PRIVACY POLICY

For MILES Mobility GmbH, handling your data in accordance with data protection regulations is more than just a legal requirement. Regardless of whether you use our mobility services, obtain information about our services or our company, are in contact with us as a service provider or partner, or work for us or want to work for us as an employee or applicant - you can rely on us to handle your data correctly. For easy understanding and accessibility we have refrained from using both the feminine and masculine forms of language in the following. All personal terms apply equally to all genders.

In this privacy policy you can find out how, to what extent and for what purposes we process your data, whether we pass on your data to partners and service providers, when we delete your data and other points that may be important to you.

Who we are

Contact details of the responsible person

Managing Directors: Oliver Mackprang, Eyvindur Kristjansson MILES Mobility GmbH Leibnizstrasse 49 10629 Berlin

Email: hello@miles-mobility.com Phone: +49 (0) 30 83 799 699

Website: miles-mobility.com

Contact details of the data protection officer

Pridatect S.L. Carrer de Tarragona 161, Planta 11ª 08014 Barcelona, Spain

Email: data-protection@miles-mobility.com

Website: www.pridatect.de

General information on data processing

1. Scope of the processing of personal data

As a matter of principle, we only process personal data of our users insofar as this is necessary for the provision of a functional website as well as our contents and services. The processing of personal data of our users is regularly only carried out with the consent of the user. An exception applies in those cases in which obtaining prior consent is not possible for actual reasons and/or the processing of the data is permitted by legal regulations.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

3. Data deletion and storage period

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

Data transfer and commissioning of processors

4. Data transfer and commissioning of processors

If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) lit. b GDPR), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests.

If we commission the processing of data on the basis of a so-called "order processing contract", this is done on the basis of Art. 28 GDPR.

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this only occurs if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

Rights of the data subjects

5. Rights of the data subjects

Revocation of consent

+

5.1 Revocation of consent

You have the right to revoke declarations of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Right of objection

+

5.2 Right of objection

Pursuant to Article 21 of the GDPR, you have the right, under certain conditions, to object to the processing of your personal data at any time on grounds relating to your particular situation. If you object to such processing, we will terminate or interrupt this data processing process and re-examine whether we can demonstrate compelling legitimate grounds for the processing that outweigh your interest.

If personal data is processed for direct marketing purposes, you have the right to object to this processing at any time. An objection to direct advertising means that we will no longer use your data for advertising purposes.

Right to complain to a supervisory authority

+

5.3 Right to complain to a supervisory authority

You have the right to complain to the competent supervisory authority if you have the impression that we are violating applicable data protection law. To do this, you can contact the state data protection commissioner or the state data protection commissioner at your place of work, residence or stay.
As a rule, your request will be forwarded to the office responsible for us.

Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219
Visitor entrance: Puttkamerstr. 16 - 18
(5th floor)
10969 Berlin

Phone: 030 13889-0
Fax: 030 2155050

Email: mailbox@datenschutz-berlin.de

Right to information / right to rectification

+

5.4 Right to information / right to rectification

You have the right to receive information about the processed data. We have already compiled all the necessary information in accordance with Article 15 (1) of the Data Protection Regulation here on the privacy statement. Article 15 (3) GDPR also grants you the right to receive a copy of your data. If you are not sure whether we process your data, we will be happy to send you a confirmation.

You may have the right to ask us to correct any inaccurate personal data relating to you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, also by means of a supplementary declaration. Partially, your data can be changed in the customer account. If you are unable to correct your data yourself, we will support you in exercising your right to rectification in accordance with Article 16 of the GDPR.

Right to restriction of processing / right to erasure

+

5.5 Right to restriction of processing / right to erasure

The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 of the GDPR.

In accordance with Article 17 of the GDPR, you can request that your data be deleted without delay. We are obliged to delete your data immediately if one of the legally prescribed reasons of Art. 17 (1) of the GDPR applies and none of the exceptions according to Art. 17 (3) or similar provisions apply. We are legally authorised under Art. 17 (3) (e) of the GDPR to retain data relating to journeys. The relevant limitation periods of § 14 StVG of up to 30 years are decisive here.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted in accordance with Art. 18 GDPR. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or to enforce our own legal claims. In particular, we reserve the right to permanently store data of blocked users (e.g. due to accidental driving, fraud, non-payment) in order to prevent re-registration. This is a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.

According to Article 18 (1) of the GDPR, you may, under certain circumstances, request the restriction of the processing of your data. If processing has been restricted, this personal data may - apart from being stored - only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

Right to data portability

+

5.6 Right to data portability

According to Article 20 of the GDPR, you have the right to request that we assist you in transferring your contractual data or data that we process on the basis of consent to third parties if we process the data using automated processes, e.g. if you want to switch to a competitor. Let us know who you would like us to transfer your data to and we will contact the service provider. Alternatively, you can also receive this data in a machine-readable format.

Right to information

+

5.7 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

Furthermore, you have the right to be informed about these recipients.

Privacy policy for users of the website and visitors to our social media presence

6. Privacy policy for users of the website and visitors to our social media presences

Below we explain how we handle the data of the users of our website and our presences in social media.

Overview of our web presences

+

6.1 Overview of our web presences

We operate this website (www.miles-mobility.com) with some sub-sites (including www.support.miles-mobility.com).

You can also find us on Twitter, Facebook, Instagram, LinkedIn, Xing and YouTube.

General information on data processing

+

6.2 General information on data processing

6.2.1 Affected persons
Data subjects of the data processing are visitors to our website or our channels in the social media (hereinafter also users or interested parties).

6.2.2 Purposes
The purpose of the processing is to provide information about our company and our services, to offer communication channels to our company, to address interested parties in an advertising manner, to analyse the effectiveness of our advertising measures, to conduct anonymised market research and to ensure the security of our websites.

6.2.3 Categories of data / types of data
The following data types can be processed:

- IP address
- Access times and approximate location of users
- Meta/communication data (e.g. device information)
- Visited websites
- Interest in content
- Demographic characteristics (via our advertising partners)

The data is usually collected when the offers are used.

6.2.4 Recipients / categories of recipients The recipients of data are primarily the integrated service providers. Below we list an overview of the service providers. Further information can be found in the respective paragraphs on processing.

- Strato (Hosting)
- Osano (Consent Management)
- Google (Statistics/Marketing/Map Clippings/Videos)
- Facebook (Marketing)
- Ultimate.ai (Chat)
- Zendesk
- Hotjar
- Braze

6.2.5 Reservation(s) on the location of storage and processing of data Please note that our company works with partners in third countries (Osano, Google, Facebook, Braze Inc, Sentry & Paypal), in particular the United States. Personal information we collect from you may be processed in the United States or other third countries. Some of these third countries, for example the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.

Until new decisions are made regarding data transfers to the United States or other third countries, we rely on exemptions for specific situations as set out in Article 49 of the GDPR and, where applicable, the safeguards set out in Article 46 of the GDPR. In particular, we only collect and transfer personal data to the United States or third countries with your explicit consent, or to perform a contract with you. We and our processors aim to apply appropriate measures to protect the privacy and security of your personal data and to use it only in accordance with your relationship with us and the practices described in this Privacy Policy.

The data processing operations in detail

+

6.3 The data processing operations in detail

6.3.1 Server log files / log files
Each time the website is visited, a log file is created by the web server. The following characteristics are recorded in this file.

- Browser type and browser version of the user
- Operating system used by the user
- Referrer URL Host name of the accessing computer
- Date and time of access
- IP address of the user
- Internet service provider of the user

This data is not merged with other data sources. The provider may collect this data and store it for a period of 7 days. The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the secure operation of a technically error-free presentation and the optimisation of our website - for this purpose, the server log files must be collected. In order to ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. We use encryption to meet the requirements of Art. 32 GDPR, which requires that we take appropriate measures for the security of the website. If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.

Cookies and personalised tracking

+

6.4 Cookies and personalised tracking

Our website uses so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognise your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

Cookies that are required to carry out the electronic communication process or to provide certain functions desired by you are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. Insofar as other cookies (e.g. cookies for the analysis of surfing behaviour) are stored, these are dealt with below in this data protection declaration and used with the corresponding consent.

6.4.1 Cookie consent with Osano's Consent Manager
This website uses Osano's cookie consent technology to obtain your consent to the storage of certain cookies on your terminal device and to document this in accordance with data protection law.

The provider of this technology is Osano, Inc, 3800 N Lamar Blvd, Ste 200, Austin, TX 78756 Website: https://https://www.osano.com/ (hereinafter "Osano").

When you open our website, we ask for your consent or refusal to the cookies and tracking tools. Your IP address, information about your browser and the terminal device used are transmitted to Osano.

Osano stores a cookie in your browser in order to be able to allocate the consents given or their revocation. The data collected in this way is stored until we are asked to delete it. You can also delete the cookie yourself, in which case you will be asked again the next time you visit the website. Osano is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 (1) lit. f GDPR, as we as the website operator have a legitimate interest in the implementation of the cookie guidelines in accordance with data protection. Please read section 6.2.5 for more information on this provider.

6.4.2 Managing the analysis tools using Google Tag Manager
We use the Google Tag Manager in order to be able to integrate and manage website evaluations centrally and via a user interface. Tags are different tracking codes (JavaScript code lines) with which we can record and track your activities on our website.

The advantage of the tag manager is that we can use it not only to manage Google services, but also to centrally manage other analytics services. In this way, we can better identify which tracking technology provides us with the information we need and avoid unnecessary data collection. The tag manager itself does not process any data, but helps us organise the data from Google Analytics, Facebook or Instagram.

We use the tag manager to make our website as useful, comfortable and usable as possible for you and other visitors. For this purpose, we need the analysis data. We use the tag manager on the basis of Art. 6 para. 1 lit. f GDPR, which allows processing on the basis of a balance of interests. We have a legitimate interest in seeing which content appeals to our prospective customers. This allows us to realign our marketing to attract more people to our offers. Please read section 6.2.5 for more information about this provider.

6.4.3 Cookies and other tools for the purpose of range measurement and statistics
We use cookies for reach measurement and to create statistical evaluations of our website and social media interactions. For this purpose, we rely, among other things, on Google Analytics.

6.4.4 Google Analytics
The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called "cookies" and similar technologies. Cookies are text files that are stored on your computer and enable an analysis of your use of the website (target group reports, conversion reports, interaction and behaviour reports, real-time reports, etc.). The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. When using Google Analytics, your IP address is usually shortened to make subsequent identification more difficult.

Google Analytics cookies are stored on the basis of Art. 6 para. 1 lit. a GDPR, in accordance with the corresponding consent of the user.

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website: Deactivate Google Analytics.
Our goal in using Google Analytics is to further optimise our service and offer more to potential users. The Google Analytics statistics help us to better understand our customers and support us in achieving this goal.

Google Analytics sets the following cookies:

Name: _ga (Google Analytics js)
Purpose: Google uses this cookie to store the user ID and distinguish users. Expiry date: after 2 years

Name:_gid
Purpose: Expiry date: after 24 hours

Name: _gat_gtag_UA_<property-id>
Intended use: If Google Analytics is provided via the Google Tag Manager, this cookie is given this name. Expiry date: after 1 minute

Storage period: We have limited the storage period to 14 months in order to comply with the principle of storage limitation from Art. 5 GDPR. This retention period applies to data linked to cookies, user recognition and advertising IDs. Results of reports are based on aggregated data and are stored independently of user data.

You can find more information on the handling of user data with Google Analytics in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

6.4.5 Facebook Pixel
The Facebook pixel is a JavaScript code that is embedded on websites. The pixel can link people's behaviour on the website to Facebook user profiles. It collects data that helps track conversions, optimise ads and create target groups.

This website uses the visitor action pixel from Facebook for conversion measurement.

The provider of this service is:
Facebook Ireland Limited,
4 Grand Canal Square,
Dublin 2,
Irland.

According to Facebook, the data collected is transferred to the USA and other third countries.

On the basis of Art. 6 para. 1 lit. a GDPR, the use of Facebook Pixel takes place exclusively with your consent. For this purpose, we obtain your consent when you visit the site for the first time (together with your consent to the storage of cookies). This consent can be revoked at any time.

You can find more information about protecting your privacy in Facebook's privacy policy: https://de-de.facebook.com/about/privacy/. Please read section 6.2.5 for more information about this provider.

As an example, we show you the cookies that are set by integrating the Facebook pixel. Please note that these are only example cookies.

Different cookies are set depending on the interaction on our website.

Name: _fbp
Purpose: Facebook uses this cookie to display advertising products and track the customer's interaction with the advertising. Expiry date: after 3 months

Name: fr
Purpose: This cookie is used to allow the Facebook Pixel to track the response to the ad beyond the interaction. Expiry date: after 3 months

6.4.6 Facebook Custom Audiences
With the help of the Facebook pixel, it is possible for Facebook to determine the visitors to our online offer as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called "Custom Audiences").

The processing of data by Facebook takes place within the framework of Facebook's data usage policy. Accordingly, you can find general information on the display of Facebook ads in Facebook's data usage policy: https://www.facebook.com/policy. For specific information and details on the Facebook Pixel and how it works, please visit Facebook's help section: https://www.facebook.com/business/help/651294705016616.

You can opt out of the Facebook Pixel's collection and use of your data to display Facebook ads. To control which types of ads are displayed to you within Facebook, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers or mobile devices. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.

You can also opt out of the use of cookies for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

6.4.7 Hotjar
In order to statistically evaluate visitor data, we use the analysis tool Hotjar on our website.

This is offered by:
Hotjar Limited Level 2,
St Julian's Business Centre, 3,
Elia Zammit Street,
St Julian's STJ 1000, Malta.

Hotjar is a service that evaluates visitor behaviour and feedback through combined analytics and feedback tools. We receive heatmaps, conversion funnels, visitor recordings, incoming feedback, feedback polls and surveys.

We use these evaluations to optimise the usability and user experience of the site and to additionally collect customer opinions via the feedback channel. We receive reports and visual representations from Hotjar that show us where and how users "move" on our site.

The personal data is automatically anonymised. Neither can we assign the interactions to a user nor is the data transmitted to Hotjar. Hotjar automatically collects usage data. For this purpose, a tracking code of the website is linked to a cookie.

The following data is collected and stored:
- Time of the visit
- Screen size and resolution.
- Browser version
- Approximate location (IP location)
- Language
- Visited subpages
- Date and time of access to one of our sub-pages (web pages)
- IP address (anonymised)

Name: _hjid
Purpose: The cookie is used to maintain a Hotjar user ID that is unique to the website in the browser. This allows user behaviour to be associated with the same user ID on subsequent visits. Expiry date: after one year

6.4.8 Newsletter dispatch
We send out mandatory information about the Miles Mobility GmbH offer via our newsletter. Furthermore, users of the app can subscribe to a newsletter and receive information about additional offers and promotions. To do this, we require your email address and consent to receive the newsletter, which we obtain via a so-called double opt-in procedure. Further data will not be collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties, apart from the respective newsletter senders.

In principle, the data is processed on the basis of your consent (Art. 6 para. 1 lit. a GDPR). In some of the cases mentioned below, which are directly related to the sending of newsletters, the processing is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR).

You receive all newsletters of an advertising nature on the basis of your consent to the storage and use of the data; you can revoke this consent at any time. You can unsubscribe at any time by clicking on the "unsubscribe" link in the newsletter. The legality of the data processing already carried out remains unaffected by the revocation.

We also send newsletters as customer information letters with relevant technical and organisational information on terms of use, changed tariffs or business areas.

We consider it imperative that this information reaches our customers, so you cannot automatically unsubscribe here. Your right to object according to Art. 21 GDPR remains unaffected, but in this case it is your duty to actively inform yourself.

We use the services of Braze Inc. and PostMarks to send the newsletters.
Braze Inc 330 West 34th Street,
18th Floor New York
NY 10001 USA.

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties.

We use a method to analyse the reach of our newsletter. When you open one of our emails, a file contained in the email connects to the servers of Braze Inc. in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. In addition, technical information is recorded (e.g. time of retrieval, IP address, browser type and operating system). However, this information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients. If you do not want any analysis, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message.

After unsubscribing from the newsletter distribution list, the email address is stored by us or the newsletter service provider in a blacklist, if necessary, in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interest outweighs our legitimate interest. However, you may then be contacted by us again.

Google Maps

+

6.5 Google Maps

This site uses the mapping service Google Maps via an API. Provider is:

Google Ireland Limited ("Google"),
Gordon House,
Barrow Street,
Dublin 4, Ireland.

In order to use the functions of Google Maps, it is necessary to save your IP address and to transmit it to a Google server and it is also saved on this server. The provider of this site has no influence on the specific content of this data transmission. The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of our business areas.

This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de. 8.

Contact form, chat request by e-mail or telephone

+

6.6 Contact form, chat request by e-mail or telephone

You can send us enquiries via contact form, chat, e-mail or telephone. In this case, your enquiry with the contact details and, if applicable, further details from the enquiry form or the enquiry will be stored in our CRM system for processing the enquiry and for possible follow-up enquiries.

The processing of this data is based on Art. 6 (1) lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries sent to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested.

We keep your data until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected.

Youtube

+

6.7 Youtube

We have embedded YouTube videos on our website. This allows us to present videos from our YouTube channel directly on our site. The portal is operated by YouTube, a Google company. When you call up a page on our website that has a YouTube video embedded, your browser automatically connects to the YouTube or Google servers. In the process, various data are transferred (depending on the settings).

Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe. If you want to find out more, we recommend that you read the data protection declaration at https://policies.google.com/privacy?hl=de.

Zendesk

+

6.8 Zendesk

We have integrated various services from Zendesk on our website. Zendesk serves as our service provider for the provision of the chat, our support page and our contact forms. Various personal data may be shared with Zendesk. For more information, please see Zendesk's privacy policy https://www.zendesk.de/company/privacy-and-data-protection/ and section 7.9.2 of this privacy policy (appropriate safeguards for data transfers to third countries, among others).

Privacy policy for users of the app and mobility services

7. privacy policy for users of the app and mobility services

Overview of the purposes, the type of data as well as the categories of recipients and the storage period.

The processing of data via apps of partner companies which offer joint mobility services with MILES Mobility GmbH takes place in accordance with the privacy policy of the respective app.

Purposes of data processing

+

7.1 Purposes of data processing

- Customer management, customer approach and customer support
- Registration with identification and verification of the driver's licence
- Vehicle booking via the app / service provision (provide vehicle)
- Billing and payment tracking
- Processing of violations of the law, in particular against the StVO
- Receivables management and collection
- Security checks and fraud control
- Claims settlement

The following of your data will be processed

+

7.2 The following of your data will be processed

- First name, last name
- Address
- Date of birth
- Language
- Email address
- Telephone (mobile)
- Device-Key (Number of the device)
- Password
- Bank details / Preferred payment method
- Schufa - extract
- Customer number/ reference number
- Verification of driving licence, driving licence number, identity document
- Geolocation data (for vehicle search / and vehicle booking)
- Location data at registration (city / business area)
- Contract data / Tariffs / Discounts
- (E-mail) correspondence / contact history
- Trip log
- Black box in the vehicle (no personal data collection, but can be related to individuals)
- (e.g. subject matter of the contract, term, customer category)

Nature and origin of the data

+

7.3 Nature and origin of the data

The following data is collected directly from the data subject during registration:

- First name, last name
- Date of birth
- Language
- Address
- E-mail address
- Telephone (mobile)
- Bank details
- Customer number/ reference number
- Verification of driving licence, driving licence number, identity card number
- Location data (city)
- Contract data / Tariffs / Discounts

The following data is collected in the course of using the offer:

- Device-Key (Number of the device)
- Geolocation data (for vehicle search / vehicle booking / during the journey)
- (E-mail) correspondence / contact history
- Trip log for accounting purposes.
- Black box in the vehicle (no personal data collection, but can be related to individuals)
- Contract data / tariffs / discounts (in case of changes)

The following data is collected via third parties:

- Schufa score as part of the credit report (Schufa)
- Reports on driving behaviour by other road users
- Master data and, if applicable, verification data from mobility partners (Jelbi, FreeNow)

Automated decision

+

7.4 Automated decision

An automated decision takes place within the framework of our security checks.

Furthermore, an automated decision is made within the framework of the Schufa statement, although the responsibility for this does not lie with MILES Mobility GmbH.

You have the right to make your point of view known to us and to challenge these decisions. In this case, we will be happy to carry out a manual review of the automated decision.

Storage period

+

7.5 Storage period

7.5.1 Deletion on request
For processing operations based on consent: Withdrawal of consent concerns the receipt of the newsletter.

As a rule, the withdrawal of consent is implemented immediately and automatically by the mailing service provider's systems. In rare cases, the synchronisation of the unsubscription from different mailing lists may take a few hours.

If customers request their right to data deletion for data processed on a legal basis other than consent, the customer account will be deleted in accordance with the following information:

The personal data of the data subject to be deleted will be blocked in the Miles Mobility system, partially made unrecognisable or blacked out and access to the data strictly restricted. After two years, the data listed above will be automatically deleted from the system, with the exception of personal data, which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

Recipients of the data will be informed of the deletion request.

If overriding interests of MILES Mobility GmbH stand in the way of deletion, the customer will be informed of the reasons for the restriction of the right to deletion. This is particularly the case if MILES Mobility GmbH requires the data to enforce or defend legal claims.

7.5.2 Deletion after the purpose has ceased to exist
If data is processed for the fulfilment of the contract, the data is generally stored for the duration of the contractual relationship. This does not apply to usage data in particular, which is only stored for period of 2 years.

Following the termination of the contractual relationship (cessation of the purpose), the personal data of the data subject to be deleted will be blocked in the Miles Mobility system, partially rendered unrecognisable or blacked out and access to the data strictly restricted. After two years, the data listed above will be automatically deleted from the system, with the exception of personal data which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

If data is processed to comply with legal requirements, the rights of the data subjects to have the data deleted shall lapse until the expiry of the respective time limits with regard to the data to be stored. MILES Mobility GmbH does not use this data for any further purposes. This expressly includes storage for the purpose of proving proper accounting. For violations of the StVG, the retention periods are based on the limitation periods. These are up to 30 years.

MILES Mobility reserves the right to permanently store data of blocked users in order to prevent re-registration. This is a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.

Registration with verification

+

7.6 Registration with verification

The registration of the customer account takes place via the app. The surname, first name and contact details are requested, the preferred language, the date of birth (as proof of age as well as an identification feature) the email address (along with the option to consent to receiving the newsletter), the banking and payment details as well as verification of the driving licence and a valid identification document. The approximate location (city) and date of registration as well as the activation of the email address are stored for the duration of the customer relationship. We sometimes use the services of order processors to verify your data. You confirm your email address with the help of an activation email. We validate the telephone number via a processor (Clickatell).

For the verification of the driving licence and the ID document, the user is asked to create a video of the documents to be verified and to film his/her face. The recording of the face is compared with the image on the driving licence/ID document, and the documents are also assessed by the service provider on the basis of recognition features.

MILES Mobility GmbH uses the verification service provider Jumio (Jumio Software Development GmbH - Linz, Lunaplatz 5, A-4030 Linz) to verify the driving licence and the identity of the users.

This company is subject to the strict security regulations of the PCI DSS (Payment Card Industry Data Security Standard) and, as a processor, is bound by the instructions of MILES Mobility GmbH.

The legal basis for the verification of the driving licence results from Art. 6 para. 1 lit c GDPR in conjunction with § 21 para. 1 no. 2 StVG. Accordingly, MILES Mobility GmbH, as the vehicle owner, is obliged to verify the user's driving licence. In addition, a copy of a customer's identity document is requested in order to be able to prove the customer's identity beyond doubt in the event of accidents, for the settlement of claims, but also in the case of criminal offenses and administrative offences and older and international driver's licenses. In addition to the driver's license, a second document is requested to make identity theft harder. The legal basis for this verification also results from Art. 6. para. 1. lit c GDPR in conjunction with § 21 para. 1 no. 2 StVG.

This purpose remains in principle for the duration of a customer relationship. Even at a later point in time (especially in the event of damage), MILES Mobility GmbH is obliged to be able to prove that the legal obligations have been fulfilled. In the event of damage, this proof may also be required vis-à-vis insurance companies and state authorities, which is why the data from the driver's licence verification is stored at least for the duration of the customer relationship.

Use of the app

+

7.7 Use of the app

7.7.1 Vehicle booking and trip accounting
The app is used during the customer relationship to locate and book the vehicles.

We need access to the location of your device. When a request is made, we collect the current location via GPS in order to be able to quickly provide information about the vehicles in the immediate vicinity. We also use location data of the device at the moment of the opening of the vehicle to check the distance to the vehicle. This serves the purpose of preventing vehicle misidentification, theft or unauthorized vehicle handovers. Data about your location is only used to process the request, i.e. at the beginning and end of a journey and in the event of interruptions.

During the journey, the location data of the vehicle is regularly compared with the data of the device; this is done via an encrypted connection. The location data is anonymised after the end of the request and statistically analysed to improve our service.

The vehicle's location data is primarily processed for billing purposes; we reserve the right to also use the location data query for fraud prevention and to match the device location with the route driven.

For the determination of the location data, we rely on the services of our order processor Locationq, which is provided to us by the company Unwired Labs (India) Pvt Ltd. ("Unwired"), 128, Prashasan Nagar, Rd 72, Jubilee Hills, Hyderabad, TS, IN - 500033.

7.7.2 Customer data management
In the app, the user's data can be accessed via the login area. Here you will find the trip log, the master data and contact data as transmitted during verification. Furthermore, the payment and billing data. The data from the app is transmitted in encrypted form and stored in a CRM system.

The provider of the CRM system is Braze Inc. Braze Inc 330 West 34th Street, 18th Floor New York, NY 10001 USA.

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties. The transfer to the USA takes place on the basis of suitable guarantees.

Furthermore, we use order processors to store the data.

As this data is collected and processed for the purpose of fulfilling contracts or legal requirements, users' rights to erasure or blocking may be limited. The right to rectification and information is unaffected.

7.7.3 App security, usage analysis
We have a legitimate interest according to Art. 6. para. 1. lit. f GDPR in a secure and reliable operation of the app as well as in the further development of the app and the optimisation of the economic operation.

We use the tool Sentry, which is provided to us by the company Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, to evaluate error messages and to analyse system parameters of the app. Sentry transmits error reports to servers in the USA and provides us with evaluations, e.g. about programming errors and compatibility problems. We only have access to data about the version of the operating system and the type of device.

We have concluded an order data processing contract with the provider and have ensured that there are sufficient guarantees for the data transfer to the USA in accordance with data protection requirements. We cannot see any countervailing interest on the part of the users. You can still prevent the transmission of bug reports at any time.

With your express consent, which can be revoked at any time, we also use Google Analytics for Firebase and Firebase Crashlytics. The legal basis is Art. 6 para. 1 lit. a GDPR. When you first start the app, you can select whether Google Analytics for Firebase and Firebase Crashlytics should be used; you can deactivate the collection of analytics data in the app.

Firebase / Crashlytics transmits your anonymised IP address, your anonymised advertising ID as well as usage and analysis data to a Google server in the USA and stores them there. The IP anonymisation in Analytics is done by shortening the addresses. If you have agreed to the use of Google Analytics for Firebase and Firebase Crashlytics, we use the app usage data for statistical, anonymous evaluations and to improve the app.

Credit assessment

+

7.8 Credit assessment

As a company, we have a legitimate interest in protecting ourselves against payment defaults. In accordance with our General Terms and Conditions, we are entitled to verify the creditworthiness of customers with credit agencies or Schufa.

The processing of personal data in the context of the credit assessment is based on Art. 6.1.f GDPR. We assume that the check and confirmation of solvency is usually also in the interest of the customers, as this form of credit assessment does not pose any significant risks to rights and freedoms, in this way the transmission of additional data on creditworthiness can be avoided and a simple and convenient process can be provided.

The credit assessment is necessary for the enforcement of rights and claims of MILES Mobility GmbH.

The credit checks serve to protect MILES Mobility GmbH from payment defaults and are intended to ensure that MILES Mobility GmbH has recourse to the originator in the event of a claim (please refer to the price list https://miles-mobility.com/preise/).

When determining your creditworthiness, your data will be transmitted to Schufa. This can be e.g. name, address, date of birth and bank details, insofar as these are necessary for establishing your identity. We receive a scoring value from Schufa or other credit agencies involved, as well as other information from which the risk of non-payment can be derived. These are, for example, outstanding debts, deferments due to insolvency, current insolvency proceedings, participation in debt counselling. If we receive a too low scoring value in the course of the credit assessment, we can temporarily deactivate the user account. You have the right to explain your point of view to us and to challenge the decision. In this case, we will gladly carry out a manual review of the automated decision.

As a rule, we do not report any payment defaults to Schufa. However, we reserve the right to do so if the legal requirements for a report are met. In this case, the customers will be reminded repeatedly in compliance with formal requirements and the possibility of transmission will be pointed out in the reminder.

SCHUFA processes your data and also uses it for profiling purposes (scoring). Schufa is responsible for passing on your data to companies in the EEA and Switzerland and, if applicable, to third countries outside the EEA. Further information on the activities of SCHUFA can be obtained at www.schufa.de/datenschutz. Data processing and profiling is carried out by Schufa; Schufa is the body responsible for this processing within the meaning of data protection law. Therefore, Schufa is also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/. To find out exactly what data Schufa processes about you, please contact Schufa.

Customer management, customer approach and customer support

+

7.9 Customer management, customer approach and customer support

7.9.1 Customer management
We use the CRM system of the provider Braze to manage customer data.

Braze Privacy Policy Issues 330 West 34th Street, 18th Floor New York, NY 10001 USA

We have concluded an order processing contract with Braze. The service provider has provided us with appropriate safeguards for transfers to non-European jurisdictions.

All data from the registration as well as billing data and the customer history are stored in the customer database. We use the customer administration to be able to organise customer care quickly and effectively and to be able to respond to enquiries.

In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c. GDPR.

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contractual relationship.

Furthermore, we use the contact data to inform users about relevant changes to our services. In the context of the use of our service, we process inventory data, communication data, contract data, location data and payment data of the users.

Processing is carried out for the purpose of providing contractual services, billing, customer service, customer communication, accident investigation and claims settlement.

The processing is based on Art. 6 para. 1 lit. b (data processing for the performance of contractual services) and Art. 6 para. 1 lit. c GDPR (fulfilment of legal obligations). Legally prescribed processing results, for example, in archiving or from the keeper obligations of the StVG.

Insofar as we make use of service providers who process data in a third country, the conditions of Art 44. ff. GDPR are checked.

7.9.2 Customer support
We use the CRM system "Zendesk", from the provider Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA, in order to be able to process user enquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 Para. 1 lit. f. GDPR).

Zendesk has provided us with appropriate safeguards in accordance with Art. 44 et seq. GDPR and has undertaken to comply with European data protection law. Zendesk only uses the users' data for the technical processing of the requests and does not pass them on to third parties. In order to use Zendesk, at least a correct email address must be provided. A pseudonymous use is possible. In the course of processing service requests, it may be necessary to collect further data (name, address).

If users do not consent to data collection via and storage in Zendesk's external system, we provide them with alternative means of contact to submit service requests by email, telephone or post.

For more information, users should refer to Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

The customer approach for private customers is carried out via Customer Care using Zendesk and the customer database. We use the master data, contact data and the stored language to contact customers.

For customer support, we also use the telephone service provider Aircall: Aircall SAS (GmbH & Co.KG) 11 Rue Saint-Georges, 75009 Paris, France

Accounting, bookkeeping and payment tracking

+

7.10 Accounting, bookkeeping and payment tracking

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services and to invoice them.

We process data that are required for the justification and fulfilment of the contractual services and point out the necessity of their provision, unless this is evident to the contractual partners.

The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

As a rule, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims pursuant to Art. 6 Para. 1 lit. f. GDPR or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c. GDPR. We expressly reserve the right to use the services of legal service providers (debt collection, lawyers, etc.) to assert claims and to transmit data of the contractual partners and customers to them to the extent necessary.

The deletion of the data takes place when the data is no longer required for the fulfilment of contractual or legal duties of care and for dealing with any warranty and comparable obligations. Statutory retention obligations remain unaffected.

In order to be able to process payments efficiently, securely and conveniently, we use other payment service providers in addition to banks and credit institutions.

It is necessary to pass on data to the payment service providers so that they can carry out the transaction. The payment service providers receive the name and address, the stored payment method and, if applicable, bank data, a pseudonymous ID and the invoice data. MILES Mobility GmbH will be informed by the payment service providers of any payment made or missed.

We use the following service providers:
LogPay: LogPay Financial Services GmbH, Schwalbacher Str. 72, 65760 Eschborn, Germany
Privacy policy: https://documents.logpay.de/en/datenschutzinformationen.pdf

Stripe: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Privacy policy: https://stripe.com/de/privacy
An order processing agreement was concluded with Stripe. In addition, it was verified whether the requirements according to Art. 44-49 of the GDPR for the transfer of personal data are met.

Outstanding receivables/collections

+

7.11 Outstanding receivables/collections

MILES Mobility GmbH works together with collection service providers.

eCollect AG, Neuhofstrasse 21, 6340 Baar ZG, Switzerland
Atriga GmbH, Pittlerstr. 47, 63225 Langen, Germany
Pair Finance GmbH, Hardenbergstraße 32, 10623 Berlin, Deutschland

The involvement of a debt collection service provider is a legal service within the meaning of the Legal Services Act § 10 para. 1 sentence 1. It is the free decision of MILES Mobility GmbH to use the services of a lawyer or a debt collection agency in disputes regarding an - even if only alleged - outstanding debt. In these cases, MILES Mobility GmbH may and must pass on personal data of the debtor (in particular name and address, the reason for the claim, the amount and due date of the claim, etc.) to the collection agency.

The following data will be passed on within the framework of the collection procedures.
- First name, last name (title, if recorded and e.g. name component)
- Name of the company (for commercial customers)
- Address (business) (for commercial customers)
- Address (private)
- Invoice address (if different and recorded)
- E-mail address
- Telephone number
- Date of birth
- Customer number
- Contact history (as far as relevant)
- Bank details
- Contract data
- Data on solvency

Only with this data is it possible for the collection agency to approach the debtor and assert the claim. The user's/customer's consent for the transfer of data to a legal service provider is not required, as it is based on the legal facts of Art. 6 para. 1 sentence 1 lit. b) and lit. f) DS-GVO (data processing for the performance of the contract, data processing based on the legitimate interest of the creditor).

Violations of the law, esp. against the StVG

+

7.12 Violations of the law, esp. against the StVG

Unfortunately, user accounts are blocked time and again due to reports of unusual driving behaviour.

MILES Mobility GmbH may become aware of this in various ways:
- Reporting by other road users
- Notification via police / public order office

In the event of a report by another road user (third person), the driving behaviour described is recorded together with the telephone number/email of the reporting person.

No automated decision is made; rather, the support staff check the information for plausibility. For the protection of third parties and in order to comply with the owner's obligations under Article 21 of the German Road Traffic Act (StVO), MILES Mobility blocks the accounts of registered users as a precautionary measure if there is any suspicion of driving misconduct. This measure results not least from the special situation that MILES Mobility GmbH only checks the existence of a driving licence and fitness to drive by means of a query at the beginning of the contractual relationship and thus grants its users a high degree of trust.

A review of reported allegations only takes place in the event of an objection by the person concerned or in the event of enquiries by government agencies. In addition to the data transmitted by the app during the journey, the data from a black box, which is installed in all vehicles, is evaluated.

The black box determines the G-forces and activities of the driver. These are e.g. (acceleration and deceleration, steering movements, indicators, jolts). These data are not collected on a personal basis (but can be related to individuals); they are only evaluated by the staff in case of suspicion and linked to the last journeys.

Data will only be passed on to legal counsel or government agencies if MILES Mobility GmbH is legally obliged to do so or if this is necessary to enforce legal claims against the user. The data is processed in the European legal area.

Breaches of the GTC, fraud prevention and security checks

+

7.13 Breaches of the GTC, fraud prevention and security checks

As a company, we have a legitimate interest in protecting ourselves against fraud attempts and breaches of our T&Cs. The processing of personal data in the context of fraud prevention is based on Art. 6.1.f. GDPR. We assume that these checks are generally also in the interest of the customers. The type of security checks do not represent a significant interference with the rights and freedoms of our users. Fraud prevention measures are necessary for the enforcement of rights and claims of MILES Mobility GmbH.

Furthermore, MILES Mobility GmbH reserves the right, with reference to § 32 para. 1 no. 4 BDSG, to publicly present the security checks carried out in detail.

In addition to the driving licence verification, further details from the registration are checked. This can be the e-mail address, telephone number and bank account details. Newly entered data is regularly compared with the existing data in order to prevent multiple registrations. In addition, data transmitted from the vehicle is randomly compared with data transmitted from the app using defined parameters in order to prevent account disclosure. In addition, the individual device key of personal devices is used to impede and prevent the sharing, sale, and multiple use of account data.

If an irregularity is detected during the security checks, the account will initially be blocked. You have the possibility to object to this and explain your point of view to us.

Settlement of claims

+

7.14 Settlement of claims

In the event of damage, it is unfortunately necessary to process further data.

The purposes of the processing are the
- Support for our customers in the event of damage (Art. 6.1.b GDPR)
- Reconstruction of the course of the accident (Art. 6.1.f GDPR possibly in conjunction with Art. 6.1.c GDPR as well as § 24 BDSG)
- Settlement/liquidation of damages (Art. 6.1.b and c GDPR)
- Pursuit of own legal claims. (Art. 6.1.f GDPR)

For these purposes, we process your master data, usage data, data from the vehicles, statements and information from third parties (police, other parties involved in the accident, witnesses, other Miles users) and payment data.

Under certain circumstances, we may also receive health-related data in this context. Examples of this are injuries or indications of alcohol and narcotic consumption. In this case, Art. 9 (2) lit. f GDPR is relevant.

In the event of damage, we are legally obliged to cooperate in documenting the course of the accident. Furthermore, there are contractual obligations towards, among others, claims adjusters, the fulfilment of which constitutes a legitimate interest to process the data of those who caused the damage. As the defence of legal claims of MILES Mobility GmbH or third parties is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR.

Privacy policy for business customers, partners and service providers

8. Privacy policy for business customers, partners and service providers

Data protection business customers

+

8.1 Business customers

For business customers, essentially all the points described above apply to users of the app. However, company-related contact data and billing data may also be stored.
For the administration and support of business customers, we use the service provider Pipedrive OÜ, Paldiski mnt 80, Tallinn, 10617, Estonia, in addition to our general customer administration.

We have concluded a contract with Pipedrive with so-called standard contractual clauses, in which Pipedrive undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. You can access Pipedrive's privacy policy here: https://www.pipedrive.com/en/privacy.

We use the CRM system Pipedrive of the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user enquiries, existing customer management, new customer business).

General Administration, Accounting and Corporate Development

+

8.2 General Administration, Accounting and Corporate Development

We process data in the context of administrative tasks as well as organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the context of providing our contractual services. The legal processing bases are Art. 6 para. 1 lit. c. GDPR, as well as for all processing not affected by a legal obligation our legitimate interest according to Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

In this context, we disclose or transmit data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.

Business analyses

+

8.3 Business analyses

In order to run our business economically, to be able to recognise market trends, wishes of the contractual partners and users, we analyse the data we have on business transactions, contracts, enquiries, etc.. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with information, e.g. on the services they have used. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.

If these analyses or profiles are personal, they will be deleted or anonymised upon termination of the users, otherwise after two years from the conclusion of the contract. Otherwise, the macroeconomic analyses and general tendency determinations are created anonymously if possible.

Applicants and employees

9. Applicants and employees

We only process the applicant data for the purpose of and within the scope of the application procedure in accordance with the legal requirements. The processing of the applicant data is carried out to fulfil our (pre)contractual obligations within the scope of the application procedure within the meaning of Art. 6 para. 1 lit. b. GDPR. Art. 6 para. 1 lit. f. GDPR is applicable insofar as the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, Section 26 BDSG also applies).

The application procedure requires that applicants provide us with the applicant data. The necessary applicant data are marked if we offer an online form, or otherwise result from the job descriptions and generally include personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting an application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and to the extent set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily provided within the scope of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) lit. b GDPR (e.g. health data, such as severely disabled status). Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants in the context of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) a GDPR (e.g. health data, if this is necessary for the exercise of the profession). If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Furthermore, applicants can send us their applications via e-mail. Please note, however, that e-mails are generally not encrypted and applicants must ensure that they are encrypted themselves. We cannot therefore accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend rather using an online form or sending by post. This is because instead of applying via the online form and e-mail, applicants still have the option of sending us the application by post.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicant, deletion takes place after the expiry of a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

Talent pool

+

9.1 Talent pool

As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years on the basis of consent within the meaning of Art. 6 Para. 1 lit. a. and Art. 7 GDPR.

The application documents in the talent pool will be processed solely within the framework of future job advertisements and the employee search and will be destroyed at the latest after the deadline. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future.

Handling of applicant data

+

9.2 Handling of applicant data

We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated as strictly confidential.

Scope and purpose of data collection

+

9.3 Scope and purpose of data collection

When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given us consent - Art. 6 para. 1 lit. a GDPR. This consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG and Art. 6 Para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

Retention period of the data

+

9.4 Retention period of the data

If we are unable to make you a job offer, if you reject a job offer or if you withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if legal storage obligations prevent deletion.

Status: 1st July 2021