Data privacy policy of the Mainzer Mobilität app2.7.2021

Table of contents

 

DATA PRIVACY POLICY OF THE MAINZER MOBILITAET APP

 

1. DATA PROCESSING CONTROLLER

2. CONTACT DETAILS OF OUR DATA PROTECTION OFFICER:

3. GENERAL PURPOSE OF THE APP

4. INFORMATION COLLECTED DURING DOWNLOAD

5. INFORMATION COLLECTED AUTOMATICALLY (LOG DATA)

6. PURCHASE OF TICKETS

6.1. CREATION OF A USER ACCOUNT (REGISTRATION) AND LOG-IN

6.2. BOOKING OF TICKETS

6.3. RECEIVER OF THE DATA

6.4. LEGAL BASIS

7. APP AUTHORISATIONS

8. FORWARDING AND TRANSMISSION OF DATA

9. DATA TRANSFER TO THIRD COUNTRIES

10. DATA STORAGE PERIOD

11. USE OF MAP SERVICES

12. USE OF TRACKING TOOLS

12.1. SENTRY

12.2. MATOMO

13. USE OF PUSH SERVICES

14. NEWSLETTER

15. FEEDBACK- AND HELP FUNCTION

16. YOUR RIGHTS AS THE DATA SUBJECT

17. RIGHT TO OBJECT

18. RIGHT TO LODGE A COMPLAINT

19. CHANGES OF THIS DATA PRIVACY POLICY

 

1. Data processing controller

 

This service (hereafter referred to as “app) is made available by

 

Mainzer Verkehrsgesellschaft mbH,

Mozartstraße 8,

55118 Mainz

 

Email: verkehrscenter@mainzer-mobilitaet.de

Telephone: (06131) 12 77 77

 

(hereafter referred to as “MVG”, “we” or “us”) as the controller as defined by applicable data protection law.


2. Contact details of our data protection officer:

 

Email: datenschutz@mainzer-mobilitaet.de

 

3. General purpose of the app

Our app allows you to use various services related to our transportation offer in our rail and bus service network. The following functions are available to you:

 

  •  Information about connections
  •  Display of the departure monitors of our stops
  •  Local map with bus & tram stops as well as book-n-drive and meinRad stations
  •  Local map with bus & tram stops as well as book-n-drive and meinRad stations
  •  Mailing of push messages
  • Sale of tickets via your user account

When you use the app, we process your personal data. Personal data means any information referring to a specific or identifiable natural person.

 

In the following passages, we inform you about details concerning the processing of your data when you use the app.

 

4. Information collected during download

 

When you download the app, certain necessary items of information are transferred to the App Store you selected (e.g. Google Play or Apple App Store); during download, especially the user name, the email address, the customer number of your account, the point of time of the download, payment information and the individual device ID can be processed. The processing of these data is exclusively carried out by the respective App Store and is beyond our sphere of influence.

 

5. Information collected automatically (log data)

 

Within the scope of your utilisation of the app, we collect certain data automatically which are required for the utilisation of the app. These include:

 

  •  Internal device ID,
  • Version of your operating system,
  • Point of time of access,
  • Determination of your location when you book a ticket.

In the event of communication problems or interrupted connections between the app and the background system, we store the data in connection with the error (request, error) in your account.

 

These data are automatically transmitted to us, but not stored (1) in order to make the service and the related functions available to you; (2) in order to improve the functions and the performance features of the app; and (3) in order to prevent and eliminate misuse and malfunctions.

The processing of these data is justified, because (1) the processing is necessary for the performance of the contract between you as the data subject and us pursuant to Article 6 Section 1 Clause 1 (b) GDPR for the utilisation of the app, or because (2) we have a legitimate interest as defined by Article 6 Section 1 Clause 1 (f) GDPR to ensure the proper function and trouble-free operation of the app and to be able to offer a service that is in line with the market and with interests.

 

6. Purchase of tickets

 

6.1. Creation of a user account (registration) and log-in

 

To enable you to buy tickets in our ticket shop, it is necessary to open a user account. To do so, you have to carry out the registration process in the mobility app.

The data required for registration and verification are identified as mandatory fields in the app. The following categories of data are collected:

 

- First and last name, date of birth, address, email address, account details, credit card data, telephone number (voluntary) and, if applicable, your banking details

 

The mandatory information is required for the creation of the user account and the related possibility of purchasing tickets. If you do not provide these data, you will not be able to create a user account.

When you create a user account or log in, we use your access data (email address and password) to grant you access to your user account and enable you to manage it.

 

6.2. Booking of tickets

 

The app enables you to purchase tickets for trips in various tariff zones of the area we service. Below you can find information about which data will be collected about your person:

When you book a ticket, the following booking data will be collected:

 

- IP address;

- Ticket information: customer ID, trip ID, date and time of the request, desired start of the trip (date, time, departure stop), desired destination (date, time, destination stop);

- Booking data: invoice address (address, city, post code, country), booking number, booking date, method of payment.

 

6.3. Receiver of the data

 

We use various service providers to process the purchase of a ticket. The respective service providers receive the data generated for the booking to the respective extent required.

We use the following service providers:

 

(1) Fluidtime Data Services GmbH, Neubaugasse 12-14/25, A–1070 Vienna: Fluidtime makes the backend and the MaaS platform available so that all customer data are hosted there.

(2) insertEFFECT GmbH, Hessestr. 5-7, 90443 Nuremberg: insertEFFECT makes the frontend for the customer available.

(3) HanseCom Public Transport Ticketing Solutions GmbH, Amsinckstraße 34, 20097 Hamburg: Creation of the tickets (QR code)

(4) ZOHO CORPORATION B. V., Beneluxlaan 4B, 3527 HT UTRECHT, The Netherlands (“Zoho Netherlands”): preparation and mailing of invoices

 

These service providers process your personal data exclusively as per our instructions under a third-party data processing contract pursuant to Article 28 Section 1 GDPR.

 

(5) The payment service provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, for credit standing check, processing of payments and collection management:

 

We forward your personal data (first and last name, date of birth, address, email address, bank account details, credit card data, telephone number, if applicable, and data relating to your ticket purchases) and any changes to LogPay Financial Services GmbH for the purpose of the sale and assignment of our receivables from you arising in connection with your ticket purchase.

 

LogPay itself is responsible for the data it processes. You can object to the transfer of these data to LogPay Financial Services GmbH at any time, but in this case ordering tickets via the electronic distribution channel is no longer possible.

 

You can retrieve the data privacy policy information of LogPay Financial Services GmbH at https://www.logpay.de/DE/datenschutzinformationen/.

 

6.4. Legal basis

 

The registration and log-in data and the data generated when tickets are booked are processed on the basis of Article 6 Section 1 Clause 1 (b) GDPR for the completion and performance of ticket sales (purpose of the contract).

 

In addition to this, we and LogPay process the data on the basis of Article 6 Section 1 Clause 1 (f) GDPR (legitimate interest). Our legitimate interest is the outsourcing of the processing of payments and collection management. The legitimate interest of LogPay Financial Services GmbH is the processing of payments, collection management, evaluation of the admissibility of payment methods and the prevention of shortfalls in payment.

 

In case a booking transaction is aborted, we process the data generated until the abort for the purpose of tracking whether malfunctions occurred during the booking process, whether all the relevant information was available to you and to respond to your queries or complaints, if any. In this respect, we process your data on the basis of our legitimate interest pursuant to Article 6 Section 1 Clause 1 (f) GDPR.

 

7. App authorisations

 

In addition to this, the app requires the following authorisations:

- Mobile data: for updating and refinement of the location, updating of the real-time data, traffic hold-up messages and connections and, if applicable, the transmission of the data relevant for the booking.

- Location: to determine the location to provide information about connections

 

Legal basis:

 

The geographic location of your device is only recorded with your consent (Article 6 Section 1 Clause 1 (a) GDPR) to provide location-based services. Your authorisation is required by according system settings which we request during your registration. In this way, you give your consent pursuant to Article 6 Section 1 Clause 1 (a) GDPR. You can withdraw your consent at any time by changing the system settings.

 

8. Forwarding and transmission of data

 

Besides the cases explicitly stated in this data privacy policy, your personal data will not be forwarded without your express prior consent unless this is permitted and/or required by law. Inter alia, this may the case when processing is necessary to protect the vital interests of the user or of another natural person.

 

If required for the investigation of an unlawful or abusive utilisation of the app or for prosecution, personal data are transferred to the prosecuting or other authorities and to injured third parties, if applicable, or legal advisors. This is, however, only done if there is evidence to indicate unlawful and/or abusive behaviour. Data can also be forwarded if this serves the enforcement of utilisation conditions or other legal claims. We are also obliged by law to provide information to public authorities upon request. These include prosecution authorities, authorities prosecuting offences subject to an administrative fine and the fiscal authorities.

 

Our possible forwarding of personal data is justified where (1) the processing is necessary for compliance with a legal obligation we are subject to pursuant to Article 6 Section 1 Clause 1 (c) GDPR in combination with national legal requirements relating to the transfer of data to prosecution authorities, or (2) we have a legitimate interest in transferring data to the third parties specified if there is evidence to indicate abusive behaviour or to enforce our utilisation conditions, other conditions or legal claims and your rights to and interest in the protection of personal data as defined by Article 6 Section 1 Clause 1 (f) GDPR are not overriding.

 

9. Data transfer to third countries

 

When we process your billing data, ZOHO CORPORATION PVT. LTD. Estancia IT Park, Plot No. 140 & 151, GST Road, Vallancherry Village, Chengalpattu Taluk, Kanchipuram District 603 202, INDIA (“Zoho India”), the parent company of ZOHO Netherlands, may access your data based on our cooperation with this software provider. Any access is carried out exclusively for the purpose of technical support.

When we process your billing data, ZOHO CORPORATION PVT. LTD. Estancia IT Park, Plot No. 140 & 151, GST Road, Vallancherry Village, Chengalpattu Taluk, Kanchipuram District 603 202, INDIA (“Zoho India”), the parent company of ZOHO Netherlands, may access your data based on our cooperation with this software provider. Any access is carried out exclusively for the purpose of technical support.


In order to guarantee an adequate level of data protection on the part of the third-country receiver of the data, we have concluded an EU standard contract relating to data transfer to third-party processors in third countries with the Indian company. You can find more detailed information about the standard contract here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087.

 

10. Data storage period

 

We usually store the data for the following periods:

 

Your registration data including your banking details are processed for the term of your utilisation of your customer account. When you delete your customer account, all data in your customer account will be deleted.

 

We delete the log data within 30 days at the latest.

 

The tickets you purchased are kept for one year. Invoicing documents, purchasing documents and contractual data are retained for ten years as required by tax law and business letters are retained for six years.

 

11. Use of map services

 

Android operating system

 

This app uses the map service Google Maps. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you use this app, you agree with the collection, processing and utilisation of the automatically collected data and the data you entered by Google, one of Google’s representatives or a third-party provider.

 

You can find the terms of use for Google Maps here: www.google.com/intl/de_US/help/terms_maps.html. You can find detailed information about Google’s data privacy policy here: www.google.de/intl/de/policies/privacy/.

 

The opt-in consent for the use of your location data is requested in the app.

 

iOS operating system

 

This app uses the map service Apple Maps. Apple Maps is operated by Apple Inc., 1 Infinite Loop, Cupertino, California, USA, 95014, USA. When you use this app, you agree with the collection, processing and utilisation of the automatically collected data and the data you entered by Apple, one of Apple’s representatives or a third-party provider.

 

You can find the terms of use for Apple Maps here: www.apple.com/legal/internet-services/maps/terms-de.html. You can find detailed informationabout Apple’s data privacy policy here: www.apple.com/legal/privacy/de-ww/ .

The opt-in consent for the use of your location data is requested in the app.

 

12. Use of tracking tools

 

12.1. Sentry

 

We use the Sentry service provided by Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, in order to improve the technical stability of our service by monitoring the stability of the system and detecting code errors.

The data of the users, such as device information or the time at which the error occurred are collected anonymously, are not used as personal data and are deleted afterwards.

 

12.2. Matomo

 

In our app, we use the Matomo open-source service provided by InnoCraft Ltd in order to analyse the behaviour of users of our app and to accordingly optimise our app and its contents based on such analysis. We do not obtain any information that directly identifies you through such analysis.

 

In connection with the application of Matomo, pseudonyms are used which allow a statistical analysis of the utilisation of this app. For this purpose, data relating to your behaviour as a user are collected, pseudonymised and processed in a utilisation profile for analysis (including the operating system, app version, functions of the app called).

 

The data obtained in this process are not used without your separate consent in order to identify you personally, and the data are not merged with personal data about you as the carrier of the pseudonym.

 

Where IP addresses are collected, these are anonymised immediately after collection through the deletion of the last set of numbers.

As we host Matomo on our own servers, third-party processing is not necessary for analysis. We delete your data automatically after 180 days.

 

We process the data on the basis of your consent pursuant to Article 6 Section1 Clause 1 (a) GDPR. You can withdraw your consent for the future at any time in the settings.

 

13. Use of push services

 

The app uses push services provided by the operating system manufacturers. These are short messages that can be shown on the user’s device display and which actively inform the user.

 

When push services are used, a device token is assigned by Apple or a registration ID by Google. These are only encrypted, anonymised device IDs assigned for the sole purpose of providing the push services. It is not possible to draw conclusions about the individual user. If required, the push service can be adapted within the app settings. You can also turn off the receipt of push messages via the operating system of your smartphone.

 

14. Newsletter

 

We only use the email address you provided for mailing our newsletter if you have ticked the according box during your registration, i.e. only with your consent.

 

You can withdraw your consent for the subscription to the newsletter via an opt-out in the app after log-in. Your email address will then be disabled for the newsletter.

 

We will only forward your email address to rapidmail GmbH in Freiburg, our technical mailing service provider, which as a third-party processor as defined by Article 28 GDPR mails our newsletter to its subscribers according to our instructions.

 

15. Feedback- and help function

 

This app gives you the possibility to send us a message, e.g. a feedback message or a request for help. When we receive the message, we store the information about the app version running on your device and the device name. When you request an answer via this function, we need your email address. Any further information (e.g. your name) is provided on a voluntary basis.

 

The legal basis for the processing of these data is Article 6 Section 1 Clause 1 (f) GDPR (legitimate interest). Our legitimate interest is to meet the customer’s expectations and ensure and/or optimise customer satisfaction.

 

We store these data for a period of two months.

 

16. Your rights as the data subject

 

Under the GDPR, you as the data subject have the rights specified below. Please use our above-stated contact details to assert your rights.

Right to request information

 

Under Article 15 GDPR, you have the right to request information from us at any time about the personal data we process.

Right to rectification of inaccurate data

 

You have the right to obtain from us the rectification of your personal data without undue delay should these data be inaccurate (Article 16 GDPR).

Right to erasure (right to be forgotten)

 

Under the prerequisites described in Article 17 GDPR, you have the right to obtain from us the erasure of the personal data concerning you. These prerequisites provide especially a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if the data were unlawfully processed, if you objected to the processing or if the personal data have to be erased for compliance with a legal obligation in Union or Member State law we are subject to. As regards the data storage period, see Section 8 of this data privacy policy.

 

Right to restriction of processing

 

Pursuant to Article 18 GDPR, you have the right to obtain from us restriction of the processing, especially if the accuracy of the personal data is contested between the user and us, for a period required by us to verify the accuracy of the personal data; and in case the user, notwithstanding his/her right, opposes the erasure of the personal data and requests the restriction of their processing instead; furthermore, if we no longer need the data for our purposes, but they are required by the user for the establishment, exercise or defence of legal claims and if the successful objection is still in dispute between us and the user.

 

Right to data portability

 

Pursuant to Article 20 GDPR, you have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.

 

17. Right to object

 

Under Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based, inter alia, on point (e) or (f) of Article 6 Section 1 Clause 1 GDPR. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the establishment, exercise or defence of legal claims.

 

18. Right to lodge a complaint

 

Under Article 77 GDPR, you further have the right to lodge a complaint with a supervisory authority. To lodge such complaint, you can usually turn to the supervisory authority of your habitual residence or place of work or of our head office. The competent supervisory authority of our head office is:

 

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz,

[The Officer for Data Protection and Freedom of Information of the State of Rhineland-Palatinate]

Hintere Bleiche 34, 55116 Mainz.

 

19. Changes of this data privacy policy

 

We always keep this data privacy policy up to date. This is why we reserve the right to change it from time to time and to subsequently make adjustments regarding changes, the processing or utilisation of your data.

You can always retrieve the most recent version of the data privacy policy at “[Designation]” within the app.

Status: 2.7.2021