Privacy policy

bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (hereinafter referred to as “bexio”) is the author of this Privacy Policy and the owner of the information (data) collected about you hereunder. In all other respects, bexio’s General Terms and Conditions (GT&Cs) shall apply.

We know that the careful handling of your personal information is important to you. That is why we appreciate your trust that bexio will handle this information in a conscientious manner. bexio is responsible for the collection, processing, transmission, storage, and protection of your personal information and ensures compliance with the Swiss Data Protection Act as far as data of Swiss customers is concerned as well as compliance with the General Data Protection Regulation of the EU as far as data of customers from the EU area is concerned.

The consent given by you with this Privacy Policy may be revoked at any time with effect for the future (see Section 10, last paragraph).

1. Contact Information

Responsible for data processing:

bexio AG
Alte Jonastrasse 24
8640 Rapperswil
Switzerland
+41 (0)71 552 00 60

You can reach the data protection officer of bexio AG at: datenschutz@bexio.com

2. Applicable Law

The data processing by bexio is subject to the following law:

Data of Swiss Customers and Swiss Visitors of Our Website
The processing of data of Swiss customers is exclusively governed by Swiss law, in particular the Swiss Federal Data Protection Act (DPA, Systematic Compilation of Federal Legislation 235.1) and the corresponding Regulation to the Swiss Federal Data Protection Act (Systematic Compilation of Federal Legislation 235.11). The General Data Protection Regulation of the EU (GDPR) does not apply. The applicability of the GDPR remains unaffected (i) insofar as it is expressly provided for in the Privacy Policy for certain areas, and (ii) insofar as the GDPR is also mandatory for data of Swiss customers due to special circumstances.

Data of Customers from the EU Area and Visitors of Our Website from the EU Area
In addition to Swiss law, Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free transmission of such data, and on the repeal of Directive 95/46/EC (General Data Protection Regulation, GDPR) applies to the processing of data of customers from the EU area. See also Section 12 (Additional Regulations for Customers from the EU Area).

3. Type and Scope of Personal Data Collection

When Visiting Our Website (Without Login)
If you visit our website outside the login-protected area, the web server technology we use automatically logs general technical visit information. This includes, among others, the IP address of the device used (anonymized), information about the browser type, the Internet service provider, and the operating system used.

When Using bexio’s Cloud Software (With Login)
During the free trial access and when using the software provided by bexio for a fee within the login-protected area, all data entered or submitted by the user during the registration process and when using the software is also stored. This applies, in particular, when you register, place orders, fill out online forms, take part in surveys or contests, correspond with us online or offline, or contact us via social media, blogs, or other interactive media.

As a rule, we collect your personal master data (name, address, and email address) and the settings required for the respective service. Additional information on which data we process for which purposes can be found in Appendix A to the Commissioned Processing Agreement.

By entering your data (registration), you consent to the processing, use, and disclosure of your personal data within the framework and scope of the purposes described in the Privacy Policy.

Trustee Partner Program
Under bexio’s Trustee Partner Program, end customers can share their data with their personal trustees. By using the Trustee Partner Program, the user agrees that bexio may provide the trustee with or access to all data of the relevant user. The end customer retains full control over the trustee’s access rights to the end customer’s data at all times and can restrict or deny access at any time.

Payroll Accounting
When using bexio’s optional payroll accounting software, personal data of the end customer’s employees is naturally transmitted to bexio. bexio treats this data with due care and ensures its security in accordance with the standards set out in the Privacy Policy. The end customer declares its consent and releases bexio from any claims that may be raised by the end customer’s employees against bexio. The end customer further declares that it is solely responsible for informing its employees of the possible storage, use, processing, and transmission of data by bexio in accordance with the guidelines in the Privacy Policy. Should the individual employees of the end customer not agree with the intended data processing, the end customer is responsible for accordingly deleting the respective data of its employees in its bexio cloud.

Banking Functions
When using the optional banking functions of bexio or when linking your own account to a bank, data is exchanged between bexio and the respective bank. This also includes payment and bank-specific information such as IBAN, account information, etc.

Other Partner Functions
When using any other optional partner functions of bexio or when connecting your own account to a partner, data is exchanged between bexio and the relevant partner.

4. Data Security

We use technical and organizational security measures in accordance with the recognized market standards to protect personal data stored with us against unintentional, illegal or unauthorized manipulation, deletion, modification, access, disclosure, or use, as well as against partial or complete loss. bexio servers are located at a secure data center in Switzerland with multiple certifications. The connection to our servers takes place via SSL encryption. We back up customer data on a regular basis. In order to prevent data loss even in extreme cases (e.g. destruction of the data center by an earthquake), the encrypted backups are stored at several data centers in Switzerland and abroad at the same time. Our security measures are continuously adapted and improved in line with technological developments. We assume no liability for the loss of data or for such data becoming known to and being used by third parties. Furthermore, we cannot guarantee the security of data transmission over the Internet. In particular, there is a risk of access by third parties when data is transmitted by email. However, access is protected by HTTPS. If explicitly requested by the customer, the customer can opt for two-factor authentication at any time.

5. Purpose of Processing Personal Data / Recipients of Data

We process the collected data in order to continuously improve the products and services requested by you; to manage your use of and access to our applications, products, and information; to maintain our business relationship with you; to monitor and improve the performance of our services; to detect, prevent, or clarify illegal activities; and to provide you with advertising, information, or marketing materials about products or services that we believe may be of interest to you based on the data. The data may also be disclosed to our partner companies and service providers, selected third-party companies, institutes and/or legally authorized state authorities in Switzerland and abroad for processing, storage, and use within the scope of the above-mentioned purposes. If the processing or storage of personal information takes place in countries that do not guarantee adequate data protection in comparison to Swiss data protection law, we require the commissioned processor to fully comply with the relevant provisions of the DPA or – as far as data of customers from the EU area is concerned – the GDPR under contractual obligation.

We make sure that each of the aforementioned processes and services is carried out by service providers that are commissioned in compliance with data protection regulations and are based within the EU or in Switzerland. These are companies from the categories of IT services, payment transactions, printing service providers, billing, collection, and consulting, as well as sales and marketing, and service providers that we use in the context of commissioned processing relationships.

6. Cookies

Cookies help make your visit to our website easier, more enjoyable, and more efficient. Cookies are data files that your web browser automatically stores on your computer’s hard drive when you visit our website and use our services.

You can manage your security settings in your browser independently and thereby block or disable cookies used by us. However, it is possible that in this case you will not be able to use certain bexio services (to the full extent) any longer.

Tracking and Analytics / Social Media
The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be transmitted by us or the third-party providers of such technical systems to third parties in Switzerland and abroad for processing. The most frequently used and the most popular analysis tool is Google Analytics, a service provided by Google Inc. This means that the collected data is generally transmitted to a Google server in the United States.

Our website uses Google Analytics, a web analysis service of Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, which are text files stored on your computer to help analyze your use of the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored on a Google server in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us, and providing other services relating to website activity and Internet usage. Google may also transmit this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will never associate your IP address with any other data held by Google.

If you do not want your website activity to be available to Google Analytics, you can install the browser add-on to disable Google Analytics [link: https://support.google.com/analytics/answer/181881?hl=en].

This prevents the JavaScript (ga.js, analytics.js and dc.js) running on the websites from sharing any activity data with Google Analytics.

The analysis of data by other tools of the website owner is not disabled when you use the add-on. Data may still be sent to the website or other web analytics services.

Integration of Third-Party Offerings / Social Media
Our digital services are networked with third-party functions and systems in many ways, for example through the integration of plugins from third-party social networks such as Facebook, Twitter, etc. If you have a user account with these third parties, they may also be able to measure and evaluate your use of our digital offerings. Further personal data such as IP address, browser settings, and other parameters may be transmitted to and stored by these third parties. We have no control over the use of such personal data collected by third parties and assume no responsibility or liability for it. In all other respects, bexio does not have any detailed knowledge of which data is transmitted to third parties, where it is transmitted to, and whether it is made anonymous.

7. Automatic Decisions

bexio does not use any profiling or automatic decision-making techniques. Should bexio use these procedures in individual cases, you will be informed of it separately insofar as this is required by law.

8. Communication via Email

You can unsubscribe from electronic mailings at any time or adjust the type and scope of this marketing service. The electronic mailings each contain a corresponding link.

9. Storage Duration

bexio processes and stores your personal data as long as you use the service. It should be noted that the contractual relationship is a continuing obligation that lasts for years.

Should the data no longer be required for the fulfillment of contractual or legal obligations, it is regularly deleted unless its – limited – further processing is necessary for the following purposes:

  • Fulfillment of retention obligations under commercial and tax law, and other retention
    obligations in Switzerland: In particular, these include the ten-year period for retaining and
    maintaining the accounting records (Swiss Code of Obligations, 958f); special laws may also
    impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention
    obligations in Germany: In particular, these include the German Commercial Code and the
    German Tax Code. The time periods for retention and documentation specified therein range
    from two to ten years; special laws may also impose longer time periods.
  • Fulfillment of retention obligations under commercial and tax law, and other retention
    obligations in other countries insofar as bexio operates there.
  • Preservation of evidence within the framework of the respective statutory periods of limitations,
    whereby such periods of limitations can amount to up to 30 years and more.

10. Information, Correction, Deletion, Blocking, and Consent

You have the following rights with regard to your personal data. bexio explicitly grants these rights contained in the GDPR also to the Swiss customers insofar as they are not already entitled to the analogous rights under the DPA:

  • the right to information under Article 15 of the GDPR,
  • the right to correction under Article 16 of the GDPR,
  • the right to cancellation under Article 17 of the GDPR,
  • the right to restrict processing under Article 18 of the GDPR,
  • the right to data portability under Article 20 of the GDPR, and
  • the right of objection under Article 21 of the GDPR.

The aforementioned rights are subject to any restrictions of the GDPR and the applicable national data protection laws or other national laws.

If you are asked to provide your consent in connection with bexio services, you can do it by clicking on the corresponding checkbox to confirm that bexio may collect, process, use, and transmit your personal data accordingly.

Of course, you may revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. The consent revocation request may be sent in writing to bexio’s aforementioned address. Sending an email to datenschutz@bexio.com should also be sufficient. Please note that some of the services and features will no longer be available to you afterwards.

11. Links to Other Websites

The website of bexio contains hyperlinks to third-party websites that are not operated or controlled by bexio. bexio is not responsible for their content or data protection practices.

12. Additional Regulations for Customers from the EU Area

The following provisions are only applicable to customers from the EU area; they do not apply to Swiss customers.

Legal Basis for the Processing
The processing of your data for the purposes mentioned in Section 5 takes place in accordance with Article 6(1)(b) of the GDPR for the fulfillment of the contract. The subject matter of the contract is the services mentioned above.

Likewise, your data will be processed as described above to protect the legitimate interests of bexio (Article 6(1)(f) of the GDPR). These are the improvement of products and services (including delivery of direct mail advertising) in order to monitor and improve the performance of the offering, and to recognize, prevent, or clear up any illegal activities.

In addition, the data is processed in accordance with Article 6(1)(c) of the GDPR for the fulfillment of legal obligations (e.g. retention and documentation requirements). This includes, in particular, your personal master data.

If you believe that one or more of the purposes mentioned in Section 5 is not covered by the legal bases mentioned above, you may request that we no longer process your personal data for certain individual purposes (opt out). Opting out does not prevent you from continuing to use bexio’s cloud software provided that such use does not necessarily require the corresponding data processing. You can send the opt-out request in writing to bexio’s address mentioned above. Sending an email to datenschutz@bexio.com should also be sufficient.

Right of Appeal
If you believe that the processing of your personal data violates the GDPR, you have the right to appeal to a competent supervisory authority in accordance with Article 77 of the GDPR. Of course, bexio will be happy to answer your questions and address your requests in advance of a complaint. Please feel free to contact us by email at datenschutz@bexio.com.

 

Last update: July 2018