Online privacy statement
Effective On: 2019-05-01

Introduction and Scope

Your privacy is very important to us at Bitta Group Inc. (“BGI,” “we,” “us,” “our”). Accordingly, BGI has developed this Privacy Policy (this “Policy”) for you to understand how we collect, use, communicate, disclose and make use of personal data through the Phoenix Connect and Phoenix Time and Expense web applications and the Phoenix Time and Expense mobile application (collectively, the “Apps”). This Policy does not apply to personal data we collect by other means, such as personal data that we receive directly through BGI’s own publicly accessible website.

For more details on our overall data protection efforts, including with respect to the European Union’s General Data Protection Regulation (the “GDPR”), see the section below titled “BGI’s GDPR Compliance Efforts and You”.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

With respect to personal data processed within the scope of this Policy, BGI complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”) as adopted and set forth by the U.S. Department of Commerce regarding the processing of personal data transferred from the European Union, the European Economic Area, the United Kingdom, and Switzerland to the United States or otherwise received in reliance on the Privacy Shield. BGI commits to adhere to and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

To learn more about the Privacy Shield, and to view BGI’s certification, please visit and, respectively.

Regulatory Oversight

BGI is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

VeraSafe Privacy Program

BGI is a member of the VeraSafe Privacy Program, meaning that with respect to personal data processed within the scope of this Policy, VeraSafe has assessed BGI’s data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.

Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through BGI’s internal processes, BGI has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here:

Binding Arbitration

If your dispute or complaint can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.

Categories of Personal Data

We may process the following types of personal data:

  • biographical information, such as first and last name;
  • company name and personnel number;
  • contact information, such as email address and postal addresses; and
  • device information, such as IP addresses.

Collection or Storage of Other Data

We may collect information about your computer hardware and software such as your browser type, domain names, use and access times, and referring website addresses, if applicable, for purposes of operating and maintaining the quality of our service.

Data Subject Rights

BGI acknowledges the right of EU and Swiss individuals to access their personal data pursuant to the Privacy Shield and will grant individuals reasonable access to personal information it received pursuant to these Principles. In addition, BGI will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or incomplete. An individual may request to access his or her information, or otherwise correct, amend, or delete his or her information pursuant to the EU-U.S. and Swiss-U.S. Privacy Shield Principles by contacting us using the information listed in the “Contact Us” section of this Policy.

Use of Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies for session management. If you would prefer not to accept cookies, you can alter the configuration of your browser to reject all cookies or some cookies. Note that if you reject certain cookies, you may not be able to access all of our Apps’ features. For more information, please visit

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit Please note that our services do not have the capability to respond to “Do Not Track” signals received from web browsers.


Within the scope of this Policy, BGI acts as an agent, also known as a data processor, for the personal data we process. This means that our clients determine the types of personal data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose personal data we receive from our customers.

Basis of Processing

Within the scope of this Policy, we process your personal data based on the documented instructions of our clients, acting as data controllers.

Purposes of Processing

We may process your personal data for the purposes of:

  • enabling the use of our Apps, which provide time and expense tracking and contractor onboarding tools;
  • responding to your requests or questions; and
  • sending you email marketing communications about our business which we think may interest you.

In order to utilize our software and enable its use, we need to collect and store personal data in order to record time and expenses for our clients.

How Long Does BGI Retain Personal Data?

We retain personal data for as long as instructed by the applicable client. We delete the personal data submitted to us within six months of the end of our service agreement with the client, unless applicable laws require otherwise.

How Does BGI Receive Personal Data?

We may receive your personal data when you provide it directly to us when using our systems or when our clients provide it to us.

Sharing Personal Data with Third Parties

We share personal data with our service provider, Amazon Web Services (“AWS”), which provides cloud hosting services. We require that AWS maintains at least the same level of confidentiality that we maintain for personal data.

BGI remains liable for the protection of your personal data that we transfer to AWS, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.

Other Disclosure of Your Personal Data

We may disclose your personal data (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change, or (iii) to our subsidiaries or affiliates only if necessary for business and operational purposes as described in the section above.

If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental agencies or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data.

Our website may contain links to other websites; however, BGI will not share your personal data with any linked website. Please note that BGI is not responsible for the privacy policy and practices of any linked website. We encourage you to learn more about the privacy policies of those websites.

We use and may transfer, sell, and share aggregated, anonymous data for any legal business purpose, such as analyzing usage trends and seeking compatible business opportunities. Such data does not include any personal data.

Data Integrity and Security

BGI has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect personal data against loss or theft as well as unauthorized access, disclosure, copying, use or modification.

Access and Review

If we have received your personal data in reliance on the Privacy Shield, you may also have the right to request access to your personal data, opt out of having your personal data shared with third parties and to revoke your consent to our sharing your personal data with third parties. You may also have the right to opt out if your personal data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.

Requests should be sent directly to the client that provided your personal data to us. BGI has limited rights to access personal data our clients submit to us. Therefore, if you contact us with such a request, please provide the name of our client that submitted your personal data to us (generally, the client for which you are a contractor). We will forward your request to that client and will provide any needed assistance as they respond to your request.

Changes to this Privacy Policy

If we make any material change to this Policy, we will post the revised Policy to this webpage and update the “Effective” date above to reflect the date on which the new Policy became effective.

Contact Us

If you have any questions about this Policy or our processing of your personal data, please write to our data protection officer by email or by postal mail as follows. Please allow up to four weeks for us to reply.

Bitta Group Incorporated
Attention: Data Protection Officer
7251 Crest Lane
Indianapolis, IN 46256, USA
+1 317 455 5244

In addition to us, you may also contact VeraSafe, our outside data privacy consultant that serves as our EU Representative on data protection matters pursuant to Article 27 of the GDPR. To contact VeraSafe, please use this contact form:

Alternatively, VeraSafe can be contacted at:

VeraSafe Czech Republic s.r.o
Klimentská 46
Prague 1, 11002
Czech Republic

BGI’s GDPR Compliance Efforts and You

At BGI, we are well aware of the new data protection requirements brought about by the GDPR, which took effect on May 25, 2018. We’re proud to announce that BGI’s services are fully compatible with its GDPR obligations.

Let’s talk a little bit about the GDPR and what to expect from us.

What Is the GDPR?

The GDPR is a European Union (“EU”) regulation intended to harmonize, update, and strengthen data protection laws in the EU. It’s a comprehensive privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU and the European Economic Area. The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” What constitutes personal data is interpreted broadly by regulators. Name, home address, email address, and identification card number are obvious examples of personal data, but the term can also include geolocation data, IP address, cookie ID and device identifiers, among many other types of data.

Although promulgated by the EU, the GDPR has global impact. Practically speaking, nearly every organization that collects or processes the personal data of EU residents or monitors their behavioral activity online is now required to comply with the GDPR, whether or not such companies have any physical or legal presence in the EU.

How Is BGI Complying with the GDPR?

As the initial step in our GDPR compliance initiative, we mapped our information systems to create a dashboard view of our IT systems, our data, and our data flows, with an emphasis on privacy impacts. We’re taking steps to ensure that our information systems and processes allow us to adequately and efficiently respond to individuals exercising their data privacy rights, and that these systems and processes allow us to demonstrate compliance with the new regulation. We’ve also implemented technical and organizational security measures to protect personal data that we process.

We have finalized a data processing addendum (“DPA”) for our clients in order to meet the data processing and transfer requirements of the GDPR. The DPA adds GDPR-related privacy and security provisions into our service contract with our clients and helps ensure that personal data is processed in BGI’s systems in a way that fully respects the requirements of the GDPR.

Furthermore, as mentioned above under the heading “Contact Us”, we have appointed an outside data privacy consultant, VeraSafe, to act as our EU Representative on data protection matters pursuant to Article 27 of the GDPR and appointed an internal data protection officer pursuant to Article 37 of the GDPR.

As discussed above under the heading “VeraSafe Privacy Program”, we have joined VeraSafe’s Privacy Program. VeraSafe has assessed BGI’s data governance and data security for compliance under its Certification Criteria, which require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.

Finally, as discussed above under the heading “EU-U.S. and Swiss-U.S. Privacy Shield Frameworks”, BGI has become Privacy Shield certified, having certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles, thereby allowing BGI to receive GDPR-regulated personal data in compliance with the GDPR.