Privacy Policy
I. Processor Details
BIBB PowPCo Digital Communities Inh. Martinez Valero (hereinafter “BIBB”, “we” or “us”) is the responsible party for the processing of personal data collected through your use of any of our web pages https://bibb.pro and http://prvn.pro (hereinafter “Web Page”) under applicable data protection law, in particular the Swiss Data Protection Act (DPA) and – if applicable to your personal data – the European General Data Protection Regulation (GDPR).
For any queries regarding your personal data, please contact us at contact_bibb@bibb.pro.
These terms are valid from September 30th 2025.
II. How We Process Your Personal Data
1. Scope
a) Website
We only process your personal data if this is necessary to provide a functional website or to deliver our contents and services. The processing of personal data only takes place on the appropriate legal basis and as permitted by law.
2. Legal Basis for Processing under GDPR
| Legal Basis | When It Applies |
|---|---|
| Art. 6 (1) a GDPR | We have obtained your prior consent for the processing of personal data. |
| Art. 6 (1) b GDPR | Processing is necessary for the performance of a contract to which you are a party or for pre‑contractual steps requested by you. |
| Art. 6 (1) c GDPR | Processing is required to fulfil a legal obligation to which we are subject. |
| Art. 6 (1) d GDPR | Processing is necessary to protect vital interests of you or another natural person. |
| Art. 6 (1) f GDPR | Processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. |
3. Duration of Processing
We store your personal data only for as long as necessary to serve the purpose of the processing and delete or block it as soon as that purpose ceases to apply. Further storage may occur where required by applicable law (e.g., bookkeeping or mandatory archiving). Data will also be blocked or deleted when a legally prescribed retention period expires, unless further storage is needed to conclude or fulfil a contract.
III. Website Access and Logfiles
1. Automated Data Processing
Every time you visit our website, our system automatically collects the following data and information about the computer system you use to access our website:
- Browser information (type and version)
- Operating system
- Your internet service provider
- Your IP address
- Date and time of access
- Websites from which your system reaches our website
- Websites accessed by your system via our website
This data is also stored in the log files of our system and is not stored together with other personal data.
Legal basis (GDPR): Art. 6 (1) f GDPR (legitimate interests).
2. Cookies, Browser Storage, and Related Technologies
We use cookies and other browser storage technologies (such as localStorage) on our site. Cookies are small files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, etc.) when you visit our site. localStorage is a persistent storage area in your browser used to retain data across sessions without an expiry date unless explicitly cleared. Information stored in either mechanism relates to the device used. This does not mean we immediately become aware of your identity.
Purposes of cookies
- Necessary cookies – Essential for website functionality including security, session management, and core features.
- Analytics cookies – Statistically record the use of our website and help optimise it.
- Marketing cookies – Support advertising and retargeting campaigns.
- Preference cookies – Remember your settings and personalise your experience.
Legal basis (GDPR):
- Necessary cookies: Art. 6 (1) f GDPR (legitimate interests) - essential for website operation
- Analytics, Marketing & Preference cookies: Art. 6 (1) a GDPR (consent) - require your explicit consent
Most browsers automatically accept cookies, but you can configure your browser to reject them or to notify you before a cookie is stored. Disabling cookies may limit website functionality.
Third‑party Services
We use the following third-party analytics services, which only activate when you grant explicit consent:
- Google Analytics 4 (Google Ireland Ltd. / Google LLC) - Website traffic analysis and user engagement tracking
- Microsoft Clarity (Microsoft Ireland Ltd. / Microsoft Corp.) - User behavior insights and session recordings
These services may set permanent cookies and analyse your usage of our website. They may combine this information with data from other websites and use it for their own purposes (e.g., advertising optimization). When you deny consent, these services either don’t load at all or operate in cookieless mode with minimal data collection.
For Google’s privacy policy, see https://policies.google.com/; for Microsoft’s privacy policy, see the Microsoft Privacy Statement.
3. Purpose of Processing
Data is stored in log files to ensure website functionality, optimise the site and safeguard our IT systems. Analytics data is only collected and processed when you provide explicit consent via our cookie banner. Data is not evaluated for marketing purposes unless you specifically consent to marketing cookies.
4. Duration of Processing
- Website provision: Data is deleted when the session ends.
- Log files: Deleted after 7 days at the latest unless further storage is necessary; in such cases, IP addresses are deleted or anonymised.
- Consent preferences: Stored for 365 days after which we request renewal.
- Analytics cookies: Automatically expire according to service-specific retention periods (see cookie table in Section III-bis).
5. No Objection
Collecting data for website provision and storing it in log files is strictly necessary for website operation. Consequently, you have no possibility to object.
III‑bis. Cookie Banner & Consent Management
On first visit you will see a banner offering Accept All / Reject All / Customise choices with equal visual prominence. No analytics or marketing scripts load before you grant consent. You can reopen the settings at any time via the “Cookie Settings” link in the footer. Consent expires after 365 days and we will ask again.
| Category | Default | Examples | Retention |
|---|---|---|---|
| Necessary | Always active | bibb-consent-preferences | 365 days |
| Authentication | Set on sign-in | Supabase session token (localStorage), sub_* subscription status cache (localStorage), auth-return-to redirect path (localStorage) | Session token: until sign-out or expiry; subscription cache: 24 hours; redirect path: cleared on use |
| Analytics | Off | Google Analytics 4 (_ga*), Microsoft Clarity (_clck, _clsk) | 14 months |
| Marketing | Off | Google Ads (future) | 90 days |
| Preferences | Off | Theme settings, user interface preferences | 30 days |
The banner implements Google Consent Mode v2; when you refuse Analytics, only aggregate, cookieless pings are sent.
III‑ter. User Accounts and Authentication
1. Account Creation and Sign-in
BIBB Pro offers optional user accounts to access certain features (such as the Power BI Theme Generator JSON export). Accounts are created and authenticated using a magic link sent to your email address. No password is required or stored.
Authentication is provided by Supabase (see Section III‑quater for transfer details). When you sign in, Supabase issues a JSON Web Token (JWT) that is stored in your browser’s localStorage. This token identifies your session and expires automatically.
Legal basis (GDPR): Art. 6 (1) b GDPR (performance of a contract / delivery of a requested service).
2. Data Stored
| Data | Where | Purpose | Retention |
|---|---|---|---|
| Email address | Supabase (Zurich) | Authentication identity | Until account deletion |
| Authentication session (JWT) | Browser localStorage | Maintaining your signed-in state | Until sign-out or token expiry |
| Subscription status cache | Browser localStorage | Avoiding repeated newsletter-list lookups | 24 hours |
3. Newsletter Subscription Cross-reference
When you sign in, your email address is automatically checked against our newsletter subscriber list (managed via Mailjet) to determine your access tier. This check is performed server-side via our API and the result is cached locally for 24 hours. No additional data is retained from this check beyond the cached boolean result.
Legal basis (GDPR): Art. 6 (1) f GDPR (legitimate interest — verifying entitlement to a feature tied to newsletter subscription).
4. Account Deletion
You may request deletion of your account and all associated authentication data at any time by contacting contact_bibb@bibb.pro. Upon deletion, your email address and session records are removed from Supabase. Locally cached data in your browser can be cleared via your browser’s storage settings.
III‑quinquies. Newsletter Subscription Data
1. Data Collected at Signup
When you subscribe to the BIBB newsletter, the following data is collected via the subscription form hosted by Mailjet:
| Data | Purpose | Required |
|---|---|---|
| Email address | Newsletter delivery and account authentication | Yes |
| Industry | Sending relevant, industry-specific content | Yes |
| Role | Tailoring content to your professional context | Yes |
2. Purpose and Legal Basis
Subscriber profile data is used exclusively to personalise the newsletter content you receive and to segment our mailing list so that communications are relevant to your professional context.
Legal basis (GDPR): Art. 6 (1) a GDPR (consent) — you freely choose to subscribe and may unsubscribe at any time.
3. Retention
Your subscriber data is retained in Mailjet for as long as your subscription is active. Upon unsubscribing, your data is deleted from active lists within 30 days. You may also request full deletion by contacting contact_bibb@bibb.pro.
4. No Automated Decision-Making
Industry and role data is used only for manual segmentation (e.g., sending a finance-focused article to finance subscribers). No automated decisions are made based on this data.
III‑quater. International Transfers & AI Disclosure
| Recipient | Location | Safeguard |
|---|---|---|
| Google Ireland Ltd. / Google LLC | EU / USA | Standard Contractual Clauses 2021/914 + Swiss annex; IP‑truncation enabled |
| Microsoft Ireland Ltd. / Microsoft Corp. | EU / USA | SCCs + Swiss annex; sensitive fields masked |
| Azure Switzerland North (OpenAI) | Switzerland | No cross‑border transfer; 30‑day retention |
| MailJet SAS | EU / USA | SCCs + Swiss annex; subscriber profile data (email, industry, role) stored for content personalisation; unsubscribe any time |
| Supabase Inc. | Switzerland (data hosted in Zurich) / USA (corporate) | SCCs + Swiss annex; authentication data only; no data shared with third parties |
AI palette suggestions are clearly labelled “Generated by AI”. A summary of copyright‑relevant training data is available on request.
IV. Your Rights
Under applicable data‑protection laws, you have the following rights:
1. Right of Information
You may request confirmation of whether we process personal data concerning you. If so, you may obtain information about:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients of the personal data
- The planned duration of storage or the criteria used to determine that duration
- The existence of rights to rectification, deletion, restriction of processing or objection
- The right to lodge a complaint with a supervisory authority
- The source of the data (if not collected from you)
- The existence of automated decision‑making, including profiling (Art. 22 GDPR)
- Transfers to third countries or international organisations and the appropriate safeguards in place
2. Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete data completed without delay.
3. Right of Restriction
You may request restriction of processing if:
- You contest the accuracy of the data (for a period enabling verification);
- Processing is unlawful and you oppose deletion;
- We no longer need the data for processing purposes, but you need it for legal claims; or
- You objected under Art. 21 (1) GDPR and verification is pending.
4. Right to Deletion (“Right to be Forgotten”)
a) Obligation to Delete
We must delete your personal data without undue delay if:
- It is no longer necessary for the purposes collected.
- You withdraw consent (Art. 6 (1) a or Art. 9 (2) a GDPR) and no other legal basis exists.
- You object under Art. 21 (1) GDPR and no overriding legitimate grounds exist, or you object under Art. 21 (2) GDPR.
- The data was processed unlawfully.
- Deletion is required by legal obligation.
- The data was collected in relation to information‑society services per Art. 8 (1) GDPR.
If we have made the data public, we will take reasonable steps (including technical measures) to inform other controllers processing the data that you requested deletion of links, copies or replications.
b) Exceptions
The right to deletion does not apply where processing is necessary:
- To exercise freedom of expression and information;
- To comply with a legal obligation or perform a task in the public interest/exercise of official authority;
- For public‑interest reasons in public health (Art. 9 (2) h, i and 9 (3) GDPR);
- For archiving in the public interest, scientific/historical research or statistical purposes (Art. 89 (1) GDPR) where deletion would seriously impair those objectives; or
- To assert, exercise or defend legal claims.
5. Right to Notification
If you exercise rights to rectification, deletion or restriction, we will notify each recipient of your personal data unless impossible or involving disproportionate effort.
6. Data Portability
You have the right to receive personal data you provided to us in a structured, commonly used and machine‑readable format and to transmit it to another controller where processing is based on consent (Art. 6 (1) a GDPR / Art. 9 (2) a GDPR) or contract (Art. 6 (1) b GDPR) and carried out by automated means. Where technically feasible, you may request direct transmission.
7. Right to Objection
You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6 (1) e or f GDPR (including profiling). We shall cease processing unless we demonstrate compelling legitimate grounds overriding your interests or for legal claims.
Where personal data is processed for direct marketing, you may object at any time, including to profiling related to such marketing; we will then no longer process data for that purpose.
8. Right to Withdraw Consent
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
9. Right of Appeal to a Supervisory Authority
Without prejudice to other remedies, you may lodge a complaint with a supervisory authority if you believe processing of your personal data contravenes applicable law.
V. Change Log
This section tracks major changes to this Privacy Policy to help users understand what has been updated over time.
Version 2.1 - Valid from April 12th 2026
– Added Section III‑ter on User Accounts and Authentication, covering magic-link sign-in via Supabase, data stored, newsletter cross-reference disclosure, and account deletion rights. Added Authentication row to the browser storage table in Section III‑bis. Added Supabase Inc. to the international transfers table in Section III‑quater (formerly III‑ter). Expanded cookie/storage section heading to cover localStorage explicitly.
– Added Section III‑quinquies on Newsletter Subscription Data, covering industry and role fields collected at signup, their purpose (content personalisation), legal basis (consent), and retention. Updated Mailjet row in the international transfers table to reflect subscriber profile data.
Version 2.0 - Valid from September 30th 2025
– Added Sections III‑bis and III‑ter, granular cookie table, 365‑day consent renewal, international transfer disclosures and AI transparency note. No other substantive changes.
Version 1.0 - Valid until September 30th, 2025
– Initial Terms of Service