Privacy Policy for the hvv switch app

A. Why is data protection important?

We, Hamburger Hochbahn AG, are grateful for your interest in hvv switch. Through the hvv switch app, hvv switch enables you to make use of a number of different mobility services in Hamburg using just one single app, without having to register separately with each individual mobility provider. The long-term goal of hvv switch is to create a simple and reliable alternative to private car use with the hvv switch app and its integrated mobility services.

Within the scope of this Privacy Policy, we would like to inform you about how your personal data is handled and processed in cases relating to hvv switch. Your personal data includes all information that can be assigned to you as a person. This includes your name, email address, mobile phone number, location and payment data, among other things.

Protecting your privacy is very important to us. Your personal data will only ever be processed in accordance with data protection regulations. You can learn more about the purpose and legal basis of all respective data processing under C. Purpose and legal basis of the processing.

B. Who is responsible?

Hamburger Hochbahn AG, Steinstrasse 20, 20095 Hamburg, Germany, is responsible for the processing of your personal data in relation to your use of the hvv switch app. With regard to the processing of a mobility service booked by you using the hvv switch app, the respective mobility provider will also be responsible for processing your personal data. You can find out more about this under E. Will data be passed on to third parties?

If you have any questions about this Privacy Policy or about the processing of your personal data in general, please contact our Data Protection Officer by email: datenschutzbeauftragter@hochbahn.de.

If you have general questions about hvv switch, please contact info@hvv-switch.de.

C. Purpose and legal basis of the processing

In the following we provide you with an overview of the purpose and legal basis for any processing of your personal data. A more detailed description of the processing of your personal data and the respective purpose of this processing can be found under D. Which personal data is processed for which specific purpose?

Provision of services

First and foremost, we process your data in order to be able to provide services to you and then invoice you for the services you have used. This also involves creating a user account (“hvv switch profile”), as well as requesting information about our mobility services and then booking and using them. When booking and using mobility services, you enter into a separate contractual relationship with the respective mobility provider, with our involvement. We transmit the data required for the respective contract to the corresponding mobility provider, who then processes this data for the purpose of processing the contract – subject to their own responsibility. We also transmit personal data to our payment service provider for the payment process, and to our validation service provider where a user’s driving licence needs to be validated. The legal basis for the data processing is the need for fulfilment of the contract with the user (Article 6.1 (b) of the GDPR), or the protection of legitimate interests (Article 6.1 (f) of the GDPR).

Legal obligations

We will process your personal data if and insofar as this is necessary for the fulfilment of legal obligations, e.g. obligations to preserve records for tax-related reasons (Article 6.1 (c) of the GDPR).

Enforcement of legal claims

Furthermore, we will process your personal data if this is necessary to enforce claims or any other legal entitlements. The legal basis for data processing in such cases is the requirement for completion of the contract with HOCHBAHN (Article 6.1 (b) of the GDPR) or the protection of legitimate interests (Article 6.1 (f) of the GDPR).

Security of the systems, prevention of criminal offences

Another purpose of processing is to ensure the security of our systems and, for instance, to prevent and detect any instances of fraud and other criminal offences. The legal basis for data processing here is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).

Improvement of our services

We are constantly improving our services. We use anonymised data for this purpose. The legal basis for data processing is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).

D. Which personal data is processed for which specific purpose?

1. Informational use

If you use the hvv switch app for informational purposes, i.e. you haven’t yet registered, we will only process personal data that is necessary for us to enable you to use the hvv switch app. This will include, for instance, the device identification number (DeviceID for Android, IDFA for iOS), the language and version of the app, the operating system, and the date and time of the request. This personal data that is automatically collected is then processed by us in order to be able to ensure a functioning and stable hvv switch app, to enable us to optimise the hvv switch app (e.g. by adapting the app to best suit your mobile end device), as well as to safeguard the security of our information technology systems.

Any data processing for informational use is based on Article 6.1 (f) of the GDPR.

2. Location data & location tracking

Whenever you request a mobility service using the hvv switch app (e.g. select a hvv ticket, book a MOIA shuttle or request a car sharing service like SIXT share), we will use the location data contained in your request (e.g. your current location, and start and destination locations) in order to issue a valid hvv ticket to you, show you booking options for MOIA, or show you available car sharing vehicles in your area and the route to your chosen car sharing vehicle. This information will be used without establishing a personal reference to you, so that we can better adapt the services in the hvv switch app to meet the demand.

With a view to offering the simplest and most convenient user experience with the hvv switch app, we recommend that you activate location sharing for the hvv switch app. This requires you to permit the hvv switch app to access location services through the operating system of the mobile device you are using and its authorisation system. We will then only record the location determined by your device, provided that the hvv switch app is open. If location tracking is activated, this is usually indicated by a corresponding function on your mobile device. You can allow or revoke the option of location tracking at any time simply by going to the settings in the operating system of your mobile end device. We will ask you once only, when you first start the hvv switch app, whether you want to activate automatic location tracking.

Any data processing for identifying a location is based on Article 6.1 (f) of the GDPR.

We do not ever use location data to create a movement profile of you.

3. Registration for hvv switch

You choose your login details (email address and password) when you register for the hvv switch app. We will process this personal data when setting up your user account. You need a user account in order to be able to make use of mobility services in the hvv switch app (subject to the respective service providers activated in the app).

Any data processing required for registration is based on Article 6.1 (b) of the GDPR.

4. Activation for mobility services

The hvv switch app gives you the option to make use of the mobility services of various mobility providers, and in the case of hvv ticketing to also avail of our own services. Depending on the mobility service you want to use, additional personal data and validations of your personal data will be required.

For example, this might include specifying and validating your:

  • First and last name
  • Date of birth
  • Mobile phone number
  • Address
  • Driving licence details
  • Payment details

If you don’t provide the required information or complete the required validation you will not be able to make use of the respective mobility service.

For some mobility services you will also have to create a personal PIN. This PIN is then requested again as additional user identification before the start of each rental. This is the case, for instance, when renting a car sharing vehicle from SIXT share.

Any data processing for activation is based on Article 6.1 (b) of the GDPR.

With regard to activating a particular mobility service, the only personal data that will be requested is that which is required for using the respective service. This information might need to be validated and will be saved in your user account. Any additional information you provide in your user account is optional.

Once you have successfully activated a particular mobility service, you will no longer be able to delete certain personal data from your user account yourself, as it is required and mandatory for using the mobility service you selected. You can make changes to your personal data, but this new data might have to be validated again. If you want to delete certain personal data that is absolutely necessary for use of a mobility service, you can do this by contacting our customer service. However, you will then no longer be able to use that service.

With regard to hvv ticketing, we will process your contact and address data, after your account has been successfully activated, in order to inform you about contract-relevant changes to our products and our mobility services, and to send you other information that is legally required.

In order to use a car sharing service, you must be in possession of a valid driving licence to drive a car. We offer you the option of having your identity and driving licence checked through the hvv switch app, with a video call, as part of the activation process for a car sharing service. Alternatively, you can also have your personal data and documentation validated in person at one of the hvv service points.

Validation involves your identity being confirmed (by means of a valid identification document that you present), in addition to ownership of a valid driving licence. The data you have already entered in the hvv switch app, which is necessary for activating car sharing services, will also be checked to see if it matches the information on your ID document and driving licence.

If you take advantage of the option of validation via video call in the hvv switch app, i.e. if you don’t go to a hvv service point to have your information validated in person, recordings of your identity documents and driving licence will be made during the video call. The recordings of your driving licence will be saved by us for the duration of the contractual relationship between you and us, as proof that we have checked and validated your driving licence, but it will not be stored as part of an active customer profile. Rather, the data is blocked by a strict authorisation concept and cannot be accessed on an ongoing basis.

Any data processing in order to validate a driving licence is based on Article 6.1 (b) and (c) of the GDPR.

5. Booking and use of mobility services

Whenever you purchase, reserve or book a mobility service using the hvv switch app, we will assign the associated purchase, reservation or booking data to your user account. This means that we will also process, for instance, your name and the location data you provide in your request for a mobility service. We will display the mobility services you have used (active and past) in your user account.

Any data processing for the booking and use of mobility services is based on Article 6.1 (b) of the GDPR.

In addition, we will transmit the purchase, reservation or booking data required for the respective mobility service to the corresponding mobility provider, who will then process this data for the purpose of handling the mobility service in ways subject to its own responsibility. You can find out more about the forwarding of data by us under E. Will data be passed on to third parties?

We will also process personal data in order to realise the settlement of any further claims (e.g. settlement of damages incurred) resulting from a booking and/or usage.

If any disruptions or similar incidents occur in connection with the provision of any mobility services, we will use your contact details to inform you about this, e.g. via email, SMS, in the app, or by push message.

6. Payment and billing

You must enter a valid method of payment in your user account in order to be able to use a mobility service through the hvv switch app.

We currently offer PayPal as a method of payment. To begin with, you will need to link up your PayPal account with your hvv switch user account. While setting this up, you will have the option of transferring personal data already saved in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there. This gives you the chance to save time and effort entering personal data that you need to provide to be able to use certain mobility services.

Any transfer of your data to PayPal is based on Article 6.1 (a) of the GDPR (consent) and Article 6.1 (b) of the GDPR (processing for the performance of a contract).

We will forward personal data to our payment service provider LogPay Financial Services GmbH, in order to realise a payment process and for the purpose of selling and assigning any claims against you. Our payment service provider will process and save your personal data for the purpose of processing payments, managing receivables, assessing the permissibility of methods of payment, and avoiding any defaults on payment.

For every mobility service you use through the hvv switch app, we will create an invoice and process your personal data for this (e.g. your name, and the date and place of use of the respective service). We will only send out our own invoices, and invoices issued on behalf of individual mobility providers, by email.

Due to statutory obligations to preserve records for a particular period, including obligations arising from commercial and tax legislation, we keep invoices we issue for a period of ten years. This period will begin at the end of the year in which the invoice was issued. During this period, this personal data will be completely inaccessible and no longer available for any further data processing.

7. Customer service

When you contact us, for example by submitting an enquiry or providing us with feedback, we will store this information in order to process your enquiry or respond to your feedback. We will contact you about your enquiry or feedback if this is required in order to resolve the particular matter involved.

E. Will data be passed on to third parties?

Mobility service providers

Whenever you book and make use of a mobility service you enter into a separate contractual relationship with the respective mobility provider, with our involvement. You decide which mobility services you wish to use and which contract you wish to enter into with them. We then forward the data required for the respective contract exclusively to the respective mobility provider in each case, who will then process that data for the purpose of processing the contract. You must explicitly agree to the transfer of the data required for this process.

We currently work with the following mobility service providers:

Mobility provider: MOIA GmbH, Alexanderufer 5, 10117 Berlin, and MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hanover
Required data: Data for activation or changes made by you, e.g. first and last name, validated e-mail address, validated mobile phone number; data relating to a booking request, e.g. start and destination points
Privacy Policy: https://www.moia.io/en/privacy-policy

Mobility provider: Sixt GmbH & Co. Autovermietung KG, Zugspitzstrasse 1, 82049 Pullach, Germany
Required data: Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated email address, validated mobile phone number, validated address, validated driving licence details; data relating to a booking request, e.g. location data; proof on request that a driving licence check has been carried out
Privacy Policy: https://about.sixt.com/websites/sixt_cc/English/8100/privacy-policy.html

Payment service providers

In order to complete a payment process and for the purpose of selling and assigning any claims against you, we will transmit your personal data to our payment service provider LogPay Financial Services GmbH, Schwalbacher Strasse 72, 65760 Eschborn. We will also pass on any personal data required for the settlement of further claims (e.g. settlement of damages incurred) arising from a booking or usage. Our payment service provider will process and store your personal data for the purpose of processing payments, managing claims, evaluating the permissibility of payment methods, and avoiding any defaults on payment.

You can find more about data processing by LogPay by visiting https://www.logpay.de/EN/datenschutz/.

Service provider for driving licence validation

In cases where identification and verification are required, we will transfer personal data to our service provider, identity Trust Management AG, Lierenfelder Strasse 51, 40231 Düsseldorf, Germany, who then conducts the identification and verification process on our behalf and assumes the role of data processor for us. All personal data will be deleted by our service provider seven days after the processing has been completed and the relevant information provided to us.

Service providers used

We use a number of different service providers who may process your personal data on our behalf. These service providers have been carefully selected by us and will process any personal data exclusively in accordance with our instructions and under our jurisdiction. In particular, this shall include the following service providers:

Hosting and operation:

Claranet GmbH, Hanauer Landstrasse 196, 60314 Frankfurt am Main, Germany

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

DATAGROUP SE, Wilhelm-Schickard-Strasse 7, 72124 Pliezhausen, Germany

Mailings:

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Text messaging:

sms4.de - mobile messaging e.K, Andre Probst, Theodor-Ott-Ring 34, 89182 Bernstadt, Germany

Mapbox

We have integrated an SDK (Software Development Kit) of the map service Mapbox into the hvv switch app, to allow for easy and reliable use of the hvv switch app. The provider is Mapbox Inc. with headquarters at 740, 15th Street NW, Washington DC, 20005, USA. In order for you to use the features of Mapbox, it is necessary to save your IP address. Information about your device and location is also collected and temporarily saved. This information is usually transferred to a Mapbox server in the USA and may be processed there. We have no influence over this data transmission. You can find out more about data processing by Mapbox by visiting https://www.mapbox.com/privacy/.

PayPal

We have integrated a PayPal SDK (Software Development Kit) into the hvv switch app, in order to provide you with an easy way of paying using PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. In addition to your IP address, PayPal will also collect and process information about your device, technical usage data and location data using the SDK. We have no influence over this data transmission and processing. You can find out more about data processing by PayPal by visiting https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

F. Which analysis tools do we use and why?

Adjust

In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany) and have integrated its SDK (Software Development Kit) into the hvv switch app. The anonymised data collected using Adjust provides us with information, for instance, about the downloading of the hvv switch app, the online advertising channel through which the download was generated, and the time at which the app was opened. You can find out more about data processing by Adjust by visiting https://www.adjust.com/privacy-policy/.

You actively decide whether you want to allow Adjust to optimise our marketing activities. To this end, we ask for your consent once when you start the hvv switch app for the first time. In addition, you have the option of adjusting or revoking your consent in the privacy settings of the hvv switch app at any time.

Use of this analysis tool is based on Article 6.1 (a) of the GDPR.

Google Firebase

We have integrated an SDK (Software Development Kit) from Google Firebase into the hvv switch app in order to better understand how our app is used and to be able to make improvements to the app. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The anonymised information about use of our app is collected using Google Firebase and provides us with information about, for example, the number of times the app is opened in a certain period of time. It also provides us with insights into particularly popular features, in addition to the number of in-app purchases and the total number of users within a certain time period. For this purpose, the data is transferred to Google in the USA and stored there. You can find out more about data processing by Google Firebase by visiting https://www.firebase.com/terms/privacy-policy.html.

You actively decide whether you want to permit the use of Google Firebase to optimise our app offer. For this purpose, we request your consent once when you start the hvv switch app for the first time. You have the option to alter and revoke your consent in the privacy settings of the hvv switch app at any time.

Any use of this analysis tool is based on Article 6.1 (a) of the GDPR.

G. What are your rights with regard to data protection?

The GDPR grants certain rights to data subjects whose personal data is processed by us. We would like to outline these rights in the following. If you have any questions regarding data protection with respect to hvv switch, please feel free to contact us as the data controller, or to get in touch with our Data Protection Officer. You can find the contact details under B. Who is responsible?

1. Information, deletion & correction

You have the right to request information about which of your personal data is saved by us, free of charge, at any time. This includes information about the purpose of processing, the category of data used, who receives the information, and the planned period the data will be saved or, if this is not possible, the criteria for determining how long the data will be saved. You also have the right to request that the data be deleted and/or corrected, particularly in cases where the data is incomplete or incorrect, if it is no longer required for the purpose for which it was originally collected, or if you have withdrawn your consent to this processing.

2. Revocation of consent

If data processing is carried out with your consent, you have the option to revoke this consent at any time. An informal email is sufficient here to make this happen. The legality of the data processing carried out up until the date of revocation will remain unaffected by the revocation.

3. Right of objection

If any data processing is carried out on the basis of a legal interest on our part, you will have the right to object to that data processing. Required grounds for this would involve reasons arising from your particular individual situation (Article 21.1 of the GDPR).

4. Right to restriction of processing

You have the right to request that the processing of your personal data be restricted. This right to restriction of processing applies in the following cases:

  • If you query the accuracy of your personal data stored by us. We will usually need some time to check this. For the duration of this review period, you will have the right to request the restriction of the processing of your personal data.
  • If your personal data has been or is being processed in a way that is unlawful, you can request the restriction of data processing rather than having your data deleted.
  • If we no longer need your personal data, but require it for the exercising, defence or assertion of any legal claims, you will have the right to request the restriction of the processing of your personal data rather than having your data deleted.
  • If you have lodged a complaint as per Article 21(1) of the GDPR, a balance must be struck between your interests and our interests. As long as it has not yet been determined whose interests prevail, you will have the right to demand the restriction of the processing of your personal data.

5. Right to data portability

You have the right to have data that we process automatically, based on your consent and/or to fulfil a contract, provided to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of data to another data controller, this will only be implemented provided it is technically feasible.

6. Right of complaint to a supervisory authority

In the event of any breaches of the GDPR, you have the right to lodge a complaint with a supervisory authority. The right of complaint will not affect your right to any other administrative or judicial remedies in any way. In Hamburg, you can contact the official data protection officer at: The Hamburg Officer for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany.