Privacy Policy

Last updated: 25 May 2026

1. Controller

The controller responsible for the processing of personal data on this website and in connection with the digital insurance and information services offered here is:

bitsurance GmbH
Dammstr. 41
31134 Hildesheim
Germany

Commercial register: HRB 207867
Register court: Local Court of Hildesheim
Represented by: Christian Wind and Philipp Oehler

Phone: +49 5121 3035545
Email: service@bitsurance.eu

VAT identification number: DE348409096
Insurance agent with permission pursuant to Section 34d (1) of the German Trade Regulation Act (GewO)
Insurance intermediary register number: D-MUID-JWLDV-00

You may also send data protection enquiries to service@bitsurance.eu.

2. General Information

We take the protection of personal data seriously. This Privacy Policy explains which personal data we process, for which purposes we process it, on which legal bases processing takes place, to whom data may be transferred, how long data is stored and which rights data subjects have.

Personal data means any information relating to an identified or identifiable natural person. This includes, in particular, contact data, contract data, payment data, communication data, technical online identifiers such as IP addresses and, in connection with our insurance offering, wallet-related information such as xPub data, derived addresses, signatures, signature texts, transaction contexts or hash values generated from such data, insofar as these can be linked to a person.

We treat wallet-related information with particular care. An xPub is not a private key and does not allow anyone to dispose of Bitcoin. However, an xPub may allow addresses and transaction histories to be linked. We therefore treat xPub data, information derived from it and related evidence as particularly sensitive personal or person-related data.

This Privacy Policy applies to visitors to the website, interested parties, newsletter and waiting list contacts, applicants, policyholders, payers, claimants in the event of a claim, and persons who communicate with us.

In the event of translated versions of this Privacy Policy, the German text shall prevail.

3. Legal Bases for Processing

We process personal data only where there is a legal basis for doing so. Depending on the processing activity, the following legal bases may apply in particular:

Article 6(1)(a) GDPR:
Consent, for example for newsletters, waiting lists, product information or the active loading of external media.

Article 6(1)(b) GDPR:
Performance of a contract or steps prior to entering into a contract, for example in the case of insurance enquiries, insurance applications, contract conclusion, contract management, payment processing and claims handling.

Article 6(1)(c) GDPR:
Compliance with legal obligations, for example commercial, tax, insurance, regulatory, sanctions-related or compliance-related obligations.

Article 6(1)(f) GDPR:
Legitimate interests, for example IT security, error analysis, prevention of misuse and fraud, legal defence, documentation, improvement of our services and secure operation of the website.

Section 25(2) TDDDG:
Storage of information or access to information in terminal equipment, insofar as this is technically necessary to provide the digital service expressly requested.

Section 25(1) TDDDG:
Consent for non-essential access to terminal equipment, insofar as such access is used in individual cases.

Where we base processing on legitimate interests, you may object to the processing in accordance with Article 21 GDPR. Where we process data on the basis of consent, you may withdraw your consent at any time with effect for the future.

4. Accessing the Website and Server Log Files

When our website is accessed, the technical infrastructure automatically processes data required for delivering the website, ensuring stability and security, analysing errors and performing privacy-friendly statistical usage analysis. This may include in particular:

  • IP address.
  • Date and time of access.
  • Requested URL.
  • HTTP method.
  • HTTP status code.
  • Amount of data transferred.
  • Referrer URL.
  • Browser type and browser version.
  • Operating system.
  • User agent.
  • Technical header data.
  • Information about request processing by our servers and API systems.

We use this data to provide the website, perform privacy-friendly statistical analysis of website use, detect technical errors, prevent attacks and misuse, ensure system availability and make security-relevant events traceable.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the secure and stable operation of the website, technical troubleshooting, privacy-friendly usage analysis and the prevention of attacks.

Server and API log files are generally stored for up to 90 days. Longer storage only takes place where individual log extracts are required to investigate security incidents, remedy errors, combat misuse or establish, exercise or defend legal claims. In such cases, we store the affected data until final clarification and thereafter only insofar as statutory retention periods or limitation periods require this.

5. Hosting, DNS and Technical Delivery

Our public website is technically delivered as a static website. Content is maintained internally in a content management system, built with Astro and then provided as static files via our internet infrastructure. The internal editorial system is not accessed by visitors during normal use of the public website and does not process visitor data in that context.

We host our internet infrastructure with:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Hetzner processes technical operational data as a processor pursuant to Article 28 GDPR.

We currently use Cloudflare as an authoritative DNS service. According to our current configuration, Cloudflare is not used as an HTTP proxy, CDN, TLS proxy, Web Application Firewall or bot protection service for the website. During normal access to the website, HTTP or HTTPS traffic therefore does not pass through Cloudflare.

As a DNS provider, Cloudflare may process DNS queries and technical DNS metadata. This may include, in particular, the requested domain name, the time of the request, technical DNS information and the IP address of the requesting recursive DNS resolver. According to the current status, we have not configured any additional DNS log exports or logpush destinations. Cloudflare’s standard DNS analytics and log settings apply.

Provider:

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
USA

Cloudflare may also process data outside the EU or the EEA. According to Cloudflare, transfers to the USA are based, among other things, on the EU-U.S. Data Privacy Framework and standard contractual clauses.

The legal basis for using Cloudflare as a DNS service is Article 6(1)(f) GDPR. Our legitimate interest lies in reliable, secure and resilient DNS resolution for our domains.

6. Security Reports and Content Security Policy Reports

Our website uses technical security mechanisms, including a Content Security Policy. If security rules are violated, technical reports may be generated. These reports may contain information about the page accessed, the blocked content, the browser, the referrer URL, the IP address and technical context data.

We use this data exclusively to detect and remedy security and configuration problems and to prevent attacks.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the secure operation of our website and technical systems.

Security reports and Content Security Policy reports are stored for as short a period as possible, generally for no more than 7 days. If a report clearly no longer needs to be assigned to an open security or configuration issue, it is deleted earlier. Longer storage of individual reports occurs only in the case of specific security incidents or to establish, exercise or defend legal claims.

7. Cookies and Session Storage

According to the current setup, we do not use our own cookies on the public website for country or language selection and we do not use tracking cookies for advertising user profiles. However, in the application process we use technically required session storage so that the multi-step insurance application works.

Session storage in the application process:
In the multi-step insurance application, entries may be temporarily stored in the browser so that you can navigate between steps and the application process remains technically functional. Storage usually ends when the browser tab is closed or when the browser deletes the data.

The legal bases are Section 25(2) TDDDG and Article 6(1)(b) GDPR.

You can delete or block web storage through your browser settings. If you block technically necessary storage functions, the multi-step application process in particular may be limited.

8. Language, Country and Local Georouting Functions

We offer content in several languages and for different markets. To select suitable content, we process the language path in the URL, country and language parameters in the URL, and your selection in the language and country dialogue.

According to the current setup, the country and language selection is not stored in a separate cookie, but passed on via the URL.

Where automatic country assignment is used, it is carried out using a locally operated GeoIP database. No external GeoIP request is sent to a third-party provider for each website visit.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in displaying suitable language and market information and avoiding misrouting.

9. Contact by Email

If you contact us by email, we process your email address, your name, the content of your message, technical email metadata and any further information that you voluntarily provide to us. We process this data to handle your enquiry, communicate with you, document the communication and, where necessary, fulfil contractual or legal obligations.

The legal basis is Article 6(1)(b) GDPR where your enquiry relates to a contract or pre-contractual measures. Otherwise, the legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in handling incoming enquiries and maintaining traceable communication.

For email transport and internal mailboxes, we use external email service providers. For general business communication, we use Google Workspace/Gmail from:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

For confidential customer data transfer and encrypted communication, we use, where required:

Posteo e.K.
Methfesselstr. 38
10965 Berlin
Germany

and

mailbox.org, operated by Heinlein Hosting GmbH
Schwedter Straße 8/9B
10119 Berlin
Germany

For technical notifications and alerts, we use:

Brevo GmbH
Köpenicker Straße 126
10179 Berlin
Germany

During email communication, recipient addresses, sender addresses, subject lines, technical metadata and message content may be processed in particular. Where emails contain confidential contract or customer data, we use internal encryption and access protection measures.

Please note that email communication over the internet may generally involve security risks. Please send particularly confidential information only via suitable secure communication channels.

10. Newsletters, Waiting Lists and Product Information

If you sign up for our newsletter, a waiting list or product information, we process the data required for this purpose. This may include in particular:

Contact data:
Email address, optionally first name, name or alias.

Interest data:
Desired product, wallet type, product interest, country and language.

Context data:
Source of registration, language, time of registration and technical form information.

Evidence data:
Consent and unsubscribe information, evidence of registration, confirmation, amendment or unsubscribe, and public entry ID without email address.

We use this data to send you the requested information, manage your registration, implement unsubscribes, prevent misuse and prove consent.

The legal basis for sending communications is your consent pursuant to Article 6(1)(a) GDPR. Where promotional email communication is concerned, we also take into account the requirements of Section 7 of the German Act Against Unfair Competition (UWG). The processing of evidence data is based on Article 6(1)(f) GDPR. Our legitimate interest lies in documenting consent, complying with legal requirements and defending legal claims.

You may withdraw your consent at any time with effect for the future. To do so, use the unsubscribe link, the unsubscribe function provided on the website or contact us at service@bitsurance.eu.

The data is stored for as long as you are registered. After you unsubscribe, we delete or block the data, unless statutory retention obligations or legitimate interests in retaining evidence prevent this. Evidence of consent may be stored until the expiry of statutory limitation periods. Where required, we may store an email address or a corresponding hash value in a suppression list to prevent future messages from being sent to that address.

11. Insurance Application and Conclusion of Contract

If you request or conclude insurance through our digital application process, we process the data required to review, create, perform and manage the insurance contract. This may include in particular:

Identity data:
First name, last name, date of birth and comparable information.

Contact data:
Email address, postal address, country, language and communication data.

Risk data:
Place of insurance, different risk location, insured amount, wallet type and other information required for risk assessment.

Wallet and evidence data:
xPub, information derived from the xPub, signature, signature text, verification status, hash values, technical evidence and verification results.

Contract data:
Policy ID, invoice number, contract status, premium, insurance start date, term, consent records and checkbox records.

Payment data:
Payment provider, amount, currency, invoice status, payment status, payment references and allocation data.

Marketing, partner and referral data:
Voucher, partner or referral codes, insofar as you use such codes.

We process this data for application review, proof of wallet control, contract creation, provision of contract documents, payment processing, contract support, misuse prevention, compliance with legal obligations and legal defence.

The legal basis is Article 6(1)(b) GDPR. Where legal obligations exist, we process data on the basis of Article 6(1)(c) GDPR. Where we process data for IT security, fraud and misuse prevention, legal defence or internal quality assurance, the legal basis is Article 6(1)(f) GDPR. Where you expressly consent to specific processing activities, the legal basis is Article 6(1)(a) GDPR.

The legal consents, confirmations and acknowledgements required for conclusion of the contract are requested in the digital conclusion process and recorded with time and context information. These include, in particular, privacy information, contractual declarations, consent to the processing of the wallet-related data provided and the checkbox records required for the application.

12. Wallet, xPub, Signature and Blockchain Checks

For our insurance offering, we must verify whether you can prove control over the specified wallet account and whether the wallet-related data provided is suitable for the intended insurance cover. For this purpose, we process in particular xPub data, signatures, signature texts, derived Bitcoin addresses, verification results and hash values.

This processing serves in particular the following purposes:

Proof of wallet control:
We verify whether a requested message was signed with a suitable key.

Plausibility and risk assessment:
We technically verify whether the specified wallet account and the provided data are suitable for the requested insurance cover.

Contract management:
We may generate hash values in order to recognise an insured wallet account without having to use the plaintext xPub again for every processing activity. Hash values may continue to be personal or person-related data if they can be linked to a person or a contract.

Misuse and compliance checks:
We may perform checks against public blockchain, misuse, sanctions or compliance reference data where this is required and legally permissible.

For technical blockchain and compliance checks, internal services and public reference data may be used. In the regular application process, according to the current setup, we do not use an external AML service provider. Sanctions checks are carried out using sanctions lists published by state or governmental authorities and comparable compliance reference data. According to the current setup, no direct identity or contact data is transmitted to operators of such lists.

For technical blockchain plausibility checks, derived Bitcoin addresses, transaction contexts or technical request data may, where necessary, be checked against our own nodes or public blockchain or mempool interfaces. Your xPub data, signatures and signature texts transmitted to us are not thereby published on the blockchain. They are not part of the public Bitcoin ledger. Direct identity and contact data are generally not transmitted to such technical data sources unless this is required for the respective check.

Public market data, in particular BTC/EUR price data, may be used to assess Bitcoin values.

In the event of a claim, we may, as part of manual case-by-case processing before payment of compensation, engage external specialised AML, blockchain analytics or compliance service providers where this is necessary to fulfil legal obligations, conduct sanctions checks, prevent misuse, examine the asserted claim or defend legal claims. Such engagement does not occur as an ongoing automated check in the application process, but only on an event-driven basis in a specific claim.

The legal bases are Article 6(1)(b) GDPR for contract-related checks, Article 6(1)(c) GDPR for legally required compliance checks and Article 6(1)(f) GDPR for misuse prevention, IT security, risk management and legal defence.

13. Necessity of Providing Data

The provision of personal data is partly necessary in order to use our website, communicate with us, receive information, submit an insurance application, conclude an insurance contract or assert benefits under an insurance contract.

For the conclusion and performance of an insurance contract, we require in particular the necessary identity, contact, risk, wallet, evidence, contract and payment data. Without this data, we will generally be unable to review the application, conclude a contract, perform the contract or process a claim.

The provision of voluntary data is marked accordingly or follows from the relevant context. If you do not provide voluntary information, you will not suffer any disadvantages, unless such information is required for the specific service you have requested.

14. Insurers, Insurance Partners and Service Providers in the Contract Process

To carry out the insurance offering, we may transmit personal data to insurers, insurance partners, service providers for contract documents, payment service providers, email service providers, hosting service providers and internal specialist systems.

Recipients may include in particular:

Insurers and risk carriers:
Transmission of contract, risk, customer, payment and claims data insofar as required for offers, contracts, bordereaux, administration, billing or claims handling.

Internal contract and logistics systems:
Management of policies, invoices, contract status, vouchers, email lists and communication processes.

Internal PDF and document services:
Creation of applications, policies, invoices, evidence and internal documents.

Secure email and dispatch systems:
Sending, receiving, encryption, forwarding and archiving of contract-related communication.

Payment service providers:
Payment processing, payment status, amount and invoice information.

Hosting and security service providers:
Operation, protection, availability and logging of technical systems.

Risk carrier and insurer:

Liberty Mutual Insurance Europe SE
5-7 rue Léon Laval
L-3372 Leudelange
Luxembourg
Luxembourg Commercial Register: B232280

In Germany, Liberty Mutual Insurance Europe SE operates through its German branch:

Liberty Mutual Insurance Europe SE
Direktion für Deutschland
Im Klapperhof 7-23
50670 Cologne
Germany
Commercial register of the Local Court of Cologne: HRB 53435

According to the contract documents, the insurance contract is concluded through:

Liberty Specialty Markets Europe S.à r.l.
German Branch
Im Klapperhof 7-23
50670 Cologne
Germany

as underwriting agency with authority to conclude contracts on behalf of the insurer. Liberty Specialty Markets Europe S.à r.l., German Branch, is registered with the commercial register of the Local Court of Cologne under HRB 92327.

Insurers, risk carriers and underwriting agencies may process personal data under their own responsibility under data protection law where they determine the purposes and means of processing themselves. Their own privacy notices apply in addition.

Wallet-related raw data is disclosed only insofar as this is required for technical verification, the contract, legal obligations, misuse prevention or claims handling. Where a hash value, status or derived proof is sufficient for the insurer or other recipients, we preferentially use such reduced data.

15. Payment Processing

If you make a payment, we process payment data to carry out and allocate the payment. Depending on the selected payment method, payment data may be transmitted to the respective payment service provider.

15.1 PayPal

When paying via PayPal, payment data is transmitted to PayPal. The provider for users in the European Economic Area is:

PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal
L-2449 Luxembourg

PayPal also processes data as an independent controller. PayPal’s privacy information applies in addition.

The legal basis is Article 6(1)(b) GDPR. Where PayPal data is processed for accounting, fraud prevention or legal defence, Article 6(1)(c) GDPR and Article 6(1)(f) GDPR may also apply.

15.2 Bitcoin Payment and BTCPay

If you pay with Bitcoin, we process payment and invoice data as well as the payment status. Technical payment allocation is carried out via a BTCPay Server operated by us or through our own Bitcoin payment infrastructure. BTCPay is therefore not an external processor and not a separate recipient of personal data.

Bitcoin transactions are processed on the public blockchain. Publicly visible transaction data may be analysed by third parties and linked with further information. We use payment information to allocate and process the payment, for invoicing, accounting and, where required, legal defence.

The legal basis is Article 6(1)(b) GDPR. Where commercial, tax, insurance or regulatory obligations exist, the legal basis is Article 6(1)(c) GDPR. Where we process payment data for misuse prevention or legal defence, the legal basis is Article 6(1)(f) GDPR.

16. Contract Documents, Invoices and Archiving

We create and store contract documents, invoices, application documents, internal evidence, communication records and comparable documents insofar as this is required for the contract, billing, customer support, legal obligations or legal defence.

Contract, invoice, insurance and claims data are retained in accordance with the commercial, tax, insurance and civil-law requirements applicable to us. Commercial and tax-relevant documents, in particular invoices, booking documents and contract- and billing-relevant correspondence, are generally retained for up to 10 years after the end of the calendar year in which the last relevant processing or booking took place. Shorter or longer statutory periods may apply to certain documents where provided by law.

We store insurance contract and claims data for the term of the contract and thereafter for as long as this is required for evidence, billing, insurance supervision, misuse prevention, legal defence or claims purposes. In the case of open or already settled claims, ongoing proceedings, enforceable titles, downstream misuse or plausibility checks, or comparable legal-claim circumstances, storage for up to 30 years may be required in legally permissible exceptional cases.

In line with the codes of conduct of the German insurance industry, data sets are reviewed at least once a year to determine whether deletion or restriction of processing is possible. Where data is stored only due to statutory retention obligations or for legal defence, we restrict processing where possible.

Technical interim artefacts such as email confirmation data, wallet connection data without contract conclusion, signature challenges, signature/xPub binding HMACs or unassigned wallet-related verification data are deleted within a short period according to the current technical setup, unless they are required for a contract, legal obligations, security purposes or legal claims.

Hash values that describe the insured wallet account or used codes after contract conclusion may become part of the contract documents or contract management and are then subject to the retention periods applicable to contract and insurance data. If no contract is concluded, such temporary hash and verification values are not retained as a long-term data set, unless legal obligations, security purposes or legal claims prevent deletion.

According to the current setup, the following regular periods apply in particular to technical interim artefacts:

Email confirmation data:
approx. 24 hours or deletion after successful contract conclusion.

Wallet connection data without conclusion:
approx. 24 hours.

Signature challenges and signature/xPub binding HMACs:
expiry generally after approx. 24 hours; technical cleanup generally approx. 48 hours after expiry or use.

Unassigned xPub, account or hash verification data without contract reference:
approx. 30 days.

Aborted or cancelled policies without continuation:
approx. 30 days, unless obligations or legitimate interests prevent deletion.

Backups and security copies are stored encrypted on Hetzner infrastructure. Technically, we use Proxmox Backup Server or comparable encrypted backup procedures for this purpose. Revision or archive copies containing contract, invoice, booking, insurance or claims data may be stored for up to 10 years and, in legal-claim cases, exceptionally for up to 30 years. Purely technical rolling system backups without an independent archiving purpose are generally stored for up to 12 months, insofar as this is required for recovery, operational security and misuse investigation.

17. Self-Hosted Web Analytics with Umami

We use a self-hosted Umami installation to statistically analyse the use of our digital offering and to improve the application process technically and substantively. The analysis is carried out without tracking cookies and without storing personal entries such as name, email address, address, date of birth, PIN, xPub or signature.

The following may be collected in particular:

Page and event data:
Page accessed, technical event name or event ID.

This may also include visibility and interaction events for page sections, scroll depth, and clicks on call-to-action elements or embedded media.

Technical context data:
Browser, device type, language, referrer and rough location derivation such as country, region or city.

Rough offer metadata:
Wallet type, country, insured amount category or partner/marketing code, provided no personal free-text information is included.

IP address and user agent on input:
Only for short-term technical session formation or hash generation; no permanent storage as plaintext in the analytics database.

According to the current technical setup, IP address and user agent are not permanently stored in plaintext by Umami, but are hashed for pseudonymous or anonymous session formation. Rough location information may be derived from the IP address and stored as a statistical attribute. Recognition across different websites does not take place. Analytics data is stored on our own infrastructure and is not used for advertising profiles.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in privacy-friendly reach measurement, error detection and improvement of the application process. According to the current technical setup, the regular retention period for analytics data is 12 months.

If the productive configuration should in future use tracking cookies, external analytics providers, session replays or personal event data, we will provide separate information and, where required, obtain consent.

18. Google Search Console (No Google Analytics)

We use Google Search Console to monitor the technical visibility of our website in Google Search, check sitemaps and indexing status, evaluate crawling, security and quality messages, and understand aggregated search performance data.

Google Search Console is not Google Analytics and is not a web tracking service on our website. We do not use Google Analytics scripts, Google Tag Manager containers or Google Search Console cookies on our website for this purpose. According to the current technical setup, visiting our website does not trigger an additional browser request to Google through Google Search Console.

Google may provide us with aggregated or technical information in Search Console, for example aggregated search queries, impressions, clicks, average positions, affected URLs, rough country and device data, indexing status, crawling errors, sitemap status and security or quality messages. This information originates from Google Search, Google crawling and Google's indexing systems, not from a tracking code embedded by us on the website.

Provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Where Google processes data in connection with Google Search, Googlebot, Search Console or a Google account, this is partly done under Google's own responsibility under data protection law. Google's privacy information applies in addition. Through Google Search Console, we do not receive full IP addresses of individual website visitors, personal form contents, contract data or personal wallet data from our application process.

The legal basis for our use of Google Search Console is Article 6(1)(f) GDPR. Our legitimate interest lies in technical monitoring of the public website, troubleshooting, secure and correct indexing, misuse and security monitoring, and improving the visibility of our content without using Google Analytics.

Google may also process data outside the EU or the EEA. According to Google, transfers to the USA are based, among other things, on the EU-U.S. Data Privacy Framework and standard contractual clauses.

19. Embedded YouTube Videos

Our website may embed YouTube videos in enhanced privacy mode via youtube-nocookie.com. According to the current technical setup, videos are loaded only when you actively click the play button or otherwise actively select the video. Before this, a locally provided preview image is used where technically possible.

When you activate a video, a connection to YouTube or Google is established. In this context, in particular your IP address, technical browser data, the page accessed and information about video use may be transmitted to Google.

Provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Google may also transfer data to Google LLC in the USA. According to Google, it bases transfers among other things on the EU-U.S. Data Privacy Framework and standard contractual clauses.

The legal bases for loading the video are your consent pursuant to Article 6(1)(a) GDPR and Section 25(1) TDDDG. You can avoid giving consent for the future by not activating the video or by reloading the page without clicking play again.

20. Appointment Booking and External Links

Our website may contain links to external services, for example appointment booking services, social media profiles or partner websites. When you click an external link, you leave our website. From that point onward, the respective provider processes data under its own responsibility.

For appointment bookings, we use Calendly. Provider:

Calendly LLC
115 E Main St.
Ste A1B
Buford, GA 30518
USA

If you book an appointment via Calendly, in particular your name, email address, appointment details, time zone, technical access data and voluntary messages are processed. Calendly processes data in the USA and, according to its own statements, bases third-country transfers on the EU-U.S. Data Privacy Framework and, where required, standard contractual clauses.

The legal basis is Article 6(1)(b) GDPR where the appointment booking concerns pre-contractual or contractual communication. Otherwise, the legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in simple and reliable appointment organisation.

For external profiles on X/Twitter, LinkedIn, Nostr/Primal or other platforms, the privacy information of the respective provider applies. Merely visiting our website does not result in data being transmitted to these platforms through such links, provided no external content from the platforms is embedded.

21. Claims, KYC and Additional Checks

If you report a claim or assert benefits under an insurance contract, additional data may be processed. This may include in particular:

Claims data:
Date of loss, place of loss, description of the loss event, evidence, photos and documents.

Contract data:
Policy, insured amount, premium, payment history and contract status.

Identity and KYC data:
ID document data or further evidence, where required and legally permissible.

Wallet and transaction data:
Wallet-related evidence, signatures, derived addresses, transaction contexts and verification results.

Communication data:
Email correspondence, support and processing notes.

Processing is carried out to review and handle the claim, perform the contract, prevent misuse and fraud, comply with legal obligations, conduct sanctions and compliance checks and defend legal claims.

Even after a claim has been closed or settled, we may continue to process required contract, claim and wallet-related evidence data in order to perform downstream plausibility and misuse checks, for example where later publicly observable developments may give rise to doubts about an asserted loss or about proper claims settlement.

The legal bases are Article 6(1)(b) GDPR, Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. Our legitimate interest lies in particular in misuse prevention, downstream investigation of possible irregularities, safeguarding the insurance portfolio, fulfilling regulatory and evidence-related requirements, and establishing, exercising or defending legal claims.

Please do not transmit any special categories of personal data within the meaning of Article 9 GDPR unless we expressly request such data or it is strictly necessary for processing in the individual case.

22. Data Sources Where Data Is Not Collected Directly

As a rule, we collect personal data directly from you. In some cases, data may also originate from other sources. These may include in particular:

Wallet app or partner interface:
xPub, address, signature, technical integration data or other wallet-related information if you actively initiate the transmission.

Payment service providers:
Payment status, payment reference, amount, currency and allocation information.

Insurers or insurance partners:
Contract, status, billing and claims data, insofar as required for administration, performance or claims handling.

Public blockchain and compliance data sources:
Transaction contexts, public blockchain information, sanctions, compliance or misuse indicators, insofar as required and legally permissible.

Where Article 14 GDPR applies, we inform you about the processing of data not collected directly from you in accordance with the statutory requirements.

23. Recipients and Processors

We disclose personal data only where this is required, where a legal basis exists or where you have consented. Recipients or categories of recipients include in particular:

Hetzner Online GmbH:
Hosting and server operation.

Cloudflare, Inc.:
Authoritative DNS service; according to the current configuration, no HTTP proxy, CDN, TLS proxy, WAF or bot protection for website access.

Google Ireland Limited / Google Workspace / Gmail:
General business communication and email mailboxes.

Google Ireland Limited / Google Search Console:
Technical monitoring of indexing, crawling, sitemaps, security messages and aggregated search performance; no Google Analytics.

Posteo e.K.:
Confidential customer data transfer and encrypted email communication.

Heinlein Hosting GmbH / mailbox.org:
Confidential customer data transfer and encrypted email communication.

Brevo GmbH:
Technical notifications, alerts and, where applicable, sending processes for requested information.

PayPal (Europe) S.à r.l. et Cie, S.C.A.:
Payment processing for PayPal payments.

Liberty Mutual Insurance Europe SE:
Risk carrier and insurer; insurance offering, contract, bordereau, administration, billing and claims handling.

Liberty Specialty Markets Europe S.à r.l., German Branch:
Underwriting agency with authority to conclude contracts on behalf of the insurer.

State or governmental sanctions lists:
Sanctions and compliance reference data. According to the current setup, no direct identity or contact data is transmitted to operators of such lists.

External AML, blockchain analytics or compliance service providers:
Only in manual case-by-case processing in the event of a claim or comparable event-driven cases, insofar as required for payment, legal obligations, misuse prevention, claim assessment or legal defence.

Google Ireland Limited / YouTube:
Video embedding after active selection.

Calendly LLC:
Appointment booking.

Internal IT, contract, analytics, document and logistics systems:
Operation, contract processing, document creation, secure communication, analytics, internal administration and documentation.

Where required, we conclude data processing agreements with processors pursuant to Article 28 GDPR.

24. Third-Country Transfers

Processing outside the EU or the EEA may occur in particular in connection with Cloudflare as DNS provider, Google Search Console, Google/YouTube, Google Workspace/Gmail, Calendly, PayPal, Brevo subprocessors, technical blockchain or mempool data sources and, in the event of a claim, manually engaged AML, blockchain analytics or compliance service providers.

In the case of Cloudflare, according to the current configuration, this concerns only DNS data and not HTTP content or website access via a Cloudflare proxy.

A third-country transfer takes place only where there is a legal basis for it. In particular, the following may apply:

  • An adequacy decision by the European Commission pursuant to Article 45 GDPR.
  • The EU-U.S. Data Privacy Framework for certified US providers.
  • Standard contractual clauses pursuant to Article 46 GDPR.
  • Additional safeguards, where required.
  • Your consent.
  • A statutory exception pursuant to Article 49 GDPR.

Where providers supply their own privacy information, data processing terms or transfer mechanisms, we refer to that information and maintain the corresponding contractual bases internally.

25. Automated Decisions

In the digital application process, technical plausibility, wallet, payment, misuse and risk checks may be supported automatically.

According to the current setup, no solely automated decision within the meaning of Article 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you without suitable human review being possible.

If solely automated decisions within the meaning of Article 22 GDPR are used in the future, we will separately inform you about the logic involved, the scope and intended effects, and your rights.

26. Storage Period

We store personal data only for as long as this is required for the respective purposes or as long as statutory retention obligations exist. The specific storage period depends on the data category, purpose, legal obligations and possible legal claims.

The following regular periods apply in particular:

Server and API logs:
Generally up to 90 days, longer in the case of security incidents, misuse investigation or legal claims.

Content Security Policy and security reports:
Generally no more than 7 days, earlier if the purpose has been fulfilled, longer only in the case of specific security incidents or legal claims.

Session storage in the application process:
Until the browser tab is closed or until deletion by the browser.

Newsletter, waiting list and product information data:
Until withdrawal or unsubscribe; evidence may be retained until expiry of statutory limitation periods.

Email enquiries:
Until processing has been completed; longer where there is a contractual, evidential, legal or retention-related connection.

Contract, invoice, booking and business documents:
Generally up to 10 years after the end of the relevant calendar year, insofar as legally required or required for documentation.

Insurance and claims data:
For the term of the contract and thereafter in accordance with statutory retention, evidence, misuse-prevention and limitation periods; in exceptional cases up to 30 years.

Technical interim artefacts in the application process:
Depending on the type of data, generally between 24 hours and 30 days, unless contractual, legal, security-related or legal-claim-related reasons prevent deletion.

Analytics data:
According to the current technical setup, 12 months.

Backups and archive copies:
Archive and revision copies generally up to 10 years, in legal-claim cases exceptionally up to 30 years; technical rollback backups generally up to 12 months.

If data is no longer required and no obligations or legitimate interests prevent deletion, we delete or anonymise it.

27. Data Security

We use technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration and disclosure. These include in particular:

  • TLS encryption.
  • Separation of internet and intranet systems.
  • Access restrictions.
  • Role-based permissions.
  • Encryption of confidential communication channels.
  • Reduced data disclosure.
  • Logging of security-relevant events.
  • Secure backup procedures.
  • Regular technical checks.
  • Internal rules for handling wallet-related data.

Our security measures are further developed in accordance with risk, state of the art, implementation effort and the type of data processed.

Please note that email communication over the internet may generally involve security risks. Please send particularly confidential information only via suitable secure communication channels.

28. Your Rights

You have the following rights under the GDPR:

Right of access under Article 15 GDPR:
You may request information about the data processed about you.

Right to rectification under Article 16 GDPR:
You may request the rectification of incorrect or incomplete data.

Right to erasure under Article 17 GDPR:
You may request the deletion of your data, unless statutory obligations or overriding legitimate reasons prevent this.

Right to restriction of processing under Article 18 GDPR:
You may request restriction of processing under the statutory conditions.

Right to data portability under Article 20 GDPR:
You may receive certain data in a structured, commonly used and machine-readable format.

Right to object under Article 21 GDPR:
You may object to processing based on Article 6(1)(e) GDPR or Article 6(1)(f) GDPR. If we process personal data for direct marketing purposes, you may object to this at any time.

Right to withdraw consent under Article 7(3) GDPR:
You may withdraw consent you have given at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.

Right to lodge a complaint under Article 77 GDPR:
You may lodge a complaint with a data protection supervisory authority.

To exercise your rights, you may contact us at service@bitsurance.eu. In order to process your request, we may need to verify your identity in an appropriate manner.

The supervisory authority responsible for us is:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstr. 5
30159 Hanover
Germany
https://lfd.niedersachsen.de

You may also contact any other competent data protection supervisory authority.

29. Changes to This Privacy Policy

We amend this Privacy Policy if our services, technical systems, service providers, processing activities or legal requirements change. The version published on this website at the relevant time applies.

Last updated: 1 May 2026