Cookies Policy

Preamble

This cookies policy (the “Cookies Policy”) describes the cookies and other trackers placed or read by Bedrock Financial Bank (BFB) when you browse the website www.bfb.bi and, where applicable, its mobile applications or online banking interfaces. It supplements, and does not replace, the Privacy Policy v3.0 (JAN26), to which it refers for any matter relating to the processing of personal data.

The Bank has chosen a unified approach: in accordance with the principle set out in section 2 of the Privacy Policy, it applies to all visitors of its websites and applications, regardless of their jurisdiction of residence, the strictest standard of protection — that resulting from European Directive 2002/58/EC (“ePrivacy”), as interpreted by the guidelines of the European Data Protection Board (EDPB), the GDPR and the recommendations of EU supervisory authorities.

1. Definitions

For the purposes of this Cookies Policy, the following terms are defined as follows:

Cookie: small text file placed on the user’s device (computer, tablet, smartphone) when browsing a website, allowing information to be recorded or read on subsequent visits.
Tracker: any technology allowing the writing, storage or reading of information on a user’s device, whether cookies in the strict sense, invisible pixels, identifiers stored in the browser’s local storage, digital fingerprinting or any equivalent device.
Session cookie: cookie automatically deleted when the browser is closed.
Persistent cookie: cookie retained on the user’s device until its lifespan expires or it is manually deleted.
Third-party cookie: cookie placed by a domain different from that of the website visited, generally a partner or service provider of the Bank.

2. Applicable legal framework

This Cookies Policy is governed by the following texts, the unified application of which reflects the Bank’s choice to align its practice with the strictest standard:

Directive 2002/58/EC of July 12, 2002 (“ePrivacy”), as amended, and its national transpositions in EU Member States;
Regulation (EU) 2016/679 of April 27, 2016 (GDPR), in particular Articles 4, 6, 7 and 13;
EDPB Guidelines 03/2022 on deceptive design patterns, and the guidelines applicable to consent (Guidelines 05/2020);
Resolutions and recommendations of national supervisory authorities (in particular CNIL, APD, Garante, AEPD) on cookies;
Beyond the European Union: the strictest requirements identified in the jurisdictions where BFB operates (UK GDPR / PECR; Swiss nFADP; Singapore PDPA; Brazilian LGPD; CCPA / CPRA for California). Where local requirements exceed the European standard, the provision most favourable to the user prevails.

This Cookies Policy is a continuation of section 11 of the Privacy Policy v3.0 (JAN26), to which it provides the necessary technical details.

3. Principles applied by BFB

The Bank applies the following principles to all visitors of its websites and applications:

No non-strictly-necessary cookie is placed before obtaining the user’s prior, free, specific, informed and unambiguous consent.
Refusal is as easy to express as acceptance: the “Accept all” and “Reject all” buttons appear on the same visual level, without graphic hierarchy intended to influence the choice.
Consent is granular: the user can accept certain categories of cookies and reject others.
Continued browsing, scrolling or closing the banner does not amount to consent.
Withdrawal of consent is as simple as giving it and is permanently accessible from a preferences management panel.
No essential service of the website is conditional on accepting non-strictly-necessary cookies.

4. Types of cookies used

BFB uses several categories of cookies, the characteristics and legal regime of which differ.

4.1. Strictly necessary cookies

These cookies are essential to the operation and security of the website. Without them, certain core functionalities could not be provided (authentication to your client area, securing the banking session, fraud prevention, server load balancing, retention of form-filling steps). In accordance with the ePrivacy Directive, these cookies do not require your prior consent. They are placed on the basis of the Bank’s legitimate interest and the performance of the contract.

4.2. Exempted audience measurement cookies

Certain audience measurement cookies may, under strict conditions defined by European supervisory authorities, be exempted from consent (audience measurement strictly limited to BFB, IP address anonymisation, no cross-referencing with other processing, no transmission to third parties, limited retention period). They are then placed on the basis of the Bank’s legitimate interest in measuring the audience of its website.

4.3. Non-exempted audience measurement cookies

Where the conditions for exemption are not met (for example, where audience measurement involves a third-party provider or cross-referencing of data), analytics cookies are placed only with your prior consent.

4.4. Personalisation cookies

These cookies allow the content, display or functionalities of the website to be adapted to your preferences (language, currency, theme). They are placed with your prior consent, except where personalisation results from an explicit action on your part (e.g. manual language selection) and is strictly limited to that purpose.

4.5. Marketing and targeted advertising cookies

These cookies allow BFB and its partners to analyse your interests and to deliver personalised content or advertising to you on the BFB website or on third-party websites. They are placed exclusively with your prior consent.

4.6. Third-party cookies (social networks, partners)

Where the website integrates functionalities provided by third parties (social media share buttons, videos hosted on external platforms, chat services, etc.), these third parties may place their own cookies on your device. The Bank does not have access to the data thus collected by these third parties, which act as independent controllers. These cookies are placed with your prior consent, and the details of their operation are governed by the privacy policies of the relevant third parties.

5. Detailed list of cookies used

The list below sets out the main categories of cookies placed by BFB and its partners. Items marked as pending IT audit are to be validated, completed or replaced by BFB’s IT and compliance teams following the technical audit of the website. This audit is carried out prior to publication and the list is updated whenever a significant change occurs.

5.1. Strictly necessary cookies

Cookie name	Issuer	Purpose	Lifespan
bfb_session	BFB (first-party)	Maintaining the user session on the client area	Session
bfb_csrf	BFB (first-party)	Protection against cross-site request forgery (CSRF) attacks	Session
bfb_auth	BFB (first-party)	Strong authentication and maintenance of the secure context	30 minutes
bfb_lb	BFB (first-party)	Load balancing across servers	Session
bfb_consent	BFB (first-party)	Storing the choices you have made via the cookies banner	6 months
bfb_lang	BFB (first-party)	Storing the display language chosen by the user	12 months
bfb_fraud	BFB (first-party)	Detection of fraudulent behaviour and securing of transactions	6 months

Legal basis: legitimate interest of the Bank and performance of the contract. No consent required.

5.2. Audience measurement cookies

Cookie name	Issuer	Purpose	Lifespan
_audit_analytics	To be specified after audit (first or third party depending on retained provider)	Measurement of website traffic, pages viewed and visit duration	13 months maximum
_audit_perf	To be specified after audit	Measurement of website technical performance (loading times, errors)	13 months maximum

Legal basis: depending on the configuration retained, legitimate interest (exempted cookies) or prior consent (non-exempted cookies). The distinction will be specified in the cookies banner.

5.3. Marketing and personalisation cookies

Cookie name	Issuer	Purpose	Lifespan
_audit_marketing	To be specified after audit (advertising networks, partners)	Delivery of personalised content and advertising on the website and on third-party sites	13 months maximum
_audit_perso	To be specified after audit	Adaptation of the user experience to expressed preferences	6 months

Legal basis: prior explicit consent.

5.4. Third-party cookies

Category	Issuer	Purpose	Lifespan
Social networks	To be specified after audit (LinkedIn, X, etc.)	Sharing content to social networks and engagement measurement	Variable depending on provider
Embedded videos	To be specified after audit (YouTube, Vimeo, etc.)	Playback of videos hosted by third parties	Variable depending on provider

Legal basis: prior explicit consent. The privacy policies of third parties apply in addition.

6. Consent collection arrangements

On your first visit to the website, an information banner appears and allows you to set your choices. This banner complies with the following requirements:

Clear prior information on the categories of cookies used and their purposes;
“Accept all” and “Reject all” buttons presented on equal footing, with equivalent graphic design;
Possibility of finely setting consent by category of cookies (audience measurement, personalisation, marketing, third parties);
Possibility of changing your choices at any time via the accessible at the bottom of every page;
No placement of non-strictly-necessary cookies before consent has been expressed.

7. Retention period of your choices

Your choices expressed via the cookies banner (acceptance or refusal, in whole or in part) are retained for a period of six (6) months, in line with the recommendations of European supervisory authorities. After that period, the banner will be presented again to obtain your updated preferences.

An express refusal of cookies is retained for the same duration as acceptance, so as not to prompt you again during that period.

You may at any time, before the end of that period, reset or modify your choices from the preferences management panel.

8. Withdrawing or modifying your preferences

You may withdraw your consent or modify your choices at any time, by the following means:

By clicking on the “” link accessible at the bottom of every page on www.bfb.bi;
By configuring your browser to block cookies, delete already placed cookies or be alerted before any placement. The procedures vary across browsers and are accessible via their publishers’ online help pages;
For third-party cookies, by using the mechanisms offered by the relevant publishers (privacy policies, opt-out platforms for behavioural advertising).

Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your prior consent. Blocking strictly necessary cookies may prevent the website from operating properly and the access to certain online services.

9. Your rights regarding data collected via cookies

Data collected through cookies (in particular technical identifiers, browsing statistics and, where applicable, personalisation data) constitutes personal data within the meaning of the GDPR. With respect to such data, you benefit from all the rights described in section 9 of the Privacy Policy v3.0 (JAN26), namely the right of access, rectification, erasure, restriction, objection, portability and withdrawal of consent.

To exercise these rights, you can write to the Data Protection Officer: dpo@bfb.bi. You are also entitled to lodge a complaint with the competent supervisory authority, the contact details of which are set out in the jurisdictional annexes of the Privacy Policy.

10. Updates of the Cookies Policy

This Cookies Policy may evolve to reflect technical changes (new cookies placed, change of provider), legal changes (new regulatory requirements or new guidelines from supervisory authorities) or contractual changes. The version in force is always the one published on www.bfb.bi at the date of your visit. Substantial amendments will be signalled to you by an information banner on your next visit.

The effective date of this version appears at the top of this page. Previous versions may be communicated upon request to the DPO.

11. Contact

For any question relating to this Cookies Policy or the exercise of your rights:

Email address: dpo@bfb.bi
Postal address: Bedrock Financial Bank, 9 Chaussée du Peuple Murundi, Bujumbura — for the attention of the DPO