Last Updated: October 30, 2025
At TimeBank HSLU (the “Platform” or “we/us/our”), we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and protect personal data in accordance with the Swiss Federal Act on Data Protection (FADP/DSG, revised as of September 1, 2023) and its implementing ordinances. As a student project developed by students in the International Project Management course at Lucerne University of Applied Sciences and Arts (HSLU), we process data in a transparent and secure manner.
This Policy applies to all users of our website (www.timebank-hslu.com), including visitors, registered users, and participants in our peer-to-peer credit exchange system. If you do not agree with this Policy, please do not use our Platform.
1. Who We Are and Our Contact Details
- Responsible Entity: TimeBank HSLU, a group project by students of the International Project Management course, Lucerne University of Applied Sciences and Arts (HSLU), Technikumstrasse 21, 6048 Horw, Switzerland.
- Contact: For data protection inquiries, please email [timebank@hslu.ch] or use our contact form at /contact.
- Data Protection Officer: As a small student project, we do not appoint a separate Data Protection Officer (DPO). The project team acts as the responsible party under Art. 19 FADP.
We process personal data as the data controller. If we use third-party services (e.g., WordPress hosting), we ensure they comply with Swiss data protection standards.
2. What Personal Data We Collect
We collect only the personal data necessary for the Platform’s operation. This includes:
- Registration and Profile Data: Name, email address, HSLU student ID (for verification), username, password (hashed), skills offered, and profile photo (optional).
- Usage Data: IP address, browser type, device information, and timestamps of logins/sessions (for security and analytics).
- Transaction Data: Help requests, credits earned/spent, chat messages, and session bookings (including timestamps and user IDs).
- Comments and Communications: Messages in chats or forms, including email correspondence.
- Cookies and Tracking: Essential cookies for functionality (e.g., session management). We do not use non-essential cookies or tracking tools without consent.
We do not collect sensitive personal data (e.g., health, religious beliefs) unless voluntarily provided in profiles (which we discourage).
3. How We Collect Personal Data
- Directly from You: When you register, create a profile, submit help requests, book sessions, or send messages.
- Automatically: Via server logs (e.g., IP addresses) and cookies for site functionality.
- From Third Parties: HSLU verification (if integrated) or WordPress plugins (e.g., Forminator for forms). We obtain your consent where required.
4. Purposes and Legal Basis for Processing
We process personal data for specific, legitimate purposes under Art. 6 FADP (principles of lawfulness, fairness, and transparency):
- Platform Functionality: To enable registration, profiles, help exchanges, and credit tracking (legal basis: necessity for contract performance, Art. 6 para. 1 lit. b FADP).
- Communication: For chats, notifications, and support (legal basis: legitimate interest in smooth operation, Art. 6 para. 1 lit. f FADP).
- Security and Fraud Prevention: To detect abuse and ensure fair use (legal basis: legitimate interest, Art. 6 para. 1 lit. f FADP).
- Analytics: Anonymized usage statistics to improve the Platform (legal basis: legitimate interest, Art. 6 para. 1 lit. f FADP; no individual profiling).
- Legal Compliance: To respond to authorities or enforce terms (legal basis: legal obligation, Art. 6 para. 1 lit. c FADP).
We apply “privacy by design” and “privacy by default” (Art. 4 para. 2 FADP), minimizing data collection and ensuring secure defaults.
5. Sharing and Disclosure of Personal Data
We do not sell or rent personal data. Sharing occurs only as necessary:
- Within the Platform: Anonymized transaction data (e.g., credits) is visible to other users for matching help requests.
- Third-Party Services:
  - WordPress.com (hosting): Data is processed in the EU/USA under standard contractual clauses compliant with FADP.
  - Forminator (forms): Data stored on our servers; no external sharing.
  - HSLU (verification): Limited student ID data for eligibility checks.
- Legal Requirements: If required by law (e.g., court order) or to protect rights (e.g., abuse reports).
All recipients are bound by FADP-equivalent protections. No automated decision-making (Art. 10 FADP) occurs.
6. International Data Transfers
Data is primarily stored in Switzerland (HSLU servers) or the EU (WordPress). Transfers outside these locations (e.g., to the USA) use safeguards such as standard data protection clauses (Art. 16 FADP) to ensure equivalent protection.
7. Data Storage and Security
- Retention Period: Data is kept as long as needed for the purpose (e.g., profiles until account deletion; transactions for 5 years for auditing). Inactive accounts are deleted after 2 years.
- Security Measures: We use encryption (HTTPS, hashed passwords), access controls, and regular audits (Art. 8 FADP). As a student project, we follow HSLU’s IT security guidelines.
8. Your Rights Under the FADP
You have the following rights (Art. 25 FADP). Contact us to exercise them (response within 30 days):
- Access: Request confirmation and details of your data.
- Rectification: Correct inaccurate data.
- Erasure (“Right to be Forgotten”): Delete data when no longer needed (except legal retention).
- Restriction: Limit processing in disputes.
- Portability: Receive your data in a structured format.
- Objection: Oppose processing based on legitimate interests.
- Withdraw Consent: If processing relies on consent (though most is necessity-based).
We do not charge for these requests unless manifestly unfounded. Complaints can be filed with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
9. Children’s Privacy
Our Platform is for HSLU students (age 18+). We do not knowingly collect data from children under 16 without parental consent (Art. 10 FADP).
10. Changes to This Policy
We may update this Policy to reflect legal changes or Platform updates. Changes will be posted here with the “Last Updated” date. Continued use constitutes acceptance.
11. Contact Us
For questions, contact [notify@timebank-hslu.com]. This Policy complies with FADP as of October 30, 2025. For legal advice, consult a qualified attorney.
