We would like to inform you about the nature, scope and purpose of the collection and use of your personal data when using our Services on our website www.bitwala.com (the “Website”) and the associated Platform for Crypto and Fiat Banking (the “Platform”) consisting of the Web Interface (the “Web App”) and the Mobile Interface (the “Mobile App”), which Bitwala GmbH, Ohlauer Straße 43, 10999 Berlin, Germany (“Bitwala”) provides in cooperation with solarisBank AG, Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany (“Partner Bank”).
I. Data Processing for the purposes of our Website
If you visit our Website for informational purposes without signing up for the Platform, Bitwala will be considered the sole controller within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your visit.
1. Collection and processing of data
Bitwala gathers, uses and saves your personal data to provide access to the Website.
This includes any information you provide manually as well as technical information that is required for the communication between your end-device and our applications.
The technical information we collect for our website www.bitwala.com includes:
- Email Address
- IP Address (anonymised)
- Evaluation of website activity and internet usage
- User website activity on the website and the location they came from (e.g. URL and referrer)
- Operating system
With every access to our Website or our App, usage data are transmitted through the respective internet browser and stored in log files, the so-called server log files. The records stored in this case contain the following data: date and time of retrieval, page name, IP address, referrer URL (i.e. the page you have previously visited), the amount of data transferred, as well as the product and version information of the browser used. The IP addresses of users will be deleted or anonymized after the end of use. In the case of anonymization, the IP addresses are changed in such a way that the details of personal or factual circumstances can no longer be assigned to a specific or identifiable natural person, or only with a disproportionate amount of time, cost and manpower.
We use the log data and log files only for statistical evaluations for the purpose of operation, security and optimization of our offer.
Additionally you may provide us certain information by your own choice to use certain features of our Website.
With our Newsletter we inform you about important product updates, special announcements and our offers. To register for the newsletter, we need your e-mail address. In addition, we record your IP address and the date of registration upon registering to ensure that no third party misuses your e-mail address and thereby registers without your knowledge to receive the newsletter. This data is stored and used for the sending of the newsletter.
After registering, you will receive an e-mail to confirm your affiliation to the newsletter e-mail list. Unless you confirm your registration for our newsletter within 24 hours, we will delete your provided data for signing up for the newsletter (email address, IP address, date of registration) 24h after sending out the confirmation e-mail, provided that no statutory storage requirements are in conflict.
At the end of each newsletter, there is a link through which you can unsubscribe from the newsletter at any time. You can also unsubscribe from the newsletter at any time via a message to the imprint of our website or with a message to the contact details provided in Paragraph 1. Upon cancellation of the newsletter, the personal data provided for the purpose of providing the newsletter will be deleted, unless a statutory retention requirement precludes this.
Additionally, we collect certain data on your interactions with our Newsletter, using graphic elements integrated in each Newsletter (so-called Pixels). We use these data in pseudonymised form for general statistical evaluation and to optimize our customer communication further. The Processing is based on Art. 6 para. 1 lit. f) GDPR.
You can revoke your consent or object to the storage of data, the e-mail address and their use for sending the newsletter at any time. The revocation or objection can be declared via a link in the newsletter itself or by message to the contact options mentioned in Paragraph 1.
With our surveys and questionnaires, we would like to adapt and improve the service offering to the needs of our participants. You can participate in our surveys by clicking on a button on our website or our app. If you participate in a survey, we will store your e-mail address and your name so that we can identify you and classify you in the pre-signup list.
In the survey we collect and process data on the basis of Art. 6 para. 1 lit. f) GDPR, including the following information:
- E-Mail Address
- Individually provided data, that you have given us in the pre-sign up
We use this data to provide customer-oriented demographics for improving marketing strategies and products.
Hosting of our Website
Our Website is hosted by a third party service provider based in the US. To protect your privacy when transferring data outside the EEA we have concluded Standard Contractual Clauses provided by the EU Commission. Furthermore, our hosting service provider is contractually bound to our instructions under a Data Processing Agreement.
Third Party Content
Occasionally, we may include third-party content on our site, such as videos from YouTube, Maps from Google Maps, RSS feeds or graphics from other websites, based on our legitimate interest to provide additional content on our Website, Art. 6 para. 1 lit. f) GDPR. In order to display the content, the providers of this content receive the IP address of the users. We have no influence on storage and further use of the IP address by the third-party providers.
On our website, we are using Zendesk Inc., a tool for customer support communication. Zendesk Inc. is headquartered at 1019 Market St., San Francisco, CA 94103, USA.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in communication with the customer.
The personal data processed is stored on a server in the USA. Zendesk has committed itself to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. In addition, Zendesk is subject to our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.
We are using Trustpilot, a service from Trustpilot A/S, Pilesstraede 58, 5th floor, 1122 Copenhagen, Denmark. Trustpilot allows you to review our services and give us feedback. Trustpilot will process your e-mail address.
The legal ground for processing your data is Art. 6 para. 1 lit. f) GDPR based on our legitimate interest to be reviewed and receive ratings and the legitimate interest to optimize our services based on the reviews.
For a part of our service it is necessary for us to store cookies on your end device. Cookies do not execute programs on your computer. Instead, the main purpose of cookies is to provide customisation features when using our services (the “Functional Cookies”).
We use our own Functional Cookies for:
- Log-in identification
- Load distribution
- To remember your settings
- To remember your cookie consent
The processing of data collected via our cookies is based on our legitimate interest to provide you a convenient and individualised service on our website, Art. 6 para. 1 lit. f) GDPR.
Performance and Marketing Analytics
To improve our Website we use data collected by cookies and similar technologies (e.g. web beacons) for the statistical collection and analysis of general usage patterns. We also use this data for advertising and marketing purposes and to show personalised ads to you on our Websites and other websites.
Data collected by these cookies (the “Analytics Cookies”) will be processed by us or third party service providers, based on your consent, Art. 6 para. 1 lit. a) GDPR or on the basis of one of our legitimate interests according to Art. 6 para. 1 lit. f) GDPR.
The data collected by Analytics Cookies usually includes
- IP address of your device,
- Date and time of the access
- Cookie ID number
- Device ID of mobile devices
- Technical information on browser and operating system (the “Device Fingerprint”)
This data is only collected and stored in pseudonymous form and is never used to identify you individually or to draw conclusions other than on a general, aggregated level.
Opt-out of tracking and withdrawal of consent
You can withdraw your consent for cookie processing at any time by clicking on this link or contacting us via our email address provided above. Please keep in mind that withdrawal is only effective towards Bitwala and Partner Bank, therefore you may be tracked by other websites using the services listed below.
If you wish to disable tracking in general, you can always configure your browser to decline cookies, in which case we will not be able to process data in the above mentioned way. Alternatively you can prevent cookies on your device, using the services of Trustee and YourAdChoices.
In the following section we will further describe the cookies and services we use for marketing and analytics purposes as well as alternatives to generally prevent being tracked by the respective service.
Services used for Performance and Marketing Analytics
Our Website and our Mobile Application use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). According to Google, the contact person for all data protection concerns is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in the needs-based design and continuous optimization of our website.
Your IP address will be truncated before the usage statistics are evaluated so that no inference can be made about your identity. For this purpose, Google Analytics has been enhanced on our website with the code "anonymizeIP" to ensure an anonymous collection of IP addresses.
We use Google Analytics with cross-device tracking enabled through a unified user ID. This allows us to associate interaction data from different devices and from different sessions with a unique ID. This allows us a more accurate visitor analysis. For more information, see: https://support.google.com/analytics/answer/3123662?hl=en
Google will process the information obtained through cookies in order to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage.
Google AdWords Conversion-Tracking and Remarketing
Our Website uses the services of “AdWords Conversion-Tracking” and “AdWords Remarketing” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). “AdWords Conversion-Tracking” allows us to comprehend and analyse defined customer actions (such as clicking on an advertisement, page views, downloads). “AdWords Remarketing” allows us to show you individualised advertisement messages of our products on partner-websites from Google. Both services are using Cookies and similar technologies. The data collected in this context can be transmitted to a Google server in the USA for evaluation and can be stored there.
In the event that personal data is transferred to the USA, Google has committed itself to self-certification by the US Department of Commerce to adhere to the framework of the EU-US Privacy Shield.
If you are using a Google Account, Google may associate your web and app browsing history with your Google Account and use information from your Google Account to personalize your advertisement, based on the settings stored in your Google Account. If you do not want this connection to your Google Account, you have to log out of your Google account, before visiting our website.
As described before, you can configure your browser in order to reject cookies. You can also disable the Personalized Advertising button in the Google Ads Settings. In this case, Google will only display general advertising that has not been selected based on the information collected about you.
We use Facebook Pixel Codes on this website, an analytical tool from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Through the use of Facebook Pixel, Facebook becomes aware of your visit to our website, which allows personal advertisements to be initiated. In the event that you are logged into your Facebook account while visiting our website, Facebook will allocate the visit on our website to your Facebook account.
The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR. You can change your settings for advertisements from Facebook here, if you are logged into your Facebook account. By using YourAdChoices, you can change your preferences regarding individual online advertisement here.
Through the use of Twitter Pixel, Twitter becomes aware of your visit to our website, which allows personal advertisements to be initiated. In the event that you are logged into your Twitter account while visiting our website, Twitter will allocate the visit on our website to your Twitter account.
The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR.
You can change your settings for advertisements from Twitter here, if you are logged into your Twitter account. By using YourAdChoices, you can change your preferences regarding individual online advertisement here.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in the needs-based design and continuous optimization of our website.
The information generated by the cookie about the use of this website is stored on a server in the USA. Segment has committed itself to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. In addition, Segment is subject to our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.
Our website is using AdRoll Pixel, a so-called retargeting technology from the service provider AdRoll Limited; Level 6; 1 Burlington Plaza Burlington Road; Dublin 4, Ireland.
AdRoll Pixel allows us to place personalized advertisements for you, by using a Cookie-based analysis of the user’s former behaviour.
Our Website is using Finative Pixel, an analysis tool from Finative GmbH, Im Mediapark 5, 506070 Cologne, Germany.
We are using Finative Pixel to analyse the user’s behaviour on our website. The analysis helps us with the evaluation and recording of the user’s conversion rate. The conversion rate identifies the number of users who have signed up with us after they have clicked on an advertisement from us that has redirected the user to our website. The Finative Pixel allows us to improve our advertisements and our marketing.
You can, as described above, configure your browser in a manner that no personal data is processed.
On the basis of your consent, we use the marketing tool customer.io for contextual e-mailing. Customer.io is a service of Peaberry Software Inc. d/b/a Customer.io, 921 SW Washington Street, Suite 820, Portland, Ore., 97205, USA. Your personal data (e-mail address, name) provided upon the registration for the Pre-Signup process will be transmitted to a server of the company Peaberry Software Inc. in the USA and stored there.
Customer.io has committed to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield.
On the basis of your consent, we use Mailgun Technologies, Inc., a Delaware corporation headquartered at 535 Mission St. San Francisco, CA 94105 USA for sending and tracking emails. Mailgun is a marketing tool for sending emails for promotional purposes.
Mailgun Technologies Inc., a Delaware corporation, has committed itself to upholding the principles of the EU-US Privacy Shield by self-certification with the US Department of Commerce.
On the basis of your consent, we use Mixpanel Inc., headquartered at 405 Howard Street, San Francisco, CA 94105, USA, a service provider for analyzing mobile data. Mixpanel is a tool for understanding user behavior in the interface and in the mobile application. Your personal data (name, e-mail address, IP address, personal data that you have provided us with) will be transmitted to the servers of Mixpanel Inc. in the USA and stored there.
Social Plug Ins
Our website uses social-media plug-ins of the following social networks:
Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA ("Facebook").
Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA.
LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA, 94043, USA
Reddit Inc., 101 New Montgomery St, San Francisco, CA 94105, USA
The legal basis for processing is Art. 6, para. 1, lit. f) GDPR, based on our legitimate interest in you sharing our contents via social media and in our expanding our reach in this way.
Should personal data be transmitted to the USA, these social networks have acceded to the EU-US Privacy Shield. The social network may receive the information that you have called up the corresponding page of our online site. This will be done irrespective of whether you have an account with the provider and are logged in there. If you are logged in, these data will be assigned directly to your account. If you turn on the activated plug-in and e.g. link the page, the social network may also store this information, including date and time, in your user account and inform your contacts of this publicly if you have activated the relevant function. If you do not wish for assignment with your profile at the respective social network, you must log out before activating the plug-in.
The providers may store these data as usage profiles and use them for purposes of advertising, market research and/or needs-based design of its website. Such an evaluation will be made in particular (for users not logged-in, too) for the display of needs-based advertising and to inform other users of the social network about your activities on our website.
You may object to being profiled by social media providers:
- as a Facebook user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser, e.g. Facebook Blocker. You will find more detailed information in Facebook’s Privacy Statement.
- as a Twitter user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Twitter social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Twitter’s Privacy Statement.
- as a Reddit user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Reddit’s Privacy Statement.
- as a LinkedIn user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of LinkedIn social media plug-ins by using supplementary programs for your browser. You will find more detailed information in LinkedIn’s Privacy Statement.
II. Data Processing for the purposes of our Banking Platform
If you use our Banking Platform, Bitwala and Partner Bank will be considered Joint Controllers within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your use of the Platform.
1. Responsibility for Platform related requests and inquiries
As Joint Controllers both Bitwala and Partner Bank are responsible for any Platform related requests and inquiries. Please address any privacy related matters to: email@example.com or firstname.lastname@example.org. As our Bitwala Customer Support Team has a special division for privacy related issues, your request is most likely processed faster if you contact us on email@example.com.
While you can reach out to either Bitwala or Partner Bank, we have shared privacy related tasks according to our contribution to the Platform. Therefore, any banking and crypto related request will be redirected to and handled by Partner Bank, even if you contact Bitwala. Vice versa, inquiries regarding the technical provision and marketing use of the Platform will effectively be processed by Bitwala.
Bitwala and Partner Bank work closely together in any case to provide the best service to you.
2. Overview of data processing for our services
Our Platform provides you the opportunity to create and manage a bank account and a wallet, which allows you to easily connect your crypto funds to the fiat world. To perform these services, we need to process your personal data, including:
- Banking Information (IBAN, BIC, transaction history, personal data)
- Crypto Information (public keys, transaction history)
- Trading Information (order information, transaction history)
- Card Payment Data (transaction data, transaction history)
- Account Information (Address Data, Contact Information, Identification Documentation, Tax Information)
3. Processing of data for your User Account
Bitwala will be considered the responsible Joint Controller for processing of personal data for the provision of your User Account and will therefore handle any of your account related requests.
To use our Platform you need a User Account. For this reason and based on Art. 6 para. 1 lit. b) GDPR, we process your Account Information.
4. Processing of data for our Blockchain Interface
The Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Blockchain Interface and will therefore handle any of your blockchain related requests.
A core feature of our banking services is a Blockchain Interface that allows you to interact with your Wallet and the respective Blockchain. While we have no control over the processing of personal data on the respective Blockchain, we are processing your data to create and manage the access to your wallet.
Your wallet will be provided by a third party service provider. For the creation process you have to generate a pair of keys which will be used to access your wallet. The original generation of the keys takes place exclusively on your own end device. At no point will Bitwala or BitGo have access to the funds in your wallet.
Please remember to safeguard your keys with the appropriate measures and to always use strong password encryption. Bitwala will not be able to help with lost access to wallets and/or lost funds.
As the wallet provider is located in the USA, Crypto Information will be transferred to the US upon any of your interactions with the wallet, including its creation.
Initiating and receiving transactions
Any incoming or outgoing transactions will be initiated on our Platform and sent via your Wallet to the respective Blockchain. Therefore, for each transaction, one of the addresses stored in your wallet will be published to the respective open public blockchain and be publicly available over the internet. While the transaction data may not seem to be personally identifiable information it is still considered personal data under GDPR as it is possible for us to match single addresses to our users for the provision of our services.
While we are not able to control any processing that happens on the Blockchain, we take industry standard precautions to ensure that your privacy is protected.
Our Platform provides you an overview of any transaction sent or received from both your wallet and bank account. To maintain an overview of your crypto transactions we keep a history of all incoming and outgoing transactions on your wallet.
Blockchain Security Aspects
Your digital assets are stored on the blockchain and can be accessed or transferred using the wallet. Neither Bitwala, Partner Bank nor the wallet provider can cause transactions from your wallet except on your request. Any request issued via our Blockchain Interface to the wallet provider must be signed with a private key which is exclusively known to you and serves as your “wallet password”.
To further increase security, our Blockchain Interface is whitelisted with the wallet provider. Therefore, any interaction from another interface with your wallet will be blocked by default. If you wish, however, to transfer your wallet and make it accessible from third party interfaces, you may transfer your wallet by following the instructions in the Bitwala Help Center.
5. Processing of data for our Banking Interface
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Banking Interface and will therefore handle any of your banking related requests.
6. Hosting of Web- and Mobile-Applications
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the hosting of the applications that enable you to interact with your bank accounts and wallet and will therefore handle any of your requests related to the technical provision of the Banking and Blockchain Interface.
In addition to the data processed to provide the functionality of our Blockchain and Banking Interfaces, whenever you access our Platform via the Website or Bitwala Mobile App, we will process the above mentioned technical data to establish the communication between your end-device and our applications.
Accessing our Platform via the Bitwala Mobile Application
Additionally, when you access our Platform via the Bitwala Mobile Application, we collect certain App Specific Data to provide our Services, based on Art. 6 para. 1 lit. b) GDPR, as well as to optimize and market our product, based on our legitimate interest to do so, Art. 6 para. 1 lit. f) GDPR.
If you enable push notifications, we will process your App ID in order to send you relevant information which may be triggered by certain events on your account, wallet or mobile device. This Processing is based on your implicit consent given when you choose to what extent you would like to receive notifications, Art. 6 para. 1 lit. a) GDPR.
In our App, we also use tracking devices for performance and marketing analytics purposes. While technically different, effectively these tracking devices work similarly to cookies by enabling us to assign a pseudonymous identifier to a certain device.
Based on your consent, provided when first accessing our App, we use Google Analytics, Customer.io and Mixpanel for mobile devices. Please see above for relevant information on how we transfer data to these services and how we protect your data when doing so or how you can prevent these services from tracking you.
Hosting our Applications
The web and mobile applications on which our Platform runs are hosted on servers provided by Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109, USA (“AWS”). The servers we use are located within the European Economic Area. For certain technical services, however, data may be processed outside the EEA, especially in the USA.
AWS is Privacy Shield certified, asserting an adequate level of protection according to the adequacy decision of the European Commission 2016/1250. Additionally, AWS is bound to our instructions by a data processing agreement, implementing Standard Contractual Clauses of the European Commission.
Further Transmission of data
Otherwise, we transfer data to Third Parties only if:
- You have given an express declaration of consent for this, pursuant to Art. 6, para. 1, lit. a) GDPR,
- Further transmission is necessary, pursuant to Art. 6, para. 1 lit. f) GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,
- We have a legal duty to pass on your data pursuant to Art. 6 para. 1 lit. c) GDPR, or
- This is legally permissible and requisite, pursuant to Art. 6 para. 1 lit. b) GDPR, for the handling of contracts with yourself or for the execution of pre-contractual actions which are being carried out at your request.
Duration of storage
We store personal data only as long as necessary to fulfil our contractual or statutory duties. This means that, as long as your account is active, we will keep any data required to provide our Services.
Upon your deletion of your account, we will delete any of your data, provided it is not required for purposes of evidence, in which case we keep it until expiration of statutory periods of limitation, or for statutory retention periods.
In particular, Bitwala and Partner Bank may be subject to retention periods under German Tax and Commercial Law up to 10 years for relevant information. This may include certain technical information related to the initiation or the receipt of payments.
Rights of the persons concerned
You have the right to information about the processing of your personal data at any time and free of charge. This information includes an overview of the data relating to you, as well as a copy of such data (Right to Access). Should data be or become inaccurate, we are obliged to correct the information on your request (Right to Rectification). You may at any time request the deletion of data (Right to Erasure). Wherever we are not able to delete your data, as may be the case when we are subject to statutory retention periods, data processing will be restricted. Processing will also be restricted upon your request, if you believe that the data we have stored are not correct or if there is a dispute over the legality of the processing (Right to Restriction of Processing). You may at any time request us to transfer your personal data to you or a third party of your choice (Right to Data Portability). You additionally have the right to lodge a complaint with a supervisory authority (Right to lodge a complaint).
You can exercise your rights with either Joint Controller, i.e. Bitwala or Partner Bank, by using the above contact details. However, for your convenience we have implemented a special data privacy team at Bitwala which will handle and, where necessary, forward all requests, which can be reached at:
Right to withdraw consent
Under Art. 7 para. 3 GDPR you have the right to withdraw any consent you may have given to us at any time. In this case, data processing will no longer take place based on your consent. The withdrawal however does not affect the lawfulness of past processing activities.
If you would like to withdraw any consent given to us, please contact either of the Joint Controllers using their contact details provided above or direct your request to:
Alternatively you may use features provided within our applications to withdraw your consent.
Right to objection to processing based on legitimate interest
Wherever we process your data on the basis of legitimate interests under Art. 6 para. 1 lit. f) GDPR you have the right to object to the processing of your data according to Art. 21 GDPR.
You may at any time object to data processing for direct marketing purposes.
If you would like to object to any of our performance or marketing analytics purposes, please use one of the above listed opt-out methods or contact: