Data Privacy Statement TWINT AG
This information is aimed at TWINT users (you/your) and employees of partner companies of TWINT AG/TWINT Acquiring AG (TWINT, we/us) who use the prepaid TWINT app (TWINT app) and/or visit TWINT’s websites and social media channels.
The aim of this information is
- to provide comprehensive information regarding the way in which we process your personal data;
- to outline your rights in relation to the processing of your personal data; and
- to provide the contact details of the body responsible for the processing of your personal data and of TWINT’s data protection officer.
Your trust is important to us, which is why we take the issue of data protection seriously and maintain an appropriate level of security. We undertake to handle your personal data in a responsible manner. We do, of course, adhere to the provisions of the Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP), the Telecommunications Act (TCA) and, if applicable, other data protection regulations.
Please take note of the following information to find out what personal data we collect from you and for what purposes we use this information.
2. What personal data do we process for what purpose?
Depending on your activity, we process the following personal data about you:
2.1 Visiting the website
When you visit our website, our servers temporarily store the details pertaining to each access in a log file. During this process, the following data is collected without any action on your part and stored by us for no more than 26 months, after which point it is automatically deleted:
- the IP address of the requesting computer (truncated)
- the name of your Internet service provider (usually your Internet service provider)
- the date and time of the access
- the name and URL of the file requested
- the page and address of the website from which you were forwarded to our website and, if applicable, the search term used
- the country from which our website is accessed
- the operating system of your computer and the browser used (provider, version and language)
- the transmission protocol used (e.g. HTTP/1.1)
This data is collected and processed for the purpose of facilitating the use of our website (to create a connection), ensuring long-term system security and stability, enabling us to optimise our online service and for internal statistical purposes.
The IP address is only analysed for the purpose of investigating and preventing an attack on the network infrastructure or in the event of suspicion of other unauthorised use or misuse of the website and, if applicable, during criminal proceedings for identifying and prosecuting the relevant users under civil and criminal law.
2.2 Using the TWINT app
When you use our services in the TWINT app, we process the following personal data:
- Last name, first name
- Date of birth
- Telephone number
- Bank account details
- Proof of identity
- E-mail address
- Location data (if consent has been given)
The processing of your personal data is necessary in order for us to be able to provide certain services in the TWINT app, such as payment processing, credit rating check, providing information about availability, preventing fraud or dealing with complaints and refunds, as well as for the purpose of fulfilling regulatory requirements. If you do not provide us with this information, you cannot use the TWINT app.
The data is deleted once it is no longer required for the provision of services. The foregoing does not apply, however, to data that has to be stored for longer by law, e.g. payment data. We also store contract data for longer as this is stipulated by statutory retention obligations. Retention obligations, which oblige us to retain data, are based on accounting and tax regulations. In accordance with these regulations, business communications, concluded contracts and accounting documents are stored for up to ten years. Pursuant to money laundering legislation, certain data is also stored for up to ten years after termination of the business relationship. This data is blocked if we no longer require it for the purpose of providing services to you. In this case, the data may only be used for the relevant purposes.
Users can also transmit their location data to us. Depending on the settings of your smartphone, you will be asked to consent to this prior to the transmission of the data. We only store location data in an inexact manner (radius of 16 kilometres) and delete it after six months at the latest.
2.3 Marketing purposes
2.3.1 E-mail newsletter
You can register to receive our TWINT newsletter on our website. We send the newsletter to make you aware of our latest offers and news. In relation to this activity, we collect the following data from you:
- First name
- Last name
- E-mail address
Our newsletter and other e-mail communications contain a so-called web beacon (tracking pixel) or similar technical means. Every time a newsletter or other marketing communication is sent, we collect information pertaining to the address file used, the subject and the number of e-mails sent. We can also see which addresses are yet to receive the newsletter or other communication, the addresses to which these have been sent and the addresses to which they failed to be delivered. In addition to this, we can see which addresses have opened the newsletter or other communication and how often they have clicked on which content. Finally, we can see which addresses have unsubscribed from this service. We use this data for statistical purposes and to optimise the content and structure of the newsletter or our other communications. This allows us to better align the information and offers contained in our newsletter and marketing communications in general to the individual interests of the recipient. The tracking pixel is deleted if you delete the newsletter or e-mail without having opened it beforehand.
To prevent the use of web beacons (tracking pixels) in our newsletter or other communications, please adjust the settings of your e-mail program so that no HTML is displayed in messages, provided this is not already the case by default. On the pages below, you can find a series of explanations as to how you can adjust these settings in common e-mail programs.
You can unsubscribe from the newsletter at any time by contacting us or by clicking on the unsubscribe link at the end of every newsletter or other communication.
The personal data processed for the purpose of sending the e-mail newsletter is deleted when you unsubscribe from the newsletter.
If you would like to take part in a competition, the following personal data pertaining to you is processed for the purpose of conducting the competition:
- Last name and first name
- Telephone number
- Bank account details (depending on the type of competition)
The personal data processed for the purpose of conducting competitions is deleted once the competition is over, unless specified otherwise or unless other statutory retention obligations apply.
2.3.3 Marketing campaigns
In order for you to be provided with personalised information and offers from TWINT or in connection with TWINT (TWINT campaigns) in the TWINT app, your payment data is analysed and evaluated to personalise what is displayed to you. To do this, the following information and data is used:
- Name, industry category and location of the payment recipient
- Time and date of the payment
- Payment amount
- Type of payment (e.g. in the online shop or in store)
Information pertaining to the offers that you view, activate and redeem in the TWINT app is also collected and evaluated. TWINT does not, however, have the ability to view the contents of your shopping basket and thus does not evaluate data of this kind.
You can also consent to having campaigns by third-party providers displayed to you and further data pertaining to you analysed and evaluated for the purpose of personalisation together with your payment data. You can revoke this consent at any time in the TWINT app. The following personal data is processed for this purpose:
- Date of birth
2.3.4 Customer loyalty cards
You have the option to save selected employee ID cards, customer loyalty programmes and other incentive-based offers from third-party providers (customer loyalty cards) in the TWINT app. For the purpose of displaying or transmitting customer loyalty cards, the following data is processed by us:
- Type and name of the Visual Cards
- Number of Visual Cards
The personal data processed for the purpose of displaying or transmitting customer loyalty cards is deleted if you remove the customer loyalty card in the TWINT app.
2.4 Partner functions
You can purchase goods and services (e.g. SuperDeals or digital vouchers) or make use of other offers (e.g. parking or cash withdrawals) directly in the TWINT app. These offers are subject to the provisions and data privacy statements mentioned and listed in the respective offer.
2.5 During the application process
If you submit an application to us, we process the following personal data for the purpose of reviewing your application:
- Last name, first name
- Date of birth
- Telephone number
- Marital status
- Debt collection and criminal record extracts
- Information from your CV
- Further data received from you during the application process
Personal data processed during the application process is deleted six months after the completion of the application process at the latest.
2.6 Employees of partner companies
If you are an employee of one of our partner companies, the following personal data is processed by us for the purposes of providing information about the service (e.g. availability or technical problems), maintaining the business relationship with your company, marketing and complaint/fraud management and invoicing:
- Last name and first name
- E-mail address
- Telephone number
Employee contact details are deleted immediately upon request to do so by you or your company.
3. From which sources do we collect personal data?
As a general rule, we collect personal data directly from you, e.g. when you install and use the TWINT app, through forms, during communication with us or when you use our website.
Insofar as this is not unlawful and is required for the provision of our services, we also collect data from publicly accessible sources (e.g. debt enforcement register, commercial register), from other companies within our Group, from authorities and from other third parties (e.g. contractual partners, Internet analytics services, etc.).
The categories of personal data about you that we receive from third parties particularly comprise information taken from public registers, information we learn in relation to official and legal proceedings, information in relation to your professional roles and activities, information about you in correspondence and discussions with third parties, information about you provided to us by people from your environment (e.g. family members, advisors, legal representatives) for the purpose of concluding or executing contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney, information on compliance with legal provisions such as those pertaining to combating fraud, money laundering and terrorism and export restrictions, information from banks, insurance companies and our distribution and other contractual partners about the use or provision of services by you [e.g. payments, purchases], information about you from the media and the Internet [provided this is indicated in the specific case, e.g. in the context of an application, marketing/sales]) and data in connection with the use of third-party websites and online offers, where this use can be attributed to you.
4. Special processing of your personal data
We can analyse some of your personal characteristics automatically (“profiling”) if we want to determine data concerning your preferences, but also to identify the risk of misuse and security risks, to make statistical assessments or for operational planning purposes. By using the app, you agree that your transaction data may be evaluated for the purpose of showing you personalised offers from TWINT. You can find further information on this topic in section 2.3.3.
During the provision of our services, the application process or the operation of our website, we may make a decision based solely on automated processing that has legal implications for you or could affect you to a significant extent. In this case, we will notify you accordingly and take the necessary measures pursuant to applicable legislation.
5. Where do we store your personal data?
We store your personal data on secure servers in Switzerland or the European Union.
6. For how long do we process personal data?
We process your data for as long as our processing purposes, statutory retention periods and our legitimate interests in processing for documentation and evidence purposes require or as long as storage is necessary from a technical perspective. You can find further information on the storage and processing periods for the individual data categories in section 2 and the cookie categories in section 10. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after the storage or processing period has expired.
Documentation and evidence purposes include, in particular, our interest in documenting processes, interactions and other facts in the event of legal claims, discrepancies, IT and infrastructure security purposes and evidence of good corporate governance and compliance. Storage may be necessary from a technical perspective if certain data cannot be separated from other data and we therefore need to store it together with this data (e.g. in the case of backups or document management systems).
7. To whom do we disclose personal data?
In relation to the use of the TWINT app or website or during the application process, we disclose your personal data to the following categories of recipients:
- TWINT AG / TWINT Acquiring AG: Within the framework of intra-Group services, we can disclose your personal data within the Group to TWINT AG or TWINT Acquiring AG.
- Service providers: We work together with service providers from Switzerland and abroad who process data pertaining to you received by us on our behalf, as joint controllers with us or as independent controllers (e.g. IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, banks, insurance companies, debt collection agencies). See section 9 for the service providers consulted for the website. We disclose to these service providers the data necessary for the provision of their services, which may also concern you. These service providers may also use data of this kind for their own purposes, e.g. to find out about outstanding claims and your payment behaviour in the case of credit bureaus or anonymised data to help improve services. We conclude contracts with these service providers, which contain provisions on the protection of your personal data. Our service providers may also process data about how their services are used and other data arising from the use of their service as independent data controllers for their own legitimate interests (e.g. for statistical assessments or for preparing statements). The service providers provide information about their data processing practices in their own data privacy statements.
- Authorities: We may disclose personal data to offices, courts and other authorities or regulatory organisations in Switzerland and abroad if we are legally obliged or entitled to do so, or if this appears necessary to protect our interests. The authorities process data about you received by us as independent controllers.
All of these categories of recipients may engage third parties, meaning that your data may also be made accessible to these parties. We can limit processing by certain third parties (e.g. IT providers), but not others (e.g. authorities, banks, etc.).
We also allow certain third parties to collect personal data from you on our website and at events organised by us (e.g. media photographers, providers of tools we have integrated into our website). These third parties alone are responsible for data processing, unless we play a decisive role in these data collection activities. Please contact these third parties directly if you have any concerns or wish to assert your data protection rights.
8. Transmission of your personal data abroad
As explained in section 7, we also disclose data to third parties. These parties are not located exclusively in Switzerland. Your data may, therefore, also be processed in Europe (particularly Germany) and the US (e.g. when using Google Analytics); in exceptional cases, however, in any country of the world.
Some of the third-party service providers referred to in this data privacy statement are headquartered in the US. For the sake of completeness, we would like to point out that, in the US, surveillance measures are enforced by the US authorities, which generally allow for the storage of all personal data pertaining to anyone who has transmitted their data from Switzerland or the EU to the US. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and its subsequent use to very specific, strictly limited purposes that are capable of justifying the intervention associated with both the access to and use of this data. We would also like to point out that, in the US, data subjects from Switzerland have no recourse to remedies that would allow them to gain access to the data pertaining to them and have it rectified or deleted, and have no recourse to effective judicial protection against general access rights of US authorities. We are drawing your attention explicitly to this legal and factual situation so that you can make an appropriately informed decision as to whether or not to consent to the use of your data.
If a recipient is located in a country without an adequate level of statutory data protection (e.g. the US), we contractually oblige the recipient to comply with applicable data protection legislation (we use the revised Standard Contractual Clauses of the European Commission, which can be accessed here), provided the recipient is not already subject to a legally recognised regulatory framework to ensure data protection and we cannot rely on a derogation. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it concerns data that you have made generally accessible and you have not objected to its processing.
Please also be aware that data exchanged over the Internet is often transmitted via third countries. Your data may, therefore, also be transmitted abroad, even if the senders and the recipient are located in the same country.
9. Do we use online tracking and online advertising techniques?
a. Google Analytics (including Google Analytics for Firebase)
In the TWINT app and on our websites, we use Google Analytics (including Google Analytics for Firebase), an analytical tool provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). Google Analytics uses methods that make it possible to analyse visits to our websites, such as cookies. The information about your use of our website generated through the cookie, such as
- App updates,
- Browser information,
- Click path,
- Date and time of visit,
- Device information,
- Flash version,
- Approximate location information (country and city),
- IP address,
- Pages visited,
- Purchasing activity,
- Referrer URL,
- Usage data,
- Widget interactions,
- Navigation path that a visitor follows on the websites,
- Time spent on the websites and subpages,
- The subpage from which the website is left,
- The country, region or city in which access is made,
- End device (type, version, colour depth, resolution, width and height of the browser window),
- Returning or new user,
- Browser provider/version,
- The operating system used,
- The referrer URL (website visited previously),
- Host name of the accessing computer (IP address),
- Time of server request,
is usually transferred to a Google server in the US and stored there. During this process, the IP address is truncated by activating IP anonymisation (“anonymizeIP”) before being transmitted to a Member State of the European Union or to other states party to the European Economic Area Agreement or Switzerland. According to Google, the masked IP address transmitted in connection with Google Analytics is not associated with other data held by Google. Only in exceptional cases is the full IP address transferred to a Google server in the US and truncated there. In these cases, you will be asked to consent to the processing of the data in advance.
The information is used to evaluate the use of our websites, to prepare reports on the activities undertaken on our websites and to provide additional services associated with the use of our websites for the purposes of market research and designing our websites to meet the needs of our users. This information may also be transmitted to third parties insofar as this is required by law or insofar as third parties process this data on our behalf.
Users can prevent the collection and processing by Google of the data concerning their use of our websites generated by the cookie (incl. the IP address) by preventing cookies or by selecting the relevant settings on the website (see section 10). In the TWINT app, the use of Google Firebase to optimise the app can also be deactivated.
You can find further information about Google and how Google processes data here.
b. Microsoft App Center
TWINT uses the App Center Software Development Kit (“SDK”) of Microsoft Corporation (“Microsoft”) in the TWINT app in order to transmit crash reports with the objective of improving the TWINT app on a continuous basis. The information collected via the SDK about crashes in the TWINT app is transmitted to Microsoft servers in the US and stored there. This data is assessed by Microsoft in order to create crash reports and to provide additional services in connection with the analysis of TWINT app error messages. You can find detailed information about the type of data and its use in the Microsoft Privacy Statement under the following link: https://privacy.microsoft.com/en-gb/privacystatement.
Cookies help with a variety of processes, one of which is to make your visit to our websites easier, more pleasant and more meaningful.
Cookies are individual codes (e.g. a serial number) which our server or a server of our service providers or advertising contractual partners transmits to your system when you connect to our website and which your system (browser, mobile) accepts and stores until the programmed expiry time. With every further access, your system transmits these codes to our server or the server of the third party. This allows you to be identified even if your identity is unknown.
This means that, whenever you access a server (e.g. when you use a website or an app or because an image is integrated into an e-mail, visibly or not), your visits can be tracked. If we integrate offers from an advertising contractual partner or analytics tool provider into our website, they may track you in the same way, even if you cannot be identified in individual cases.
Most devices/Internet browsers accept cookies automatically. You can, however, adjust the settings of the device/Internet browser so that cookies are disabled or so that a message is displayed whenever you receive a new cookie. On the pages below, you can find a series of explanations as to how you can configure the processing of cookies:
Please note that the deactivation of cookies may result in you being unable to use all functions of our services.
Cookies can be classified as follows:
- Essential cookies: Some cookies are essential for the functioning of the website or some of its features. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you stay logged in. These cookies are only stored temporarily (“session cookies”). If you block them, the website may not work. Other cookies are essential for ensuring that the server can save decisions or entries made by you beyond one session (i.e. one use of the website) if you request this function (e.g. language selected, consent given, the function for automatic login, etc.). These cookies have an expiry date of up to 24 months.
We may also integrate further third-party offers into our websites, particularly those from social media providers. These offers are deactivated as standard. As soon as you activate them (e.g. by clicking a button), the corresponding providers can determine that you are on our website. If you have an account with the social media provider in question, it can assign this information to you and thus track your use of online offers. These social media providers process this data as independent controllers.
11. What data do we process on our pages on social networks?
You can find links to our social media networks on our websites. Behind the buttons to the social media networks is merely a link to our presence on the social media network. No user data is transmitted from TWINT to the social media network.
When you click on a link to one of our social media profiles, a direct connection is established between your end device and the server of the social network concerned. This notifies the network that you have visited our website and clicked on the link. If you click on a link to a network while you are logged into your account with the network concerned, the contents of our website can be linked to your profile with the network, which means that the network can assign your use of our website directly to your user account. If you wish to prevent this, you should log out before clicking on the corresponding links. In any case, this activity will be assigned to you when you log into the network concerned after clicking on the link.
We have also integrated social media plug-ins from various social networks on our website. These social media plug-ins may include, for example, the “Like” button or other functionalities, such as the ability to share content on social networks. You can identify the social media plug-ins by the logos of the social networks concerned.
A direct connection to the provider’s server is only established when you activate the respective plug-in by clicking on the associated button (consent). As soon as you activate the plug-in, the respective provider is notified that you have visited/used our website. If you are logged into your respective social media account (e.g. Facebook) at the same time, the respective provider can assign the visit/use of our website to your user account. If you wish to prevent this, you should log out before clicking on the plug-in. In any case, this activity will be assigned to you when you log into the network concerned after clicking on the plug-in.
Links and plug-ins are linked to the following networks:
- Facebook, of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
- Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA;
- Twitter, of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA;
- LinkedIn, of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA; and
- YouTube, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
12. How do we protect personal data?
We take appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
We also take internal data protection very seriously. Our employees and the service providers engaged by us have been obliged by us to maintain confidentiality and to comply with data protection provisions.
13. What rights do you have?
You have the following rights:
Right to information: You have the right to request access to your personal data stored by us at any time and free of charge when we are processing it. This gives you the opportunity to check what personal data pertaining to you we are processing and to ensure that we are using it in accordance with applicable data protection regulations.
Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be notified of the rectification. In this case, we will inform the recipients of the data concerned of the amendments made, unless this is impossible or involves disproportionate effort.
Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, the right to erasure may be excluded.
Right to data transmission: Under certain circumstances, you have the right to obtain from us free of charge in a machine-readable format the personal data you have provided to us.
Right of revocation: If data processing is based on consent, you have the right to revoke your consent at any time with effect for the future. Processing activities performed in the past based on your consent do not become unlawful as a result of your revocation. Revocation of consent may result in the discontinuation of the TWINT service.
If you wish to assert your rights, please contact us in writing. The contact details are provided in section 14 below.
If you have any questions about TWINT’s data protection, would like information or would like to have your data deleted, please contact us by sending an e-mail to firstname.lastname@example.org.
If you wish to contact us via letter, please direct your concerns to the following address:
Data Protection Officer
15. Amendment of the data privacy statement
This data privacy statement does not form part of any contract with you. We may amend this data privacy statement at any time. The version published on this website is the most recent version.
Last update: 29 March 2023