We, Hamburger Hochbahn AG, are pleased about your interest in hvv switch. With the hvv switch app, hvv switch offers you the possibility to buy hvv tickets as well as to use various mobility offers in Hamburg with only one app and without separate registrations with the individual mobility providers. The long-term goal of hvv switch is to create a simple and reliable alternative to private car use with the hvv switch app and the integrated mobility offers.
This privacy policy informs you about which data is processed for which purposes when you use the hvv switch app. Furthermore, you will receive information on the storage period of the data, on the transfer to third parties and on the rights to which you are entitled. Your personal data includes all information that can be assigned to you as a person. This includes, among other things, name, e-mail address, mobile phone number, location and payment data.
A. Responsible party and data protection officer
Responsible entity
The responsible body is the natural or legal person who alone or jointly with others decides on the purposes and means of the processing of personal data (e.g. names, e-mail addresses or similar).
The responsible body in the data protection sense for the hvv switch app is:
Hamburger Hochbahn AG
Sales and Transportation Department
Steinstr. 20
20095 Hamburg
Phone: +49 40 3288-6363
E-Mail:info@hvv-switch.de
In the context of the processing of a mobility service booked by you via the hvv switch app, the respective mobility provider is also responsible for the processing of your personal data. You can find more details on this under C. Transfer of personal data.
Data protection officer
We have appointed a data protection officer; you can reach him as follows:
Hamburger Hochbahn AG
Data Protection Office
Steinstr. 20
20095 Hamburg
E-mail: datenschutzbeauftragter@hochbahn.de
B. Use of the hvv switch App
B.1 Informational use
If you use the hvv switch App for informational purposes, i.e. you have not registered, we only process personal data that is necessary for us to enable you to use the hvv switch App. This includes, for example, the device identification number (DeviceID for Android, IDFA for iOS), language and version of the app, operating system and date and time of the request. These automatically collected personal data are processed by us in order to be able to ensure a functional, stable hvv switch app, to enable optimization of the hvv switch app (e.g., by making appropriate adjustments to the app for your mobile device) and also to ensure the security of our information technology systems.
The data processing for informational use is based on Art. 6 para. 1 lit. f DSGVO.
B.2. hvv Information
Within the framework of hvv information, we collect stops, date as well as desired departure and arrival time, time of request as well as the device type (e.g. iPhone or Android).
To make it easier for you to enter starting points or destinations, you can store favorites in the hvv switch app. In this case, the data is only stored locally in the app. Any further processing will not take place. Furthermore, you can allow the hvv switch app to access your current location, for example, to determine a nearby stop and the cheapest way to get there or the cheapest way from the stop to your desired destination.
We process this data in order to be able to show you journey connections based on the search parameters and to adapt the information displayed in the hvv switch app to your needs. The legal basis for the processing of this data is Art. 6 (1) lit. b DSGVO (contract performance) and Art. 6 (1) lit. f DSGVO (overriding legitimate interest). We base the legitimate interest on our part on the goal of providing information to our passengers as promptly and efficiently as possible. The provision of such information also serves a more effective passenger guidance.
B.3 Location data and location recording
When you request a mobility service via the hvv switch app, e.g. select an hvv ticket, a MOIA ride, a car sharing offer or an e-scooter, we use the location data included in the request (e.g. your current location, start stop, start and destination). This allows us to issue you a valid hvv ticket, show booking options for MOIA or available car sharing vehicles or e-scooters in your area and the route to the respective vehicles. Furthermore, we use this information to better adapt our offers in the hvv switch app to the demand. This is done without establishing a personal reference.
We do not use the location data to create a movement profile of you.
In order to offer you the easiest possible user experience with the hvv switch app, we recommend that you enable location tracking for the hvv switch app. This requires that you allow the hvv switch app to access location services by means of the operating system of the mobile device you are using as well as its authorization system. In this context, we then only record the location determined by your device, provided that the hvv switch app is open. If location tracking is active, this is usually indicated by a corresponding function on your mobile device. You can allow or revoke the option of location tracking at any time via the settings in the operating system of your mobile device. We ask you once when you first start the hvv switch app whether you want to activate automatic location tracking.
The data processing for location recording is based on Art. 6 (1) lit. f DSGVO. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO) and § 25 para. 1 Telecommunications Telemedia Data Protection Act (TTDSG), insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. for device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.
B.4 Registration for hvv switch
When you register for the hvv switch app, you set your login data (email address and password). We process this personal data in the context of setting up your user account. Your user account is the prerequisite for you to be able to use mobility services in the hvv switch app (by means of corresponding activations).
The data processing for registration is based on Art. 6 para. 1 lit. b DSGVO.
If you use the identification function of hvv switch to access further offers in the hvv, such as hvv Plus, the advantage program of Hamburger Verkehrsverbund GmbH, our data processing also includes what is necessary to enable these functions. This means that in such a case we pass on your data from the hvv switch account to Hamburger Verkehrsverbund GmbH or the transport company in the hvv that offers the service you have requested as the responsible body under data protection law. Conversely, we receive data from this entity to the extent necessary to enable the access to the service requested by you. You can find out which company this is in each case in the separate data protection notices for the individual offers.
It is important to note that while you have full access to the data generated by the use of the additional offers of transport companies with your hvv switch login, we as Hamburger Hochbahn AG do not. If you decide to use an offer for which you need an hvv switch account, only the corresponding authorization or an ID is stored in our database, which allows you to "cross over" to the connected system. Hamburger Hochbahn AG does not have access to the connected system and does not gain knowledge of the data processed there.
As part of providing the identification function, we also record certain usage parameters such as a history of log-ins. This enables us to assist users who have problems with their customer account in solving the problem.
B.5 hvv ticket purchase
With an existing hvv switch user account, you can purchase certain hvv tickets according to the hvv community tariff directly in the hvv switch app and download them for retrieval. For this purpose Hamburger Hochbahn AG processes the following data:
- Type of ticket,
- Starting stop (if required by the tariff),
- Tariff information,
- First and last name of the main user of the hvv ticket,
- E-mail address (corresponds to user name),
- address (if required), date of birth or age (if required),
- details of the selected means of payment, and
- Device information (including operating software, version and build).
The above data is necessary to process the hvv ticket purchase. The legal basis is Art. 6 para. 1 lit. b DSGVO (contract performance). In addition, we process your personal data if and insofar as this is necessary for the fulfillment of legal obligations (e.g. tax law retention obligations) (Art. 6 para. 1 lit. c DSGVO).
In addition, we transmit personal data to our payment service provider for the payment process.
B.6 Mobility services
For the booking and use of mobility services, you enter into a separate contractual relationship with the respective mobility provider with our participation. We transmit the data required for the respective contract to the corresponding mobility provider, who processes this data under its own responsibility for the purpose of processing the contract. In addition, we transmit personal data to our payment service provider for the payment process and, in the case of a required driver's license validation, to our validation service provider.
B.6.1 Activation for mobility services
With the hvv switch app, we offer you the possibility of using mobility services from various mobility providers, and in the case of hvv ticketing, also from ourselves. For this use, depending on the respective mobility service, additional information of personal data as well as validations of your personal data are necessary.
For example, this may include the specification and validation
- your first and last name
- your date of birth,
- your pplace of birth,
- your mobile phone number,
- your address,
- your driver's license data and
- your payment data
must be provided. Without the corresponding information and validation, it is not possible to use the corresponding mobility service.
For certain mobility services, it is also necessary to create a personal PIN. This PIN is then requested again for additional identification of the user before the start of each rental. This is the case, for example, when renting a car sharing vehicle from SIXTshare.
Within the scope of the activation for the respective mobility service, only the personal data that is required for the use of the respective mobility service is requested, validated if necessary, and stored in your user account. Additional information in your user account is optional for you.
Once you have successfully activated a selected mobility service, you can no longer delete certain personal data from your user account yourself, as it is absolutely necessary for the use of the selected mobility service. You can make changes to your personal data in connection with a new validation. If you would like to delete certain personal data that is absolutely necessary for the use of a mobility service, you can do so via our customer service. It will then no longer be possible to use the corresponding mobility service.
With regard to hvv Ticketing, we process your contact and address data after successful activation in order to inform you about contract-relevant changes to our products and our mobility service as well as to send you other legally required information.
The data processing for the activation of mobility services is based on Art. 6 para. 1 lit. b DSGVO.
B.6.2 Validation of the driving license
In order to use a car sharing service, you must have a valid driver's license to drive a car. Therefore, we offer you the possibility to have your identity and your driver's license checked via the hvv switch app with the help of a video call as part of the activation for a car sharing offer.
With the validation, your identity (by means of a presented, admissible, valid identification document) and the ownership of an admissible, valid driver's license is determined. Furthermore, it is checked whether the data you have already entered in the hvv switch app, which is necessary for the activation of car sharing offers, matches the information on your ID document and driver's license.
We use the service provider IDnow GmbH for identification and verification. You can find additional information about this under C.4. service provider for driver's license validation.
If you use the option of validation via video call in the hvv switch app, recordings of identification documents and driver's license are made during the video call. The recordings of your driver's license will be stored by us for the duration of the business relationship between you and us as proof that we have checked your driver's license. However, this is not done as part of an active customer profile. Rather, the corresponding data is excluded from ongoing use and blocked via a strict authorization concept.
Data processing for validation of the driver's license is based on Art. 6 (1) lit. b and c DSGVO.
B.6.3 Booking and use of mobility services
If you reserve or book a mobility service via the hvv switch app, we assign the associated reservation/booking data to your user account. In this context, we also process, for example, your name and the location data you provided in your request for a mobility service. We display the mobility services you have used (active and completed) in your user account.
Furthermore, we transmit the reservation/booking data required for the respective mobility service to the corresponding mobility provider, who processes this data under his own responsibility for the purpose of handling the mobility service. You can find out more about the transfer of data by us under C. Transfer of personal data.
We also process personal data for the settlement of further claims (e.g. settlement of damages incurred) resulting from a booking and/or use.
If disruptions or the like occur in connection with the provision of mobility services, we use your contact data to inform you about them, e.g. by e-mail, SMS, in-app or push message.
Data processing for booking and using mobility services is based on Art. 6 (1) lit. b DSGVO.
B.6.4 Booking and use of hvv Any
With our service hvv Any we offer you the possibility to use the hvv means of transport without having to deal with the selection of a suitable hvv ticket in advance. You check in the hvv switch app before you start your journey and hvv Any automatically recognizes the route you have taken. From the moment you use hvv Any, i.e. make a so-called "check-in", we use your location data (e.g. your current location, start stop, start and destination) to record your use of hvv transport until the so-called "be-out" or "check-out". For this purpose, we need access to the following system services of your smartphone for the purpose mentioned below:
- Location services (GPS): Location services (GPS) are important for determining your locations (e.g. your current location, start stop, start and destination).
- Motion sensor technology: The motion sensor technology of your smartphone is used as a support to distinguish walking and cycling trips from the use of our means of transport.
- Bluetooth and WLAN: Bluetooth and WLAN of your smartphone also serve as support in order to be able to secure the trip determination results, especially on tunnel routes. For the correct recording of your journeys, we send Bluetooth signals using our transmitters (so-called beacons) in vehicles and at stops.
- Internet connection: Internet connection is required to ensure smooth communication with our background system. Only there the formation of the journeys and the determination of the prices takes place.
Therefore, it is necessary that you also activate or keep active these services during the entire period of use of hvv Any.
We use the aforementioned information collected in the context of hvv Any to record your use of the hvv means of transport. This happens regardless of whether the hvv switch app is open - but only after check-in has taken place. If the required system services are active, this is usually indicated by corresponding icons or functions on your mobile device. You can activate or deactivate these system services at any time via the settings in the operating system of your mobile device. Before using our service hvv Any, i.e. before each so-called check-in, we inform you that the system services and the location detection have to be activated. By using hvv Any you agree that the mentioned systems are used and that the access to your personal data and your movement data is generally permitted for the maintenance of the system operation and the clarification of your customer request. You can find additional information on this under C.5. service providers for determining journeys and prices within the framework of hvv Any.
We use this data from you to correctly record your journeys with the hvv means of transport. We do not collect this data to create a movement profile.
The following data is processed within the scope of use:
- Name
- Address
- Birthday
- Location data of the mobile device during active use of hvv Any (period between check-in & check-out)
- Device information (including operating software, version and build).
The processing of data for location tracking as well as the use of the aforementioned system service data is based on Art. 6 Para. 1 lit. b DSGVO. If a corresponding consent was requested, the processing is based exclusively on Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 (TTDSG). The consent can be revoked at any time.
If you use our service hvv Any via the hvv switch app, we assign the associated usage or purchase data to your user account. In this context, we also process, for example, your name and necessary location data. We display the hvv Any services you have used (active and completed) in your user account.
If disruptions or similar occur in connection with the use of our hvv Any service, we will use your contact data to inform you about them, e.g. via e-mail, SMS, in-app or push message.
B.7 Payment and billing of mobility services
To carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LOGPAY Financial Services GmbH ("LOGPAY"). You can find additional information about this under C.2. payment service provider.
In order to be able to use a mobility service via the hvv switch app, it is necessary to store a valid means of payment in your user account.
If you choose credit card or SEPA direct debit as payment method, the necessary payment information (e.g. credit card provider, credit card holder, credit card number, expiration date and check number or account holder and IBAN as well as BIC, if applicable) will be stored at LOGPAY. The processing of personal data is carried out by LOGPAY as its own responsible entity.
If you want to use PayPal as a payment method, it is necessary in a first step that you link your PayPal account with your hvv switch user account. Within the framework of this account linkage, you have the option of transferring personal data already stored in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there.
The transfer of your data to PayPal is based on Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. b DSGVO. You can find additional information on this under C.2 Payment service providers.
You also have the option of billing the mobility services in the hvv switch app via a mobility budget provided by your employer. For this purpose, we have integrated hvv-m DB Bonvoyo as a possible means of payment. You can find additional information on this under C.2. payment service providers.
For each mobility service that you use via the hvv switch app, we create an invoice and process your personal data in this context (e.g. your name, date and place of use of the respective service). We send our own invoices and invoices that we issue on behalf of individual mobility providers exclusively by e-mail.
B.8 Optimization of the hvv switch App
We have integrated an SDK (Software Developer Kit) from Google Firebase into the hvv switch App in order to better understand the use of our App and to improve the offer. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase provides various products, of which we use Analytics for Firebase and Crashlytics. The pseudonymized information about the use of our app collected via Google Firebase provides us with information about, for example, the number of app openings in a period of time, app crashes, provides insights into particularly popular features as well as the number of in-app purchases and the total number of users in a certain period of time. You can find more information about Google Firebase's data processing at https://www.firebase.com/terms/privacy-policy.html .
Crashlytics processes data on the operation of the app, including the type of operating system used, information on malfunctions during operation (type, time and duration of the malfunction as well as use of the app at the time of the malfunction) and device information. Based on this data, we can obtain an overview of various malfunctions when malfunctions or problems occur during the operation of the hvv switch app and weight them based on their relevance for use in order to ensure efficient troubleshooting and to ensure the stability of the app.
You actively decide in each case whether you want to allow the use of Analytics for Firebase or Crashlytics to optimize our offer. For this purpose, we ask for your consent once when you start the hvv switch app for the first time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) as defined by the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time (revocation of consent).
B.9 Optimization of marketing activities for the hvv switch App
B.9.1 Adjust
In order to optimize our marketing activities, we use the service provider Adjust (Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin) and have integrated its SDK (Software Developer Kit) into the hvv switch App. The purpose of the data processing with Adjust is the analysis of the usage behavior and the way in which the user arrived at the hvv switch App. The usage analyses are evaluated and used to optimize user communication. In the process, data is collected in the measurement and processed pseudonymously. The data is determined by Adjust by means of various methods. These include the use of advertising IDs, device IDs as well as Adjust reftags and the so-called "hashed fingerprint" (use of publicly accessible device statistics). The data collected via Adjust informs, for example, about the download of the hvv switch App, the online advertising channel through which the download was generated, and the time at which the hvv switch App was opened.
The analysis by Adjust helps us to continuously improve the communication and specifically adapt it to your needs. You can find more information about data processing by Adjust at https://www.adjust.com/privacy-policy/.
You actively decide whether you want to allow the use of Adjust to optimize our marketing activities. For this purpose, we ask for your consent once when you start the hvv switch app for the first time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) within the meaning of the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time (revocation of consent).
B.9.2 CleverTap
In order to optimize our marketing activities with regard to communication with you, we use the service provider Wizrocket Inc. (607 W Dana St. Suite A Mountain View, CA 94041, USA) and have integrated its SDK (Software Developer Kit) CleverTap into the hvv switch App. The purpose of the data processing with CleverTap is the analysis of your behavior in the hvv switch App in order to optimize our communication with you and to be able to inform you about our products and services according to your needs. In addition to your personal data (device ID, first name, last name, date of birth, email address and place of residence), your behavior in the hvv switch app is also recorded in CleverTap (e.g. which products you inform yourself about and which services you book). You can find more information about data processing by CleverTap at https://clevertap.com/privacy-policy.
You actively decide whether you want to allow the CleverTap application to optimize our marketing activities. For this purpose, we ask for your consent once when you start the hvv switch app for the first time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) within the meaning of the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time (revocation of consent). When giving your consent, you consent to the transfer of data to the USA in accordance with Art. 49 (1) lit. a DSGVO. We would like to point out that the USA does not currently have a level of data protection comparable to that of the EU and that US companies can be obliged by US authorities to hand over their data without you having any effective legal protection options against this.
B.10 Google Tag Manager and Google Consent Mode
We use the Google Tag Manager and Google Consent Mode. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to embed tracking or statistical tools and other technologies into our app. The Google Tag Manager itself does not create user profiles or perform any independent analyses. It is only used to manage and play out the tools integrated via it. However, the Google Tag Manager collects your IP address, which may also be transferred to Google's parent company in the United States.
Google Consent Mode allows us to customize the behavior of Google Tags and scripts based on your consent status. Tags are loaded in the app before the consent dialog appears, so tag behavior is dynamically adjusted based on what privacy settings you've chosen. Analytics tools are only used for specifically defined purposes if you have given your consent for them. The consent status of the user is transmitted by Google Consent Mode to Google for further processing. No personal data is sent to Google, only information about the consent decisions of the individual user, e.g. permission to use certain marketing tools.
You actively decide whether you want to allow the use of Google Tag Manager as well as Google Consent Mode and embedded tools. For this purpose, we ask for your consent once when you start the hvv switch app for the first time. In addition, you have the option to adjust your consent in the privacy settings of the hvv switch app at any time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time (revocation of consent).
B.11 Requests to customer service
If you contact us, your inquiry or feedback including all resulting personal data (name, inquiry/feedback) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
In case of service and for the purpose of error analysis, you have the option to provide us with additional information from your mobile device. A function linked in the version display of the hvv switch app can be used for this purpose. As a rule, our customer service will ask you to click on this link. When you click on the link, an event log file will be generated for the exact day and limited to the period of use of the hvv switch app. This file will be forwarded to us after your confirmation. A direct personal reference cannot be established based on the information available in the file.
The processing of this data is based on Art. 6 (1) lit. b DSGVO, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests sent to us (Art. 6 para. 1 lit. f DSGVO) or on your consent (Art. 6 para. 1 lit. a DSGVO), if this was requested; the consent can be revoked at any time.
The data you send to us by contact request will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.
C. Disclosure of personal data
C.1 Mobility provider
For the booking and use of mobility services, with the exception of hvv tickets, you enter into a separate contractual relationship with the respective mobility provider with our involvement. You decide which mobility services you want to use and which contract you want to enter into in connection with them. We then transmit the data required for the respective contract exclusively to the corresponding mobility provider, who processes it for the purpose of handling the contract. You explicitly agree to the transfer of the required data in the process.
We currently work with the following mobility service providers:
MILES Mobility GmbH, Leipnizstraße 49, 10629 Berlin, Germany.
Mobile phone number, validated address, validated driver's license data; data on the booking request, e.g. location data; on request, proof that the driver's license has been checked
https://miles-mobility.com/datenschutz
MOIA GmbH, Alexanderufer 5, 10117 Berlin and MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hannover, Germany
Data for activation or as a result of changes made by you, e.g. first and last name, validated e-mail address, validated mobile phone number; data on booking request, e.g. starting point and destination
https://www.moia.io/de-DE/datenschutz
Sixt GmbH & Co. Autovermietung KG, Zugspitzstraße 1, 82049 Pullach, Germany
Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; data on the booking request, e.g. location data; on request proof of the driver's license check carried out
https://www.sixt.de/fileadmin/sys/agb/DSGVO_DE_de.pdf
TIER Mobility GmbH c/o WeWork, Eichhornstraße 3, 10785 Berlin, Germany
Data for activation in the form of your hvv switch customer number; data on booking request, e.g. location data; on request first and last name, address, validated e-mail address
https://www.tier.app/de/privacy-notice/
Voi Technology Germany GmbH, Kaufinger Straße 24, 80331 Munich, Germany
Data for activation in the form of your hvv switch customer number; data on booking request, e.g. location data; on request first and last name, address, validated e-mail address
https://www.voiscooters.com/de/impressum/voi-privacy-policy
C.2 Payment service provider
C.2.1 LOGPAY
In order to carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LOGPAY, Schwalbacher Straße 72, 65760 Eschborn ("LOGPAY"). In addition, we also pass on personal data for the settlement of further claims (e.g. settlement of damages incurred) arising from the booking/use. Our payment service provider processes and stores your personal data for the purpose of processing payments, evaluating the admissibility of payment methods and avoiding payment defaults, as well as for receivables management.
For more information about the data processing by LOGPAY, please visit https://www.logpay.de/DE/datenschutzinformationen/.
Please note that it also follows from this information that LOGPAY transmits your data to credit agencies (such as SCHUFA) to verify your information and creditworthiness to avoid a payment default, if you are not yet known to LOGPAY.
C.2.2 PayPal
We have integrated a SDK (Software Developer Kit) from PayPal into the hvv switch app to offer you an easy payment method with PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. By means of the SDK, PayPal collects and processes your IP address as well as device information, technical usage data and location data. We have no influence on this data transmission and processing. You can find more information about data processing by PayPal at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
C.2.3 Mobility budget hvv-m DB Bonvoyo
In order to give you the possibility to settle the mobility services in the hvv switch app via a mobility budget provided by your employer, we have integrated hvv-m DB Bonvoyo as a possible means of payment. The provider of hvv-m DB Bonvoyo is Deutsche Bahn Connect GmbH ("DB Connect"), Mainzer Landstraße 169, 60327 Frankfurt am Main. If you use this function, the data required for use will be transferred between DB Connect and us. We have no influence on the data processing within DB Connect. You can find more information about data processing within the mobility budget at https://www.deutschebahnconnect.com/produkte/mobilitaetsbudget/DSE_Bonvoyo_App.pdf.
C.3 Service providers for the display of map services
We have integrated an SDK (Software Developer Kit) of the map service Mapbox into the hvv switch app to enable you to use the hvv switch app easily and reliably. The provider is Mapbox Inc. with headquarters at 740, 15th Street NW, Washington DC, 20005, USA. To use the functions of Mapbox, it is necessary to store your IP address. In addition, device information and location data are also collected and temporarily stored. This information is usually transferred to a Mapbox server in the USA and may be processed there. You can find more information about data processing by Mapbox at https://www.mapbox.com/privacy/.
You actively decide whether you want to help improve OpenStreetMap and Mapbox maps by collecting anonymized usage data. Mapbox uses location data from all integrations to improve their maps, directions, and travel times and provide aggregate insights. To do this, we ask for your consent once when you first launch the hvv switch app. If a corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and Section 25 para. 1 Telecommunications Telemedia Data Protection Act (TTDSG), insofar as the consent includes the storage of cookies or access to information in the end device of the user (e.g. device fingerprinting) as defined by the TTDSG. You have the option to adjust your consent in the privacy settings of the hvv switch app at any time.
By giving your consent, you agree to the transfer of data to the USA in accordance with Art. 49 (1) lit. a DSGVO. We would like to point out that the USA currently does not have a level of data protection comparable to the EU and US companies can be obliged by US authorities to hand over your data without you having any effective legal protection options against this.
C.4 Service provider for driver's license validation
In the event that identification and verification are required as part of the driver's license validation process, we transmit personal data to our service provider IDnow GmbH, Auenstraße 100, 80469 Munich, Germany, which completes the identification and verification process for us and acts as a processor on our behalf. All personal data is deleted from our service provider seven days after completion of the processing and provision to us.
C.5 Service provider for the determination of journeys and prices within the framework of hvv Any.
The determination of the distance traveled and the subsequent calculation of the fare to be paid is carried out with the involvement of the order processor Scheidt & Bachmann GmbH, Breite Str. 132, 41238 Mönchengladbach. For this purpose, we have integrated an SDK (Software Developer Kit) of the provider into the hvv switch app. In doing so, we adhere to all provisions of the applicable European data protection laws. We have secured compliance with these provisions through corresponding agreements with the company processing the order.
C.6 Other service providers
We use various service providers who process personal data from you on our behalf. These have been carefully selected by us and process the personal data exclusively according to the instructions and under the control of us. In particular, these are the following service providers:
Hosting and operation:
Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany.
Bechtle GmbH, Bernhard-Nocht-Str. 113, 20359 Hamburg, Germany
Sending e-mail and SMS:
Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland
rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg im Breisgau, Germany
D. Storage period
As your contractual partner, HOCHBAHN processes and stores your personal data only for as long as is necessary to fulfill its contractual and legal obligations. We differentiate between the various categories of data. In principle, we only retain data from registered customers. This is only done at your request in order to avoid having to store personal data again in the event of repeated use of our offer.
If data is no longer required for the immediate fulfillment of contractual or legal obligations, for example because it relates to sales that have already been invoiced, it is regularly deleted. This does not apply to data whose (temporary) continued storage is required for the following purposes:
- Compliance with retention periods under commercial or tax law: These include, for example, the German Commercial Code and the German Fiscal Code. The retention and documentation periods stipulated there are up to 10 years.
- Preservation of evidence under the statute of limitations: According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods are generally 3 years, but can also be up to 30 years in individual cases.
Movement data for determining journeys in the context of using hvv Any will be stored for a maximum of four months from the time the movement data is determined. Data on journeys and journey chains from the use of hvv Any will be stored for a maximum of seven months from the time the journey was determined. The storage takes place for the clarification and traceability of possible complaints.
E. Data protection rights
The GDPR grants data subjects whose personal data is processed by us certain rights, which we would like to inform you about at this point. For this purpose, as well as for further questions regarding data protection at hvv switch, you are welcome to contact us as the responsible party or our data protection officer. You can find the contact details in section A.
E.1 Information, deletion and correction
You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or, if this is not possible, the criteria for determining this duration. Furthermore, you have a right to erasure and/or rectification of the data, in particular if the data is incomplete or inaccurate, it is no longer necessary for the purpose for which it was collected, or the consent to the processing has been revoked by you.
E.2 Revocation of consent
Insofar as data processing is carried out with your consent, you can revoke this consent at any time. An informal communication by e-mail is sufficient for this purpose. You can revoke consent given for the analysis of your usage behavior in the privacy settings under Settings in the hvv switch app. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
E.3 Right to object
Insofar as the data processing is based on a legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this are reasons arising from your particular situation (Article 21 (1) DSGVO).
E.4 Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases:
If you dispute the accuracy of your personal data stored by us, we usually need time to verify this.
For the duration of the review, you have the right to request the restriction of the processing of your personal data.
If the processing of your personal data has happened or is happening unlawfully, you may request the restriction of data processing instead of erasure.
If we no longer need your personal data, but require it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of the erasure.
If you have lodged an objection pursuant to Art. 21 (1) DSGVO, a balancing of your and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
E.5 Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as this is technically feasible.
E.6 Right of complaint to a supervisory authority
If you are of the opinion that we are violating data protection law, you have the right to lodge a complaint with a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies. In Hamburg, you can reach the responsible supervisory authority at: The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, e-mail: mailbox@datenschutz.hamburg.de.
Status: October 2023