Privacy Policy

Valid from: 01.06.2022

bexio AG

bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (hereinafter, the “Provider”), is the author of this Privacy Policy. This Privacy Policy applies to all users of the Provider’s services, insofar as personal data is processed as a result. In particular, this includes Customers who have concluded a contract with the Provider for the Provider’s services, their employees and website visitors. Furthermore, the Provider may declare that the Privacy Policy applies to other contractual partners on a contractual basis. For the sake of simplicity, all persons whose personal data is processed are hereinafter referred to as “Customers.”

The Provider is responsible for the careful and conscientious handling of the personal information of its Customers. The Provider is responsible for the collection, processing, disclosure, storage and protection of the personal information of its Customers and ensures compliance with the Swiss Federal Act on Data Protection (“FADP”) insofar as protected data of Swiss Customers is concerned; and ensures compliance with the EU General Data Protection Regulation (“GDPR”) insofar as the protected data of Customers from the EU area is concerned.

Customers may revoke the consent they have given under this Privacy Policy at any time with effect for the future (see Section 11, last paragraph).

1. Contact details

The data controller for data processing is:

bexio AG
Alte Jonastrasse 24
8640 Rapperswil
Switzerland
+41 (0)71 552 00 60

The Data Protection Officer can be reached at datenschutz@bexio.com.

2. Applicable Law

Data processing carried out by the Provider is subject to the following law in each case:

Data of Swiss Customers

Only Swiss law is applicable to the processing of data of Swiss customers, in particular the Swiss Federal Act on Data Protection (FADP, SR 235.1) and the associated Ordinance to the Swiss Federal Act on Data Protection (SR 235.11). The EU General Data Protection Regulation (GDPR) shall not apply. The applicability of the GDPR is reserved (i) insofar as it is expressly provided for in this Privacy Policy for partial areas, and (ii) insofar as the GDPR is also mandatorily applicable to data of Swiss customers due to special circumstances.

Data of Customers from the EU area

In addition to Swiss law, Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation, GDPR) is applicable to the processing of data of Customers from the EU area. See also Section 13 (additional regulations for Customers from the EU area).

3. Type and scope of the collection of personal data

When visiting our website (without login)

When Customers visit the Provider’s online presence outside the protected login area, the web server technology automatically logs general technical visit information. This includes, among other things, the IP address of the device being used, which is, however, anonymized by Google before being stored so that it can no longer be assigned to the Customer. Google uses the _anonymizeIp() method for this purpose. This also includes information on the browser type, the Internet service provider and the operating system being used.

When using the bexio cloud software (with login)

During the free trial access as well as during the paid use of the bexio software within the protected login area, all data entered or submitted by the Customer during the registration process and during the use of the software will also be stored. This is particularly the case when the Customer registers, places orders, fills out online forms, participates in surveys or contests, corresponds with the Provider online or offline, or interacts with the Provider via social media, blogs or other interactive media.

As a rule, the personal master data (name, address, email address) and the settings required for the respective service are collected here. Further information on data processing and its purposes can be found in Annex A to the Order Processing Contract.

With the collection of data, the Customer consents to the processing, use and disclosure of personal data within the context and as part of the purposes described in this Privacy Policy.

Data exchange with third parties / trustees

Customers have the option to share their data with third parties, e.g., their personal trustee, directly or as part of the Provider’s trustee partner program. By granting access rights, the Customer agrees that the Provider may provide third parties (e.g., the trustee) with all the Customer’s data or allow access to it. The Customer retains full control over the third party’s access rights to the data at all times and can restrict or deny access at any time.

In addition, the Provider allows the third party (e.g., the trustee) to open a bexio account itself as a customer. In this case, the third party or trustee manages the access rights as a customer and can grant, restrict or deny these rights to third parties. However, the Provider reserves the right to release specific data to authorized third parties in justified individual cases.

Payroll accounting

When using the Provider’s optional payroll accounting software, the personal data of the Customer’s employees is necessarily transmitted to the Provider. The Provider shall handle this data with reasonable care and shall ensure its security in accordance with the standards set forth in this Privacy Policy. The Customer declares its consent and releases the Provider from any possible claims. The Customer is responsible for obtaining the consent of its employees. The Customer further declares that it is solely responsible for informing its employees about the possible storage, use, processing and disclosure of data by the Provider in accordance with the guidelines of this Privacy Policy. If individual employees of the Customer do not agree with the intended data processing, the Customer is responsible for deleting the data of these employees from its bexio cloud accordingly.

App marketplace / Third-party add-ons

The Provider provides the Customer with an interface (“API”) to communicate with third-party software. This enables the Customer to integrate various additional packages or offers from third-party providers (“Add-ons”) in addition to the bexio software. The Customer can order various Add-ons in the Provider’s App Marketplace. The Customer may also grant other third-party providers the right to use the interface to its bexio account. Unless expressly agreed otherwise, contractual relationships regarding the use of third-party Add-ons are established exclusively between the Customer and the third-party provider.

If access rights are required for the use of an Add-on, by ordering or integrating the Add-on, the Customer thereby expressly agrees to grant all necessary access rights. The Provider shall then be entitled to provide or permit access to all Customer data required for the use of the Add-on. The Customer shall at all times retain full control over the access rights of the third-party provider to its data and may restrict or deny access at any time. The Customer agrees that the Provider or the third-party provider may exchange data with the third-party provider when using other Add-ons.

By ordering the add-on, the Customer declares its consent to the General Terms and Conditions and the Privacy Policy. The Provider assumes no responsibility for the data processing carried out by the third-party provider.

Third-party consulting services

The Provider offers third-party consulting services to its Customers. In order for the third-party provider to verify the Customer’s eligibility and to have the necessary contact information, the following data will be transmitted to the third-party provider: name / company name; address (street, postal code, city, additional address information); contracts concluded between the Provider and the Customer; telephone number(s); email address(es). For further information, please refer to the currently valid version of the privacy policy of the third-party providers.

Banking functions

When the Customer uses the optionally available banking functions (“Bank Interfaces”) of the Provider or when the Customer connects its own account to a bank, data is exchanged between the Provider and the bank. The Bank Interfaces are provided in part directly in cooperation with the respective bank and in part via the SIX BBS AG bLink platform. The processed data also includes payment and specific bank information such as IBAN, account information, etc. For the purpose of troubleshooting and error alerts, the Provider stores the following log data for a period of one month when the banking functions are used: database abbreviation, Bank BIC, technical steps (e.g., authentication, file sent, file retrieved, logout) as well as the date and time.

The Provider may send to the users of the Bank Interfaces, or to the employees with access rights to them, messages regarding the existing Bank Interfaces and the connected bank. Personal data may be processed for this purpose. Customers who no longer wish to receive messages about banking may unsubscribe at any time via the “unsubscribe” link.

Other partner functions

When the Customer uses any other optionally available partner functions of the Provider or when the Customer connects its own account to a partner, data will be exchanged between the Provider and the partner.

4. Data security

The Provider uses technical and organizational security measures in accordance with recognized market standards to protect stored personal data from accidental, unlawful or unauthorized tampering, deletion, alteration, access, disclosure or use, and against partial or complete loss. The Provider’s servers are located in Switzerland. Certain services can be processed via servers in other countries – with an appropriate level of data protection – whereby the requirements according to the FADP or the GDPR are fully complied with at all times. The connection to the servers is made using SSL encryption. The Provider regularly backs up the customer data. In order to prevent data loss even in extreme cases (e.g., the destruction of the data center by an earthquake), the encrypted backups are also stored in several data centers in Switzerland and abroad. The requirements according to the FADP and the GDPR are fully complied with at all times. The security measures are continuously adapted and improved according to technological developments. The Provider assumes no liability for the loss of data or access to and use of the data by third parties. Furthermore, the Provider cannot guarantee the security of data transmission on the Internet. In particular, there is a risk of access by third parties when data is transmitted by email. However, access to the service is protected by means of HTTPS. The Customer may also choose to enable two-factor authentication at any time.

5. Purpose of the processing of personal data / Data recipients

The Provider processes the collected data in order to be able to continuously improve its products and services, to manage the use of and access to the applications, products and information, to maintain its business relationship with the Customers, to monitor and improve the performance of its offer, to detect, prevent or clarify illegal activities and to send the Customers offers, information and marketing materials about products or services which the Provider, based on the data, assumes could be of interest to the Customers. The data may also be disclosed to partner companies and service providers, selected third-party companies, institutes and/or legally authorized government authorities, both domestic and foreign, for processing, storage and use as part of the above-mentioned purposes. If personal information is processed or stored in countries that do not ensure adequate data protection compared to Swiss data protection law, the Provider shall require the processor under contractual obligation to fully comply with the relevant provisions of the FADP or – where the data of Customers from the EU area is concerned – with the GDPR.

The Provider has some of the aforementioned processes and services carried out by service providers who are based within the EU or Switzerland and who have been commissioned in accordance with data protection regulations. These are, in particular, companies in the categories of IT services, payment transactions, printing service providers, billing, collection and consulting, as well as sales and marketing and service providers used as part of order processing contracts.

6. Mobiliar Data Exchange Group

By accepting the Provider’s General Terms and Conditions and this Privacy Policy, the Customer expressly declares its consent to the transfer of its data to the Provider’s parent company and to affiliated companies (hereinafter, jointly referred to as “Mobiliar”) in accordance with this section. These include:

  • Insurance companies belonging to the Mobiliar Group (1)
  • Other companies belonging to the Mobiliar Group (2)

(1) Insurance companies belonging to the Mobiliar Group include: Schweizerische Mobiliar Versicherungsgesellschaft AG, Schweizerische Mobiliar Lebensversicherungsgesellschaft AG, Protekta Rechtsschutz-Versicherung AG and SwissCaution SA.

(2) Other companies belonging to the Mobiliar Group can be found at: https://www.mobiliar.ch/die-mobiliar/ueber-uns/unternehmen-der-gruppe-mobiliar

In particular, the exchange of data between the Provider and Mobiliar enables even greater use of existing synergies with the parent company. Under no circumstances will personal data requiring special protection be disclosed.

Mobiliar undertakes to process all data of which it becomes aware exclusively within the framework of data protection legislation and to comply with data protection security regulations. Mobiliar undertakes to maintain the confidentiality of the data of which it becomes aware.

The Provider and the Mobiliar Group are entitled to process data in accordance with the following overview and to disclose it for the following purposes:

  • Customer master comparison: customer master data is compared for statistical purposes. The comparison is used to analyze how many shared customers exist, how this proportion develops over time and how the shared customers are distributed geographically.
  • Market segment analysis: data can be processed for the purpose of market segment analysis. The main purpose of market segmentation is to reveal differences between Customers in order to draw conclusions for marketing programs for specific segments (customer structure analysis).
  • Information exchange: data can be processed for the purpose of information exchange between the Provider and Mobiliar. The main purpose is to be able to continuously improve the products and services offered to the Customer, to manage use and access to the applications, products and information, to maintain the business relationship with the Customer, to monitor and improve the performance of the offers.
  • Marketing and analysis purposes: Data may be exchanged in order to provide Customers with offers, information or marketing materials about products and services which, based on the data, may be of interest to the Customer.

7. Cookies

Cookies help to make the visit to the Provider’s website easier, more pleasant and more useful. Cookies are information files that the web browser automatically stores on the computer’s hard disk when the Customer visits the Provider’s website and uses the offers.

Customers can choose to manage the security settings in their browser and thus block or disable cookies that have been installed, in which case, certain services of the Provider may no longer be able to be (fully) used.

Tracking and analysis tools / Social media

The use of the Provider’s digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be both anonymous and personal. The collected data may in turn be transferred by the Provider or the third-party providers of these technical systems to third parties in Germany and abroad for processing. The most frequently used and best-known analytics tool is Google Analytics, a service provided by Google Inc. This means that the data collected may be transmitted to a Google server in the United States (or to a location specified by Google).

The Provider’s website uses Google Analytics, a web analytics service provided by Google Inc. with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. (“Google”). Google Analytics uses cookies. Cookies are text files which are stored on the Customer’s computer and which are used to analyze the Customer’s use of the website. The information generated by the cookies about the use of the website (including the IP address, which is, however, anonymized by Google before being stored so that it can no longer be assigned to the Customer) is transmitted to a Google server in the United States (or to a location determined by Google) and stored there. Google will use this information for the purpose of evaluating the use of the website, compiling reports on website activity for the Provider and providing other services relating to website activity and Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate the IP address of Customers with any other data held by Google.

The Provider’s website uses the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain information about the age, gender and interests of Customers. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person. Customers can disable this function at any time via the ad settings in their Google account or generally prohibit Google Analytics from collecting their data. Further information can be found in Google’s privacy policy at: https://support.google.com/analytics/answer/6004245?hl=en

If Customers do not want their website activity to be made available to Google Analytics, they can install the browser add-on to disable Google Analytics: https://support.google.com/analytics/answer/181881?hl=en

This prevents activity data from being shared with Google Analytics via JavaScript executed on websites (ga.js, analytics.js and dc.js).

The analysis of data by other tools of the website owner is not prevented when Customers use the add-on. Data may still be sent to the website or to other web analytics services.

Finally, the Provider collects certain information about its website in so-called server log files, which are automatically transmitted by the Customer’s Internet browser. This includes the user agent (browser type and version, operating system used), HTTP header information (referrer URL, IP address of the accessing computer), the time of the server request and the login status. These server log files are only merged with other data sources for error analysis.

Technologies for advertising purposes

The Provider’s website uses the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. This enables interest-based, personalized advertising messages that have been adapted to the Customer based on the Customer’s previous usage and browsing behavior on one end device (e.g., cell phone) to be displayed on another end device (e.g., tablet or PC).

If the Customer has given Google the corresponding consent, Google links the Customer’s web and app browsing history with the Customer’s Google account for this purpose. This enables the same personalized advertising messages to be displayed on every end device on which the Customer logs in with their Google account.

To support this feature, Google Analytics collects the Google-authenticated IDs of users, which are temporarily linked to the Provider’s Google Analytics data to define and create target groups for cross-device advertising.

Customers can permanently object to cross-device remarketing by disabling personalized advertising in their Google account: https://www.google.com/settings/ads/onweb/

Further information can be found in Google’s privacy policy at: https://www.google.com/policies/technologies/ads/

The Provider’s website also uses the online advertising program Google AdWords. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

In the context of Google AdWords, the Provider uses conversion tracking. When the Customer clicks on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the Customer’s computer. These cookies expire after 30 days at the latest and are not used for identification. If the Customer visits our website and the cookie has not yet expired, Google and the Provider can recognize that the Customer clicked on the ad and was redirected to this page.

Google informs the Provider of the total number of users who clicked on its ad and were redirected to its website, which contains a conversion tracking tag. However, the Provider does not receive any information with which it can personally identify the Customer.

Customers can prevent the storage of cookies by adjusting their browser software settings accordingly. However, the Provider would like to point out the fact that if the storage of cookies is disabled, certain features of this website may not be fully available. Customers can also prevent tracking by disabling the Google conversion tracking cookie via their Internet browser under User Settings.

For further information, please refer to Google’s privacy policy: https://www.google.de/policies/privacy/

The Provider’s website additionally uses the visitor action pixel from Facebook. The provider is Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.

The Facebook pixel can be used to track the behavior of website visitors after they have been redirected to the Provider’s website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and allows future advertising measures to be optimized.

The collected data is anonymous for the Provider. The Provider cannot draw any conclusions about the identity of the Customers. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and so that Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Usage Policy. This allows Facebook to place advertisements on Facebook pages as well as outside of Facebook. The Provider cannot influence this use of the data.

Customers can permanently object to remarketing by disabling the “Custom Audiences” remarketing function in the Ad Settings area under the following link. To do this, Customers must be logged in to Facebook: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

Customers who do not have a Facebook account may opt out of Facebook usage-based advertising on the European Interactive Digital Advertising Alliance website at the following link: https://www.youronlinechoices.com/uk/your-ad-choices

For further information, please refer to Facebook’s privacy policy: https://www.facebook.com/about/privacy/

Integration of third-party offers / Social media

The Provider’s digital offerings are networked with third-party functions and systems in a variety of ways, for example by integrating plug-ins from third-party social networks such as Facebook, Twitter, etc. If the Customer has a user account with these third parties, they may also be able to measure and evaluate the use of the Provider’s digital offerings. In the process, additional personal data, such as IP address, browser settings and other parameters may be transmitted to these third parties and stored there. The Provider has no control over the use of such personal data collected by third parties and assumes no responsibility or liability. Moreover, the Provider has no detailed knowledge of what data is transmitted to the third parties, where it is transmitted to, and whether it is anonymized.

Plugins from YouTube are integrated on the Provider’s website. The provider is YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

The YouTube plugin establishes a connection to the YouTube servers. In doing so, the YouTube server is informed about which of the Provider’s pages the Customer has visited.

If Customers are logged into their YouTube account, YouTube can assign their browsing behavior directly to their personal profile. Customers can prevent this by logging out of their YouTube user account.

For more information, please refer to YouTube’s privacy policy: https://www.google.com/intl/en/policies/privacy

Other tools

The Provider’s website uses the map service Google Maps via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If the Customer uses the functions of Google Maps, the Customer’s IP address is stored by Google and usually transmitted to a Google server in the USA. The Provider has no influence on this data transfer.

For further information, please refer to Google’s privacy policy: https://www.google.com/intl/en/policies/privacy/

8. Profiling / Automated decision-making

Profiling is the automated processing of personal data in order to analyze or predict certain personal aspects or behavior. This makes it possible, for example, to provide Customers with more individualized support and advice or to better tailor offers to individual customer needs.

An “automated individual decision” is a decision that is fully automated, i.e., without relevant human influence, and that has negative legal effects on the Customer or other similarly negative effects. As a rule, the Provider does not make automated individual decisions. The Provider will inform the Customer separately if it uses automated individual decisions in individual cases. In such a case, the Customer has the option of having this decision reviewed manually by an employee of the Provider.

9. Communication by email and/or newsletter

If the Customer wishes to receive a newsletter offered on the Provider’s website, the Provider requires an email address and other information that allows verification that the email address provided is correct and that the Customer agrees to receive the newsletter (the “double-opt-in” procedure).

The newsletter provides regular recommendations and offers that may be of interest to the Customer. For this purpose, the Provider collects and processes personal data regarding the Customer’s usage behavior on the website, in the bexio software and in relation to the use of the newsletter (e.g., whether the Customer opens the newsletter or on which web URL links the Customer clicks). The Provider evaluates this data for statistical purposes in order to better tailor the content of the newsletter to the interests of its Customers.

The processing of the personal data entered in the newsletter registration form is based on the Customer’s consent, which the Customer can revoke at any time with effect for the future. The Customer may withdraw this consent at any time via the “unsubscribe” link in the newsletter. The personal data collected is used for the design of the content and for sending the newsletter.

The Provider stores the personal data provided by the Customer for the purpose of receiving the newsletter until the Customer unsubscribes from the newsletter.

10. Duration of storage

The Provider processes and stores personal data as long as the Customer uses the Service. It should be noted that the contractual relationship between the Provider and the Customer is a continuing obligation, which is designed to last for years.

After termination of the contractual relationship, the Provider is generally not obliged to store the Customer’s data. For this reason, data that is no longer required is regularly deleted. This does not apply to data which is required for further processing due to legal regulations or for mandatory internal purposes.

11. Information, rectification, erasure, blocking, consent

With regard to their personal data, Customers have the following rights according to the FADP or the GDPR. In principle, the Provider grants the rights contained in the GDPR to Swiss customers as well. However, the Provider reserves the right to make a different assessment in individual cases.

  • The right to information (Art. 8 FADP, Art. 15 GDPR);
  • The right to rectification (Art. 5 para. 2 FADP, Art. 16 GDPR);
  • The right to erasure (Art. 17 GDPR);
  • The right to restriction of processing (Art. 18 GDPR);
  • The right to data portability (Art. 20 GDPR); and
  • The right to object (Art. 21 GDPR).

In the case of the rights mentioned above, any restrictions of the GDPR as well as the respective applicable Swiss data protection laws or other national laws shall apply.

Insofar as the Customer is asked to give consent in connection with the Provider’s services, the Customer gives this consent by clicking on the corresponding checkbox. The Provider is then entitled to collect, process, use and disclose the Customer’s personal data accordingly.

The Customer can, of course, withdraw this consent at any time without affecting the legality of the processing carried out on the basis of the consent until the withdrawal. The withdrawal can be sent in writing to the Provider’s address mentioned at the beginning of this Privacy Policy. However, it is also sufficient to send an email to: datenschutz@bexio.com. However, some of the services and features will no longer be available to the Customer thereafter.

12. Links to other websites

The Provider’s website contains hyperlinks to third-party websites that are not operated or controlled by the Provider. The Provider is not responsible for the content or data protection practices of these third-party websites.

13. Additional regulations for Customers from the EU-area

The following regulations are only applicable to Customers from the EU area; they do not apply to Swiss Customers.

Legal basis of processing

The processing of data for the purposes stated in Section 5 is carried out in accordance with Article 6 (1) (b) GDPR for the performance of the contract. The subject matter of the contract is the above-mentioned services.

Likewise, the processing of data, as described above, is carried out to protect the legitimate interests of the Provider (Article 6 (1) (f) GDPR). These legitimate interests are to improve the products and services (including the delivery of direct advertising), to monitor and improve the performance of the offer and to detect, prevent or clarify illegal activities.

In addition, the data is processed in accordance with Article 6 (1) (c) GDPR to fulfill legal obligations (e.g., the storage and documentation obligations of the Provider). This includes in particular the personal master data.

If Customers are of the opinion that one or more of the purposes mentioned under Section 5 is/are not covered by the legal bases mentioned above, Customers may request the Provider to stop processing their personal data for certain individual purposes (opt-out). The decision to opt-out shall not prevent Customers from the further use of the Provider’s SaaS services, unless such use necessarily requires the corresponding data processing. Customers may send an opt-out request in writing to the Provider’s address mentioned above. However, it is also sufficient to send an email to: datenschutz@bexio.com.

Right to lodge a complaint

If Customers are of the opinion that the processing of their personal data violates the GDPR, they have the right of appeal to a competent supervisory authority pursuant to Article 77 GDPR.

The Provider will of course be pleased to answer the Customer’s questions and requests before a complaint is lodged. For this purpose, the Customer may contact the Provider in writing or by email (datenschutz@bexio.com).

bexio AG
Alte Jonastrasse 24
8640 Rapperswil
Schweiz
Valid until: 31.05.2022

Privacy Policy

bexio AG

bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (hereinafter referred to as “bexio”) is the author of this Privacy Policy and the owner of the information (data) collected about you hereunder. In all other respects, bexio’s General Terms and Conditions (GT&Cs) shall apply.

We know that the careful handling of your personal information is important to you. That is why we appreciate your trust that bexio will handle this information in a conscientious manner. bexio is responsible for the collection, processing, transmission, storage, and protection of your personal information and ensures compliance with the Swiss Data Protection Act as far as data of Swiss customers is concerned as well as compliance with the General Data Protection Regulation of the EU as far as data of customers from the EU area is concerned.

The consent given by you with this Privacy Policy may be revoked at any time with effect for the future (see Section 10, last paragraph).

1. Contact Information

Responsible for data processing:

bexio AG
Alte Jonastrasse 24
8640 Rapperswil
Switzerland
+41 (0)71 552 00 60

You can reach the data protection officer of bexio AG at: datenschutz@bexio.com

2. Applicable Law

The data processing by bexio is subject to the following law:

Data of Swiss Customers and Swiss Visitors of Our Website
The processing of data of Swiss customers is exclusively governed by Swiss law, in particular the Swiss Federal Data Protection Act (DPA, Systematic Compilation of Federal Legislation 235.1) and the corresponding Regulation to the Swiss Federal Data Protection Act (Systematic Compilation of Federal Legislation 235.11). The General Data Protection Regulation of the EU (GDPR) does not apply. The applicability of the GDPR remains unaffected (i) insofar as it is expressly provided for in the Privacy Policy for certain areas, and (ii) insofar as the GDPR is also mandatory for data of Swiss customers due to special circumstances.

Data of Customers from the EU Area and Visitors of Our Website from the EU Area
In addition to Swiss law, Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free transmission of such data, and on the repeal of Directive 95/46/EC (General Data Protection Regulation, GDPR) applies to the processing of data of customers from the EU area. See also Section 12 (Additional Regulations for Customers from the EU Area).

3. Type and Scope of Personal Data Collection

When Visiting Our Website (Without Login)
If you visit our website outside the login-protected area, the web server technology we use automatically logs general technical visit information. This includes, among others, the IP address of the device used (which, however, is anonymised by Google before being saved, so that it can no longer be associated with you; Google uses the anonymizeIp() method for this), information about the browser type, the Internet service provider, and the operating system used.

When Using bexio’s Cloud Software (With Login)
During the free trial access and when using the software provided by bexio for a fee within the login-protected area, all data entered or submitted by the user during the registration process and when using the software is also stored. This applies, in particular, when you register, place orders, fill out online forms, take part in surveys or contests, correspond with us online or offline, or contact us via social media, blogs, or other interactive media.

As a rule, we collect your personal master data (name, address, and email address) and the settings required for the respective service. Additional information on which data we process for which purposes can be found in Appendix A to the Commissioned Processing Agreement.

By entering your data (registration), you consent to the processing, use, and disclosure of your personal data within the framework and scope of the purposes described in the Privacy Policy.

Trustee Partner Program
Under bexio’s Trustee Partner Program, end customers can share their data with their personal trustees. By using the Trustee Partner Program, the user agrees that bexio may provide the trustee with, or give the trustee access to, all data of the relevant user. The end customer retains full control over the trustee’s access rights to the end customer’s data at all times and can restrict or deny access at any time. The end customer agrees that bexio or the trustee will exchange data with this partner when using further partner functions/add-ons.

Payroll Accounting
When using bexio’s optional payroll accounting software, personal data of the end customer’s employees is naturally transmitted to bexio. bexio treats this data with due care and ensures its security in accordance with the standards set out in the Privacy Policy. The end customer declares its consent and releases bexio from any claims that may be raised by the end customer’s employees against bexio. The end customer further declares that it is solely responsible for informing its employees of the possible storage, use, processing, and transmission of data by bexio in accordance with the guidelines in the Privacy Policy. Should the individual employees of the end customer not agree with the intended data processing, the end customer is responsible for accordingly deleting the respective data of its employees in its bexio cloud.

Banking Functions
When using the optional banking functions of bexio or when linking your own account to a bank, data is exchanged between bexio and the respective bank. This also includes payment and bank-specific information such as IBAN, account information, etc.

Other Partner Functions
When using any other optional partner functions of bexio or when connecting your own account to a partner, data is exchanged between bexio and the relevant partner.

4. Data Security

We use technical and organizational security measures in accordance with the recognized market standards to protect personal data stored with us against unintentional, illegal or unauthorized manipulation, deletion, modification, access, disclosure, or use, as well as against partial or complete loss. bexio servers are located at a secure data center in Switzerland with multiple certifications. The connection to our servers takes place via SSL encryption. We back up customer data on a regular basis. In order to prevent data loss even in extreme cases (e.g. destruction of the data center by an earthquake), the encrypted backups are stored at several data centers in Switzerland and abroad at the same time. Our security measures are continuously adapted and improved in line with technological developments. We assume no liability for the loss of data or for such data becoming known to and being used by third parties. Furthermore, we cannot guarantee the security of data transmission over the Internet. In particular, there is a risk of access by third parties when data is transmitted by email. However, access is protected by HTTPS. If explicitly requested by the customer, the customer can opt for two-factor authentication at any time.

5. Purpose of Processing Personal Data / Recipients of Data

We process the collected data in order to continuously improve the products and services requested by you; to manage your use of and access to our applications, products, and information; to maintain our business relationship with you; to monitor and improve the performance of our services; to detect, prevent, or clarify illegal activities; and to provide you with offers, information, or marketing materials about products or services that we believe may be of interest to you based on the data. The data may also be disclosed to our partner companies and service providers, selected third-party companies, institutes and/or legally authorized state authorities in Switzerland and abroad for processing, storage, and use within the scope of the above-mentioned purposes. If the processing or storage of personal information takes place in countries that do not guarantee adequate data protection in comparison to Swiss data protection law, we require the commissioned processor to fully comply with the relevant provisions of the DPA or – as far as data of customers from the EU area is concerned – the GDPR under contractual obligation.

We make sure that each of the aforementioned processes and services is carried out by service providers that are commissioned in compliance with data protection regulations and are based within the EU or in Switzerland. These are companies from the categories of IT services, payment transactions, printing service providers, billing, collection, and consulting, as well as sales and marketing, and service providers that we use in the context of commissioned processing relationships.

6. Cookies

Cookies help make your visit to our website easier, more enjoyable, and more efficient. Cookies are data files that your web browser automatically stores on your computer’s hard drive when you visit our website and use our services.

You can manage your security settings in your browser independently and thereby block or disable cookies used by us. However, it is possible that in this case you will not be able to use certain bexio services (to the full extent) any longer.

Tracking and Analytics / Social Media
The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be transmitted by us or the third-party providers of such technical systems to third parties in Switzerland and abroad for processing. The most frequently used and the most popular analysis tool is Google Analytics, a service provided by Google Inc. This means that the collected data is generally transmitted to a Google server in the United States.

Our website uses Google Analytics, a web analysis service of Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, which are text files stored on your computer to help analyze your use of the website. The information generated by the cookie about your use of the website (including your IP address, which however is anonymised with Google before being saved, so that it can no longer be associated with you) will be transmitted to and stored on a Google server in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us, and providing other services relating to website activity and Internet usage. Google may also transmit this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will never associate your IP address with any other data held by Google.

Our website uses the Google Analytics “Demographics and Interests” function. This allows Google Analytics to gain insight into the age, gender and interests of the visitors to the website. These data originate from Google’s interest-based advertising and from third-party visitor data. These data cannot be associated with a specific person. You can deactivate this function at any time by changing the advertising settings in your Google account or you can stop your data from being collected by Google Analytics altogether.

For more information please refer to the Google data privacy policy here https://support.google.com/analytics/answer/6004245?hl=en.

If you do not want your website activity to be available to Google Analytics, you can install the browser add-on to disable Google Analytics https://support.google.com/analytics/answer/181881?hl=en.

This prevents the JavaScript (ga.js, analytics.js and dc.js) running on the websites from sharing any activity data with Google Analytics.

The analysis of data by other tools of the website owner is not disabled when you use the add-on. Data may still be sent to the website or other web analytics services.

Finally, our website collects information in server log files that your Internet browser automatically sends to us. This includes the user agent (browser type and version, operating system), HTTP header details (referrer URL, IP address of the connected device), the time of the server request and the login status. These server log files are only merged with other data sources for fault analysis purposes.

Advertising Technologies
Our website uses the functions of Google Analytics Remarketing together with the cross-device functions of Google AdWords and Google DoubleClick which are supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This allows the advertising target groups created by Google Analytics Remarketing to be linked to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising tailored to you based on your previous usage and browsing behaviour on one device (e.g. mobile phone) can be displayed on one of your other devices (e.g. tablet or PC).

If you have given Google the respective consent, Google links your web and app browser history to your Google account. In this way, the same personalized advertising can be displayed on every device from which you log into your Google account.

To assist this function, Google Analytics collects the google-authenticated IDs of the users who are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising.

You can stop cross-device remarketing permanently by deactivating personalized advertising in your Google account under https://www.google.com/settings/ads/onweb/.

For more information please refer to the Google data privacy policy here https://www.google.com/policies/technologies/ads/.

Our website additionally uses the online advertising program Google AdWords which is supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

We use Google AdWords’ conversion tracking feature. When you click on a Google ad, a cookie is set for conversion tracking. The cookies are small text files that the Internet browser creates on your computer. These cookies expire after 30 days at the latest and are not used to identify you. If you visit our website and the cookie has not yet expired, Google and bexio can see that you clicked on the ad and were taken to our page.

Google tells us the total number of users who clicked our ad and were passed on to our website with a conversion tracking tag. However, we do not receive any information through which we could identify you.

You can prevent cookies from being stored by selecting the appropriate settings in your browser, however please note that you may not be able to use the full functionality of this website if you do so. You can also stop the tracking by deactivating the Google conversion tracking cookie in your browser user settings.

For more information please refer to the Google data privacy policy here https://policies.google.com/privacy.

Our website uses Facebook Pixel, a user action tracking function supplied by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.

Facebook Pixel allows website users’ behaviour to be tracked after they click on a Facebook ad and are referred to our website. This allows the effectiveness of Facebook advertising to be tracked for statistical and market research purposes and future advertising to be optimized.

The data collected are anonymous to bexio - we cannot draw any conclusions as to your identity. However, your data are stored by Facebook and processed in order to link them to your user profile and so that Facebook can use the data for its own advertising purposes as explained in the Facebook Data Policy. This enables Facebook to display ads on Facebook pages and outside of Facebook. The use of these data cannot be influenced by bexio.

You can choose to opt out of the remarketing function for good by deactivating the “custom audiences” remarketing function in the ad preferences section under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged into Facebook.

If you do not have a Facebook account, you can deactivate user-based Facebook advertising at the European Interactive Digital Advertising Alliance website by visiting http://www.youronlinechoices.com/uk/your-ad-choices.

For more information please refer to the Facebook data privacy policy at https://www.facebook.com/about/privacy/.

Integration of Third-Party Offerings / Social Media
Our digital services are networked with third-party functions and systems in many ways, for example through the integration of plugins from third-party social networks such as Facebook, Twitter, etc. If you have a user account with these third parties, they may also be able to measure and evaluate your use of our digital offerings. Further personal data such as IP address, browser settings, and other parameters may be transmitted to and stored by these third parties. We have no control over the use of such personal data collected by third parties and assume no responsibility or liability for it. In all other respects, bexio does not have any detailed knowledge of which data is transmitted to third parties, where it is transmitted to, and whether it is made anonymous.

Our website uses YouTube plug-ins supplied by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

The YouTube plug-in sets up a connection to the YouTube servers and tells the YouTube server which of our pages you visited.

If you are logged into your YouTube account, YouTube can associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube user account.

For more information please refer to the YouTube data privacy policy here https://policies.google.com/privacy.

What other tools do we use?
Our website uses the Google Maps service via an API. It is supplied by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you use the functions of Google Maps, Google stores your IP address and usually transfers it to a Google server in the USA. bexio has no influence on this data transfer.

For more information please refer to the Google data privacy policy here: https://policies.google.com/privacy.

7. Automatic Decisions

bexio does not use any profiling or automatic decision-making techniques. Should bexio use these procedures in individual cases, you will be informed of it separately insofar as this is required by law.

8. Communication via Email and/or Newsletter

If you wish to subscribe to one of the newsletters that we offer on our website, we need you to provide us with an email address and other information that allows us to check that you are the owner of the email address you provided and are in agreement with the newsletter subscription (“double opt-in” process).

The newsletters will provide you with regular recommendations and offers that may interest you. In order to be able to do this, we collect and process personal data about your browsing behaviour on our website, within bexio and whether you use our newsletter (e.g. whether you open the newsletter and which of the URL links you click). We evaluate these data for statistical purposes in order to adjust the contents of the newsletters to your interests.

We process the personal data you provide us with in the newsletter subscription form on the basis of your consent, which you can revoke at any point in the future. You can revoke it by clicking the “Unsubscribe” link in the newsletter. We use the personal data that we collected about you to design the contents of the newsletter and to distribute it.

We store the personal data that you provided us with for the purpose of the newsletter subscription until you unsubscribe from the newsletter.

9. Storage Duration

bexio processes and stores your personal data as long as you use the service. It should be noted that the contractual relationship is a continuing obligation that lasts for years.

Should the data no longer be required for the fulfillment of contractual or legal obligations, it is regularly deleted unless its – limited – further processing is necessary for the following purposes:

  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in Switzerland: In particular, these include the ten-year period for retaining and maintaining the accounting records (Swiss Code of Obligations, 958f); special laws may also impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in Germany: In particular, these include the German Commercial Code and the German Tax Code. The time periods for retention and documentation specified therein range from two to ten years; special laws may also impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention obligations in other countries insofar as bexio operates there.
  • Preservation of evidence within the framework of the respective statutory periods of limitations, whereby such periods of limitations can amount to up to 30 years and more.

10. Information, Correction, Deletion, Blocking, and Consent

You have the following rights with regard to your personal data. bexio explicitly grants these rights contained in the GDPR also to the Swiss customers insofar as they are not already entitled to the analogous rights under the DPA:

  • the right to information under Article 15 of the GDPR,
  • the right to correction under Article 16 of the GDPR,
  • the right to cancellation under Article 17 of the GDPR,
  • the right to restrict processing under Article 18 of the GDPR,
  • the right to data portability under Article 20 of the GDPR, and
  • the right of objection under Article 21 of the GDPR.

The aforementioned rights are subject to any restrictions of the GDPR and the applicable national data protection laws or other national laws.

If you are asked to provide your consent in connection with bexio services, you can do it by clicking on the corresponding checkbox to confirm that bexio may collect, process, use, and transmit your personal data accordingly.

Of course, you may revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. The consent revocation request may be sent in writing to bexio’s address mentioned above. Sending an email to datenschutz@bexio.com should also be sufficient. Please note that some of the services and features will no longer be available to you afterwards.

11. Links to Other Websites

The website of bexio contains hyperlinks to third-party websites that are not operated or controlled by bexio. bexio is not responsible for their content or data protection practices.

12. Additional Regulations for Customers from the EU Area

The following provisions are only applicable to customers from the EU area; they do not apply to Swiss customers.

Legal Basis for the Processing
The processing of your data for the purposes mentioned in Section 5 takes place in accordance with Article 6(1)(b) of the GDPR for the fulfillment of the contract. The subject matter of the contract is the services mentioned above.

Likewise, your data will be processed as described above to protect the legitimate interests of bexio (Article 6(1)(f) of the GDPR). These interests are the improvement of products and services (including the delivery of direct mail advertising), the monitoring and improvement of the performance of the offering, and the recognition, prevention, or clearing up of any illegal activities.

In addition, the data is processed in accordance with Article 6(1)(c) of the GDPR for the fulfillment of legal obligations (e.g. retention and documentation requirements). This includes, in particular, your personal master data.

If you believe that one or more of the purposes mentioned in Section 5 is not covered by the legal bases mentioned above, you may request that we no longer process your personal data for certain individual purposes (opt out). Opting out does not prevent you from continuing to use bexio’s cloud software, provided that such use does not necessarily require the corresponding data processing. You can send the opt-out request in writing to bexio’s address mentioned above. Sending an email to datenschutz@bexio.com should also be sufficient.

Right of Appeal
If you believe that the processing of your personal data violates the GDPR, you have the right to appeal to a competent supervisory authority in accordance with Article 77 of the GDPR. Of course, bexio will be happy to answer your questions and address your requests in advance of a complaint. Please feel free to contact us by email at datenschutz@bexio.com.