We would like to inform you about the nature, scope and purpose of the collection and use of your personal data when using our Services on our website www.bitwala.com (the “Website”) and the associated Platform for Crypto and Fiat Banking (the “Platform”) consisting of the Web Interface (the “Web App”) and the Mobile Interface (the “Mobile App”), which Bitwala GmbH, Ohlauer Straße 43, 10999 Berlin, Germany (“Bitwala”) provides in cooperation with solarisBank AG, Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany (“Partner Bank”).
I. Data Processing for the purposes of our Website
If you visit our Website for informational purposes without signing up for the Platform, Bitwala will be considered the sole controller within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your visit.
1. Collection and processing of data
Bitwala gathers, uses and saves your personal data to provide access to the Website.
This includes any information you provide manually as well as technical information that is required for the communication between your end-device and our applications.
The technical information we collect for our website www.bitwala.com includes:
- Email Address
- IP Address (anonymised)
- Evaluation of website activity and internet usage
- User website activity on the website and the location they came from (e.g. URL and referrer)
- Operating system
With every access to our Website or our App, usage data are transmitted through the respective internet browser and stored in log files, the so-called server log files. The records stored in this case contain the following data: date and time of retrieval, page name, IP address, referrer URL (i.e. the page you have previously visited), the amount of data transferred, as well as the product and version information of the browser used. The IP addresses of users will be deleted or anonymized after the end of use. In the case of anonymization, the IP addresses are changed in such a way that the details of personal or factual circumstances can no longer be assigned to a specific or identifiable natural person, or only with a disproportionate amount of time, cost and manpower.
We use the log data and log files only for statistical evaluations for the purpose of operation, security and optimization of our offer.
Additionally you may provide us certain information by your own choice to use certain features of our Website.
Newsletter and Pre-Sign Up
In order to participate and register for the Pre-Sign Up process and our Newsletter, you have to enter your e-mail address and your name via the Website or the App, which we will then collect and save on the basis of Art. 6 para. 1 lit. b) GDPR.
We need your e-mail address and your name, in order to categorize you in the Pre-Sign Up list (places on the list) and to identify you in the list. Furthermore, we need your e-mail address to confirm your registration in the pre-sign up process and to communicate with you.
With our Newsletter we inform you about important product updates , special announcements and our offers. To register for the newsletter, we need your e-mail address. In addition, we record your IP address and the date of registration upon registering to ensure that no third party misuses your e-mail address and hereby logs in without your knowledge to receive the newsletter. This data is stored and used for the sending of the newsletter.
After registering, you will receive an e-mail to confirm your affiliation to the newsletter e-mail list. Unless you confirm your registration for our newsletter within 24 hours, we will delete your provided data for signing up for the newsletter (email address, IP address, date of registration) 24h after sending out the confirmation e-mail, provided that no statutory storage requirements are in conflict.
At the end of each newsletter, there is a link through which you can unsubscribe from the newsletter at any time. You can also unsubscribe from the newsletter at any time via a message to the imprint of our website ( https://www.bitwala.com/imprint/ ) or with a message to the contact details provided in Paragraph 1. Upon cancellation of the newsletter, the personal data provided for the purpose of providing of the newsletter have been deleted, unless a statutory retention requirement precludes this.
Additionally we, collect certain data on your interactions with our Newsletter, using graphic elements integrated in each Newsletter (so called Pixels). We use these data in pseudonymised form for general statistical evaluation and to optimize our customer communication further. The Processing is based on Art. 6 para. 1 lit. f) GDPR and performed using the third party service provider MailChimp. MailChimp is a service of The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA. By registering for our newsletter, your e-mail address, IP address and date of registration will be transmitted to and stored by a server of The Rocket Science Group in the USA. Pursuant to Commission Implementing Decision (EU) 2016/1250 of 12.07.2016, the transmission of data from a controller or processor in the EU to US organizations self-certifying to the US Department of Commerce to comply with the Framework Principles of the United States Department of Commerce EU-US Privacy Shields, including the Additional Principles, are permitted. MailChimp has committed to upholding these principles through self-certification with the US Department of Commerce. Further information on data protection at MailChimp can be found at http://mailchimp.com/legal/privacy/
You can revoke your consent or object to the storage of data, the e-mail address and their use for sending the newsletter at any time. The revocation or objection can be declared via a link in the newsletter itself or by message to the in Paragraph 1 mentioned contact options.
With our surveys and questionnaires, we would like to adapt and improve the service offering to the needs of our participants in the pre-signup process. For each participation in a survey, the registered user moves up several places on the pre-signup list. You can participate in our surveys by clicking on a button on our website or our app. If you participate in a survey, we will store your e-mail address and your name so that we can identify you and classify you in the pre-signup list.
In the survey we collect and process data on the basis of Art. 6 para. 1 lit. f) GDPR, including the following information:
- E-Mail Address
- Individually provided data, that you have given us in the pre-sign up
We use this data to provide customer-oriented demographics for improving marketing strategies and products.
Hosting of our Website
Our Website is hosted by a third party service provider based in the US. To protect your privacy when transferring data outside the EEA we have concluded Standard Contractual Clauses (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087) provided by the EU commission. Furthermore, our hosting service provider is contractually bound to our instructions under a Data Processing Agreement. Additionally, this service provider is bound to our instructions by a data processing agreement.
Third Party Content
Occasionally, we may include third-party content on our site, such as videos from YouTube, Maps from Google Maps, RSS feeds or graphics from other websites, based on our legitimate interest to provide additional content on our Website, Art. 6 para. 1 lit. f) GDPR. In order to display the content, the providers of this content perceive the IP address of the users. We have no influence on storage and further use of the IP address by the third providers.
For a part of our service it is necessary for us to store cookies on your end device. Cookies do not execute programs on your computer. Instead, the main purpose of cookies is to provide customisation features when using our services (the “Functional Cookies”).
We use our own Functional Cookies for:
- Log-in identification
- Load distribution
- To remember your settings
- To remember your cookie consent The processing of data collected via our cookies is based on our legitimate interest to provide you a convenient and individualised service on our website, ARt. 6 para. 1 lit. f GDPR.
Performance and Marketing Analytics
To improve our Website we use data collected by cookies and similar technologies (e.g. web beacons) for the statistical collection and analysis of general usage patterns. We also use this data for advertising and marketing purposes and to show personalised ads to you on our Websites and other websites.
Data collected by these cookies (the “Analytics Cookies”) will be processed by us or third party service providers, based on the consent you provided by clicking “OK” in our cookie banner, Art. 6 (1) (a) GDPR.
The data collected by Analytics Cookies usually includes
- IP address of your device,
- Date and time of the access
- Cookie ID number
- Device ID of mobile devices
- Technical information on browser and operating system (the “Device Fingerprint”)
This data is only collected and stored in pseudonymous form and is never used to identify you individually or to draw conclusions other than on a general, aggregated level.
Opt-out of tracking and withdrawal of consent
You can withdraw your consent for cookie processing at any time by clicking on this link or contacting us via our email address provided above. Please keep in mind that withdrawal is only effective towards Bitwala and Partner Bank, therefore you may be tracked by other websites using the services listed below.
If you wish to disable tracking in general, you can always configure your browser to decline cookies, in which case we will not be able to process data in the above mentioned way. Alternatively you can prevent cookies on your device, using the services of Truste and Your Online Choices.
In the following section we will further describe the cookies and services we use for marketing and analytics purposes as well as alternatives to generally prevent being tracked by the respective service.
Services used for Performance and Marketing Analytics
On our Website and in our App, we are making use of Google Analytics based on your consent. Google Analytics is a service of Google Inc (hereinafter referred to as “Google”) for web analysis. Google Analytics is using so-called cookies. Cookies are text files that are stored on your computer and which enable an analysis of your website use. The information generated by the cookie about your website usage is usually transmitted to a Google server in the US and stored there.
However, if IP anonymization is enabled on this website, Google will truncate your IP address beforehand within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be sent to a Google server in the US and shortened there. On behalf of Bitwala, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage to the website operator. The IP addresses transmitted by Google Analytics will not be merged with other data provided by Google. You can prevent the storage of cookies by setting your browser software accordingly; however, we point out that in this case you may not be able to use all functions of this website in full. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading the browser plug-in available under the following link and install: http://tools.google.com/dlpage/gaoptout?hl=de
Google has committed itself to self-certification by the US Department of Commerce to adhere to the framework of the EU-US Privacy Shield.
Google AdWords Conversion-Tracking and Remarketing
Our Website uses the services of “AdWords Conversion-Tracking” and “AdWords Remarketing” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“). “AdWords Conversion Tracking” allows us to comprehend and analyse defined customer actions (such as clicking on an advertisement, page views, downloads). “Adwords Remarketing” allows us to show you individualised advertisement messages of our products on partner-websites from Google. Both services are using Cookies and similar technologies. The data collected in this context can be transmitted for evaluation for Google to a server in the USA and can be stored there.
In the event that personal data is transferred to the USA, Google has committed itself to self-certification by the US Department of Commerce to adhere to the framework of the EU-US Privacy Shield.
If you are using a Google Account, Google may associate your web and app browsing history with your Google Account and use information from your Google Account to personalize your advertisement, based on the settings stored in your Google Account. If you do not want this connection to your Google Account, you have to log out of your Google account, before visiting our website.
As described before, you can configure your browser in order to reject cookies. You can also disable the Personalized Advertising button in the Google Ads Settings. In this case, Google will only display general advertising that has not been selected based on the information collected about you.
We use Facebook Pixel Codes on this website, an analytical tool from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The use of Facebook Pixel causes that Facebook is aware of your visit on our website and thereby allows to initiate personal advertisements. In the event that you are logged into your Facebook account while visiting our website, Facebook will allocate your Facebook account to the visit on our website.
The legal basis for processing your personal data is Art. 6 para. 1 lit.) f GDPR. You can change your settings for advertisements from Facebook here, if you are logged into your Facebook account. By using YourOnlineChoices, you can change your preferences regarding individual online advertisement here.
The use of Twitter Pixel causes that Twitter is aware of your visit on our website and thereby allows to initiate personal advertisements. In the event that you are logged into your Twitter account while visiting our website, Twitter will allocate your Twitter account to the visit on our website.
The legal basis for processing your personal data is Art. 6 para. 1 lit.) f GDPR. You can change your settings for advertisements from Twitter here, if you are logged into your Twitter account. By using YourOnlineChoices, you can change your preferences regarding individual online advertisement here.
Jetpack/ Wordpress stats
Wordpress has committed to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. Further information on the privacy of Wordpress can be found at: https://wordpress.org/about/privacy
On the basis of your consent, we use the marketing tool customer.io for contextual e-mailing. Customer.io is a service of Peaberry Software Inc. d / b / a Customer.io, 921 SW Washington Street, Suite 820, Portland, Ore., 97205, USA. Your personal data (e-mail address, name) provided upon the registration for the Pre-Signup process will be transmitted to a server of the company Peaberry Software Inc. in the USA and stored there. Customer.io has committed to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. Further information on Customer.io's privacy can be found at: https://customer.io/privacy-policy.html
On the basis of your consent, we use Mailgun Technologies, Inc., a Delaware corporation headquartered at 535 Mission St. San Francisco, CA 94105 USA for sending and tracking emails. Mailgun is a marketing tool for sending emails for promotional purposes.
Mailgun Technologies Inc., a Delaware corporation, has committed itself to upholding the principles of the EU-US Privacy Shield by self-certification with the US Department of Commerce. For more information on the privacy of Mailgun Technologies Inc, a Delaware Corporation, please visit: https://customer.io/privacy-policy.html
On the basis of your consent, we use Intercom, headquartered at 55 2nd St. San Francisco, CA 94105, USA for sending messages in sales and after-sales service. Intercom is a customer service tool for communicating with customers. Your personal data (name, e-mail address, possibly provided documents) will be transmitted on Intercom's servers in the USA and stored there.
Intercom has committed itself to self-certification with the US Department of Commerce to uphold the principles of the EU-US Privacy Shield. Further information on the privacy of Intercom can be found at: https://www.intercom.com/de/terms-and-policies
On the basis of your consent, we use Mixpanel Inc, headquartered at 405 Howard Street, San Francisco, CA 94105, USA for analyzing mobile data service provider. Mixpanel is a tool for understanding user behavior in the interface and in the mobile application. Your personal data (name, e-mail address, IP address, personal data that you have provided us with) will be transmitted to the servers of Mixpanel Inc. in the USA and stored there.
Mixpanel has achieved self-certification with the US Department of Commerce to uphold the principles of EU-US Privacy shield. For more information about Mixpanel's privacy, please visit: https://mixpanel.com/privacy/
Social Plug Ins
Our website uses social-media plug-ins of the following social networks Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA ("Facebook"). Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA, 94043, USA Reddit Inc., 101 New Montgomery St, San Francisco, CA 94105, USA
The legal basis is Art. 6, Paragraph 1, Clause 1, Point (f) of the GDPR, based on our legitimate interest in you sharing our contents via social media and in our expanding our reach in this way. Should personal data be transmitted to the USA, these social networks have acceded to the EU-US Privacy shield. The social network may receive the information that you have called up the corresponding page of our online site. This will be done irrespective of whether you have an account with the provider and are logged-in there. If you are logged-in, these data will be assigned directly to your account. If you turn on the activated plug-in and e.g. link the page, the social network may also store this information, including data and time, in your user account and inform your contacts of this publicly if you have activated the relevant function. If you do not wish for assignment with your profile at the respective social network, you must log-out before activating the plug-in.
The providers may store these data as usage profiles and use them for purposes of advertising, market research and/or needs-based design of its website. Such an evaluation will be made in particular (for users not logged-in, too) for the display of needs-based advertising and to inform other users of the social network about your activities on our website.
You may object to being profiling by social media providers:
as a Facebook user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser, e.g. Facebook Blocker. You will find more detailed information in Facebook’s Privacy Statement.
as a Twitter user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Twitter social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Twitter’s Privacy Statement.
as a Reddit user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of Facebook social media plug-ins by using supplementary programs for your browser. You will find more detailed information in Reddit’s Privacy Statement.
*as a LinkedIn user you can disable advertising on the basis of social actions in the Ad preferences. You can also completely prevent the loading of LinkedIn social media plug-ins by using supplementary programs for your browser. You will find more detailed information in LinkedIn’s Privacy Statement.
II. Data Processing for the purposes of our Banking Platform
If you use our Banking Platform, Bitwala and Partner Bank will be considered Joint Controllers within the meaning of the EU data protection regulation (GDPR) and the federal data protection law (BDSG) for any processing related to your use of the Platform.
1. Responsibility for Platform related requests and inquiries
As Joint Controllers both Bitwala and Partner Bank are responsible for any Platform related request and inquiries. Please address any privacy related matters to: firstname.lastname@example.org or email@example.com As our Bitwala Customer Support Team has a special division for privacy related issues, your request is most likely processed faster if you contact us on firstname.lastname@example.org.
While you can reach out to either Bitwala or Partner Bank, we have shared privacy related tasks according to our contribution to the Platform. Therefore, any banking and crypto related request will redirected to and handled by Partner Bank, even if you contact Bitwala. Vice Versa, inquiries regarding the technical provision and marketing use of the Platform will effectively be processed by Bitwala. Bitwala and Partner Bank work closely together in any case to provide the best service to you.
2. Overview over data processing for our services
Our Platform provides you the opportunity to create and manage a bank account and a wallet, which allows you to easily connect your crypto funds to the fiat world. To perform these services, we need to process your personal data, including:
- Banking Information (IBAN, BIC, transaction history, personal data)
- Crypto Information (public keys, transaction history)
- Trading Information (order information, transaction history)
- Card Payment Data (transaction data, transaction history)
- Account Information (Address Data, Contact Information, Identification Documentation, Tax Information)
3. Processing of data for your User Account
Bitwala will be considered the responsible Joint Controller for processing of personal data for the provision of your User Account and will therefore handle any of your account related requests.
To use our Platform you need a User Account. For this reason and based on Art. 6 para. 1 lit. b) GDPR, we process your Account Information.
4. Processing of data for our Blockchain Interface
The Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Blockchain Interface and will therefore handle any of your blockchain related requests.
Core feature of our banking services is a Blockchain Interface that allows you to interact with your Wallet and the respective Blockchain. While we have no control over processing of personal data on the respective Blockchain, we are processing your data to create and manage the access to your wallet.
Your wallet will be provided by a third party service provider. For the creation process you have to generate a pair of keys which will be used to access your wallet. The original generation of the keys takes place exclusively on your own end device. At no point will Bitwala or BitGo have access to the funds in your wallet.
Please remember to save guard your keys with the appropriate measures and to always use strong password encryption. Bitwala will not be able to help with lost access to wallets and/or lost funds. As the wallet provider is located in the USA, Crypto Information in will be transferred to the US upon any of your interactions with the wallet, including its creation.
Initiating and receiving transactions
Any incoming or outgoing transactions will be initiated on our Platform and sent via your Wallet to the respective Blockchain. Therefore, for each transaction, one of the addresses stored in your wallet will be published to the respective open public blockchain and be publicly available over the internet. While the transaction data may not seem to be personally identifiable information it is still considered personal data under GDPR as it is possible for us to match single addresses to our users for the provision of our services.
While we are not able to control any processing that happens on the Blockchain, we take industry standard precautions to ensure that your privacy is protected.
Our Platform provides you an overview over any transaction sent or received from both your wallet and bank account. To maintain an overview of your crypto transaction we keep a history of all incoming and outcoming transactions on your wallet.
Blockchain Security Aspects
Your digital assets are stored on the blockchain and can be accessed or transferred using the wallet. Neither Bitwala or Partner Bank nor the wallet provider can cause transactions from your wallet except on your request. Any request issued via our Blockchain Interface to the wallet provider must be signed with a private key which is exclusively known to you and serves as you “wallet password”.
To further increase security, our Blockchain Interface is whitelisted with the wallet provider. Therefore, any interaction from another interface with your wallet will be blocked by default. If you wish, however, to transfer your wallet and make it accessible from third party interfaces, you may transfer your wallet by following the instructions in the Bitwala Help Center.
5. Processing of data for our Banking Interface
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the provision of our Banking Interface and will therefore handle any of your banking related requests.
6. Hosting of Web- and Mobile-Applications
Partner Bank will be considered the responsible Joint Controller for processing of personal data for the hosting of the applications that enable you to interact with your bank accounts and wallet and will therefore handle any of your requests related to the technical provision of the Banking and Blockchain Interface.
In addition to the data processed to provide the functionality of our Blockchain and Banking Interfaces, whenever you access our Platform via the Website or Bitwala Mobile App, we will process the above mentioned technical data to establish the communication between your end-device and our applications.
Accessing our Platform via the Bitwala Mobile Application
Additionally, when you access our Platform via the Bitwala Mobile Application, we collect certain App Specific Data to provide our Services, based on on Art. 6 para. 1 lit. b GDRP, as well as to optimize and market our product, based on our legitimate interest to do so, Art. 6 para. 1 lit. f GDPR.
If you enable push notifications, we will process your App ID in order to send you relevant information which may be triggered by certain events on your account, wallet or mobile device. This Processing is based on your implicit consent given when you chose to which extent you would like to receive notifications, Art. 6 para. 1 lit. a GDPR.
In our App, we also use tracking devices for performance and marketing analytics purposes. While technically different, effectively these tracking devices work similar to cookies by enabling us to assign a pseudonymous identifier to a certain device. Based on your consent, provided when first accessing our App, we use Google Analytics, Customer.io and Mixpanel for mobile devices. Please see above for relevant information on how we transfer data to these services and how we protect your data when doing so or how you can prevent these services from tracking you.
Hosting our Applications
The web and mobile applications on which our Platform runs are hosted on servers provided by Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109, USA (“AWS”). The servers we use are located within the European Economic Area. For certain technical services, however, data may be processed outside the EEA, especially in the USA.
AWS is Privacy Shield certified, asserting an adequate level of protection according to the adequacy decision of the European Commission 2016/1250. Additionally, AWS is bound to our instructions by a data processing agreement, implementing Standard Contractual Clauses of the European Commission.
Further Transmission of data
Otherwise, we transfer data to Third Parties only if:
- You have given an express declaration of consent for this, pursuant to Art. 6, para. 1, lit. a GDPR,
- Further transmission is necessary, pursuant to Art. 6, para. 1 lit. f GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,
- We have a legal duty to pass on your data pursuant to Art. 6 para. 1 lit. c GDPR, or
- This is legally permissible and requisite, pursuant to Art. 6 para. 1 lit. b GDPR, for the handling of contracts with yourself or for the execution of precontractual actions which are being carried out at your request.
Duration of storage
We store personal data only as long as necessary to fulfil our contractual or statutory duties. This means that, as long as your account is active, we will keep any data required to provide our Services. Upon your deletion of your account, we will delete any of your data, provided it is not required for purposes of evidence, in which case we keep it until expiration of statutory periods of limitation, or for statutory retention periods.
In particular, Bitwala and Partner Bank may be subject to retention periods under German Tax and Commercial Law up to 10 years for relevant information. This may include certain technical information related to the initiation or the receipt of payments.
Rights of the persons concerned
You have the right to information about the processing of your personal data at any time and free of charge. This information includes an overview of the data relating to you, as well as a copy of such data (Right to Access). Should data be or become inaccurate, we are obliged to correct the information on your request (Right to Rectification). You may at any time request the deletion of data (Right to Erasure). Wherever we are not able to delete your data, as may be the case when we are subject to statutory retention periods, data processing will be restricted. Processing will also be restricted upon your request, if you believe that the data we have stored are not correct or if there is a dispute over the legality of the processing (Right to Restriction of Processing). You may at any time request us to transfer your personal data to you or a third party of your choice (Right to Data Portability).
You can exercise your rights with either Joint Controller, i.e. Bitwala or Partner Bank, by using the above contact details. However, for your convenience we have implemented a special data privacy team at Bitwala which will handle and, where necessary, forward all requests, which can be reached at:
Right to withdraw consent
Under Art. 7 para 3 GDPR you have the right to withdraw any consent you may have given to us at any time. In this case, data processing will no longer take place based on your consent. The withdrawal however does not affect the lawfulness of past processing activities. If you would like to withdraw any consent given to us, please contact either of the Joint Controllers using their contact details provided above or direct your request to:
Alternatively you may use features provided within our applications to withdraw your consent.
Right to objection to processing based on legitimate interest
Wherever we process your data on the basis of legitimate interests under Art. 6 para. 1 lit. f GDPR you have the right to object to the processing of your data according to ARt. 21 GDRP.
You may at any time object to data processing for direct marketing purposes.
If you would like to object to any of our performance or marketing analytics purposes, please use one of the above listed opt-out methods or contact: