Privacy Policy

DE EN

Last updated: October 27, 2025

1. Data Controller

The controller responsible for data processing under GDPR and the Swiss Federal Data Protection Act (DSG) is:

BanioBits Software Development and IT Solutions

Owner: Stefan Studhalter

Kürsiacherweg 10

3203 Mühleberg, Switzerland

Legal Form: Sole Proprietorship

UID: CHE-430.822.150

Data Protection Officer:

Email: datenschutz@baniobits.dev

Phone: +41 79 152 81 09

2. Types of Data Processed

We process the following categories of personal data:

2.1 Master Data

  • First and last name
  • Email address
  • Phone number
  • Postal address
  • Date of birth
  • Employee number

2.2 Employment Data

  • Department assignment
  • Role and permissions
  • Qualifications and skills
  • Availability and shift preferences
  • Absences (vacation, sick leave, etc.)
  • Working hours and shift assignments

2.3 Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Access timestamps
  • Session cookies (session management, 12-hour validity)

2.4 Springer-Specific Data

  • Mobility (travel willingness, vehicle ownership)
  • Location and department preferences
  • Travel expense claims
  • Performance ratings and matching scores

3. Purpose of Data Processing

We process your personal data for the following purposes:

  • Personnel Management: Management of employee data, qualifications, and availability
  • Shift Planning: Creation and management of shift requests and assignments
  • Springer Matching: Automatic assignment of springers to open shifts based on qualifications and availability
  • Absence Management: Recording and approval of vacations, sick leave, and other absences
  • Reporting and Analytics: Generation of reports on personnel utilization and performance analysis
  • Travel Expense Management: Recording and reimbursement of travel expenses for springers
  • Notifications: Sending notifications about shift requests, approvals, and system events
  • System Security: Maintaining audit logs for traceability of system access and changes

4. Legal Basis for Processing

The processing of your personal data is based on the following legal grounds:

  • Art. 6(1)(b) GDPR: Processing necessary for the performance of an employment contract (personnel management, shift planning)
  • Art. 6(1)(c) GDPR: Processing necessary for compliance with legal obligations (e.g., retention requirements)
  • Art. 6(1)(f) GDPR: Processing necessary for legitimate interests (system security, audit logs)
  • Art. 6(1)(a) GDPR: Consent (where obtained for specific processing activities)

5. Data Recipients

5.1 Internal Recipients

Within the organization, the following groups have access to your data:

  • Administrators (full access)
  • Regional and operations managers (access to assigned regions/locations)
  • Team leaders (access to own teams)
  • Employees (access to own data)

5.2 External Recipients

Your data is shared with the following external service providers:

  • Hosting Provider: Hetzner Cloud (Germany) - for server infrastructure
  • Email Delivery: Postmark (EU servers) - for transactional emails
  • Error Monitoring: Sentry (EU servers) - for system error tracking

All external service providers are contractually obligated to comply with GDPR and process data exclusively on our behalf.

6. Retention Periods

We store your personal data only as long as necessary for the fulfillment of purposes or as required by legal retention obligations:

Data Type Retention Period Deletion Method
Active employee records Duration of employment + 10 years Soft-delete → Hard-delete after 10 years
Shift requests 3 years Archived after 1 year, deleted after 3 years
Audit logs 7 years (legal requirement) Automated deletion after 7 years
Inactive accounts 2 years of inactivity Auto-deactivation → Manual deletion
Database backups 30 days Automated rotation
Session cookies 12 hours Automatic expiry after session ends

Detailed information on retention periods can be found in our Data Retention Policy (internal documentation).

7. Your Rights as a Data Subject

You have the following rights under GDPR and DSG:

7.1 Right of Access (Art. 15 GDPR)

You can request information about the personal data we process about you at any time.

7.2 Right to Rectification (Art. 16 GDPR)

You can request the correction of inaccurate or completion of incomplete data.

7.3 Right to Erasure (Art. 17 GDPR)

You can request the deletion of your data, provided there are no legal retention obligations. Your account will then be anonymized and fully deleted after the retention periods expire.

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request the restriction of processing of your data, e.g., if you contest the accuracy of the data.

7.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format. Use the export function in your profile (CSV/Excel format).

7.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your data on grounds relating to your particular situation.

7.7 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Exercising Your Rights: To exercise your rights, please contact our Data Protection Officer at datenschutz@baniobits.dev or by phone at +41 79 152 81 09.

8. Data Security and Protection Measures

We implement comprehensive technical and organizational measures to protect your data:

8.1 Technical Measures

  • Encryption: HTTPS/TLS encryption for all data transmissions
  • Multi-Tenancy: Strict data separation between different organizations (multi-tenant isolation)
  • Authentication: Secure password hashing (bcrypt) and optional two-factor authentication
  • Session Management: Secure session cookies with 12-hour expiry
  • Rate Limiting: Protection against brute-force attacks
  • Regular Backups: Daily backups with 30-day retention

8.2 Organizational Measures

  • Role-Based Access Control: Pundit-based authorization with 6-level role hierarchy
  • Audit Logs: Complete traceability of all system access and data changes
  • Monitoring: Automatic error monitoring and performance tracking (Sentry)
  • Security Scanning: Regular security audits (Brakeman, Bundler Audit)
  • Training: Regular data protection training for employees

9. Cookies and Tracking

9.1 Cookies Used

We use exclusively essential session cookies that are necessary for the operation of the application:

Cookie Name Purpose Validity
_flexory_session Authentication and session management 12 hours

No Tracking Cookies: We do not use any analytics, marketing, or third-party tracking cookies. Therefore, cookie consent is not required.

10. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in legal requirements or changes to our services.

For material changes, we will notify you via email or through the system.

Effective date: October 27, 2025

11. Data Protection Officer

For questions about data protection or to exercise your rights, please contact:

Data Protection Officer

Name: Stefan Studhalter

Email: datenschutz@baniobits.dev

Phone: +41 79 152 81 09

12. Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1

CH-3003 Bern, Switzerland

Phone: +41 58 462 43 95

Email: info@edoeb.admin.ch

Website: www.edoeb.admin.ch

← Back to Home