information in server log files that your Internet browser automatically sends to us. This includes the user agent (browser type and version, operating system), http header details (referrer URL, IP address of connected device), the time of the server request and the login status. These server log files are only merged with other data sources for fault analysis purposes.

Advertising Technologies
Our website uses the functions of Google Analytics Remarketing together with the cross-device functions of Google AdWords and Google DoubleClick which are supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This allows the advertising target groups created by Google Analytics Remarketing to be linked to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising tailored to you based on your previous usage and browsing behaviour on one device (e.g. mobile phone) can be displayed on one of your other devices (e.g. tablet or PC).

If you have given Google the respective consent, Google links your web and app browser history to your Google account. In this way, the same personalized advertising can be displayed on every device from which you log into your Google account.

To assist this function, Google Analytics collects the google-authenticated IDs of the users who are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising.

You can stop cross-device remarketing permanently by deactivating personalized advertising in your Google account under https://www.google.com/settings/ads/onweb/.

For more information please refer to the Google data privacy policy here https://www.google.com/policies/technologies/ads/.

Our website additionally uses the online advertising program Google AdWords which is supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

We use Google AdWords’ conversion tracking feature. When you click on a Google ad, a cookie is set for conversion tracking. The cookies are small text files that the Internet browser creates on your computer. These cookies expire after 30 days at the latest and are not used to identify you. If you visit our website and the cookie has not yet expired, Google and bexio can see that you clicked on the ad and were taken to our page.

Google tells us the total number of users who clicked our ad and were passed on to our website with a conversion tracking tag. However, we do not receive any information through which we could identify you.

You can prevent cookies from being stored by selecting the appropriate settings in your browser; however, please note that you may not be able to use the full functionality of this website if you do so. You can also stop the tracking by deactivating the Google conversion tracking cookie in your browser user settings.

For more information please refer to the Google data privacy policy here https://policies.google.com/privacy.

Our website uses Facebook Pixel, a user action tracking function supplied by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.

Facebook Pixel allows website users’ behaviour to be tracked after they click on a Facebook ad and are referred to our website. This allows the effectiveness of Facebook advertising to be tracked for statistical and market research purposes and future advertising to be optimized.

The data collected are anonymous to bexio - we cannot draw any conclusions as to your identity. However, your data are stored by Facebook and processed in order to link them to your user profile and so that Facebook can use the data for its own advertising purposes as explained in the Facebook Data Policy. This enables Facebook to display ads on Facebook pages and outside of Facebook. The use of these data cannot be influenced by bexio.

You can choose to opt out of the remarketing function for good by deactivating the “custom audiences” remarketing function in the ad preferences section under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged into Facebook.

If you do not have a Facebook account, you can deactivate user-based Facebook advertising at the European Interactive Digital Advertising Alliance website by visiting http://www.youronlinechoices.com/uk/your-ad-choices.

For more information please refer to the Facebook data privacy policy at https://www.facebook.com/about/privacy/.

Integration of Third-Party Offerings / Social Media
Our digital services are networked with third-party functions and systems in many ways, for example through the integration of plugins from third-party social networks such as Facebook, Twitter, etc. If you have a user account with these third parties, they may also be able to measure and evaluate your use of our digital offerings. Further personal data such as IP address, browser settings, and other parameters may be transmitted to and stored by these third parties. We have no control over the use of such personal data collected by third parties and assume no responsibility or liability for it. In all other respects, bexio does not have any detailed knowledge of which data is transmitted to third parties, where it is transmitted to, and whether it is made anonymous.

Our website uses YouTube plug-ins supplied by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

The YouTube plug-in sets up a connection to the YouTube servers and tells the YouTube server which of our pages you visited.

If you are logged into your YouTube account, YouTube can associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube user account.

For more information please refer to the YouTube data privacy policy here https://policies.google.com/privacy.

What other tools do we use?
Our website uses the Google Maps service via an API. It is supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you use the functions of Google Maps, Google stores your IP address and usually transfers it to a Google server in the USA. bexio has no influence on this data transfer.

For more information please refer to the Google data privacy policy here: https://policies.google.com/privacy.

7. Automatic Decisions

bexio does not use any profiling or automatic decision-making techniques. Should bexio use these procedures in individual cases, you will be informed of it separately insofar as this is required by law.

8. Communication via Email and/or Newsletter

If you wish to subscribe to one of the newsletters that we offer on our website, we need you to provide us with an e-mail address and other information that allows us to check that you are the owner of the e-mail address you provided and are in agreement with the newsletter subscription ("double opt-in" process).

The newsletters will provide you with regular recommendations and offers that may interest you. In order to be able to do this, we collect and process personal data about your browsing behaviour on our website, within bexio and whether you use our newsletter (e.g. whether you open the newsletter and which of the URL links you click). We evaluate these data for statistical purposes in order to adjust the contents of the newsletters to your interests.

We process the personal data you provide us with in the newsletter subscription form on the basis of your consent, which you can revoke at any point in the future. You can revoke it by pressing the "Unsubscribe" link in the newsletter. We use the personal data that we collected about you to design the contents of the newsletter and to distribute it.

We store the personal data that you provided us with for the purpose of the newsletter subscription until you unsubscribe from the newsletter.

9. Storage Duration

bexio processes and stores your personal data as long as you use the service. It should be noted that the contractual relationship is a continuing obligation that lasts for years.

Should the data no longer be required for the fulfillment of contractual or legal obligations, it is regularly deleted unless its – limited – further processing is necessary for the following purposes:

  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in Switzerland: In particular, these include the ten-year period for retaining and maintaining the accounting records (Swiss Code of Obligations, 958f); special laws may also impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in Germany: In particular, these include the German Commercial Code and the German Tax Code. The time periods for retention and documentation specified therein range from two to ten years; special laws may also impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in other countries insofar as bexio operates there.
  • Preservation of evidence within the framework of the respective statutory periods of limitations, whereby such periods of limitations can amount to up to 30 years and more.

10. Information, Correction, Deletion, Blocking, and Consent

You have the following rights with regard to your personal data. bexio explicitly grants these rights contained in the GDPR also to the Swiss customers insofar as they are not already entitled to the analogous rights under the DPA:

  • the right to information under Article 15 of the GDPR,
  • the right to correction under Article 16 of the GDPR,
  • the right to cancellation under Article 17 of the GDPR,
  • the right to restrict processing under Article 18 of the GDPR,
  • the right to data portability under Article 20 of the GDPR, and
  • the right of objection under Article 21 of the GDPR.

The aforementioned rights are subject to any restrictions of the GDPR and the applicable national data protection laws or other national laws.

If you are asked to provide your consent in connection with bexio services, you can do it by clicking on the corresponding checkbox to confirm that bexio may collect, process, use, and transmit your personal data accordingly.

Of course, you may revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. The consent revocation request may be sent in writing to bexio’s aforementioned address. Sending an email to datenschutz@bexio.com should also be sufficient. Please note that some of the services and features will no longer be available to you afterwards.

11. Links to Other Websites

The website of bexio contains hyperlinks to third-party websites that are not operated or controlled by bexio. bexio is not responsible for their content or data protection practices.

12. Additional Regulations for Customers from the EU Area

The following provisions are only applicable to customers from the EU area; they do not apply to Swiss customers.

Legal Basis for the Processing
The processing of your data for the purposes mentioned in Section 5 takes place in accordance with Article 6(1)(b) of the GDPR for the fulfillment of the contract. The subject matter of the contract is the services mentioned above.

Likewise, your data will be processed as described above to protect the legitimate interests of bexio (Article 6(1)(f) of the GDPR). These are the improvement of products and services (including delivery of direct mail advertising) in order to monitor and improve the performance of the offering, and to recognize, prevent, or clear up any illegal activities.

In addition, the data is processed in accordance with Article 6(1)(c) of the GDPR for the fulfillment of legal obligations (e.g. retention and documentation requirements). This includes, in particular, your personal master data.

If you believe that one or more of the purposes mentioned in Section 5 is not covered by the legal bases mentioned above, you may request that we no longer process your personal data for certain individual purposes (opt out). Opting out does not prevent you from continuing to use bexio’s cloud software provided that such use does not necessarily require the corresponding data processing. You can send the opt-out request in writing to bexio’s address mentioned above. Sending an email to datenschutz@bexio.com should also be sufficient.

Right of Appeal
If you believe that the processing of your personal data violates the GDPR, you have the right to appeal to a competent supervisory authority in accordance with Article 77 of the GDPR. Of course, bexio will be happy to answer your questions and address your requests in advance of a complaint. Please feel free to contact us by email at datenschutz@bexio.com.

Last update: September 2019