Privacy Policy
Last updated: 2026-06-06
1. Who we are
This privacy policy applies to www.btc2h.com ("the site"), the home of the book Bitcoin Zero to Hero.
Data controller — BiCatalyst GmbH, Dammstrasse 16, 6300 Zug, Switzerland (Handelsregister: CHE-169.814.326). Contact: privacy@btc2h.com.
For Swiss residents, the supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). For EU/EEA residents, you may contact your national data protection authority — a list is maintained by the European Data Protection Board.
2. Applicable law
We process personal data under:
- The Swiss Federal Act on Data Protection (FADP/DSG), SR 235.1 in force since 1 September 2023 — full text at fedlex.admin.ch.
- The EU General Data Protection Regulation, Regulation (EU) 2016/679 — eur-lex.europa.eu.
- The ePrivacy Directive, Directive 2002/58/EC, as transposed by the national law of each EU member state — eur-lex.europa.eu.
Where the FADP and GDPR diverge, we apply whichever standard is stricter for the data subject.
3. What we collect and why
3.1 Server logs (necessary, legitimate interest)
Every request to www.btc2h.com generates a short-lived log entry containing the request path, HTTP status, response time, and a hashed IP fingerprint. We use it to detect outages and abuse. Logs are retained for 30 days, then deleted.
Legal basis — FADP Art. 31(2)(c) (overriding legitimate interest); GDPR Art. 6(1)(f) (legitimate interest).
3.2 Google Analytics 4 (consent only)
If you accept the analytics category in the cookie banner, we load Google Analytics 4 (GA4). GA4 sets _ga and _ga_<id> cookies that store a randomly-generated client identifier so we can see which chapters readers reach and where they drop off. IP anonymisation is enabled at the GA4 property level. We do not enable Google Signals, demographics, or advertising features. No cross-site profile is built.
Legal basis — FADP Art. 6(6) (explicit consent for personality profiling-adjacent processing); GDPR Art. 6(1)(a) (consent).
Transfer to the United States — GA4 transfers data to Google LLC servers in the US. Google is certified under the EU-US Data Privacy Framework and the Swiss extension. You can withdraw consent at any time from the "Cookie settings" link in the footer.
3.3 Stripe Checkout (only if you order the book)
When you buy a physical copy, the checkout button redirects you to checkout.stripe.com. Stripe processes your name, email, billing address, shipping address, phone number, and card details under its own privacy policy. We receive the order metadata (SKU, shipping address, contact) so we can print and ship the book; we never see your full card number.
Legal basis — FADP Art. 31(2)(a) (contract); GDPR Art. 6(1)(b) (contract performance).
3.4 Ebook download form (only if you request it)
If you submit your email on /download to receive the free PDF/EPUB, we store your email, locale, the file you requested, and a hashed IP. We use this to send the download link and a short follow-up sequence. You can unsubscribe at any time using the link in every email.
Legal basis — GDPR Art. 6(1)(a) (consent); FADP Art. 6(7) (consent for marketing).
4. Cookies
See the separate Cookie Policy for the complete list of cookies, durations, and providers.
5. Your rights
Under both FADP and GDPR you have the right to:
- Access — receive a copy of the personal data we hold about you (FADP Art. 25, GDPR Art. 15).
- Rectification — correct inaccurate data (FADP Art. 32(1), GDPR Art. 16).
- Erasure — request deletion where the legal basis no longer applies (FADP Art. 32(2), GDPR Art. 17).
- Restriction — limit processing while a complaint is under review (GDPR Art. 18).
- Portability — receive your data in a machine-readable format (FADP Art. 28, GDPR Art. 20).
- Object — refuse processing based on legitimate interest (GDPR Art. 21).
- Withdraw consent — at any time, without affecting prior processing (FADP Art. 6(7), GDPR Art. 7(3)).
Send requests to privacy@btc2h.com. We answer within 30 days. Identity verification may be requested where the request is ambiguous, as permitted by GDPR Art. 12(6) and FADP Art. 25(3).
You also have the right to lodge a complaint with the FDPIC (edoeb.admin.ch) or your national EU data protection authority.
6. Data retention
| Data | Retention |
|---|---|
| Server logs | 30 days |
| GA4 analytics events | 14 months (the GA4 minimum we configured) |
| Ebook subscriber email | Until you unsubscribe |
| Stripe order metadata | 10 years (Swiss CO Art. 958f bookkeeping retention) |
7. Recipients and processors
We use the following processors. Each is bound by a data processing agreement under FADP Art. 9 / GDPR Art. 28.
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, CDN | US/EU |
| Google LLC (Google Analytics 4) | Analytics, only if consented | US |
| Stripe Payments Europe Ltd. | Payment processing | Ireland |
We do not sell personal data and do not share it with advertisers.
8. International transfers
Where data leaves Switzerland or the EEA (Vercel, Google, Stripe), we rely on:
- EU-US Data Privacy Framework + the Swiss extension for Google and Vercel.
- Standard Contractual Clauses approved by the European Commission, where the DPF does not apply.
Copies of the safeguards are available on request.
9. Security
We use HTTPS site-wide, hashed IPs in logs, and the principle of least privilege for processor access. Despite our best effort, no system is fully secure — the FADP and GDPR do not impose absolute security, only state-of-the-art measures (FADP Art. 8, GDPR Art. 32).
10. Children
The site is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, write to privacy@btc2h.com and we will delete it.
11. Changes
Material changes are flagged in the consent banner via a revision bump, which re-prompts you to review your cookie choices. Minor wording fixes are reflected in the lastUpdated date at the top of this page.
12. Contact
Questions, complaints, or rights requests — privacy@btc2h.com.
Last updated: 2026-06-06.