Data Privacy

As of 15 December 2025

We, Hamburger Hochbahn AG (HOCHBAHN), as the operator of the mobility service hvv switch, take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations.

When you use this website, the hvv switch app or our social media channels, various types of personal data are collected. Personal data is data that can be used to identify you personally.

This privacy policy informs you about what data is processed for what purposes when you use the hvv-switch.de website or our social media channels. You will also find information about how long the data is stored, how it is passed on to third parties and your rights.

You can find the privacy policy of the hvv switch app here. Further information on data protection at HOCHBAHN can be found here.

A. Responsible body and data protection officer

Responsible body

The responsible body is the natural or legal person who, alone or jointly with others, decides on the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

The responsible body for hvv switch in terms of data protection law is:

Hamburger Hochbahn AG
Sales and Transport Management Division
Steinstraße 20
20095 Hamburg

Telephone: +49 40 3288-6363
Email info@hvv-switch.de

Data Protection Officer

We have appointed a data protection officer; you can contact them as follows:

Hamburger Hochbahn AG
Data Protection Department
Steinstr. 20
20095 Hamburg

Email datenschutzbeauftragter@hochbahn.de

B. Registration for hvv switch

When you register for hvv switch, you specify your login details (e-mail address and password). We process this personal data as part of setting up your user account. Your user account is a prerequisite for you to be able to use mobility services in the hvv switch app (via corresponding activations).

Data processing for registration purposes is carried out on the basis of Art. 6 para. 1 lit. b of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter „GDPR“).

C. Use of our website hvv-switch.de

C.1 Hosting

We host the content of our website with Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter referred to as Hetzner). Details on data protection at Hetzner can be found in Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy/.

The use of Hetzner is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in ensuring that our website is as reliable as possible. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Sec. 25 para.1 Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Telecommunications Digital Services Data Protection Act, hereinafter „TDDDG“), insofar as the consent covers the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

C.2 Data collection on this website

C.2.1 Use of cookies

We use so-called "cookies". Cookies are small data packets that are temporarily stored on your terminal device when you visit this website. They contain, for example, information about the language, page settings, your e-mail address and your name (when you log in).

Cookies have various functions. Numerous cookies are technically necessary, as certain website functions are not available without them (e.g. the shopping basket function or the display of videos). Other cookies are used to evaluate user behaviour or display advertising.

Cookies are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or your web browser automatically deletes them.

In some cases, cookies from third-party companies may also be stored on your device when you visit our site (third-party cookies). These enable us and you to use certain services provided by the third-party company (e.g. cookies for processing payment services).

Cookies that are necessary for the electronic communication process, for the provision of certain functions you have requested (e.g. for the shopping basket function) or for the optimisation of the website (e.g. cookies for measuring the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR (overriding legitimate interest), unless another legal basis is specified.

We have a legitimate interest in storing necessary cookies for the technically error-free and optimised provision of our services. If consent to the storage of cookies and similar recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6para. 1 lit. a GDPR and Sec. 25 para.1 TDDDG); consent can be revoked at any time.

You can set your browser to notify you when cookies are set. This allows you to allow cookies in individual cases or for certain cases, or to generally exclude them, as well as to activate the automatic deletion of cookies when you close your browser. If you deactivate cookies, the functionality of this website may be limited.

If cookies from third-party companies or for analysis purposes are used, we will inform you separately in this privacy policy and, if necessary, ask for your consent.

You can edit your cookie settings here: Go to the german data protection site and you can find the cookie button right on top of the page.

C.2.2 Cookie consent with Cookiebot

Our website uses Cookiebot's consent technology to obtain your consent to store certain cookies on your device or to use certain technologies and to document this in accordance with data protection regulations. This technology is provided by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter "Cookiebot").

When you visit our website, a connection is established to Cookiebot's servers in order to obtain your consent and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser to assign the consents given or their revocation. The data collected in this way is stored until you request us to delete it, delete the Cookiebot cookie yourself or the purpose for data storage no longer applies. Mandatory legal retention obligations remain unaffected.

Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

C.2.3 Server log files

Our website provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• browser type and browser version,

• Operating system used,

• referrer URL,

• Host name of the accessing computer,

• Time of the server request,

• IP address.

This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR (overriding legitimate interest). We have a legitimate interest in the technically error-free presentation and optimisation of our website – for this purpose, the server log files must be collected.

C.2.4 Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested. Consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your enquiry has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.

When processing enquiries and complaints that you send us via the contact form, this data may be forwarded to the departments responsible for handling the respective issues and questions. These responsible departments are primarily other transport companies in the Hamburg Transport Association (hereinafter „hvv“), which have provided the transport service or are responsible for certain sales channels and the operation of infrastructure. The same applies to mobility service providers whose services are made available via hvv switch, or to the payment service providers used. Depending on the content of an enquiry or complaint, it may also be forwarded to other departments. This applies in particular to the affiliated companies associated with HOCHBAHN, but also to external companies such as Stadtreinigung Hamburg (Hamburg City Cleaning) or the relevant authorities. Forwarding only takes place to the extent that it is necessary and appropriate for processing the request. We base such forwarding to other competent bodies for the purpose of processing enquiries and complaints on an overriding legitimate interest on our part (Art. 6 para. 1 lit f GDPR). Forwarding enables the quick and comprehensive processing of the matter in question by the body that also has the information required for processing. It relieves you, the customer, of the need to find out in advance about the distributed responsibilities within hvv, in the hvv switch environment or within the HOCHBAHN shareholding structure. We do not see any conflicting overriding legitimate interest, as the enquiries and complaints in question are submitted to us precisely with the aim and desire that they be processed by the responsible body.

C.2.5 Form for reporting illegal parking, littering and damage at hvv switch points

If you send us information about illegal parking at hvv switch points using the reporting form, your details, including your first and last name and your email address, will be recorded for the purpose of reporting and processing the illegal parking. Your personal data will not be stored by HOCHBAHN, but will be forwarded to our parking space monitoring service provider (PRS Parkraum Service GmbH, Kirchplatz 7, 58739 Wickede (Ruhr); hereinafter referred to as PRS) when you submit the form and will be processed there. Only the photo of the illegally parked vehicle will be stored by HOCHBAHN for a period of three months for the purpose of preserving evidence and will then be deleted (statute of limitations according to Section 26 para.3 of the Straßenverkehrsgesetz (Road Traffic Act). Information on data protection and the handling of your personal data at PRS can be found in their privacy policy.

If you send us information about dirt or damage at hvv switch points, you have the option of providing your name and email address. This information is voluntary. This data is processed by HOCHBAHN. The data you provide will be used exclusively for the purpose of processing your report. If you have provided your name and email address, this information will be deleted immediately after the necessary measures to remove the dirt or repair the damage have been completed. If you decide to report anonymously at , no personal data will be stored.

In principle, the information provided on the forms and your personal data are voluntary. We base the processing on Art. 6 para. 1 lit. f GDPR (overriding legitimate interest). We have a legitimate interest in eliminating contractual disruptions (illegal parking) as well as dirt and damage at hvv switch points and in making the available car-sharing parking spaces available to our hvv switch customers in the best possible condition. Due to the voluntary nature of your report, we do not see any legitimate interest on your part that conflicts with or outweighs our legitimate interest.

We use ProcessWire, a content management system (CMS), to display the forms described here. By using ProcessWire, we process certain personal data in order to provide you with a user-friendly and personalised online experience. The personal data processed by ProcessWire is used for the purpose of providing and maintaining our website. This includes displaying content and improving website functionality. ProcessWire enables us to process data such as IP addresses, browser information and, if provided, personal data such as your name and email address, which you have provided to us, for example, via the contact form provided. The processing of your data by ProcessWire is based on our legitimate interest in the efficient provision and maintenance of the functions of our website (Art. 6 para. 1 lit. f GDPR) and, where applicable, on the basis of your consent, which you have given us, for example, for the use of cookies (Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG).

C.3 Plugins and tools

C.3.1 YouTube with enhanced data protection

This website embeds videos from the YouTube website. The operator of the site is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the extended data protection mode does not necessarily exclude the transfer of data to YouTube partners. YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to YouTube's servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, YouTube allows you to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve user-friendliness and prevent fraud attempts.

After starting a YouTube video, further data processing operations may be triggered over which we have no control.

The use of YouTube is in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on data protection at YouTube can be found in their privacy policy at:https://policies.google.com/privacy?hl=en.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

C.3.2 Google Maps

This site uses the Google Maps map service. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. We have no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform font display. When you access Google Maps, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the locations we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

For more information on how user data is handled, please refer to Google's privacy policy:
https://policies.google.com/privacy?hl=en.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

C.3.3 Spotify

This website incorporates features from the Spotify music service. The provider is Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden. You can recognise the Spotify plugins by the logo on this website. An overview of the Spotify plugins can be found at:
https://developer.spotify.com.

By integrating Spotify, a direct connection between your browser and the Spotify server can be established via the plugin when you visit this website. Spotify receives the information that you have visited this website with your IP address. If you click on the Spotify button while you are logged into your Spotify account, you can link the content of this website to your Spotify profile. This allows Spotify to associate your visit to this website with your account.

Please note that when using Spotify, cookies from Google Analytics are used so that your usage data can also be passed on to Google when using Spotify. Google Analytics is a tool from the Google Group based in the USA for analysing usage behaviour. Spotify is solely responsible for this integration. We, as the website operator, have no influence on this processing.

The storage and analysis of data is based on Art. 6 para. 1 lit. f GDPR (overriding legitimate interest). We have a legitimate interest in the appealing acoustic design of our website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG, insofar as the consent covers the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on this can be found in Spotify's privacy policy:
https://www.spotify.com/de-en/legal/privacy-policy/.

If you do not want Spotify to associate your visit to this website with your Spotify user account, please log out of your Spotify user account.

C.4 Analysis tools and advertising

C.4.1 Google Analytics

We use functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables us to analyse the behaviour of website visitors. In doing so, we receive various data from users, such as page views, length of stay, operating systems used and the origin of the user. This data is assigned to the respective end device of the user. It is not assigned to a user ID.

Furthermore, we can use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modelling approaches to supplement the data sets collected and employs machine learning technologies in data analysis.

Google Analytics uses technologies that enable the recognition of users for the purpose of analysing usage behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the USA and stored there.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

Browser plugin

You can prevent Google from collecting and processing your data by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en.

For more information on how Google Analytics handles user data, please refer to Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=en.

Google Signals

We use Google Signals. When you visit our website, Google Analytics collects your location, search history, YouTube history and demographic data (visitor data), among other things. This data can be used for personalised advertising with the help of Google Signals. If you have a Google account, Google Signals links the visitor data to your Google account and uses it for personalised advertising messages. The data is also used to create anonymous statistics on the usage behaviour of our visitors.

Order processing

We have concluded a contract with Google for order processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

C.4.2 Google Ads

We use Google Ads. Google Ads is an online advertising programme from Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms in Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available to Google (e.g. location data and interests) (target group targeting). As website operators, we can evaluate this data quantitatively, for example by analysing which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://policies.google.com/privacy/frameworks and here:
https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information on this can be found under point F. EU-U.S. Data Privacy Framework.

C.4.3 Adjust

In order to optimise our marketing activities, we use the service provider Adjust (Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin). The purpose of data processing with Adjust is to analyse user behaviour and the path by which the user arrived at the hvv switch app. The usage analyses are evaluated and used to optimise user communication. Data is collected during the measurement and processed in pseudonymised form. The data is determined by Adjust using various methods. These include the use of advertising IDs, device IDs, Adjust reftags and the so-called "hashed fingerprint" (use of publicly available device statistics). The data collected via Adjust provides information, for example, about the download of the hvv switch app, the online advertising channel through which the download was generated, and the time at which the hvv switch app was opened.

The analysis by Adjust helps us to continuously improve our communication and tailor it to your needs. Further information on data processing by Adjust can be found at
https://www.adjust.com/terms/privacy-policy/.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Here you can access the App Store and the Play Store without being redirected via Adjust:

App Store (Apple)
Google Play Store

C.4.4 Google Looker Studio

We use Google Looker Studio – software from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google Looker Studio is used to manage and visualise data from the aforementioned analysis tools. We can only evaluate data in Google Looker Studio if you have permitted the use of the respective tool.

We use Google Looker Studio for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically evaluating usage behaviour, we can improve our offering and make it more interesting for you as a user.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and here:
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

For more information on how Google Looker Studio processes your data, please visit
https://cloud.google.com/looker/privacy-policy/

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

C.4.5 Meta Pixel

We use Meta's visitor action pixel to measure conversions. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter "Meta"). However, according to Meta, the data collected is also transferred to the United States and other third countries.

This allows the behaviour of our website visitors to be tracked after they have been redirected to our website by clicking on a Meta advertisement. This enables the effectiveness of Meta advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimised.

The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Meta, so that a connection to the respective user profile on Facebook or Instagram is possible and Meta can use the data for its own advertising purposes in accordance with the Meta Data Use Policy (https://www.facebook.com/about/privacy/). This enables Meta to place advertisements on Facebook or Instagram pages and other advertising channels. As the website operator, we have no influence over this use of the data.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Meta, we and Meta are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transfer to Meta. The processing by Meta after the transfer is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The wording of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Meta tool and for the data protection-compliant implementation of the tool on our website. Meta is responsible for the data security of Meta products. You can assert your rights as a data subject (e.g. requests for information) regarding the data processed by Facebook or Instagram directly with Meta. If you assert your rights as a data subject with us, we are obliged to forward them to Meta.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found at:
https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381.

You can find further information on the protection of your privacy in Meta's privacy policy:
https://www.facebook.com/about/privacy/.

You can also deactivate the "Custom Audiences" remarketing function in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.

If you do not have a Facebook or Instagram account, you can deactivate usage-based advertising from Meta on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). For more information, see section F. EU-U.S. Data Privacy Framework.

C.4.6 TikTok Pixel

We have integrated the TikTok Pixel into this website. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter "TikTok").

With the help of TikTok Pixel, we can display interest-based advertising on TikTok (TikTok Ads) to visitors to our website who have viewed our offers. At the same time, we can use TikTok Pixel to determine how effective our advertising on TikTok is. This allows us to evaluate the effectiveness of TikTok advertisements for statistical and market research purposes and to optimise them for future advertising measures. Various usage data is processed in this process, such as IP address, page views, length of stay, operating systems used and origin of the user, information about the ad that a person clicked on TikTok or an event that was triggered (timestamp). This data is summarised in a user ID and assigned to the respective end device of the website visitor.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Sec. 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to third countries is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.tiktok.com/legal/page/eea/privacy-policy/en and here:
https://ads.tiktok.com/i18n/official/policy/controller-to-controller.

C.4.7 The Trade Desk

We use the services of The UK Trade Desk Ltd., 1 Bartholomew Close, London, EC1A 7BL, United Kingdom (hereinafter "Trade Desk"), as a demand-side platform (DSP) to run digital advertising campaigns on various channels (web, apps, audio, connected TV), measure their success and optimise their delivery. In addition, the platform is used for device/household mapping to ensure consistent delivery. Other purposes include limiting ad frequency, fraud detection and reporting.

When using the platform, cookie IDs, IP addresses, device and browser information, usage and event data, timestamps and referrers are processed in particular. If the UID2/EUID function is used, a pseudonymous advertising identifier is also generated from an email address or telephone number. This data is hashed or tokenised so that it cannot be traced back. The identifier is used for cross-channel addressability.

Trade Desk cookies are set and read exclusively on the basis of your consent in accordance with Sec. 25 para. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a GDPR. These technologies will not be activated without your consent. The further processing of data by us for marketing and optimisation purposes is also based on Art. 6 para. 1lit. a GDPR.

International data transfers may occur, in particular to the USA. These transfers are described in The Trade Desk's Platform Privacy Policy. The UK Trade Desk Ltd. is designated as the controller or processor for processing within the European Economic Area. We tie such transfers to your consent and appropriate safeguards.

Cookie-based identifiers and DSP data are stored in accordance with the terms specified in the consent banner. After you revoke your consent, the cookies are deactivated and deleted. The Trade Desk describes its storage and security measures here:
https://www.thetradedesk.com/legal/privacy.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

D. hvv switch on social networks

We maintain publicly accessible profiles on social networks.

This section of the privacy policy applies to the following social media sites where we provide information about hvv switch:

• https://www.facebook.com/hvvswitch/

• https://www.instagram.com/hvv_switch/

• https://www.youtube.com/@hvvswitch620

• https://www.tiktok.com/@hvvswitch

Detailed information on the individual social networks we use can be found below.

D.1 Data processing by social networks

Social networks can usually analyse your usage behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media sites triggers numerous data processing operations relevant to data protection, which are described below.

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection is carried out, for example, via cookies stored on your device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed to you on all devices on which you are or have been logged in.

Please note that we cannot track all processing operations on social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

D.1.1 Legal basis

Our social media presence is intended to ensure the most comprehensive presence possible on the internet. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit f GDPR. The analysis processes initiated by social networks may be based on different legal grounds, which must be specified by the operators and operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

D.1.2 Responsible parties and assertion of rights

When you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operators of the respective social media portal (e.g. Facebook).

Please note that despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

You have the right to obtain information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

D.1.3 Storage period

The data collected directly by us via our social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see the following section).

D.2 Social networks in detail

D.2.1 Facebook

We operate the "hvv switch" profile on Facebook. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta, the data collected is also transferred to the USA and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we and Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum and
https://www.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy:
https://www.facebook.com/about/privacy/.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

D.2.2 Instagram

We have a profile called "hvv_switch" on Instagram. This service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transfer to the USA is based on the standard contractual clauses of the European Commission. Details can be found here:
https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and
https://www.facebook.com/help/566994660333381.

For details, please refer to Instagram's privacy policy:
https://help.instagram.com/519522125107875.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information can be found under point F. EU-U.S. Data Privacy Framework.

D.2.3 YouTube

We have a channel called "@hvvswitch620" on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For details, please refer to YouTube's privacy policy:
https://policies.google.com/privacy?hl=en.

The company is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Additional information on this can be found under point F. EU-U.S. Data Privacy Framework.

D.2.4 TikTok

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

Data transfers to non-secure third countries are based on the standard contractual clauses of the EU Commission.

For details on data transfer and the handling of your personal data, please refer to TikTok's privacy policy:
https://www.tiktok.com/legal/privacy-policy?lang=en.

E. Customer service enquiries

If you contact us by e-mail, telephone or fax, your enquiry, including all resulting personal data (name, enquiry), will be stored and processed by us for the purpose of processing your request.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR, provided that your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested; consent can be revoked at any time.

The data you send us via contact request will remain with us until you request us to delete it, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.

When processing enquiries and complaints that you send us, this data may be forwarded to the departments responsible for handling the respective issues and questions. These responsible departments are primarily other transport companies in the hvv that have provided the transport service or are responsible for certain sales channels and the operation of infrastructure. The same applies to mobility service providers whose services are made available via hvv switch, or to the payment service providers used. Depending on the content of an enquiry or complaint, it may also be forwarded to other departments. This applies in particular to the affiliated companies associated with HOCHBAHN, but also to external companies such as Stadtreinigung Hamburg (Hamburg City Cleaning) or the relevant authorities. Forwarding only takes place to the extent that it is necessary and appropriate for processing the request. We base such forwarding to other competent bodies for the purpose of processing enquiries and complaints on an overriding legitimate interest on our part (Art. 6 para. 1 lit. f GDPR). Forwarding enables the quick and comprehensive processing of the matter in question by the body that also has the information required for processing. It relieves you, the customer, of the need to find out in advance about the distributed responsibilities within hvv, in the hvv switch environment or within the HOCHBAHN shareholding structure. We do not see any conflicting overriding legitimate interest, as the enquiries and complaints in question are submitted to us precisely with the aim and desire that they be processed by the responsible body.

F. EU-U.S. Data Privacy Framework

We also use service providers who are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The EU-U.S. DPF is an agreement between the European Union and the United States that aims to ensure compliance with European data protection standards when data is processed in the United States. Every company certified under the EU-U.S. DPF undertakes to comply with these data protection standards. Further information on this can be found at the following link: https://www.dataprivacyframework.gov/.

If a company is certified under the EU-U.S. DPF, data is transferred to the United States in accordance with Art. 45 GDPR on the basis of an adequacy decision by the European Commission dated 10 July 2023. Such an adequacy decision makes it possible to transfer personal data from the EU to the third country in question without the need for further transfer instruments or additional measures.

G. Storage period

Unless a specific storage period is specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods). If there are legally permissible reasons, the deletion will take place after these reasons no longer apply.

H. Data protection rights

The GDPR grants certain rights to data subjects whose personal data is processed by us, which we would like to explain to you here. If you have any questions about this or other data protection issues at hvv switch, please feel free to contact us as the controller or our data protection officer. You will find the contact details in section A.

H.1 Information, deletion and correction

You have the right to request information about your personal data stored by us at any time and free of charge. This includes information about the purpose of the processing, the category of data used, its recipients and the planned duration of data storage or the criteria for determining this duration. Furthermore, you have the right to have the data deleted and/or corrected, in particular if the data is incomplete or incorrect, is no longer necessary for the purpose for which it was collected, or if you have revoked your consent to its processing.

H.2 Withdrawal of consent

If data processing is carried out with your consent, you can revoke this consent at any time. An informal notification by e-mail is sufficient for this purpose. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

H.3 Right to object

If data processing is carried out on the basis of a legitimate interest on our part, you have the right to object to the data processing. This requires reasons arising from your particular situation (Art. 21para. 1 GDPR).

H.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases:

• If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.

• If the processing of your personal data was or is unlawful, you can request the restriction of data processing instead of erasure.

• If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure.

• If you have lodged an objection pursuant to Art. 21para. 1 GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.

H.5 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a structured, commonly used and machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.

H.6 Right to lodge a complaint with a supervisory authority

If you believe that we are violating data protection law, you have the right to lodge a complaint with a supervisory authority. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies . In Hamburg, you can contact the competent supervisory authority at: Hamburger Beauftragter für Datenschutz und Informationsfreiheit (The Hamburg Commissioner for Data Protection and Freedom of Information), Ludwig-Erhard-Str. 22, 20459 Hamburg, email: mailbox@datenschutz.hamburg.de.