A. Why is data protection important?
We, Hamburger Hochbahn AG, are pleased about your interest in hvv Any. With our hvv Any service, we offer you the opportunity to use hvv transportation without having to deal with choosing a suitable hvv ticket in advance. You check in the hvv Any app before starting your journey and hvv Any automatically recognizes the route you have taken.
Within this privacy policy we would like to inform you about the handling of your personal data in the context of hvv Any. Your personal data includes all information that can be assigned to you as a person. This includes name, e-mail address, mobile phone number, location and payment data.
The protection of your privacy is very important to us. Your personal data will only be processed in accordance with data protection regulations. You can find more details about the purpose and legal basis of the respective processing under C. Purpose and legal basis of processing.
B. Who is responsible?
The responsible party for the processing of your personal data in connection with the use of the hvv Any App is Hamburger Hochbahn AG, Sales and Transportation Department, Steinstraße 20, 20095 Hamburg (HOCHBAHN).
If you have any questions about this privacy policy or about the processing of your personal data, please feel free to contact our data protection officer by e-mail: datenschutzbeauftragter@hochbahn.de.
If you have general questions about hvv Any, please contact hvv.any@hochbahn.de.
C. Purpose and legal basis of the processing
Below we provide you with an overview of the purpose and legal basis for the processing of your personal data. A more detailed description of the processing of your personal data as well as the respective purpose of processing can be found under D. Which personal data are processed for which purpose?
Provision of services
First and foremost, we process your data in order to be able to perform and bill you for the services you have used. This includes, for example, the creation of your user account ("hvv switch profile") and the use of hvv Any. In addition, we transmit personal data to our payment service provider for the payment process. The legal basis for the data processing is the necessity for the fulfillment of the contract with (Art. 6 para. 1 lit. b of Regulation (EU) 2016/679 (General Data Protection Regulation, DSGVO) or the protection of legitimate interests (Art. 6 para. 1 lit. f DSGVO).
Legal obligations
We process your personal data if and to the extent necessary to comply with legal obligations (e.g., tax retention obligations) (Art. 6(1)(c) DSGVO).
Enforcement of legal claims
Furthermore, we process your personal data if this is necessary to enforce claims or other legal claims. The legal basis for data processing in these cases is the necessity for the fulfillment of the contract with HOCHBAHN (Art. 6 para. 1 lit. b DSGVO) or the protection of legitimate interests (Art. 6 para. 1 lit. f DSGVO).
Security of the systems, prevention of criminal acts.
Another purpose of the processing is to ensure the security of our systems and, for example, the prevention and detection of fraud and other criminal acts. The legal basis for the data processing is the protection of legitimate interests by HOCHBAHN (Art. 6 (1) f DSGVO).
Improvement of our services
We are constantly improving our services. For this purpose, we use anonymized data. The legal basis for data processing is the safeguarding of legitimate interests by HOCHBAHN (Art. 6 (1) lit. f DSGVO).
D. Which personal data is processed for which specific purpose?
1. informational use
If you use the hvv Any App for informational purposes, i.e. you have not registered, we only process personal data that is necessary for us to enable you to use the hvv Any App. This includes, for example, the device identification number (DeviceID for Android, IDFA for iOS), language and version of the app, operating system and date and time of the request. These automatically collected personal data are processed by us in order to be able to ensure a functional, stable hvv Any App, to enable an optimization of the hvv Any App (e.g. through appropriate adaptations of the App for your mobile device) and also to ensure the security of our information technology systems.
The data processing for informational use is based on Art. 6 para. 1 lit. f DSGVO.
2. registration in the hvv Any App
When you register in the hvv Any App, you use it to set your login details (email address and password). We process this personal data by using it to set up your hvv switch user account. Your user account is the prerequisite for you to be able to use our hvv Any service in the hvv Any App. If you already have an hvv switch user account, you can use it for your registration in the hvv Any App.
The data processing for registration is based on Art. 6 para. 1 lit. b DSGVO.
3 Activation for hvv Any
With the hvv Any App, we offer you the possibility to use our service hvv Any. For this use, additional information of personal data as well as validations of your personal data are necessary.
This concerns the specification of
Your first and last name,
your date of birth and
your payment data
Without this information it is not possible to use the hvv Any service. Additional information in your user account is optional for you.
The data processing for activation is based on Art. 6 para. 1 lit. b DSGVO.
With successful activation, we process your contact and, if applicable, address data in order to inform you about contract-relevant changes to our service hvv Any as well as to send you other legally required information.
4 Booking and use of hvv Any
With our service hvv Any we offer you the possibility to use the hvv means of transport without having to deal with the selection of a suitable hvv ticket in advance. You check in to the hvv Any app before starting your journey and hvv Any automatically recognizes the route you have taken. For this we need access to the following system services of your smartphone for the purpose mentioned below:
Location Services (GPS)
The location services (GPS) are important for determining your locations (e.g. your current location, start stop, start and destination).
Motion sensors
The motion sensor technology of your smartphone serves as a support to distinguish walking and cycling from the use of our means of transport, among other things.
Bluetooth and WLAN
Bluetooth and WLAN of your smartphone also serve as support to be able to secure the trip determination results, especially in tunnels.
Internet connection
The internet connection is necessary to ensure a smooth communication with our background system. Only there the formation of the journeys and the determination of the prices takes place.
Therefore it is necessary that you also activate or keep active these services during the whole time of using hvv Any.
We use the aforementioned information collected within the framework of hvv Any to record your use of the hvv means of transport. This happens regardless of whether the hvv Any app is open - but only after check-in has taken place. If the required system services are active, this is usually indicated by corresponding icons or functions on your mobile device. You can activate or deactivate these system services at any time via the settings in the operating system of your mobile device. Before using our service hvv Any, i.e. before each so-called check-in, we inform you that the system services and the location detection have to be activated. By using hvv Any you agree that the mentioned systems are used and that the access to your personal data and your movement data is generally permitted for the maintenance of the system operation and the clarification of your customer request. You can find additional information on this under E.2 Service providers for determining journeys and prices within the framework of hvv Any.
We use this data from you to correctly record your journeys with the hvv means of transport. We do not collect this data to create a movement profile.
The data processing for location recording as well as the use of the aforementioned system service data is based on Art. 6 (1) lit. b DSGVO. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 Telecommunications Telemedia Data Protection Act (TTDSG). The consent can be revoked at any time.
If you use our hvv Any service via the hvv Any app, we assign the associated usage or purchase data to your user account. In this context, we also process, for example, your name and necessary location data. We display the hvv Any services you have used (active and completed) in your user account.
If there are disruptions or similar in connection with the use of our hvv Any service, we will use your contact data to inform you about this, e.g. via email, SMS, in-app or push message.
5. payment and billing
In order for you to use our service hvv Any via the hvv Any App, it is necessary to store a valid means of payment in your user account.
To carry out the payment process and for the purpose of selling and assigning our receivables from you, we transmit personal data to our payment service provider LogPay Financial Services GmbH ("LogPay"). Our payment service provider processes and stores your personal data for the purpose of processing payments, assessing the admissibility of payment methods and avoiding payment defaults, as well as for receivables management. You can find additional information on this under E.1 Payment service provider.
If you choose credit card as a payment method, the necessary payment information (e.g. credit card provider, holder, number, expiration date and verification number) will be stored directly at LogPay. The processing of personal data is carried out in each case by LogPay as its own controller.
If you want to use PayPal as a payment method, it is necessary in a first step that you link your PayPal account with your hvv switch user account. In the context of this account linking, you have the option of transferring personal data already stored in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there. Thus, we offer you the option of a faster and more convenient entry of personal data.
The transfer of your data to PayPal is based on Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. b DSGVO. You can find additional information about this under E.1 Payment service provider.
You also have the option to pay for the hvv Any Service via a mobility budget provided by your employer. For this purpose we have integrated hvv-m DB Bonvoyo as a possible means of payment. You can find more information about this under E.1. payment service provider.
For each day on which you use the hvv Any service via the hvv Any app, we create an invoice and process your personal data in this context (e.g. your name, date and place of use of the respective service). We send the invoices exclusively by e-mail.
6. customer service
When you contact us, for example, by submitting an inquiry or providing feedback, we store this information in order to process your inquiry or respond to your feedback. We will contact you about your inquiry or feedback when necessary to address your concerns.
The data you send us by contact request will remain with us until you ask us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g., after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.
In case of service and for the purpose of error analysis, you have the option to provide us with additional information from your mobile device. A function linked in the version display of the hvv Any app can be used for this purpose. As a rule, our customer service will ask you to click on this link. When you click on the link, an event log file will be created for the exact day and limited to the period of use of the hvv Any App. This file will be forwarded to us after your confirmation. A direct personal reference cannot be established on the basis of the information available in the file. The processing of this data is based on Art. 6 (1) lit. b DSGVO, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO), if this has been requested; the consent can be revoked at any time.
E. Is data passed on?
1. payment service provider
LogPay
To enable and carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn ("LogPay"). In addition, we also pass on personal data for the settlement of further claims (e.g. settlement of damages incurred) arising from the booking/use. Our payment service provider processes and stores your personal data for the purpose of processing payments, evaluating the admissibility of payment methods and avoiding payment defaults, as well as for receivables management.
For more information about the data processing by LogPay, please visit https://www.logpay.de/DE/datenschutzinformationen/. Please note that this information also states that if you are not yet known to LogPay, LogPay will transmit your data to credit agencies (such as SCHUFA) to verify your information and creditworthiness in order to avoid a payment default.
PayPal
We have integrated a SDK (Software Developer Kit) from PayPal into the hvv Any App to offer you an easy way to pay with PayPal. Provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. By means of the SDK, PayPal collects and processes your IP address as well as device information, technical usage data and location data. We have no influence on this data transmission and processing. You can find more information about PayPal's data processing at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
Mobility budget hvv-m DB Bonvoyo
In order to give you the possibility to settle our service hvv Any in the hvv Any app via a mobility budget provided by your employer, we have integrated hvv-m DB Bonvoyo as a possible means of payment. The provider of hvv-m DB Bonvoyo is Deutsche Bahn Connect GmbH ("DB Connect"), Mainzer Landstraße 169, 60327 Frankfurt am Main. If you use this function, the data required for use will be transferred between DB Connect and us. We have no influence on the data processing within DB Connect. You can find more information about data processing within the mobility budget at https://www.deutschebahnconnect.com/produkte/mobilitaetsbudget/DSE_Bonvoyo_App.pdf.
2. service provider for determining journeys and prices within the framework of hvv Any
The determination of the distance traveled and the subsequent calculation of the fare to be paid is carried out with the involvement of the order processor Scheidt & Bachmann GmbH, Breite Str. 132, 41238 Mönchengladbach. For this purpose, we have built an SDK (Software Developer Kit) of the provider into the hvv Any App. In doing so, we adhere to all provisions of the applicable European data protection laws. We have secured compliance with these provisions through corresponding agreements with the company processing the order.
3 Other service providers used
We use various service providers who process personal data from you on our behalf. These have been carefully selected by us and process the personal data exclusively according to the instructions and under the control of us. In particular, these are the following service providers:
Hosting and operation:
Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany.
Bechtle GmbH, Bernhard-Nocht-Str. 113, 20359 Hamburg, Germany
Sending e-mail and SMS:
Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland
F. What analytics tools do we use and why?
Google Firebase
We have integrated an SDK (Software Developer Kit) from Google Firebase into the hvv Any App in order to better understand how our app is used and to improve our offering. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase provides various products, of which we use Analytics for Firebase and Crashlytics. The pseudonymized information about the use of our app collected via Google Firebase provides us with information about, for example, the number of app openings in a period of time, app crashes, provides insights into particularly popular features as well as the number of in-app purchases and the total number of users in a certain period of time. For more information on data processing by Google Firebase, please visit https://www.firebase.com/terms/privacy-policy.html .
Legal basis of processing for Analytics for Firebase: You actively decide whether you want to allow the use of Analytics for Firebase to optimize our offer. For this purpose, we ask for your consent once when you first start the hvv Any app. In addition, you have the option to adjust your consent in the privacy settings of the hvv Any App at any time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv Any App at any time (revocation of consent).
Legal basis of processing at Crashlytics: At Crashlytics, data on the operation of the app, including the type of operating system used, information on malfunctions during operation (type, time and duration of the malfunction as well as use of the app at the time of the malfunction) and device information are processed. Based on this data, we can obtain an overview of various malfunctions when malfunctions or problems occur during the operation of the hvv Any App and weight them based on their relevance for use in order to ensure efficient troubleshooting and to ensure the stability of the App. The data processing is based on Art. 6 para. 1 lit. f DSGVO. We have a legitimate interest in identifying and fixing stability issues that affect the quality of the hvv Any App. In this way, we also increase the user-friendliness of the hvv Any App for our customers. Since the processing of the data is done in pseudonymized form and you can at any time prevent the use of this data by the hvv Any App in the privacy settings of the hvv Any App (objection), an overriding opposing legitimate interest is not apparent.
G. How long will my data be stored?
As your contractual partner, we process and store your personal data only as long as it is necessary for the fulfillment of contractual and legal obligations. In doing so, we differentiate between the various categories of data. Basically, we keep data only from registered customers. This is done only at the request of the customer, so as not to have to store personal data again in the event of repeated use of our offer.
If data is no longer required for the immediate fulfillment of contractual or legal obligations, for example because it relates to sales that have already been invoiced, it is regularly deleted. This does not apply to data whose (temporary) continued storage is required for the following purposes:
Compliance with retention periods under commercial or tax law: These include, for example, the German Commercial Code and the German Fiscal Code. The retention and documentation periods stipulated there are up to 10 years.
Preservation of evidence within the framework of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods are generally 3 years, but can also be up to 30 years in individual cases.
Movement data for the determination of journeys in the context of the use of hvv Any will be stored for a maximum of four months from the time of the determination of the movement data. Data on journeys and journey chains from the use of hvv Any will be stored for a maximum of seven months from the time the journey was determined. The storage takes place for the clarification and traceability of possible complaints.
H. What rights do you have in connection with data protection
The GDPR grants data subjects whose personal data is processed by us certain rights, which we would like to inform you about at this point. For this purpose, as well as for further questions regarding data protection at hvv Any, you are welcome to contact us as the responsible party or our data protection officer. You can find the contact details under B. Who is responsible?
1. information, deletion and correction
You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or, if this is not possible, the criteria for determining this duration. Furthermore, you have the right to erasure and/or rectification of the data, in particular if the data is incomplete or inaccurate, it is no longer necessary for the purpose for which it was collected, or the consent to the processing has been revoked by you.
2. revocation of consent
Insofar as the data processing is carried out with your consent, you can revoke this consent at any time. An informal message by e-mail is sufficient for this purpose. You can revoke consent given for the analysis of your usage behavior in the privacy settings under Settings in the hvv Any app. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
3. right of objection
Insofar as the data processing is based on a legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this are reasons arising from your particular situation (Article 21 (1) DSGVO).
4. right to restriction of processing
You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to verify this.
- For the duration of the review, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data has happened/is happening unlawfully, you may request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but require it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of the erasure.
- If you have lodged an objection pursuant to Art. 21 (1) DSGVO, a balancing of your and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
5. right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as this is technically feasible.
6. right of complaint to a supervisory authority
If you are of the opinion that we are violating data protection law, you have the right to lodge a complaint with a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies. In Hamburg, you can reach the responsible supervisory authority at: The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, e-mail: mailbox@datenschutz.hamburg.de.
Status: February 2023