BwendiLocation Intelligence

Legal

Privacy Policy

BWENDI is a read-only spatial intelligence API. We do not store, process, or profile end-user personal data on behalf of our Developer customers. This policy explains what data we do collect, why we collect it, how long we keep it, and the rights you hold under Swiss data protection law (nDSG) and the EU General Data Protection Regulation (GDPR).

Effective Date: March 2026 · Controller: OSIH, operating as Bwendi, 89 Kappelenstrass, 3472 Wynigen, Bern, Switzerland

Identity

Who We Are

BWENDI ("BWENDI", "we", "us", "our") is a brand operated by OSIH, registered in the Canton of Bern, Switzerland under company ID CHE-249.165.749. We provide a location context API that returns economic and spatial intelligence for geographic coordinates. Our service is business-to-business (B2B): our direct customers are software developers, enterprises, and data teams ("Developers") who integrate BWENDI into their own products.

For data protection purposes, BWENDI is the data controller for information collected through our Developer Portal, website, and billing systems. Developers are independently responsible as controllers for any personal data belonging to their own end-users that they choose to transmit to the BWENDI API (we strongly advise against transmitting personally identifiable information as part of API coordinates).

Data protection enquiries: team@bwendi.com

Collection

Data We Collect & Why

AccountEmail address, optional account name, company name, countryDeveloper Portal authentication, account access, invoicing, supportContract

BillingPayment method (tokenised), billing address, VAT numberCredit charging, invoicing, fraud preventionContract / Legal obligation

API LogsAPI key identifier, request timestamp, endpoint path, response status, credit cost, originating IP prefix (/24)Credit metering, abuse detection, platform security, SLA monitoringLegitimate interest / Contract

WebsiteStrictly necessary session cookies, language preference in localStorage, basic request metadata needed to serve pages securelySession continuity, language selection, abuse prevention, and secure delivery of the siteLegitimate interest

SupportEmail thread content, attachments you voluntarily submitResolving technical and billing issuesContract / Consent

BWENDI never requests or requires personal data about your end-users. For website and portal access, we only collect the information required to operate the service, such as your email address, essential account metadata, strictly necessary session tokens, and a local language preference stored in your browser. Coordinates submitted to the API are processed transiently to generate a spatial context response and are not stored beyond the immediate request-response cycle.

Processing

How We Use Your Data

Providing and operating the BWENDI API, Developer Portal, and associated tooling.
Metering credit consumption and generating accurate invoices.
Sending transactional communications: key issuance, usage threshold alerts, invoice receipts, and policy change notifications.
Detecting and preventing abuse, scraping, API key sharing, and other violations of our Acceptable Use Policy.
Improving platform reliability, latency, and spatial data quality through aggregated, anonymised usage metrics.
Responding to support requests and fulfilling our contractual obligations.
Complying with applicable Swiss, EU, and international legal obligations.

We do not use your data for advertising, sell it to third-party data brokers, or build marketing profiles. We do not use API request payloads — including coordinate data — for any purpose beyond serving your immediate response and the security audit trail described above.

Retention

How Long We Keep It

90 days

API request logs

Rolling 90-day window for abuse detection and SLA verification. Automatically purged thereafter.

7 years

Billing & invoicing records

Swiss commercial and tax law (OR Art. 958f) requires retention of financial records for 10 years. We apply a conservative 7-year minimum.

Life of account + 30 days

Account & profile data

Retained while your account is active. Upon account deletion, profile data is purged within 30 days. Billing records are retained as noted above.

3 years

Support correspondence

Retained for 3 years from ticket closure to enable continuity of technical support and dispute resolution.

Sharing

Who We Share Data With

We do not sell data. We share limited data only with the following categories of sub-processors, each bound by data processing agreements:

Payment processors — Stripe, Inc. (USA) for card and bank-transfer payments; PawaPay Ltd (UK) for mobile money payments across emerging markets (M-Pesa, MTN MoMo, Airtel Money, Orange Money, and others). Both operate under PCI-DSS. BWENDI never stores raw card or wallet credentials.
Cloud infrastructure — Cloudflare, Inc. (USA). Operates the global edge network and Workers runtime that serves the BWENDI API. Cloudflare processes request metadata under a DPA and EU Standard Contractual Clauses.
Authentication — Cloudflare, Inc. (USA). Developer Portal access control and API key authentication are handled by Cloudflare Access / Zero Trust, operating on the same edge network and under the same DPA and EU Standard Contractual Clauses as our infrastructure layer.
Email delivery — Transactional email provider for invoice and alert delivery. Your email address is transmitted solely for delivery purposes.

BWENDI may disclose data to competent authorities or courts where required by applicable Swiss or EU law, or where necessary to protect the safety and security of the platform.

Transfers

International Data Transfers

BWENDI is headquartered in Switzerland. Switzerland has been recognised by the European Commission as providing an adequate level of data protection. Where we transfer personal data to sub-processors in the United States or other third countries, we rely on:

EU Standard Contractual Clauses (SCCs, 2021 Commission Decision) for transfers to EU sub-processors operating US infrastructure.
The Swiss–US Data Privacy Framework (where applicable) for US-based processors that have self-certified.
Binding contractual safeguards and technical measures (encryption in transit and at rest) for all international transfers.

A current list of sub-processors and their data transfer mechanisms is available on request at team@bwendi.com.

Your Rights

Rights Under nDSG & GDPR

Depending on your jurisdiction, you may hold the following rights with respect to your personal data. We will respond to verified requests within 30 days.

↗

Access

Obtain a copy of the personal data we hold about you.

✎

Rectification

Correct inaccurate or incomplete personal data.

Erasure

Request deletion of your data where no overriding retention obligation applies.

⊘

Restriction

Ask us to limit processing in specific circumstances, e.g. while a dispute is resolved.

⇄

Portability

Receive your data in a structured, machine-readable format for transfer to another controller.

✗

Object

Object to processing based on legitimate interest, including profiling.

To exercise any of these rights, email team@bwendi.com with the subject line "Data Subject Request". We may ask you to verify your identity before processing the request. If you believe we have not addressed your concern, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.

Cookies & Local Storage

The BWENDI website uses a minimal, privacy-first approach to browser storage. We do not use marketing, profiling, or analytics cookies. Only the following storage is used to operate the site and sign-in flow:

Session cookie (strictly necessary) — A short-lived session token issued during Developer Portal authentication. Expires when you close your browser or after 24 hours of inactivity. No consent required.
Language preference (localStorage) — A single key (bwendi:site-lang:v1) storing your selected display language. Contains no personal data. Stored locally and never transmitted to BWENDI servers.
No third-party advertising, analytics, or tracking cookies. We do not deploy Google Analytics, Meta Pixel, behavioural advertising tags, or similar third-party tracking SDKs on this website.

Security

Security Measures

BWENDI implements technical and organisational measures proportionate to the sensitivity of data processed:

All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256.
API keys are hashed and never stored in plaintext. Access to production systems requires hardware-based multi-factor authentication.
Internal access to production data is role-restricted, logged, and reviewed quarterly.
Security incidents affecting personal data will be reported to the FDPIC and affected Developers within 72 hours of discovery, in accordance with nDSG Article 24 and GDPR Article 33.
Penetration tests are conducted annually by independent third-party auditors.

Governance

Policy Updates & Contact

We may update this Privacy Policy periodically to reflect changes in law, technology, or our practices. Material changes will be communicated to registered account holders by email at least 14 days before taking effect. The "Effective Date" at the top of this page will be updated accordingly.

This policy is governed by Swiss law (nDSG / revFADP) and, where applicable to EU data subjects, by the GDPR. Nothing in this policy limits rights granted to you by mandatory provisions of your local law.