Benetics Privacy Principles

Last revision: 04. October 2023


At Benetics, we treasure every single one of our users: we are on a journey with you, building products for you, and we want to earn your trust every single step of the way.

We commit to being good stewards of your data, and to being open and transparent with you at all times about what happens with your data when you interact with our products.

Our privacy promise to you:
  • We are transparent. We tell you exactly what data we are collecting; keep you updated when data policy changes happen on our side; and give you ways to contact us if you have questions or concerns.

  • You are always in control. Our products make it easy for you to delete data if you wish; to change your preferences on how much data our systems collect; to cleanly remove your user accounts when you wish; and to export your data when and how you wish so you can interact with other systems.

  • We keep you and your data safe. We take the security of your business and your data extremely seriously. We know that your trust in us is built slowly and carefully over a long time, and that even a single mistake would be unacceptable. We encrypt all your data both in transit and at rest, adhering to the strictest industry standards; we design, test, and audit our software with an airtight permissions system so that only people you authorize can see proprietary data; we audit all data access with detailed logs, so we can prove to you when and how data is used; and we make security reviews an ongoing part of every product release.

    We are always reachable for your privacy and security concerns at privacy@benetics.io. Don’t ever hesitate to contact us with questions, problems, ideas, and comments!

    We are committed to a long-term relationship with you and your business, protecting your data every step of the way.

Technical details:

Data storage

  • Business data is stored in Amazon S3 and in Amazon DynamoDB.

  • User login data is stored in Amazon Cognito.

  • Data is backed up at regular intervals, and we are able to restore snapshots of your data when you ask us to, up to a history of 3 months.

  • When you request deletion of your account or data associated with your account, that information is removed within minutes from our serving systems. Removing from data storage (including past snapshots, if any) may take additional time, but is guaranteed to be removed within 3 months.

  • We are able to provide you with exports of your data in most major file formats upon request.

  • Customer business data is stored in the European Union at Amazon’s Frankfurt, Germany datacenter facility

Sub-processors

  • Mentioned in Annex A

Data encryption

  • Data at rest in Amazon S3 is encrypted end-to-end using 256 bit AES (details).

  • Data at rest in DynamoDB is also encrypted end-to-end using 256 bit AES (details).

  • Data in transit is encrypted using AWS KMS and TLS on the backend. Encryption from our backend to our clients (mobile, desktop) is also based on TLS.

Who can access data

  • Data access is restricted to members of our product, engineering, and customer success teams who have been granted permission.

  • Data access is restricted to full-time employees of the Benetics AG in product, engineering, and customer success teams who have been granted permission.

  • Benetics employees are only allowed to access customer data when they’re located in Switzerland.

  • All access to customer data is logged.

  • Engineers and product managers refrain from direct access to customer data except for 4 cases:

    1) a direct request from the customer who owns the data;
    2) the need to view specific data to resolve a system crash or other failure;
    3) an investigation for security purposes or to otherwise fight misuse of our platform; or
    4) to comply with legal requirements imposed on us.

    Customer success team members analyze data to assist in response to a customer request or to analyze how to improve our features for our customers.

Why and how we process your data

  • We process your data only for certain very specific cases. Outside of the cases given here, we do not process or examine your data.

  • We process your data only for the following reasons:

    1) to fulfill requests from you or your employees in the course of business;
    2) a direct request from you;
    3) our need to resolve system crashes or other failures (“debugging”);
    4) to investigate possible security issues or otherwise fight misuse of our platform;
    5) to improve the feature offerings of our product;
    6) to comply with legal requirements imposed on us.

  • It is important to understand that under no circumstances do we share your data with other companies or entities, except as the law may require.

Annex A

Sub-processor: Amazon AWS

  • Registered Office: A100 ROW GmbH, Marcel-Breuer-Straße 12, 80807 München, Deutschland

  • Subcontracted Services: Processing, queueing, and network routing using the following services: Lambda, SQS, SNS, API Gateway, EventBridge, Translate, Transcribe

  • Place(s) of Performance: Frankfurt, Germany


Sub-processor: Amazon AWS DynamoDB

  • Registered Office: A100 ROW GmbH, Marcel-Breuer-Straße 12, 80807 München, Deutschland

  • Subcontracted Services: Data storage and processing

  • Place(s) of Performance: Frankfurt, Germany


Sub-processor: Amazon AWS S3

  • Registered Office: A100 ROW GmbH, Marcel-Breuer-Straße 12, 80807 München, Deutschland

  • Subcontracted Services: Data storage and processing

  • Place(s) of Performance: Frankfurt, Germany


Sub-processor: Amazon AWS Cognito

  • Registered Office: A100 ROW GmbH, Marcel-Breuer-Straße 12, 80807 München, Deutschland

  • Subcontracted Services: User 2-factor authentication and storage of login credentials

  • Place(s) of Performance: Frankfurt, Germany


Sub-processor: Amazon AWS Simple Email Service

  • Registered Office: Amazon Data Services Ireland Limited, 1 Burlington Plaza Burlington Road, Dublin 4, D04RH96 Ireland

  • Subcontracted Services: Email forwarding

  • Place(s) of Performance: Dublin, Ireland


Sub-processor: Google GCP Maps API

  • Registered Office: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

  • Subcontracted Services: Geocoding and reverse geocoding

  • Place(s) of Performance: Zurich, Switzerland


Sub-processor: Google Firebase

  • Registered Office: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

  • Subcontracted Services: Mobile push notifications, analytics

  • Place(s) of Performance: Zurich, Switzerland


Sub-processor: Branch Metrics Inc.

  • Registered Office: Branch Metrics, Inc., 195 Page Mill Road, Suite 101, Palo Alto, CA 94306, USA

  • Subcontracted Services: Deep linking services

  • Place(s) of Performance: Zurich, Switzerland