Privacy Policy

As of: May 1, 2026

1. Responsible Party

The party responsible for the processing of personal data on this website and in connection with the digital insurance and information services offered here is:

bitsurance GmbH
Dammstr. 41
31134 Hildesheim
Germany

Commercial Register: HRB 207867
Register Court: District Court Hildesheim
Represented by: Christian Wind and Philipp Oehler

Phone: 05121 3035545
E-Mail: service@bitsurance.eu

VAT Identification Number: DE348409096
Insurance representative with permission under § 34d para. 1 GewO
Broker Register Number: D-MUID-JWLDV-00

Data protection inquiries can also be directed to service@bitsurance.eu.

2. General Information

We take the protection of personal data seriously. This privacy policy informs you about which personal data we process, for what purposes we do so, on what legal bases the processing occurs, to whom data may be transmitted, how long data is stored, and what rights affected individuals have.

Personal data is any information relating to an identified or identifiable natural person. This includes, in particular, contact data, contract data, payment data, communication data, technical online identifiers such as IP addresses, and, in connection with our insurance offerings, wallet-related information such as xPub data, derived addresses, signatures, signature texts, transaction contexts, or hashes formed from them, as far as they can be attributed to a person.

We treat wallet-related information with particular care. An xPub is not a private key and does not allow anyone to spend or otherwise dispose of Bitcoin. However, an xPub can enable the association of addresses and transaction histories. Therefore, we treat xPub data, derived information, and related evidence as particularly sensitive personal or personally identifiable data.

This privacy policy applies to visitors of the website, interested parties, newsletter and waiting list contacts, applicants, policyholders, payers, claimants in the event of a loss, and individuals who communicate with us.

In the case of translated versions of this privacy policy, the German text is authoritative.

3. Legal Bases for Processing

We process personal data only if there is a legal basis for this. Depending on the processing, the following legal bases may apply in particular:

Art. 6 para. 1 lit. a GDPR:
Consent, for example, for newsletters, waiting lists, product information, or the active loading of external media.

Art. 6 para. 1 lit. b GDPR:
Fulfillment of a contract or carrying out pre-contractual measures, for example, in the case of insurance inquiries, insurance applications, contract conclusion, contract management, payment processing, and claims handling.

Art. 6 para. 1 lit. c GDPR:
Fulfillment of legal obligations, for example, commercial, tax, insurance, supervisory, sanctions, or compliance-related obligations.

Art. 6 para. 1 lit. f GDPR:
Protection of legitimate interests, for example, IT security, error analysis, prevention of abuse and fraud, legal defense, proof, improvement of our offerings, and secure operation of the website.

§ 25 para. 2 TDDDG:
Storing information or accessing information on end devices, as far as technically necessary to provide the expressly requested digital service.

§ 25 para. 1 TDDDG:
Consent for non-essential access to end devices, as far as such is used on a case-by-case basis.

If we base processing on legitimate interests, you may object to the processing in accordance with Art. 21 GDPR. If we process data based on consent, you may revoke the consent at any time with effect for the future.

4. Accessing the Website and Server Log Files

When accessing our website, the technical infrastructure automatically processes data that is necessary for delivering the website, stability, security, error analysis, and data-efficient statistical usage analysis. This may include, in particular:

  • IP address.
  • Date and time of access.
  • Requested URL.
  • HTTP method.
  • HTTP status code.
  • Transferred data volume.
  • Referrer URL.
  • Browser type and version.
  • Operating system.
  • User-Agent.
  • Technical header data.
  • Information on request processing by our servers and API systems.

We use this data to provide the website, to statistically evaluate the use of the website in a data-efficient manner, to detect technical errors, to prevent attacks and abuse, to ensure the availability of systems, and to be able to trace security-relevant events.

The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the secure and stable operation of the website, in technical error resolution, in data-efficient usage analysis, and in the defense against attacks.

Server and API log files are, as a rule, stored for up to 90 days. Longer storage occurs only if individual log excerpts are necessary for clarifying security incidents, troubleshooting, combating abuse, or asserting, exercising, or defending legal claims. In these cases, we store the affected data until the matter is finally clarified and subsequently only as far as statutory retention or limitation periods require.

5. Hosting, DNS, and Technical Delivery

Our public website is technically delivered as a static website. Content is maintained internally in a content management system, built with Astro, and then provided as static files via our internet infrastructure. The internal editorial system is not accessed by visitors during a normal visit to the public website and does not process visitor data.

We host our internet infrastructure at:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Hetzner processes technical operational data as a processor under Art. 28 GDPR.

We currently use Cloudflare as an authoritative DNS service. According to our current configuration, Cloudflare is not used as an HTTP proxy, CDN, TLS proxy, web application firewall, or bot protection for the website. Therefore, during a normal access of the website, the HTTP or HTTPS traffic does not go through Cloudflare.

As a DNS provider, Cloudflare can process DNS requests and technical DNS metadata. This may include, in particular, the requested domain name, the time of the request, technical DNS information, and the IP address of the requesting recursive DNS resolver. As of now, we have not set up any additional DNS log exports or log push targets. The standard DNS analytics and log settings of Cloudflare apply.

The provider is:

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
USA

Cloudflare may also process data outside the EU or EEA. According to Cloudflare, the EU-U.S. Data Privacy Framework and standard contractual clauses are used for transfers to the USA.

The legal basis for using Cloudflare as a DNS service is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in a reliable, secure, and fail-safe DNS resolution of our domains.

6. Security Reports and Content Security Policy Reports

Our website uses technical security mechanisms, including a content security policy. In the event of violations of security policies, technical reports may be generated. These may contain information about the accessed page, blocked content, browser, referrer URL, IP address, and technical context data.

We use this data solely for the detection and resolution of security and configuration issues as well as for the defense against attacks.

The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the secure operation of our website and our technical systems.

Security reports and content security policy reports are stored for as short a time as possible, as a rule for a maximum of 7 days. If a report can no longer be clearly associated with an open security or configuration issue, it is deleted earlier. Longer storage of individual reports occurs only in the case of specific security incidents or for asserting, exercising, or defending legal claims.

7. Cookies and Session Storage

We do not use our own cookies on the public website for language or country selection and do not use tracking cookies for advertising user profiles. However, in the application process, we use technically necessary session storage to ensure the multi-step insurance application functions.

Session Storage in the application process:
In the multi-step insurance application, inputs can be temporarily stored in the browser so that you can navigate between steps and the application remains technically functional. The storage usually ends with the closing of the browser tab or with deletion by the browser.

Legal bases are § 25 para. 2 TDDDG and Art. 6 para. 1 lit. b GDPR.

You can delete or block web storage via your browser settings. If you block technically necessary storage functions, the multi-step application process may be restricted.

8. Language, Country, and Local Georouting Functions

We offer content in multiple languages and for various markets. To select appropriate content, we process the language path in the URL, country and language parameters in the URL, and your selection in the language and country dialog.

The country and language selection is not stored in a separate cookie but passed through the URL.

If an automatic country assignment is used, it is based on a locally operated GeoIP database. No external GeoIP query is sent to a third party per website visit.

The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in displaying suitable language and market information and avoiding misdirection.

9. Contacting Us via E-Mail

If you contact us via e-mail, we process your e-mail address, your name, the content of your message, technical e-mail metadata, and any other information you voluntarily provide. We process this data to handle your inquiry, to communicate with you, to document the communication, and, if necessary, to fulfill contractual or legal obligations.

The legal basis is Art. 6 para. 1 lit. b GDPR, as far as your inquiry relates to a contract or pre-contractual measures. Otherwise, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in processing incoming inquiries and in maintaining traceable communication.

For e-mail transport and internal mailboxes, we use external e-mail service providers. For general business communication, we use Google Workspace/Gmail from:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

For confidential customer data transfer and encrypted communication, we use, if necessary:

Posteo e.K.
Methfesselstr. 38
10965 Berlin
Germany

as well as

mailbox.org, operated by Heinlein Hosting GmbH
Schwedter Straße 8/9B
10119 Berlin
Germany

For technical notifications, we use:

Brevo GmbH
Köpenicker Straße 126
10179 Berlin
Germany

In e-mail communication, in particular, recipient addresses, sender addresses, subject lines, technical metadata, and message contents may be processed. If e-mails contain confidential contractual or customer data, we implement internal encryption and access protection measures.

Please note that e-mail communication over the internet can generally have security risks. Send particularly confidential information only through suitable secure communication channels.

10. Newsletter, Waiting Lists, and Product Information

If you sign up for our newsletter, a waiting list, or product information, we process the necessary data for this. This may include, in particular:

Contact data:
E-mail address, optionally first name, last name, or alias.

Interest data:
Desired product, wallet type, product interest, country, and language.

Context data:
Source of registration, language, time of registration, and technical form information.

Proof data:
Consent and unsubscription information, evidence of registration, confirmation, change, or unsubscription, as well as public entry ID without e-mail address.

We use this data to send you the requested information, to manage your registration, to implement unsubscriptions, to prevent abuse, and to be able to prove consents.

The legal basis for sending is your consent under Art. 6 para. 1 lit. a GDPR. As far as advertising e-mail communication is concerned, we also consider the requirements of § 7 UWG. The processing of proof data is based on Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in documenting consent, complying with legal requirements, and legal defense.

You can revoke your consent at any time with effect for the future. To do this, use the unsubscribe link, the unsubscription function provided on the website, or contact us at service@bitsurance.eu.

The data will be stored as long as you are subscribed. After unsubscribing, we will delete or block the data, as long as there are no legal retention obligations or legitimate proof interests to the contrary. Consent proofs can be stored until the expiration of statutory limitation periods. If necessary, we may store an e-mail address or a corresponding hash value in a block list to prevent future submissions to that address.

11. Insurance Application and Contract Conclusion

If you request or conclude an insurance policy through our digital application process, we process the data necessary for the examination, creation, execution, and management of the insurance contract. This may include, in particular:

Identity data:
First name, last name, date of birth, and comparable information.

Contact data:
E-mail address, postal address, country, language, and communication data.

Risk data:
Insurance location, differing risk location, insurance amount, wallet type, and other information necessary for risk assessment.

Wallet and proof data:
xPub, derived information from the xPub, signature, signature text, verification status, hash values, technical proofs, and verification results.

Contract data:
Policy ID, invoice number, contract status, premium, insurance start, duration, consent, and checkbox logs.

Payment data:
Payment provider, amount, currency, invoice status, payment status, payment references, and allocation data.

Marketing, partner, and referral data:
Coupon, partner, or referral codes, as far as you use them.

We process this data for application review, proof of wallet control, contract creation, provision of contract documents, payment processing, contract maintenance, prevention of abuse, fulfillment of legal obligations, and legal defense.

The legal basis is Art. 6 para. 1 lit. b GDPR. As far as legal obligations exist, we process data based on Art. 6 para. 1 lit. c GDPR. As far as we process data for IT security, fraud and abuse prevention, legal defense, or internal quality assurance, the legal basis is Art. 6 para. 1 lit. f GDPR. As far as you explicitly consent to certain processing, the legal basis is Art. 6 para. 1 lit. a GDPR.

The legal consents, confirmations, and acknowledgments required for the conclusion will be requested in the digital conclusion process and logged with time and context information. This includes, in particular, data protection information, contractual declarations, consent to the processing of the specified wallet-related data, and the checkbox logs required for the application.

12. Wallet, xPub, Signature, and Blockchain Checks

For our insurance offering, we must verify whether you can prove control over the specified wallet account and whether the specified wallet-related data is suitable for the intended insurance coverage. To do this, we process, in particular, xPub data, signatures, signature texts, derived Bitcoin addresses, verification results, and hash values.

This processing serves, in particular, the following purposes:

Proof of wallet control:
We check whether a requested message has been signed with a matching key.

Plausibility and risk assessment:
We technically verify whether the specified wallet account and the provided data are suitable for the requested insurance coverage.

Contract management:
We can create hash values to recognize an insured wallet account without having to use the plaintext xPub again for each processing. Hash values can still be personal or personally identifiable data if they can be attributed to a person or a contract.

Abuse and compliance checks:
We can conduct checks against public blockchain, abuse, sanctions, or compliance reference data as far as necessary and legally permissible.

For technical blockchain and compliance checks, internal services and public reference data may be used. In the regular application process, we currently do not use an external AML service provider. Sanction checks are based on state or authority-published sanction lists and comparable compliance reference data. In doing so, no direct identity or contact data is transmitted to operators of such lists according to the current configuration.

For technical blockchain plausibility checks, derived Bitcoin addresses, transaction contexts, or technical request data may be checked against our own nodes or public blockchain or mempool interfaces as necessary. Your xPub data, signatures, and signature texts transmitted to us will not be published on the blockchain. They are not part of the public Bitcoin register. Direct identity and contact data are generally not transmitted to such technical data sources unless required for the respective check.

For the evaluation of Bitcoin values, public market data, in particular BTC/EUR price data, may be used.

In the event of a claim, we may, as part of the manual individual case processing before paying compensation, engage external specialized AML, blockchain analysis, or compliance service providers as necessary to fulfill legal obligations, conduct sanction checks, prevent abuse, verify the claimed entitlement, or for legal defense. Such engagement does not occur as an ongoing automated check in the application process, but only on a case-by-case basis in the specific claim.

Legal bases are Art. 6 para. 1 lit. b GDPR for contract-related checks, Art. 6 para. 1 lit. c GDPR for legally required compliance checks, and Art. 6 para. 1 lit. f GDPR for abuse prevention, IT security, risk management, and legal defense.

13. Necessity of Providing Data

The provision of personal data is partly necessary to use our website, communicate with us, receive information, submit an insurance application, conclude an insurance contract, or assert claims under an insurance contract.

For the conclusion and execution of an insurance contract, we particularly need the necessary identity, contact, risk, wallet, proof, contract, and payment data. Without this data, we are, as a rule, unable to review the application, conclude a contract, execute the contract, or process a claim.

The provision of voluntary data is marked accordingly or arises from the respective context. If you do not provide voluntary information, you will not suffer any disadvantages as long as this information is not necessary for the specifically desired service.

14. Insurers, Insurance Partners, and Service Providers in the Contract Process

To carry out the insurance offering, we may transmit personal data to insurers, insurance partners, service providers for contract documents, payment service providers, e-mail service providers, hosting service providers, and internal specialist systems.

Recipients may include, in particular:

Insurers and risk carriers:
Transmission of contract, risk, customer, payment, and claims data as far as necessary for offering, contract, bordereau, administration, billing, or claims processing.

Internal contract and logistics systems:
Management of policies, invoices, contract status, vouchers, e-mail lists, and communication processes.

Internal PDF and document services:
Creation of applications, policies, invoices, proofs, and internal documents.

Secure e-mail and dispatch systems:
Sending, receiving, encryption, forwarding, and archiving of contract-related communication.

Payment service providers:
Payment processing, payment status, amount and invoice information.

Hosting and security service providers:
Operation, protection, availability, and logging of technical systems.

The risk carrier and insurer is:

Liberty Mutual Insurance Europe SE
5-7 rue Léon Laval
L-3372 Leudelange
Luxembourg
Commercial Register Luxembourg: B232280

In Germany, Liberty Mutual Insurance Europe SE operates through the Directorate for Germany:

Liberty Mutual Insurance Europe SE
Directorate for Germany
Im Klapperhof 7-23
50670 Cologne
Germany
Commercial Register District Court Cologne: HRB 53435

The insurance contract is concluded according to the contract documents through:

Liberty Specialty Markets Europe S.à r.l.
Branch for Germany
Im Klapperhof 7-23
50670 Cologne
Germany

as the underwriting agency with signing authority for the insurer. Liberty Specialty Markets Europe S.à r.l., Branch for Germany, is registered in the Commercial Register of the District Court of Cologne under HRB 92327.

Insurers, risk carriers, and underwriting agencies may process personal data under their own data protection responsibility, as far as they decide on the purposes and means of processing. In that case, their own privacy information also applies.

Wallet-related raw data will only be shared as far as necessary for technical verification, the contract, legal obligations, abuse prevention, or claims processing. If a hash value, status, or derived proof is sufficient for the insurer or other recipients, we prefer to use such reduced data.

15. Payment Processing

If you make a payment, we process payment data for the execution and allocation of the payment. Depending on the selected payment method, payment data may be transmitted to the respective payment service provider.

15.1 PayPal

When paying via PayPal, payment data is transmitted to PayPal. The provider for users in the European Economic Area is:

PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal
L-2449 Luxembourg

PayPal also processes data as an independent controller. The privacy information of PayPal also applies.

The legal basis is Art. 6 para. 1 lit. b GDPR. As far as PayPal data is processed for accounting, fraud prevention, or legal defense, Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR also apply.

15.2 Bitcoin Payment and BTCPay

If you pay via Bitcoin, we process payment and invoice data as well as the payment status. The technical payment allocation is done via a BTCPay server operated by us or through our own Bitcoin payment infrastructure. BTCPay is not an external processor and not a separate recipient of personal data.

Bitcoin transactions are processed on the public blockchain. Publicly visible transaction data can be analyzed by third parties and linked with other information. We use the payment information for allocation and processing of the payment, for invoicing, for accounting, and, if necessary, for legal defense.

The legal basis is Art. 6 para. 1 lit. b GDPR. As far as commercial, tax, insurance, or regulatory obligations exist, the legal basis is Art. 6 para. 1 lit. c GDPR. As far as we process payment data for abuse prevention or legal defense, the legal basis is Art. 6 para. 1 lit. f GDPR.

16. Contract Documents, Invoices, and Archiving

We create and store contract documents, invoices, application documents, internal proofs, communication proofs, and comparable documents as far as necessary for the contract, billing, customer care, legal obligations, or legal defense.

Contract, invoice, insurance, and claims data are retained according to the applicable commercial, tax, insurance, and civil law regulations. Commercial and tax-relevant documents, in particular invoices, booking receipts, and contract and billing-related correspondence, are, as a rule, retained for up to 10 years after the end of the calendar year in which the last relevant processing or booking occurred. For certain documents, shorter or longer statutory periods may apply as provided by law.

We store insurance contract and claims data for the duration of the contract and thereafter as long as necessary for proof, billing, insurance supervision, abuse prevention, legal defense, or claims purposes. In the case of open or already settled claims, ongoing proceedings, claims established by an enforceable title, subsequent abuse or plausibility checks, or comparable legal claim matters, storage may be required in legally permissible exceptional cases for up to 30 years.

In accordance with the codes of conduct of the German insurance industry, data holdings are checked at least once a year to determine whether deletion or restriction of processing is possible. As far as data is stored only due to legal retention obligations or for legal defense, we restrict processing as much as possible.

Technical interim artifacts such as e-mail confirmation data, wallet connection data without conclusion, signature challenges, signature/xPub binding HMACs, or unassigned wallet-related verification data are deleted within a short time according to the current technical configuration, unless they are needed for a contract, legal obligations, security purposes, or legal claims.

Hash values that describe the insured wallet account or used codes after contract conclusion may, on the other hand, be part of the contract documents or contract management and are then subject to the deadlines applicable to contract and insurance data. If no contract is concluded, such temporary hash and verification values will not be kept as long-term records unless legal obligations, security purposes, or legal claims are at stake.

For technical interim artifacts, the following standard retention periods currently apply:

E-mail confirmation data:
approx. 24 hours or deletion after successful contract conclusion.

Wallet connection data without conclusion:
approx. 24 hours.

Signature challenges and signature/xPub binding HMACs:
Expiration as a rule after approx. 24 hours; technical cleanup as a rule approx. 48 hours after expiration or use.

Unassigned xPub, account, or hash verification data without contract reference:
approx. 30 days.

Canceled or terminated policies without continuation:
approx. 30 days, unless legal obligations or legitimate interests require otherwise.

Backups and security copies are stored encrypted on Hetzner infrastructure. For this purpose, we use Proxmox Backup Server or comparable encrypted backup methods. Archive or revision copies containing contract, invoice, booking, insurance, or claims data may be stored for up to 10 years and, in legal claim cases, exceptionally for up to 30 years. Purely technical rolling system backups without an independent archiving purpose are, as a rule, stored for up to 12 months as far as necessary for recovery, operational safety, and abuse clarification.

17. Self-Hosted Web Analysis with Umami

We use a self-hosted Umami installation to statistically evaluate the use of our digital offering and to technically and content-wise improve the application process. The evaluation is done without tracking cookies and without storing personal inputs such as name, e-mail address, address, date of birth, PIN, xPub, or signature.

The following can be particularly recorded:

Page and event data:
Accessed page, technical event name or event ID. This may also include visibility and interaction events of page sections, scroll depths, and clicks on call-to-action elements or embedded media.

Technical context data:
Browser, device type, language, referrer, and rough location derivation such as country, region, or city.

Rough offer metadata:
Wallet type, country, insurance sum category, or partner/marketing code, as long as no personal free text is included.

IP address and User-Agent on entry:
Only for short-term technical session formation or hash formation; no permanent storage as plaintext in the analysis database.

According to the current technical configuration, the IP address and User-Agent are not permanently stored in plaintext in Umami but are hashed for pseudonymous or anonymous session formation. Rough location information can be derived from the IP address and stored as a statistical feature. Recognition across different websites does not occur. The analysis data is stored on our own infrastructure and is not used for advertising profiles.

The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in data-efficient reach measurement, error detection, and improvement of the application process. The regular retention period for analysis data is currently 12 months.

If the productive configuration should use tracking cookies, external analysis providers, session replays, or personal event data in the future, we will inform you separately and, if necessary, obtain consent.

18. Embedded YouTube Videos

Our website may embed YouTube videos in enhanced privacy mode via youtube-nocookie.com. Videos are loaded according to current technical configurations only when you actively click the play button or otherwise actively select the video. Before clicking, a locally provided preview image is used as far as technically possible.

When you activate a video, a connection to YouTube or Google is established. In doing so, your IP address, technical browser data, the accessed page, and information about video usage may be transmitted to Google.

The provider is:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Google may also transmit data to Google LLC in the USA. According to Google, transfers are based, among other things, on the EU-U.S. Data Privacy Framework and standard contractual clauses.

The legal bases for loading the video are your consent under Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. You can avoid giving consent in the future by not activating the video, or by reloading the page and not clicking play again.

19. Appointment Booking and External Links

Our website may contain links to external services, for example, to appointment booking services, social media profiles, or partner pages. If you click on an external link, you leave our website. From that point on, the respective provider processes data under its own responsibility.

For appointment bookings, we use Calendly. The provider is:

Calendly LLC
115 E Main St.
Ste A1B
Buford, GA 30518
USA

If you book an appointment via Calendly, in particular your name, e-mail address, appointment details, time zone, technical access data, and any voluntary messages are processed. Calendly processes data in the USA and bases third-country transfers on the EU-U.S. Data Privacy Framework and, if necessary, standard contractual clauses.

The legal basis is Art. 6 para. 1 lit. b GDPR, as far as the appointment booking concerns pre-contractual or contractual communication. Otherwise, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in simple and reliable appointment organization.

For external profiles on X/Twitter, LinkedIn, Nostr/Primal, or other platforms, the privacy information of the respective providers applies. When simply visiting our website, no data is transmitted to these platforms via such links, as long as no external content from the platforms is embedded.

20. Claims, KYC, and Additional Checks

If you report a claim or assert benefits from an insurance contract, additional data may be processed. This may include, in particular:

Claim data:
Date of loss, location of loss, description of the loss event, evidence, photos, and documents.

Contract data:
Policy, insurance amount, premium, payment history, and contract status.

Identity and KYC data:
Identification data or further evidence as far as necessary and legally permissible.

Wallet and transaction data:
Wallet-related evidence, signatures, derived addresses, transaction contexts, and verification results.

Communication data:
E-mail correspondence, support, and processing notes.

The processing occurs for the examination and handling of the claim, for contract fulfillment, for abuse and fraud prevention, for fulfilling legal obligations, for sanction and compliance checks, and for legal defense.

Even after the conclusion or settlement of a claim, we may continue to process necessary contract, claim, and wallet-related proof data to conduct subsequent plausibility and abuse checks, for example, if later publicly recognizable developments raise doubts about a claimed loss or the proper settlement of the claim.

Legal bases are Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. c GDPR, and Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies particularly in abuse prevention, subsequent clarification of possible irregularities, securing the insurance portfolio, fulfilling supervisory and proof-related requirements, and asserting, exercising, or defending legal claims.

Please do not send us special categories of personal data within the meaning of Art. 9 GDPR unless we explicitly request them or they are strictly necessary for processing in the individual case.

21. Data Sources for Non-Directly Collected Data

In general, we collect personal data directly from you. However, data may also come from other sources. This may include, in particular:

Wallet app or partner interface:
xPub, address, signature, technical integration data, or other wallet-related information if you actively trigger the transmission.

Payment service provider:
Payment status, payment reference, amount, currency, and allocation information.

Insurer or insurance partner:
Contract, status, billing, and claim data as far as necessary for administration, execution, or claims processing.

Public blockchain and compliance data sources:
Transaction contexts, public blockchain information, sanctions, compliance, or abuse indicators as far as necessary and legally permissible.

As far as Art. 14 GDPR is applicable, we will inform you about the processing of non-directly collected data in accordance with legal requirements.

22. Recipients and Processors

We only share personal data if necessary, if there is a legal basis, or if you have consented. Recipients or categories of recipients include, in particular:

Hetzner Online GmbH:
Hosting and server operation.

Cloudflare, Inc.:
Authoritative DNS service; according to current configuration, no HTTP proxy, CDN, TLS proxy, WAF, or bot protection for website accesses.

Google Ireland Limited / Google Workspace / Gmail:
General business communication and e-mail mailboxes.

Posteo e.K.:
Confidential customer data transfer and encrypted e-mail communication.

Heinlein Hosting GmbH / mailbox.org:
Confidential customer data transfer and encrypted e-mail communication.

Brevo GmbH:
Technical notifications, other notifications, and possibly dispatch processes for requested information.

PayPal (Europe) S.à r.l. et Cie, S.C.A.:
Payment processing for PayPal payments.

Liberty Mutual Insurance Europe SE:
Risk carrier and insurer; insurance offering, contract, bordereau, administration, billing, and claims processing.

Liberty Specialty Markets Europe S.à r.l., Branch for Germany:
Underwriting agency with signing authority for the insurer.

State or authority-published sanction lists:
Sanction and compliance reference data. According to current configuration, no direct identity or contact data is transmitted to operators of such lists.

External AML, blockchain analysis, or compliance service providers:
Only in manual individual case processing in the event of a claim or in comparable cases as necessary for payment, legal obligations, abuse prevention, claim verification, or legal defense.

Google Ireland Limited / YouTube:
Video embedding after active selection.

Calendly LLC:
Appointment scheduling.

Internal IT, contract, analysis, document, and logistics systems:
Operation, contract processing, document creation, secure communication, analysis, internal management, and proof.

With processors, we conclude contracts according to Art. 28 GDPR as necessary.

23. Transfers to Third Countries

Processing outside the EU or EEA may occur, in particular, with Cloudflare as a DNS provider, Google/YouTube, Google Workspace/Gmail, Calendly, PayPal, subcontractors of Brevo, technical blockchain or mempool data sources, and in the event of a claim with manually commissioned AML, blockchain analysis, or compliance service providers.

In the case of Cloudflare, this currently only concerns DNS data and no HTTP content or website accesses via a Cloudflare proxy.

A transfer to a third country occurs only if there is a legal basis. The following may apply in particular:

  • An adequacy decision by the European Commission under Art. 45 GDPR.
  • The EU-U.S. Data Privacy Framework for certified U.S. providers.
  • Standard contractual clauses under Art. 46 GDPR.
  • Additional protective measures as necessary.
  • Your consent.
  • A legal exception under Art. 49 GDPR.

Where providers publish their own privacy information, data processing conditions, or transfer mechanisms, we refer to that information and maintain the corresponding contractual foundations internally.

24. Automated Decisions

In the digital application process, technical plausibility, wallet, payment, abuse, and risk checks may be supported automatically.

According to current configurations, no exclusively automated decision within the meaning of Art. 22 GDPR occurs that has legal effect against you or significantly affects you in a similar way without a suitable human review being possible.

Should exclusively automated decisions within the meaning of Art. 22 GDPR be used in the future, we will inform you separately about the logic, scope, and intended effects as well as your rights.

25. Storage Duration

We store personal data only as long as necessary for the respective purposes or as long as legal retention obligations exist. The specific storage duration depends on the data category, purpose, legal obligations, and possible legal claims.

The following standard retention periods apply in particular:

Server and API logs:
Regularly up to 90 days, longer in the case of security incidents, abuse clarification, or legal claims.

Content security policy and security reports:
Regularly a maximum of 7 days, earlier if the purpose is fulfilled, longer only in the case of specific security incidents or legal claims.

Session storage in the application process:
Until the closing of the browser tab or until deletion by the browser.

Newsletter, waiting list, and product information data:
Until revocation or unsubscription; proofs possibly until the expiration of statutory limitation periods.

E-mail inquiries:
Until processing is completed; longer if there is a contractual, proof, legal, or retention reference.

Contract, invoice, booking, and business documents:
Regularly up to 10 years after the end of the relevant calendar year, as far as legally required or necessary for proof.

Insurance and claims data:
For the duration of the contract and thereafter according to legal retention, proof, abuse prevention, and limitation periods; in exceptional cases up to 30 years.

Technical interim artifacts in the application process:
Depending on the type of data, regularly between 24 hours and 30 days, as long as there are no contractual, legal, or security-related reasons to the contrary.

Analytics data:
According to current technical configurations, 12 months.

Backups and archive copies:
Archive and revision copies regularly up to 10 years, in legal claim cases exceptionally up to 30 years; technical rollback backups regularly up to 12 months.

When data is no longer needed and no obligations or legitimate interests stand in the way, we delete or anonymize it.

26. Data Security

We implement technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration, and disclosure. These include, in particular:

  • TLS encryption.
  • Separate internet and intranet systems.
  • Access restrictions.
  • Role-based permissions.
  • Encryption of confidential communication channels.
  • Reduced data sharing.
  • Logging of security-relevant events.
  • Secure backup procedures.
  • Regular technical audits.
  • Internal guidelines for handling wallet-related data.

Our security measures are continuously developed according to risk, state of the art, implementation effort, and the type of data processed.

Please note that e-mail communication over the internet can generally have security risks. Send particularly confidential information only through suitable secure communication channels.

27. Your Rights

You have the following rights under the GDPR:

Right to information under Art. 15 GDPR:
You may request information about the data processed concerning you.

Right to rectification under Art. 16 GDPR:
You may request the rectification of inaccurate or incomplete data.

Right to deletion under Art. 17 GDPR:
You may request the deletion of your data, as long as no legal obligations or overriding legitimate reasons stand in the way.

Right to restriction of processing under Art. 18 GDPR:
You may request the restriction of processing under the legal conditions.

Right to data portability under Art. 20 GDPR:
You may receive certain data in a structured, commonly used, and machine-readable format.

Right to object under Art. 21 GDPR:
You may object to processing based on Art. 6 para. 1 lit. e GDPR or Art. 6 para. 1 lit. f GDPR. If we process personal data for direct marketing purposes, you may object at any time.

Right to withdraw under Art. 7 para. 3 GDPR:
You may revoke consents granted at any time with effect for the future. The lawfulness of processing until the revocation remains unaffected.

Right to complain under Art. 77 GDPR:
You may lodge a complaint with a data protection supervisory authority.

To exercise your rights, you can contact us at service@bitsurance.eu. To process your request, we must verify your identity in an appropriate manner.

The data protection supervisory authority responsible for us is:

The State Commissioner for Data Protection Lower Saxony
Prinzenstr. 5
30159 Hanover
Germany
https://lfd.niedersachsen.de

You may also contact any other competent data protection supervisory authority.

28. Changes to This Privacy Policy

We will adapt this privacy policy when our services, technical systems, service providers, processing processes, or legal requirements change. The version published on this website applies.

Status: May 1, 2026