Privacy policy

Updated August 18, 2022

At Shift Crypto AG (“Shift Crypto”, “BitBox”, “we”, “us”, or “our”), protecting our users’ data is of utmost importance to us. We collect as little personally identifiable information as possible and remove it from our systems when it is no longer needed.

This Privacy Policy describes how and why we might collect, store, use and share (“process”) your information when you use our online services (“Services”), for example when you:

  • Visit our website (https://bitbox.swiss), our online shop (https://bitbox.shop), or any other website that refers to this policy
  • Download and use our software BitBoxApp, or any other software that refers to this policy
  • Engage with us in other ways, including customer support, sales, marketing, or events

We exclusively process your personal data for internal purposes and will never sell, rent, or lease it to any third parties.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

Consent

By using our website, placing an order in our shop, using one of our applications, or interacting with us personally, you hereby consent to our Privacy Policy and agree to its terms.

Collection of information

Personal information provided by you

The personal information that you are asked to provide depends on the context of your interactions with us, and the Services you use. This information might include the following:

  • Name
  • Phone number
  • Email address
  • Shipping and billing address

If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

Payment data

When you make a purchase on our webshop, you might choose to use an external payment processor to pay for your order. They collect and process payment-related data and follow their own privacy policies:

If you pay with bitcoin, we recommend you use our self-hosted BTCPay Server, which does not collect any additional personal data except the metadata related to your Bitcoin or Lightning Network payment.

Application data

Our applications only share minimal information that is required for them to work as intended. The BitBoxApp applications check for updates on startup, without submitting any information. Our web server will see the IP address currently used by the app, but this information is not stored long-term.

When using Bitcoin or Litecoin, backend servers need to look up your wallet addresses for you. By default, these servers are operated by us, and learn:

  • The transactions sent
  • Your receiving and change addresses up to the "gap" limits (e.g., all used addresses plus the next 20 unused addresses)
  • Metadata, such as your IP address and when the app last connected to the server

We provide the option and encourage users to run their own Bitcoin and Litecoin backend servers and remove our servers from the application configuration. To avoid sharing your IP address, you can also connect to our servers via the Tor network.

For Ethereum, the BitBoxApp uses EtherScan to query the address information (balance, transactions) of enabled Ethereum and ERC20 token accounts. You can read their privacy policy here: https://etherscan.io/privacypolicy.

The BitBoxApp might need access to your device camera ('Camera permission') in order to allow you to scan cryptocurrency address QR codes.

The BitBox01 2FA App needs access to the device camera ('Camera permission') in order to enable 2FA pairing or to acquire information for completing a financial transaction.

Information collected automatically

We follow a standard procedure of using log files that process website visitor information including internet protocol (IP) addresses, browser type, internet service provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users' movement on the website, and gathering demographic information.

Like many websites, we use cookies and similar technologies. These are used to store information including visitors' preferences or your shopping cart over multiple website visits. You can change the cookie settings via the "Cookie Monster" pop-up or in your browser settings.

Usage and sharing of your information

We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and comply with the law. What data you share with us depends on how you interact with our Services.

BitBoxApp & BitBox01 2FA App

The BitBox applications do not share information with us except what’s absolutely necessary for them to work as intended, for example as listed in the section “Application data” above.

Website

When you browse our website, we collect data that is technically necessary for us to display the website to you.

In order to make your visit to our website attractive and to enable the use of certain functions, we use cookies and Google Analytics.

You can change the Cookie Settings via the "Cookie Monster" pop-up. If you cannot see the pop-up please delete your browser cookies/session and reload the page.

Webshop

Our self-hosted web shop stores personal data related to customer orders, such as names, email addresses and shipping/billing addresses.

After purchasing a product, we will send you emails related to the status of your order. If for any reason you did not finish the web-shop checkout process we will remind you by email.

This data is stored for up to 30 days and is then anonymized, which means all personally identifiable details are erased from our webshop system. If your order has not been shipped after 30 days (e.g., due to pre-order delays), your order will be anonymized once your order has been shipped.

Due to regulatory requirements, we need to retain a copy of the order invoice for up to 10 years: we keep these copies on encrypted archive storage and they are not accessible by third-party services.

For checkout data that didn't convert to an order, all information is deleted after 5 days.

In order to make your visit to our webshop attractive and to enable the use of certain functions, we use cookies and website analytics services.

You can change the Cookie Settings via the "Cookie Monster" pop-up. If you cannot see the pop-up please delete your browser cookies/session and reload the page.

Logistics

In order to ship your order we need to share information about your order (full address & items purchased) with third parties, such as the order fulfillment application used in our warehouses to generate shipping labels and with the shipping providers (e.g., UPS, DHL, domestic postal services).

The fulfillment application stores the submitted data for up to 180 days and is anonymized after.

Our shipping providers follow their own privacy policies. We work with UPS, DHL, and Swiss Post.

In general, we avoid any usage of “bitcoin” or “crypto” on data submitted to logistics partners to avoid associating personal data to such terms.

Newsletter

For marketing emails, we use Sendinblue as an external mail service provider in order to fully comply with GDPR and CCPA regulations and ISP blocklist heuristics. We only submit data to this service with your explicit consent. If you subscribed to any of our newsletters, your email address is shared without any other personal information. The data is hosted within the European Union, following all applicable data protection laws as described in their terms of use: https://www.sendinblue.com/legal/termsofuse.

For added privacy, we recommend using an anonymous or dedicated email address for newsletters in general.

You can unsubscribe with the “unsubscribe” link in the footer of every marketing email. After unsubscribing, your email address will be permanently deleted in the external email service tool within 30 days.

Customer support

Our self-hosted customer support application stores personal data related to support inquiries, such as names, email addresses and any additional information submitted by users.

Support emails are received and sent through third-party email servers. We delete incoming emails as soon as they’ve been fetched by the support application, and persistent storage is completely disabled for outgoing emails.

Support contacts receive an email notice after 10 days of inactivity to inquire if the problem has been solved. If we don’t hear back within 10 days, the ticket will be deleted.

Additional online services

For email automation purposes, we use Make. No personal data is stored in this service. They process data according to their terms and conditions: https://www.make.com/en/terms-and-conditions.

For surveys, we use Typeform. The data you enter manually in a survey is stored within Typeform, but we usually avoid asking for personal information or email addresses. They process data according to their privacy policy: https://admin.typeform.com/to/dwk6gt.

For independent customer reviews, we use Trustpilot. We ask customers and users if they consent to receive a review invitation from Trustpilot. Only after their explicit opt-in do we share the email address with Trustpilot. Trustpilot processes this data according to its own privacy policy: https://legal.trustpilot.com/for-reviewers/end-user-privacy-terms.

Keeping your data private

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

Situations when we might disclose information

Shift Crypto AG has not, does not now, and will not in the future, sell, rent or lease any of our customer lists and/or names to any third parties.

We may disclose your personal information if we are required by law to do so or if you violate our terms of service.

Third-party links and services

When you click on links on our website, they may direct you to a third-party website. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.

Third-party service providers, such as blockchain explorers, payment gateways and payment transaction processors, have their own privacy policies with respect to the information we are required to provide to them in order to fulfill our Services to you. We recommend that you read their privacy policies so you can understand how your personal information will be handled by them.

Third-party service providers may be located in or have facilities that are located in a different jurisdiction than either you or us. In this case, your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.

Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this privacy policy or our website’s terms of service.

CCPA Privacy Rights (Do Not Sell My Personal Information)

Under the CCPA, among other rights, California consumers have the right to:

Request that a business that collects a consumer's personal data disclose the categories and specific pieces of personal data that a business has collected about consumers.

Request that a business delete any personal data about the consumer that a business has collected.

Request that a business that sells a consumer's personal data, not sell the consumer's personal data.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.

The right to erasure – You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

Children's Information

We don’t knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will do our best efforts to promptly remove such information from our records.

Deleting your data

We keep your data only as long as necessary to fulfill our Services and aim to delete or anonymize your data as soon as it’s no longer required for the purposes outlined in this Privacy Policy unless otherwise required by law.

If you no longer wish to receive marketing emails, you can opt-out of our mailing lists at any time by clicking on the “unsubscribe” link present in every email. Your contact information will be deleted within 30 days.

You can withdraw your consent for us to process your data at any time by contacting us using the contact information listed at the end of this policy.

To withdraw your implicit consent for our applications to process your data, you can uninstall them anytime.

Changing this Privacy Policy

We reserve the right to modify this Privacy Policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

If we are acquired or merged with another company, your information may be transferred to the new owners so that we may continue to provide our Services to you.

Contacting us

If you have questions or comments about this Privacy Policy, you may email us at [email protected] or by post to:

Shift Crypto AG
Soodmattenstrasse 4
8134 Adliswil
Switzerland