Privacy

In this privacy policy, we, BBT Software AG (hereinafter BBT), a company of the Volaris Group, explain how we collect and otherwise process personal data. This is not an exhaustive description; other privacy policies, general terms and conditions, and customer contracts may govern specific matters. Personal data includes all information that relates to an identified or identifiable natural person.

If you provide us with personal data of other persons (e.g. family members, colleagues, or customers), please ensure that these persons are aware of this privacy policy and only share their personal data with us if you are permitted to do so and if the data is correct.

This privacy policy is designed to comply with the requirements of the Swiss Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR). Whether and to what extent these laws apply depends on the individual case.

1. Controller, Data Protection Officer, Representative

The controller for data processing is BBT Software AG. References in this privacy policy to “BBT”, “we” or “us” refer to BBT Software AG. If you have data protection concerns, you can contact us at the following address:

By email: datenschutz@bbtsoftware.ch
By post: BBT Software AG, Data Protection Officer, Platz 4, CH-6039 Root D4

Our EU representative according to Art. 27 GDPR can be contacted via email: alexander.manz@trapezegroup.com

2. Collection and Processing of Personal Data

We primarily process personal data that we receive from our customers and other business partners as part of our business relationship, from job applications, or that we collect when operating our websites, apps, social media profiles, and other applications from their users.

This includes general personal data such as name and contact details (address, email address, or telephone number), as well as information about your position or role at the organization on whose behalf you contact us, or personal data you provide to us as part of contractual relationships (e.g. name, contact details, date of birth, employment information, income situation, or health data). If you apply for a job with us, we collect your CV and other details about your qualifications submitted as part of your application. If you use the contact form on our website, you must provide your name, email address, and a phone number. If you subscribe to our newsletter, we use your email address to send you the newsletter. You can unsubscribe at any time (via the link in every newsletter).

Where permitted, we also collect data from publicly available sources (e.g. debt collection registers, land registers, commercial registers, press, internet) or receive such data from other companies within the Volaris Group, authorities, and other third parties. In addition to the data you provide directly, the categories of personal data we receive from third parties may include information from public registers, data disclosed in official and legal proceedings, information relating to your professional functions and activities (so that we can, for example, conduct and process business with your employer with your support), data about you from correspondence and meetings with third parties, credit information (if we conduct business with you personally), data about you provided by persons in your environment (family, advisors, legal representatives, etc.) so that we can conclude or perform contracts with you (e.g. references, delivery addresses, powers of attorney, data required to comply with legal obligations such as anti-money laundering and export restrictions, data from banks, insurers, distributors, and other partners to provide or receive services from you (e.g. payments made, purchases), data from media and the internet about you (if relevant in specific cases, e.g. applications, press reviews, marketing/sales, etc.), your addresses, interests, and other sociodemographic data (for marketing purposes), data related to the use of the website (e.g. IP address, MAC address of the smartphone or computer, device details and settings, cookies, date and time of visit, pages and content viewed, functions used, referring websites, location information).

3. Purposes of Data Processing and Legal Basis

We process personal data primarily to conclude, document, and execute contracts with our customers and business partners, particularly in connection with the development and distribution of modular core systems for health, accident, and life insurers, as well as absence and claims management solutions for companies, the purchase of products and services from our suppliers and subcontractors, and to fulfill our legal obligations in Switzerland and abroad.

In addition, we also process personal data for the following purposes, in which we (and sometimes third parties) have a legitimate interest in line with the purpose:

• Offering and further developing our products, services, websites, apps, and other platforms where we are present;
• Communication with third parties and processing of their inquiries (e.g. applications, media inquiries);
• Review and optimization of needs analysis processes for direct customer engagement, including collecting personal data from publicly available sources for customer acquisition;
• Advertising and marketing, including hosting events, provided you have not objected to the use of your data;
• Market and opinion research, media monitoring;
• Enforcement of legal claims and defense in connection with legal disputes and official proceedings;
• Prevention and investigation of crimes and other misconduct (e.g. internal investigations, fraud prevention data analysis);
• Ensuring our operations, especially our IT, websites, apps, and other platforms;
• Video surveillance to protect property rights and other measures for IT, building, and system security, as well as the protection of our employees and other persons, and the values entrusted to us (e.g. access controls, visitor lists, network and mail scanners, telephone recordings);
• Purchase and sale of business units, companies, or parts of companies, and other corporate transactions, as well as the related transfer of personal data and measures for business management and compliance with legal and regulatory obligations as well as internal policies.

If you have given us your consent to process your personal data for specific purposes (for example, when subscribing to newsletters or conducting a background check), we will process your data within the scope of this consent, unless we have another legal basis. You can revoke your consent at any time by written communication (by post) or, unless otherwise specified, by email to us, effective for the future. Our contact details are listed in Chapter 1. Once we have received the notice of revocation, we will no longer process your data for the purposes you originally agreed to, unless we have another legal basis (e.g. a statutory retention or documentation obligation). The revocation does not affect the lawfulness of processing carried out based on consent before the revocation.

4. Data Disclosure and Transfer Abroad

In the course of our business activities and purposes, we may disclose personal data as described in Chapter 3 to third parties, provided this is permitted and deemed appropriate, either because they process it for us or because they wish to use it for their own purposes. These include the following recipients:

• Our service providers, including processors;
• Dealers, suppliers, subcontractors, and other business partners;
• Customers;
• Authorities, agencies, or courts in Switzerland and abroad;
• Media;
• The public, including website visitors and social media;
• Competitors, industry organizations, associations, and other bodies;
• Purchasers or potential purchasers of business units, companies, or other parts of the Volaris Group;
• Other parties in potential or actual legal proceedings;
• Other companies of the Volaris Group.

All of the above are considered recipients.

These recipients may be located in Switzerland or in any country worldwide. If a recipient is located in a country without adequate legal data protection, we contractually obligate them to comply with applicable data protection requirements, unless they are already subject to a recognized legal framework for ensuring data protection, or unless we can rely on a legal exception. An exception may apply in the case of legal proceedings abroad, overriding public interests, contract performance requiring disclosure, your consent, or if the data is publicly accessible and you have not objected to its processing.

5. Duration of Retention of Personal Data

We process and store your personal data as long as necessary to fulfill our contractual and legal obligations or for the other purposes pursued with the processing, e.g. for the duration of the entire business relationship (from initiation, execution to termination of a contract) and beyond in accordance with statutory retention and documentation obligations, as long as we have an overriding private or public interest. Personal data may be retained for the period during which claims can be asserted against our company and as long as we are otherwise legally obliged or have a legitimate business interest (e.g. for evidence and documentation purposes). Once your personal data is no longer required for the purposes above, it will generally and where possible be destroyed or anonymized. For operational data (e.g. system logs), shorter retention periods usually apply. Recordings from our video surveillance are stored as long as necessary for evidence purposes. As a rule, recordings are deleted or overwritten after one week.

6. Data Security

We take appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing, and to counter the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access.

7. Obligation to Provide Personal Data

In the context of our business relationship, you must provide the personal data required to establish and conduct the business relationship and fulfill the associated contractual obligations. Without this data, we will generally not be able to conclude or process a contract with you. Our website also cannot be used if certain information necessary to ensure data traffic (e.g. IP address) is not disclosed.

8. Profiling and Automated Decision-Making

We may evaluate certain personal characteristics for the purposes set out in Chapter 3 based on your data (Chapter 2) in an automated manner (profiling), e.g. to determine preference data, to detect misuse and security risks, to carry out statistical analyses, or for operational planning. For the same purposes, we may also create profiles, i.e. we may combine behavioral and preference data with master and contract data as well as technical data assigned to you, to better understand you as a person with your various interests and other characteristics. We may also create anonymous and – with your consent – personalized movement profiles of you.

9. Newsletter

Through our newsletter you can regularly stay informed about offers. On our website, you can subscribe to our newsletter. When registering, your contact details (title, name, first name, and email address) are transmitted from the input form to us and our partner. To ensure the security of your data, we use the so-called double opt-in procedure. This means that after you enter your email address and subscribe to the newsletter, we send you an email with a confirmation link. Only after you click this link will you receive our newsletter in the future. Subscribing requires your consent. By subscribing, you also acknowledge our privacy information. You can revoke your consent at any time by clicking the link at the end of every newsletter email for the future.

For sending emails (e.g. newsletters or surveys) and analyzing behavior in emails and on our website, we use Friendly Automate. Friendly Automate is a service of Friendly GmbH, Switzerland. All personal data in our account is stored and processed exclusively in Switzerland with providers headquartered in Switzerland. Emails are sent via Amazon AWS with locations in the EU. Details on the type, scope, and purpose of processing can be found here: https://friendly.ch/en/privacy. A list of Friendly’s subprocessors can be found here: https://friendly.ch/en/privacy/subprocessors.

10. Rights of the Data Subject

Within the framework of the applicable data protection law, you have the right to request information, correction, deletion, restriction of processing, and objection to our data processing as well as the right to data portability. Please note that we reserve the right to assert the statutory restrictions, for example, if we are obliged to retain or process certain data, have an overriding interest (if we may rely on it), or require it for asserting claims. If costs are incurred, we will inform you in advance. We have already informed you about the possibility of withdrawing your consent in Chapter 3. Please note that exercising these rights may conflict with contractual agreements and may have consequences such as premature termination of the contract or cost implications. We will inform you in advance if this is the case, unless already contractually regulated.

Exercising such rights usually requires you to clearly verify your identity (e.g. by providing a copy of your ID or another document that verifies your identity). To exercise your rights, you can contact us at the address given in Chapter 1.

Every data subject also has the right to enforce their claims in court or to lodge a complaint with the competent data protection authority. The competent authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

11. Cookies, Tracking and Other Technologies in Connection with the Use of Our Website

We typically use cookies and similar techniques on our websites to identify your browser or device. A cookie is a small file that is sent to your computer or automatically stored by your web browser when you visit our website. When you revisit this site, we can recognize you even if we do not know who you are. In addition to session cookies (deleted after your visit), cookies can also store user settings and other information for a certain period of time (persistent cookies). You can configure your browser to reject, store for a session only, or delete cookies. Most browsers are set to accept cookies by default. We use persistent cookies to save user settings, better understand how you use our offerings and content, and show you personalized offers and ads. If you block cookies, some functionalities may no longer work.

We may use Google Analytics or similar services on our website. Google Analytics is a service provided by Google Ireland, relying on Google LLC in the USA as a processor (together “Google”, www.google.com), enabling us to measure and analyze website usage (non-personalized). Persistent cookies set by the service provider are also used. We configured the service so that visitors’ IP addresses are shortened in Europe before transfer to the USA and cannot be traced back. We disabled “data sharing” and “signals”.

Although we assume the information we share with Google does not constitute personal data for Google, it is possible that Google may derive conclusions about visitors’ identities, create personal profiles, and link this data with their Google accounts. If you are registered with the service provider, they also know you. Processing of your data is then the responsibility of the provider under their privacy policy. We only receive information about website usage.

12. Changes

We may amend this privacy policy at any time without prior notice. The version published on our website applies.

To conduct video conferences, webinars, training, support, or other online meetings (hereinafter online meetings), we at BBT Software AG (hereinafter BBT) use Microsoft Teams and TeamViewer. Further information on handling personal data at BBT, in particular regarding your rights as a data subject, can be found in the privacy policy, which can be accessed via this link.

1. Controller

The controller for data processing directly related to conducting online meetings is BBT Software AG, Platz 4, CH-6039 Root D4, datenschutz@bbtsoftware.ch.

If you access the Microsoft Teams or TeamViewer website, the respective provider is responsible for data processing. Accessing the website may be required to download the software. If you do not want or cannot use the provider’s application (app), you can also use your browser. The service is then provided via the provider’s website.

Microsoft Teams:
Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland

TeamViewer:
TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen, Germany

2. Privacy and Terms of Use

The use of Microsoft Teams or TeamViewer is subject to the privacy and terms of use of Microsoft and TeamViewer:

Privacy statement: https://privacy.microsoft.com/en-us/privacystatement
Terms of use: https://www.microsoft.com/en-us/servicesagreement/

Privacy policy: https://www.teamviewer.com/en/privacy-policy/
Terms of use: https://www.teamviewer.com/en/eula/

By using Microsoft Teams or TeamViewer, you accept the above privacy and terms of use.

3. Collection and Processing of Personal Data

When using Microsoft Teams or TeamViewer, various personal data and data categories are processed. The scope depends on what information you provide before and during participation in an online meeting.

The following personal data is processed:

User information
Display name, email address, profile picture (optional), preferred language

Meeting metadata
Date, time, start and end time, meeting ID, password, phone numbers, location

Text, audio, and video data
During an online meeting, audio, video, and screen data may be processed. You may also use the chat function. This means that the text you enter will be processed. To enable display of video, audio, and screen sharing, the data from your device’s microphone, screen, and camera will be processed during the meeting. You can turn off your camera, screen sharing, or microphone at any time.

If we record online meetings, you will be informed beforehand or notified in the meeting and – if required – asked for your consent. Consent may be verbal or by agreeing in chat and is always voluntary. If you do not wish to be recorded, you can leave the meeting. You can also deactivate your video and screen sharing or refrain from using the chat tool. In the case of recording, files of all video, audio, and presentation slides are created. Additionally, a text file of the online meeting chat may be saved for documentation purposes.

4. Purpose of Data Processing and Legal Basis

The purpose of processing is the effective conduct of online meetings. The legal bases for BBT’s data processing are in particular the legitimate interests under Art. 31 of the Swiss Federal Act on Data Protection (FADP) or, where applicable, Art. 6 para. 1 lit. b and f GDPR. Where a contractual relationship exists, BBT is authorized and obliged to process and store data.

5. Data Disclosure, Transfer Abroad, and Data Security

The personal data processed in connection with participation in online meetings is generally not shared with third parties by BBT unless intended for disclosure. Please note, however, that content from online meetings – as with face-to-face meetings – often serves precisely to exchange information with customers, prospects, or third parties. The providers of Microsoft Teams and TeamViewer necessarily receive knowledge of this data to the extent provided for in our data processing agreements with them.

Processing by Microsoft Teams and TeamViewer generally takes place on servers in data centers within the European Union (EU). We have entered into data processing agreements with both Microsoft and TeamViewer. Extensive technical and organizational measures have been agreed to ensure data security in line with current IT security standards, such as access authorization concepts and end-to-end encryption of data connections, databases, and servers.

If data is transferred outside the EU or the European Economic Area (EEA) to recipients without adequate data protection, the provider ensures data protection using standard contractual clauses.

6. Changes

We may amend this privacy and terms of use statement at any time without prior notice. The version published on our website applies.