We would like to inform you about the nature, scope and purpose of the collection and use of your personal data when using our Services on our website www.bitwala.com (the “Website”) and the associated Platform for digital Assets and Banking (the “Platform”) consisting of the Web Interface (the “Web App”) and the Mobile Interface (the “Mobile App”), which Bitwala GmbH, Prinzessinenstraße 19/20, 10969 Berlin, Germany (“Bitwala”) provides in cooperation with solarisBank AG, Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany (“Partner Bank”).
I. Data Processing for the purposes of our Website
If you visit our Website for informational purposes without signing up for the Platform, Bitwala will be considered the sole controller within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your visit.
1. Collection and processing of data
Bitwala gathers, uses and saves your personal data to provide access to the Website.
This includes any information you provide manually as well as technical information that is required for the communication between your end-device and our applications.
The technical information we collect for our website www.bitwala.com includes:
- Email Address
- IP Address (anonymised)
- Evaluation of website activity and internet usage
- User website activity on the website and the location they came from (e.g. URL and referrer)
- Operating system
With every access to our Website or our App, usage data are transmitted through the respective internet browser and stored in log files, the so-called server log files. The records stored in this case contain the following data: date and time of retrieval, page name, IP address, referrer URL (i.e. the page you have previously visited), the amount of data transferred, as well as the product and version information of the browser used. The IP addresses of users will be deleted or anonymized after the end of use. In the case of anonymization, the IP addresses are changed in such a way that the details of personal or factual circumstances can no longer be assigned to a specific or identifiable natural person, or only with a disproportionate amount of time, cost and manpower.
We use the log data and log files only for statistical evaluations for the purpose of operation, security and optimization of our offer.
Additionally you may provide us certain information by your own choice to use certain features of our Website.
With our Newsletter we inform you about important product updates , special announcements and our offers. To register for the newsletter, we need your e-mail address. In addition, we record your IP address and the date of registration upon registering to ensure that no third party misuses your e-mail address and hereby logs in without your knowledge to receive the newsletter. This data is stored and used for the sending of the newsletter. After registering, you will receive an e-mail to confirm your affiliation to the newsletter e-mail list. Unless you confirm your registration for our newsletter within 24 hours, we will delete your provided data for signing up for the newsletter (email address, IP address, date of registration) 24h after sending out the confirmation e-mail, provided that no statutory storage requirements are in conflict.
At the end of each newsletter, there is a link through which you can unsubscribe from the newsletter at any time. You can also unsubscribe from the newsletter at any time via a message to the imprint of our website or with a message to the contact details provided in Paragraph 1. Upon cancellation of the newsletter, the personal data provided for the purpose of providing of the newsletter have been deleted, unless a statutory retention requirement precludes this.
Additionally we, collect certain data on your interactions with our Newsletter, using graphic elements integrated in each Newsletter (so called Pixels). We use these data in pseudonymised form for general statistical evaluation and to optimize our customer communication further. The Processing is based on Art. 6 para. 1 lit. f) GDPR.
You can revoke your consent or object to the storage of data, the e-mail address and their use for sending the newsletter at any time. The revocation or objection can be declared via a link in the newsletter itself or by message to the in Paragraph 1 mentioned contact options.
With our surveys and questionnaires, we would like to adapt and improve the service offering to the needs of our participants. You can participate in our surveys by clicking on a button on our website or our app. If you participate in a survey, we will store your e-mail address and your name so that we can identify you and classify you in the pre-signup list.
In the survey we collect and process data on the basis of Art. 6 para. 1 lit. f) GDPR, including the following information:
- E-Mail Address
- Individually provided data, that you have given us in the pre-sign up
We use this data to provide customer-oriented demographics for improving marketing strategies and products.
Hosting of our Website
Our Website is hosted by a third party service provider based in the US. To protect your privacy when transferring data outside the EEA we have concluded Standard Contractual Clauses provided by the EU commission. Furthermore, our hosting service provider is contractually bound to our instructions under a Data Processing Agreement. Additionally, this service provider is bound to our instructions by a data processing agreement.
Third Party Content
Occasionally, we may include third-party content on our site, such as videos from YouTube, Maps from Google Maps, RSS feeds or graphics from other websites, based on our legitimate interest to provide additional content on our Website, Art. 6 para. 1 lit. f) GDPR. In order to display the content, the providers of this content perceive the IP address of the users. We have no influence on storage and further use of the IP address by the third providers.
On our website, we are using Zendesk Inc., a tool for customer support communication. Zendesk Inc. is headquartered at 1019 Market St., San Francisco, CA 94103, USA.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in communication with the customer.
The personal data processed is stored on a server in the USA. Zendesk has committed itself to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. In addition to it, Zendesk is subject our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.
We use the chatbot tool which is provided by Solvemate GmbH, Tempelhofer Ufer 1, 10961 Berlin(“Solvemate”) to help your requests better and provide easy communication between you and customer service. Your name, email address and attachments that you provide us through the chatbot are shared with Solvemate.
The legal basis for data processing is Art. 6 para. 1 lit. b GDPR processing requests of the customers with whom Bitwala has a contract, Art. 6 para. 1 lit. f GDPR our legitimate interest in providing a smooth customer service experience.
Solvemate is subject to our instructions by a data processing agreement.
We use the call center software platform provided by Babelforce GmbH, Mindspace Friedrichstr. 68, 10117 Berlin to provide you calls with customer service.
The legal basis for data processing is Art. 6 para. 1 lit. b GDPR processing requests of the customers with whom Bitwala has a contract, Art. 6 para. 1 lit. f GDPR our legitimate interest in providing a smooth customer service experience
Incoming and outgoing calls to the service numbers offered are recorded and documented by Babelforce, with information in the form of the date and time of the call, the duration of the call.
Babelforce is subject to our instructions by a data processing agreement.
We are using Trustpilot, as service from Trustpilot A/S, Pilesstraede 58, 5th floor, 1122 Copenhagen, Denmark. Trustpilot allows you to review our services and give us feedback. Trustpilot will process your e-mail address.
The legal ground for processing your data is Art. 6 para. 1 lit. f) GDPR based on our legitimate interest to be reviewed and receive rating and the legitimate interest to optimize our services based on the reviews.
For a part of our service it is necessary for us to store cookies on your end device. Cookies do not execute programs on your computer. Instead, the main purpose of cookies is to provide customisation features when using our services (the “Functional Cookies”).
We use our own Functional Cookies for:
- Log-in identification
- Load distribution
- To remember your settings
- To remember your cookie consent The processing of data collected via our cookies is based on our legitimate interest to provide you a convenient and individualised service on our website, Art. 6 para. 1 lit. f) GDPR.
Performance and Marketing Analytics
To improve our Website we use data collected by cookies and similar technologies (e.g. web beacons) for the statistical collection and analysis of general usage patterns. We also use this data for advertising and marketing purposes and to show personalised ads to you on our Websites and other websites.
Data collected by these cookies (the “Analytics Cookies”) will be processed by us or third party service providers, based on your consent, Art. 6 para. 1 lit. a) GDPR or on the basis of one of our legitimate interest according to Art. 6 para. 1 lit. f) GDPR.
The data collected by Analytics Cookies usually includes
- IP address of your device,
- Date and time of the access
- Cookie ID number
- Device ID of mobile devices
- Technical information on browser and operating system (the “Device Fingerprint”)
This data is only collected and stored in pseudonymous form and is never used to identify you individually or to draw conclusions other than on a general, aggregated level.
Opt-out of tracking and withdrawal of consent
You can withdraw your consent for cookie processing at any time by clicking on this link or contacting us via our email address provided above. Please keep in mind that withdrawal is only effective towards Bitwala and Partner Bank, therefore you may be tracked by other websites using the services listed below.
If you wish to disable tracking in general, you can always configure your browser to decline cookies, in which case we will not be able to process data in the above mentioned way. Alternatively you can prevent cookies on your device, using the services of Trustee and YourAdChoices.
In the following section we will further describe the cookies and services we use for marketing and analytics purposes as well as alternatives to generally prevent being tracked by the respective service.
Services used for Performance and Marketing Analytics
Our Website and our Mobile Application uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). According to Google, the contact person for all data protection concerns is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in the needs-based design and continuous optimization of our website.
Your IP address will be truncated before the usage statistics are evaluated so that no inference can be made about your identity. For this purpose, Google Analytics has been enhanced on our website with the code "anonymizeIP" to ensure an anonymous collection of IP addresses.
We use Google Analytics with cross-device tracking enabled through a unified user ID. This allows us to associate interaction data from different devices and from different sessions with a unique ID. This allows us a more accurate visitor analysis. For more information, see: https://support.google.com/analytics/answer/3123662?hl=en
Google will process the information obtained through cookies in order to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage.
Google AdWords Conversion-Tracking and Remarketing
Our Website uses the services of “AdWords Conversion-Tracking” and “AdWords Remarketing” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“). “AdWords Conversion Tracking” allows us to comprehend and analyse defined customer actions (such as clicking on an advertisement, page views, downloads). “Adwords Remarketing” allows us to show you individualised advertisement messages of our products on partner-websites from Google. Both services are using Cookies and similar technologies. The data collected in this context can be transmitted for evaluation for Google to a server in the USA and can be stored there.
In the event that personal data is transferred to the USA, Google has committed itself to self-certification by the US Department of Commerce to adhere to the framework of the EU-US Privacy Shield.
If you are using a Google Account, Google may associate your web and app browsing history with your Google Account and use information from your Google Account to personalize your advertisement, based on the settings stored in your Google Account. If you do not want this connection to your Google Account, you have to log out of your Google account, before visiting our website.
As described before, you can configure your browser in order to reject cookies. You can also disable the Personalized Advertising button in the Google Ads Settings. In this case, Google will only display general advertising that has not been selected based on the information collected about you.
We use Facebook Pixel Codes on this website, an analytical tool from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The use of Facebook Pixel causes that Facebook is aware of your visit on our website and thereby allows to initiate personal advertisements. In the event that you are logged into your Facebook account while visiting our website, Facebook will allocate your Facebook account to the visit on our website.
The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR. You can change your settings for advertisements from Facebook here, if you are logged into your Facebook account. By using YourAdChoices, you can change your preferences regarding individual online advertisement here.
The use of Twitter Pixel causes that Twitter is aware of your visit on our website and thereby allows to initiate personal advertisements. In the event that you are logged into your Twitter account while visiting our website, Twitter will allocate your Twitter account to the visit on our website.
The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR.
You can change your settings for advertisements from Twitter here, if you are logged into your Twitter account. By using YourAdChoices, you can change your preferences regarding individual online advertisement here.
We use Quora, a service of Quora, Inc. represented in Europe by VeraSafe Ireland Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.
Quora enables us to use target-group based advertising, re-targeting and conversion measurements for online advertising using the so-called visitor interaction pixel. Here, offers for specific target groups are played out based on a selection of general criteria, such as demographic characteristics, regions or interests. Quora also allows us to target ads based on your previous page views. For example, if you are interested in specific services, information, or offers on our site, you may see ads and references to our offerings and content. Quora's data processing also takes place at Quora's headquarters in the USA. If data is transferred to the USA, Quora will ensure that this is based on appropriate guarantees, such as the use of the standard contractual clauses of the European Commission.
We use a solution for our marketing campaigns of Adjust GmbH (‘Adjust’), Saarbrücker Str. 37A 10405 Berlin, to acquire new users, analyze user behavior and optimize our marketing campaigns. As part of this, Adjust may process your advertising ID (IDFA and Android-ID) on our behalf and temporary device identification numbers, if not disabled by you in the system settings of your device.
The data processed in this way is only used to see the external website or app that leads the user to Bitwala and to determine which campaign users were aware of our app, for example which campaign link or banner users clicked before they downloaded our app.
The legal basis for processing your personal data is Art. 6 para. 1 lt. f GDPR, our legitimate interest.
If you do not want us to process your advertising ID, you can always disable or change this on your device. Please see the guide for iOS devices and the guide for Android devices.
Additionally, this service provider is bound to our instructions by a data processing agreement.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in the needs-based design and continuous optimization of our website.
The information generated by the cookie about the use of this website is stored on a server in the USA. Segment is subject our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission with additional safeguards.
We use the product analytics tool Amplitude which is provided by Amplitude, Inc. 631 Howard St. Floor 5 San Francisco, CA 94105 (“Amplitude”) to evaluate user access and activity. The data shared is pseudonymized.
The legal basis for data processing is Art. 6 para 1. lit. b GDPR, based on our contractual obligation to provide our services; Art. 6 para 1. lit. f GDPR, based on our legitimate interest in the need of identifying the problems regarding user access, improving the product experience and Art. 6 para. 1. lit.c GDPR to comply with our legal obligations regarding applicable tax laws.
Amplitude is subject to our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.
Our website is using AdRoll Pixel, a so-called retargeting technology from the service provider AdRoll Limited; Level 6; 1 Burlington Plaza Burlington Road; Dublin 4, Ireland.
AdRoll Pixel allows us to place personalized advertisements for you, by using a Cookie-based analysis of the user’s former behaviour.
The legal basis for the processing is Art. 6 para. 1 f) GDPR, based on our legitimate interest in conducting a user analysis and personalising advertising.
Our Website is using Finative Pixel, a analysis tool from Finative GmbH, Im Mediapark 5, 506070 Cologne, Germany.
We are using Finative Pixel to analyse the user’s behaviour on our website. The analysis helps us with the evaluation and recording of the user’s conversion rate. The conversion rate identifies the number of users, which have sign up with us, after they have clicked on an advertisement from us that has redirected the user to our website. The Finative Pixel allows us to improve our advertisements and our marketing.
You can, as described above, configure your browser in a manner that no personal data is processed.
We use the marketing tool customer.io for contextual e-mailing. Customer.io is a service of Peaberry Software Inc. d / b / a Customer.io, 921 SW Washington Street, Suite 820, Portland, Ore., 97205, USA. Your personal data (e-mail address, name) provided upon the registration for the Pre-Signup process will be transmitted to a server of the company Peaberry Software Inc. in the USA and stored there.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in sending transactional and informational communication.
On the basis of your consent, we use the same provider to send you marketing related communications.
Customer.io is subject our instructions by a data processing agreement, incorporating Standard Contractual Clauses with the third-party provider, with additional safeguards.
We use the promotion marketing tool Talon.One for customization of our referral campaigns (e.g. ‘The Refer-a-Friend Program’), which is provided by Talon.One GmbH, Wiener Str. 10, 10999 Berlin (“Talon.One”). The referral status to your account, account and crypto wallets’ creation time are shared with them in a pseudonymized format.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR, based on our legitimate interest in the needs of customization of referrals and campaigns based on customer segmentation and automation of campaigns workflow.
Talon.One is subject to our instructions by a data processing agreement.
Social Media Plug Ins
Our website uses social-media plug-ins of the following social networks:
- Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA.
- Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA.
- LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
- Reddit Inc., 101 New Montgomery St, San Francisco, CA 94105, USA
The legal basis for processing is Art. 6, para. 1, lit. f) GDPR, based on our legitimate interest in you sharing our contents via social media and in our expanding our reach in this way. Should personal data be transmitted to the USA, these social networks have acceded to the EU-US Privacy shield. The social network may receive the information that you have called up the corresponding page of our online site. This will be done irrespective of whether you have an account with the provider and are logged-in there. If you are logged-in, these data will be assigned directly to your account. If you turn on the activated plug-in and e.g. link the page, the social network may also store this information, including data and time, in your user account and inform your contacts of this publicly if you have activated the relevant function. If you do not wish for assignment with your profile at the respective social network, you must log-out before activating the plug-in.
The providers may store these data as usage profiles and use them for purposes of advertising, market research and/or needs-based design of its website. Such an evaluation will be made in particular (for users not logged-in, too) for the display of needs-based advertising and to inform other users of the social network about your activities on our website.
You may object to being profiling by social media providers:
- as a Facebook user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser, e.g. Facebook Blocker. You will find more detailed information in Facebook’s Privacy Statement.
- as a Twitter user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Twitter social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Twitter’s Privacy Statement.
- as a Reddit user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Reddit’s Privacy Statement.
- as a LinkedIn user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of LinkedIn social media plug-ins by using supplementary programs for your browser. You will find more detailed information in LinkedIn’s Privacy Statement.
II. Data Processing for the purposes of our Banking Platform
If you use our Banking Platform, Bitwala and Partner Bank will be considered Joint Controllers within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your use of the Platform.
For the use of custodian-wallet services, Bitwala and Solaris Digital Assets GmbH (‘Solaris Digital Assets’) are considered Joint Controllers.
If you have opened a BTC interest account, Bitwala and Celsius Network Ltd. will be considered Separate Controllers.
1. Responsibility for Platform related requests and inquiries
a. Banking Platform
As Joint Controllers both Bitwala and Partner Bank are responsible for any Platform related requests and inquiries. Please address any privacy related matters to: firstname.lastname@example.org or email@example.com.
As our Bitwala Customer Support Team has a special division for privacy related issues, your request is most likely processed faster if you contact us on firstname.lastname@example.org.
While you can reach out to either Bitwala or Partner Bank, we have shared privacy related tasks according to our contribution to the Platform. Therefore, any banking and digital asset related request will be redirected to and handled by Partner Bank, even if you contact Bitwala. Vice Versa, inquiries regarding the technical provision and marketing use of the Platform will effectively be processed by Bitwala. Bitwala and Partner Bank work closely together in any case to provide the best service to you.
b. Custodian Wallet
As Joint Controllers both Bitwala and Solaris Digital Assets are responsible for any Platform related requests and inquiries. Please address any privacy related matters regarding custodian wallet email@example.com or firstname.lastname@example.org.
While you can reach out to either Bitwala or Solaris Digital Assets, we have shared privacy related tasks according to our contribution to the custodian wallet. Therefore, any digital asset related request will be redirected to and handled by Solaris Digital Assets, even if you contact Bitwala. Vice Versa, inquiries regarding the technical provision and marketing use of the Platform will effectively be processed by Bitwala. Bitwala and Solaris Digital Assets work closely together in any case to provide the best service to you.
c. BTC Interest Account
As Separate Controllers Bitwala and Celsius Network Ltd. (“Celsius”) are responsible separately for any requests and inquiries related to Bitcoin Interest Account. Please reach out email@example.com your inquiries related to your Bitcoin Interest Account.
We will redirect your inquiries to Celsius if a joint action regarding your personal data is required.
Alternatively you can address your request to firstname.lastname@example.org.
2. Overview over data processing for our services
Our Platform provides you the opportunity to create and manage a bank account and a wallet, which allows you to easily connect your digital assets to the euro world. To perform these services, we need to process your personal data, including:
- Banking Information (IBAN, BIC, transaction history, personal data)
- Digital asset Information (public keys, transaction history)
- Trading Information (order information, transaction history)
- Card Payment Data (transaction data, transaction history)
- Account Information (Address Data, Contact Information, Identification Documentation, Tax Information)
3. Processing of data for your User Account
Bitwala will be considered the responsible Joint Controller for processing of personal data for the provision of your User Account and will therefore handle any of your account related requests.
To use our Platform you need a User Account. For this reason and based on Art. 6 para. 1 lit. b) GDPR, we process your Account Information.
4. Processing of data for our Blockchain Interface
The Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Blockchain Interface and will therefore handle any of your blockchain related requests.
Core feature of our banking services is a Blockchain Interface that allows you to interact with your Wallet and the respective Blockchain. While we have no control over the processing of personal data on the respective Blockchain, we are processing your data to create and manage the access to your wallet.
Your wallet will be provided by a third party service provider. For the creation process you have to generate a pair of keys which will be used to access your wallet. The original generation of the keys takes place exclusively on your own end device. At no point will Bitwala or BitGo have access to the funds in your wallet.
Please remember to save guard your keys with the appropriate measures and to always use strong password encryption. Bitwala will not be able to help with lost access to wallets and/or lost funds. As the wallet provider is located in the USA, digital asset Information in will be transferred to the US upon any of your interactions with the wallet, including its creation.
Initiating and receiving transactions
Any incoming or outgoing transactions will be initiated on our Platform and sent via your Wallet to the respective Blockchain. Therefore, for each transaction, one of the addresses stored in your wallet will be published to the respective open public blockchain and be publicly available over the internet. While the transaction data may not seem to be personally identifiable information it is still considered personal data under GDPR as it is possible for us to match single addresses to our users for the provision of our services.
While we are not able to control any processing that happens on the Blockchain, we take industry standard precautions to ensure that your privacy is protected.
Our Platform provides you an overview over any transaction sent or received from both your wallet and bank account. To maintain an overview of your digital asset transaction we keep a history of all incoming and outcoming transactions on your wallet.
Blockchain Security Aspects
Your digital assets are stored on the blockchain and can be accessed or transferred using the wallet. Neither Bitwala or Partner Bank nor the wallet provider can cause transactions from your wallet except on your request. Any request issued via our Blockchain Interface to the wallet provider must be signed with a private key which is exclusively known to you and serves as you “wallet password”.
To further increase security, our Blockchain Interface is whitelisted with the wallet provider. Therefore, any interaction from another interface with your wallet will be blocked by default. If you wish, however, to transfer your wallet and make it accessible from third party interfaces, you may transfer your wallet by following the instructions in the Bitwala Help Center.
5. Processing of data for our Banking Interface
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Banking Interface and will therefore handle any of your banking related requests.
6. Hosting of Web- and Mobile-Applications
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the hosting of the applications that enable you to interact with your bank accounts and wallet and will therefore handle any of your requests related to the technical provision of the Banking and Blockchain Interface.
In addition to the data processed to provide the functionality of our Blockchain and Banking Interfaces, whenever you access our Platform via the Website or Bitwala Mobile App, we will process the above mentioned technical data to establish the communication between your end-device and our applications.
Accessing our Platform via the Bitwala Mobile Application
Additionally, when you access our Platform via the Bitwala Mobile Application, we collect certain App Specific Data to provide our Services, based on on Art. 6 para. 1 lit. b) GDPR, as well as to optimize and market our product, based on our legitimate interest to do so, Art. 6 para. 1 lit. f) GDPR.
If you enable push notifications, we will process your App ID in order to send you relevant information which may be triggered by certain events on your account, wallet or mobile device. This Processing is based on your implicit consent given when you choose to what extent you would like to receive notifications, Art. 6 para. 1 lit. a) GDPR.
In our App, we also use tracking devices for performance and marketing analytics purposes. While technically different, effectively these tracking devices work similar to cookies by enabling us to assign a pseudonymous identifier to a certain device. Based on your consent, provided when first accessing our App, we use Google Analytics, Customer.io and Mixpanel for mobile devices. Please see above for relevant information on how we transfer data to these services and how we protect your data when doing so or how you can prevent these services from tracking you.
Hosting our Applications
The web and mobile applications on which our Platform runs are hosted on servers provided by Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109, USA (“AWS”). The servers we use are located within the European Economic Area. For certain technical services, however, data may be processed outside the EEA, especially in the USA.
AWS is Privacy Shield certified, asserting an adequate level of protection according to the adequacy decision of the European Commission 2016/1250. Additionally, AWS is bound to our instructions by a data processing agreement, implementing Standard Contractual Clauses of the European Commission.
Further Transmission of data
Otherwise, we transfer data to Third Parties only if:
- You have given an express declaration of consent for this, pursuant to Art. 6, para. 1, lit. a) GDPR,
- Further transmission is necessary, pursuant to Art. 6, para. 1 lit. f) GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,
- We have a legal duty to pass on your data pursuant to Art. 6 para. 1 lit. c) GDPR, or
- This is legally permissible and requisite, pursuant to Art. 6 para. 1 lit. b) GDPR, for the handling of contracts with yourself or for the execution of pre-contractual actions which are being carried out at your request.
Duration of storage
We store personal data only as long as necessary to fulfil our contractual or statutory duties. This means that, as long as your account is active, we will keep any data required to provide our Services. Upon your deletion of your account, we will delete any of your data, provided it is not required for purposes of evidence, in which case we keep it until expiration of statutory periods of limitation, or for statutory retention periods.
In particular, Bitwala and Partner Bank may be subject to retention periods under German Tax and Commercial Law up to 10 years for relevant information. This may include certain technical information related to the initiation or the receipt of payments.
Rights of the persons concerned
You have the right to information about the processing of your personal data at any time and free of charge. This information includes an overview of the data relating to you, as well as a copy of such data (Right to Access). Should data be or become inaccurate, we are obliged to correct the information on your request (Right to Rectification). You may at any time request the deletion of data (Right to Erasure). Wherever we are not able to delete your data, as may be the case when we are subject to statutory retention periods, data processing will be restricted. Processing will also be restricted upon your request, if you believe that the data we have stored are not correct or if there is a dispute over the legality of the processing (Right to Restriction of Processing). You may at any time request us to transfer your personal data to you or a third party of your choice (Right to Data Portability). You additionally have the right to lodge a complaint a complaint with a supervisory authority (Right to lodge a complaint).
You can exercise your rights with either Joint Controller, i.e. Bitwala or Partner Bank, by using the above contact details. However, for your convenience we have implemented a special data privacy team at Bitwala which will handle and, where necessary, forward all requests, which can be reached at:
Right to withdraw consent
Under Art. 7 para. 3 GDPR you have the right to withdraw any consent you may have given to us at any time. In this case, data processing will no longer take place based on your consent. The withdrawal however does not affect the lawfulness of past processing activities. If you would like to withdraw any consent given to us, please contact either of the Joint Controllers using their contact details provided above or direct your request to:
Alternatively you may use features provided within our applications to withdraw your consent.
Right to objection to processing based on legitimate interest
Wherever we process your data on the basis of legitimate interests under Art. 6 para. 1 lit. f) GDPR you have the right to object to the processing of your data according to Art. 21 GDPR.
You may at any time object to data processing for direct marketing purposes.
If you would like to object to any of our performance or marketing analytics purposes, please use one of the above listed opt-out methods or contact:
III. Data Processing for the Purpose of Exercising Data Subject Rights
For exercising your data subject rights, we use the file sharing platform Egnyte to send files to third parties in a secure way, e.g. with an encrypted link and password, which is provided by Egnyte, Inc.1350 W. Middlefield Road, Mountain View, California 94043 (“Egnyte”). When you ask for your personal data from us, we use Egnyte to provide you your data. Egnyte itself has no access to the data which is uploaded to the platform.
The legal basis for data processing is Art. 6 para. 1. lit. c GDPR, based on our compliance with the legal obligation arising from Art. 15 and 20 of GDPR and other legal obligations.
Egnyte is subject to our instructions by a data processing agreement, incorporating Standard Contractual Clauses of the European Commission.