Privacy Policy hvv switch app | hvv switch | hvv switch

Privacy Policy for the hvv switch app

A. Responsible body and data protection officer

B. Use of the hvv switch app

B.1 Informational use

B.2 hvv information

B.3 Location data and location recording

B.4 Registration for hvv switch

B.5 hvv ticket purchase

B.6 Mobility services

B.6.1 Activation for mobility services

B.6.2 Validation of the driver's license

B.6.3 Booking and use of mobility services

B.7 Payment and billing of mobility services

B.8 Optimization of the hvv switch app

B.9 Optimization of marketing activities for the hvv switch app

B.9.1 Adjust and Outbrain

B.9.2 CleverTap

B.10 Google Tag Manager and Google Consent Mode

B.11 Enquiries to customer service

B.12 Use of vouchers

C. Disclosure of personal data

C.1 Mobility service provider

C.2 Payment service providers

C.2.1 LOGPAY

C.2.2 PayPal

C.2.3 Mobility budget hvv-m DB Bonvoyo

C.3 Service provider for the display of map services

C.4 Service provider for driving license validation

C.5 Service provider for determining journeys and prices as part of hvv Any

C.6 Other service providers

D. Storage period

E. Data protection rights

E.1 Information, erasure and rectification

E.2 Revocation of consent

E.3 Right to object

E.4 Right to object to processing

E.5 Right to data portability

E.6 Right to lodge a complaint with a supervisory authority

We, Hamburger Hochbahn AG, appreciate your interest in hvv switch. With the hvv switch app, hvv switch offers you the opportunity to buy hvv tickets and use various mobility services in Hamburg with just one app and without having to register separately with the individual mobility providers. The long-term goal of hvv switch is to create a simple and reliable alternative to private car use with the hvv switch app and the integrated mobility services.

This privacy policy informs you which data is processed for which purposes when you use the hvv switch app. You will also receive information on the storage period of the data, the transfer to third parties and the rights to which you are entitled. Your personal data includes all information that can be assigned to you as a person. This includes your name, e-mail address, mobile phone number, location and payment data.

A. Controller and data protection officer

Responsible body

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

The responsible body in terms of data protection law for the hvv switch app is

Hamburger Hochbahn AG 
Sales and Transportation Department 
Steinstrasse 20 
20095 Hamburg

Telephone: +49 40 3288-6363 
E-mail: info@hvv-switch.de

As part of the processing of a mobility service booked by you via the hvv switch app, the respective mobility provider is also responsible for processing your personal data. You can find more details on this under C. Transfer of personal data

Data protection officer

We have appointed a data protection officer; you can contact him as follows

Hamburger Hochbahn AG 
Data protection department 
Steinstraße 20 
20095 Hamburg

E-mail: datenschutzbeauftragter@hochbahn.de

B. Use of the hvv switch app

B.1 Informational use

If you use the hvv switch app for information purposes, i.e. if you have not registered, we only process personal data that is necessary for us to enable you to use the hvv switch app. This includes, for example, the device ID (DeviceID for Android, IDFA for iOS), language and version of the app, operating system and the date and time of the request. This automatically collected personal data is processed by us in order to ensure a functional, stable hvv switch app, to enable optimization of the hvv switch app (e.g. by adapting the app for your mobile device) and also to ensure the security of our information technology systems.

Data processing for informational use is carried out on the basis of Art. 6 para. 1 lit. f of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).

B.2 hvv information

As part of hvv information, we collect the stops, date and desired departure and arrival time, time of request and device type (e.g. iPhone or Android).

To make it easier for you to enter starting points or destinations, you can store favorites in the hvv switch app. In this case, the data is only saved locally in the app. No further processing takes place. Furthermore, you can allow the hvv switch app to access your current location, for example to determine a nearby stop and the cheapest way to get there or the cheapest way from the stop to your desired destination.

We process this data in order to be able to show you connections based on the search parameters and to adapt the information displayed in the hvv switch app to your needs. The legal basis for the processing of this data is Art. 6 para. 1 lit. b GDPR (fulfillment of contract) and Art. 6 para. 1 lit. f GDPR (overriding legitimate interest). Our legitimate interest is based on the aim of providing our passengers with information as promptly and efficiently as possible. The provision of such information also serves the purpose of more effective passenger routing.

B.3 Location data and location recording

If you request a mobility service via the hvv switch app, e.g. select an hvv ticket, a MOIA ride, a car sharing offer or an e-scooter, we use the location data contained in the request (e.g. your current location, start stop, start and destination). This enables us to issue you with a valid hvv ticket, show you booking options for MOIA or available car sharing vehicles or e-scooters in your area and the route to the respective vehicles. We also use this information to better adapt our offers in the hvv switch app to demand. This is done without creating a personal reference.

We do not use the location data to create a movement profile for you.

So that we can offer you the simplest possible user experience with the hvv switch app, we recommend that you activate location tracking for the hvv switch app. This requires you to allow the hvv switch app to access location services using the operating system of the mobile device you are using and its authorization system. In this context, we will only record the location determined by your device if the hvv switch app is open. If location tracking is active, this is usually indicated by a corresponding function on your mobile device. You can enable or disable location tracking at any time via the settings in the operating system of your mobile device. We will ask you once when you first start the hvv switch app whether you want to activate automatic location tracking.

Data processing for location recording is carried out on the basis of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 of the Telecommunications Digital Services Data Protection Act (TDDDG), insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. for device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

B.4 Registration for hvv switch

When you register for the hvv switch app, you enter your login details (email address and password). We process this personal data as part of setting up your user account. Your user account is the prerequisite for you to be able to use mobility services in the hvv switch app (by activating them accordingly).

Data processing for registration is carried out on the basis of Art. 6 para. 1 lit. b GDPR (fulfillment of contract).

If you use the identification function of hvv switch to access further offers in hvv such as hvv Plus, the benefits program of Hamburger Verkehrsverbund GmbH, our data processing also includes what is necessary to enable these functions. This means that in such a case, we will pass on your data from the hvv switch account to Hamburger Verkehrsverbund GmbH or the transport company in the hvv that offers the service you require as the responsible body under data protection law. Conversely, we receive data from this body to the extent necessary to enable you to access the service you have requested. You can find out which company this is in each case in the separate data protection notices for the individual services. If an application that requests a login or registration uses tracking tools, we may set corresponding parameters. The controller for the use of these tools is the operator of the requesting instance.

It is important to note that although your hvv switch login gives you full access to the data generated by the use of further offers from transport companies, we as Hamburger Hochbahn AG do not. If you decide to use an offer for which you need an hvv switch account, only the corresponding authorization or an ID is stored in our database, which allows you to “transfer” to the connected system. Hamburger Hochbahn AG has no access to the connected system and obtains no knowledge of the data processed there.

As part of providing the identification function, we also record certain usage parameters such as a history of log-ins. This enables us to help users who have problems with their customer account to solve the problem.

B.5 hvv ticket purchase

With an existing hvv switch user account, you can use the hvv switch app to purchase certain hvv tickets according to the hvv community tariff directly in the hvv switch app and download them for retrieval. Hamburger Hochbahn AG processes the following data for this purpose:

  • Type of ticket,
  • Starting stop (if required by the fare),
  • Fare information,
  • First and last name of the main user of the hvv ticket,
  • e-mail address (corresponds to user name),
  • address (if required), date of birth or age (if required),
  • details of the selected means of payment and
  • Device information (incl. operating software, version and build).

The above data is required to process the hvv ticket purchase. The legal basis is Art. 6 para. 1 lit. b GDPR (fulfillment of contract). We also process your personal data if and insofar as this is necessary to fulfill legal obligations (e.g. tax retention obligations) (Art. 6 para. 1 lit. c GDPR).

In addition, we transmit personal data to our payment service provider for the payment process (see B.7 Payment and billing of mobility services).

The hvv ticket is displayed and saved within the hvv switch app on the home screen and under “Journeys”. It automatically disappears from the home screen when it expires. If you are using a device with the iOS (Apple) or Android (Google) operating system, you can also save the hvv ticket in the Apple or Google Wallet on your device. The following data is transmitted to the Apple or Google Wallet with the hvv ticket:

  • First name and surname,
  • Start stop (if required by the fare),
  • Start and end date and time of the ticket,
  • fare product,
  • Product class (standard/reduced fare),
  • fare zone,
  • ticket ID,
  • price,
  • fare level

If you want to have the hvv ticket saved in the Apple Wallet, you must manually move the hvv ticket from the hvv switch app to the Wallet. This transfer of the hvv ticket to the Apple Wallet takes place locally on your end device, as do any necessary updates. You must manually delete hvv tickets stored in the Apple Wallet; the hvv switch app does not have access to them.

If you would like the hvv ticket to be displayed on additional iOS devices in your Apple Wallet, the ticket data will be sent to your device (e.g. Apple Watch) via iCloud. This function must first be activated on your device.

As part of the storage of ticket data in the iCloud, encrypted data is transmitted to participating sub-service providers in third countries, among others However, according to the information provided by Apple for the iCloud, the sub-service providers used do not receive the key. You can find more information about Apple Wallet at https://support.apple.com/de-de/HT204003.

If you wish to have the hvv ticket stored in Google Wallet, the data required for this will be forwarded to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland upon your confirmation of storage. We also notify Google of any necessary updates (e.g. in the event of termination) so that the hvv Ticket is correctly displayed or removed from Google Wallet.

In this case, Google acts as an independent controller for the storage and display of the hvv ticket in Google Wallet with regard to the data transferred to it. You can find more information about data processing by Google at https://policies.google.com/privacy?hl=de. We have no influence on data processing by Google. You can find more information about Google Wallet at https://wallet.google/intl/de_de/.

The legal basis for data processing is Art. 6 para. 1 lit. b GDPR (fulfillment of contract). This data is required to create and deliver a valid hvv ticket.

B.6 Mobility services

For the booking and use of mobility services, you enter into a separate contractual relationship with the respective mobility provider with our involvement. We transmit the data required for the respective contract to the relevant mobility provider, which processes it for the purpose of processing the contract under its own responsibility. In addition, we transmit personal data to our payment service provider for the payment process and to our validation service provider if validation of the driving license is required.

B.6.1 Activation for mobility services

With the hvv switch app, we offer you the opportunity to use mobility services from various mobility providers, including our own in the case of hvv ticketing. Depending on the mobility service in question, additional personal data and validation of your personal data may be required for this use.

For example, this may involve providing and validating

  • your first name and surname,
  • your date of birth,
  • your place of birth
  • your mobile phone number,
  • your address,
  • your driver's license data and
  • your payment details

be required. Without the relevant information and validation, it is not possible to use the corresponding mobility service.

For certain mobility services, it is also necessary to create a personal PIN. This PIN is then requested again for additional identification of the user before the start of each rental. This is the case, for example, when renting a car sharing vehicle from SIXTshare.

As part of the activation for the respective mobility service, only the personal data that is required for the use of the respective mobility service is requested, validated if necessary and stored in your user account. Any additional information in your user account is optional for you.

Once you have successfully activated a selected mobility service, you can no longer delete certain personal data from your user account yourself, as it is mandatory for the use of the selected mobility service. You can make changes to your personal data in conjunction with a new validation. If you wish to delete certain personal data that is absolutely necessary for the use of a mobility service, you can arrange this via our customer service. It will then no longer be possible to use the mobility service in question.

With regard to hvv Ticketing, we process your contact and address data upon successful activation in order to inform you about contract-relevant changes to our products and our mobility service as well as to provide you with other legally required information.

Data processing for the activation of mobility services is carried out on the basis of Art. 6 para. 1 lit. b GDPR (contract processing) and Art. Para. 1 lit. c GDPR (legal obligation).

B.6.2 Validation of the driving license

In order to use a car sharing service, it is necessary to have a valid driving license to drive a car. We therefore offer you the opportunity to have your identity and driving license checked via the hvv switch app using an online procedure as part of the activation process for a car sharing service.

The validation process establishes your identity (by means of an acceptable, valid ID document) and the ownership of an acceptable, valid driving license. The procedure also checks security features (e.g. holograms) by creating short video sequences and ensures that you are actually in front of the terminal. We also check whether the data you have already entered in the hvv switch app, which is required for the activation of car sharing offers, matches the information on your ID document and driving license.

We use the service provider IDnow GmbH for identification and verification. You can find additional information on this under C.4 Service provider for driving license validation.

As part of the online validation in the hvv switch app, images are taken of ID documents and driving licenses. The recordings of your driving license will be stored by us for the duration of the business relationship between you and us as proof that your driving license has been checked. However, this does not take place as part of an active customer profile. Instead, the corresponding data is excluded from ongoing use and blocked by means of a strict authorization concept.

Data processing to validate the driver's license is carried out on the basis of Art. 6 para. 1 lit. b and c GDPR.

B.6.3 Booking and use of mobility services

If you reserve or book a mobility service via the hvv switch app, we assign the associated reservation/booking data to your user account. In this context, we also process, for example, your name and the location data provided by you in your request for a mobility service. We display the mobility services you have used (active and completed) in your user account.

Furthermore, we transmit the reservation/booking data required for the respective mobility service to the corresponding mobility provider, who processes this data for the purpose of handling the mobility service under its own responsibility. You can find out more about the transfer of data by us under C. Transfer of personal data

We also process personal data for the settlement of further claims (e.g. settlement of damages incurred) resulting from a booking and/or use.

If there are disruptions or similar in connection with the provision of mobility services, we will use your contact details to inform you, e.g. by e-mail, SMS, in-app or push message.

Data processing for the booking and use of mobility services is carried out on the basis of Art. 6 para. 1 lit. b and c GDPR.

B.6.4 Booking and use of hvv Any

With our hvv Any service, we offer you the opportunity to use hvv transport without having to worry about choosing a suitable hvv ticket in advance. You check in in the hvv switch app before you start your journey and hvv Any automatically recognizes the route you are taking. From the time you use hvv Any, i.e. when you check in, we use your location data (e.g. your current location, start stop, start and destination) to record your use of hvv transport until you check out. To do this, we need access to the following system services on your smartphone for the purposes listed below:

  • Location services (GPS)
    The location services (GPS) are important for determining your location (e.g. your current location, starting stop, starting point and destination).
  • Motion sensors
    Your smartphone's motion sensors help you to distinguish between walking and cycling, for example, and the use of our means of transport.
  • Bluetooth and WLAN
    Your smartphone's Bluetooth and WLAN also provide support in order to be able to validate the journey determination results, especially on tunnel routes. To correctly record your journeys, we send Bluetooth signals using our transmitters (beacons) in vehicles and at stops.
  • Internet connection
    The internet connection is required to ensure smooth communication with our background system. This is where the journeys are created and the prices are calculated.

It is therefore necessary that you also activate or keep these services active during the entire period of use of hvv Any.

We use the aforementioned information collected as part of hvv Any to record your use of hvv transportation. This happens regardless of whether the hvv switch app is open - but only after you have checked in. If the required system services are active, this is usually indicated by corresponding icons or functions on your mobile device. You can activate or deactivate these system services at any time via the settings in the operating system of your mobile device. Before using our hvv Any service, i.e. before each check-in, we will inform you that you must activate the system services listed and the location detection. By using hvv Any, you agree that the aforementioned systems are used and that access to your personal data and your movement data is generally permitted for the purpose of maintaining system operation and clarifying your customer concerns. You can find additional information on this under C.5 Service providers for determining journeys and prices within the framework of hvv Any.

We use this data from you to correctly record your journeys with hvv transportation. We do not collect this data to create a movement profile.

The following data is processed during use

  • Name
  • Your address
  • e-mail address
  • Date of birth
  • Location data of the mobile device during active use of hvv Any (period between check-in & check-out)
  • Device information (incl. operating software, version and build).

Data processing for location recording and the use of the aforementioned system service data is carried out on the basis of Art. 6 para. 1 lit. b GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

If you use our hvv Any service via the hvv switch app, we assign the associated usage and purchase data to your user account. In this context, we also process your name and required location data, for example. We display the hvv Any services you have used (active and completed) in your user account.

If there are disruptions or similar in connection with the use of our hvv Any service, we will use your contact details to inform you, e.g. by e-mail, SMS, in-app or push message.

B.7 Payment and billing of mobility services

We transmit personal data to our payment service provider LOGPAY Financial Services GmbH (“LOGPAY”) to carry out the payment process and for the purpose of selling and assigning our claims against you. You can find additional information on this under C.2 Payment service provider.

In order for you to use a mobility service via the hvv switch app, it is necessary to enter a valid means of payment in your user account.

If you select credit card or SEPA direct debit as your payment method, the necessary payment information (e.g. credit card provider, holder, number, expiration date and verification number or account holder and IBAN and, if applicable, BIC) will be stored with LOGPAY. The processing of personal data is carried out by LOGPAY as its own controller.

If you wish to use PayPal as a payment method, the first step is to link your PayPal account to your hvv switch user account. As part of this account linking, you have the option of transferring your personal data already stored in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there.

The transfer of your data to PayPal is based on Art. 6 para. 1 lit. a GDPR and Art. 6 para. 1 lit. b GDPR. You can find additional information on this under C.2 Payment service providers.

You also have the option of billing the mobility services in the hvv switch app via a mobility budget provided by your employer. We have integrated hvv-m DB Bonvoyo as a possible means of payment for this. You can find additional information on this under C.2 Payment service providers.

For each mobility service that you use via the hvv switch app, we create an invoice and process your personal data in this context (e.g. your name, date and place of use of the respective service). We only send our own invoices and invoices that we issue on behalf of individual mobility providers by email.

B.8 Optimization of the hvv switch app

We have integrated an SDK (Software Developer Kit) from Google Firebase into the hvv switch app in order to better understand how our app is used and to improve our offering. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase provides various products, of which we use Analytics for Firebase and Crashlytics. The pseudonymized information collected via Google Firebase about the use of our app provides us with information, for example, about the number of app openings in a period, about app crashes, provides insights into particularly popular functions as well as the number of in-app purchases and the total number of users in a certain period. You can find more information on data processing by Google Firebase athttps://www.firebase.com/terms/privacy-policy.html .

Crashlytics processes data on the operation of the app, including the type of operating system used, information on malfunctions during operation (type, time and duration of the malfunction and use of the app at the time of the malfunction) and device information. This data enables us to obtain an overview of various malfunctions when malfunctions or problems occur during operation of the hvv switch app and to weight them according to their relevance for use in order to ensure efficient troubleshooting and ensure the stability of the app.

You actively decide whether you want to allow the use of Analytics for Firebase or Crashlytics to optimize our offer. We ask for your consent once when you start the hvv switch app for the first time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. You have the option of adjusting your consent in the privacy settings of the hvv switch app at any time (withdrawal of consent). The company Google is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under C.7 EU-U.S. Data Privacy Framework.

B.9 Optimization of marketing activities for the hvv switch app

B.9.1 Adjust and Outbrain

In order to optimize our marketing activities, we use the service provider Adjust (Adjust GmbH, Saarbrücker Straße 37A, 10405 Berlin) and have integrated its SDK (Software Developer Kit) into the hvv switch app. The purpose of data processing with Adjust is to analyze usage behavior and the way in which the user reached the hvv switch app. The usage analyses are evaluated and used to optimize user communication. Data is collected in the measurement and processed pseudonymously. The data is determined by Adjust using various methods. These include the use of advertising IDs, device IDs, Adjust reftags and the so-called “hashed fingerprint” (use of publicly accessible device statistics). The data collected via Adjust provides information, for example, about the download of the hvv switch app, the online advertising channel via which the download was generated and the time at which the hvv switch app was opened.

The analysis by Adjust helps us to continuously improve our communication and adapt it to your needs. You can find more information on data processing by Adjust athttps://www.adjust.com/privacy-policy/.

We have integrated Outbrain (Outbrain Inc., 111 West 19th Street, New York, NY 10011) via Adjust so that information on user behavior is passed on to this online-based marketing platform. This enables us to provide useful and interesting content to our users who are interested in hvv switch products and at the same time to play out marketing campaigns more efficiently.

You can find more information on data processing by Outbrain at https://www.outbrain.com/privacy/

Outbrain is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under C.7. EU-U.S. Data Privacy Framework.

You actively decide whether you want to allow the use of Adjust and Outbrain to optimize our marketing activities. For this purpose, we ask for your consent once when you first start the hvv switch app. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. You have the option of adjusting your consent in the privacy settings of the hvv switch app at any time (withdrawal of consent).

B.9.2 CleverTap

In order to optimize our marketing activities with regard to communication with you, we use the service provider Wizrocket Inc (607 W Dana St. Suite A Mountain View, CA 94041, USA) and have integrated its SDK (Software Developer Kit) CleverTap into the hvv switch app. The purpose of data processing with CleverTap is to analyze your behavior in the hvv switch app in order to optimize our communication with you and to be able to inform you about our products and services in line with your needs. In addition to your personal data (device ID, first name, surname, date of birth, email address and place of residence), your behavior in the hvv switch app is also recorded in CleverTap (e.g. which products you find out about and which services you book). Further information on data processing by CleverTap can be found at https://clevertap.com/privacy-policy.

You actively decide whether you want to allow the CleverTap application to optimize our marketing activities. We will ask for your consent once when you start the hvv switch app for the first time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. You have the option of adjusting your consent in the privacy settings of the hvv switch app at any time (withdrawal of consent). The company CleverTap is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under C.7. EU-U.S. Data Privacy Framework.

B.10 Google Tag Manager and Google Consent Mode

We use Google Tag Manager and Google Consent Mode. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies into our app. Google Tag Manager itself does not create any user profiles and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the USA.

Google Consent Mode allows us to adjust the behavior of Google tags and scripts based on your consent status. Tags are loaded in the app before the consent dialog appears so that tag behavior is dynamically adjusted depending on the privacy settings you have selected. Analysis tools are only used for specifically defined purposes if you have given your consent. The user's consent status is transmitted to Google by Google Consent Mode for further processing. No personal data is sent to Google, only information about the consent decisions of individual users, e.g. permission to use certain marketing tools.

You actively decide whether you want to allow the use of Google Tag Manager and Google Consent Mode and integrated tools. We ask for your consent once when you first start the hvv switch app. You also have the option of adjusting your consent in the privacy settings of the hvv switch app at any time. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. You have the option of adjusting your consent in the privacy settings of the hvv switch app at any time (withdrawal of consent). The company Google is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under C.7. EU-U.S. Data Privacy Framework.

B.11 Enquiries to customer service

If you contact us, your request or feedback, including all resulting personal data (name, request/feedback) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

In the event of service and for the purpose of error analysis, you have the option of providing us with additional information from your mobile device. A function linked in the version display of the hvv switch app can be used for this purpose. As a rule, our customer service will ask you to click on this link. When you click on the link, a daily event log file is generated that is limited to the period of use of the hvv switch app. This file will be forwarded to us after your confirmation. A direct personal reference cannot be established on the basis of the information available in the file.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), provided that this has been requested; consent can be revoked at any time.

The data you send to us via a contact request will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

B.12 Use of vouchers

If you take part in an hvv switch voucher campaign, we will process your personal data to the extent necessary to send you the relevant vouchers and to confirm your participation in the campaign. Use of the vouchers is voluntary. The terms and conditions of the respective hvv switch voucher campaign will be made available to you in the course of your participation.

We use our service provider Voucherify PSA, Porcelanowa 23/A4, 40-246 Katowice, Poland (“Voucherify”) to provide the service. We process the following data for the purpose of providing the vouchers

  • Technical information required for the redemption of a voucher (such as redemption ID and status, hvv switch customer number and Voucherify-specific ID, date and time the voucher code was entered in the hvv switch app)
  • Journey-related information required to redeem a voucher (e.g. journey-specific or provider-specific ID)

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR, as it is related to the performance of a contract or is necessary for the implementation of pre-contractual measures.

Further information on data processing by Voucherify can be found at https://www.voucherify.io/legal/

C. Disclosure of personal data

C.1 Mobility providers

For the booking and use of mobility services, with the exception of hvv tickets, you enter into a separate contractual relationship with the respective mobility provider with our involvement. You decide which mobility services you want to use and which contract you want to enter into in connection with them. We then transmit the data required for the respective contract exclusively to the relevant mobility provider, which processes it for the purpose of processing the contract. You explicitly agree to the transfer of the required data during the process.

We currently work with the following mobility service providers

MILES Mobility GmbH, Leipnizstraße 49, 10629 Berlin

Mobile phone number, validated address, validated driving license data; data on the booking request, e.g. location data; proof of driver's license check on request

https://miles-mobility.com/datenschutz

MOIA GmbH, Alexanderufer 5, 10117 Berlin and MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hanover

Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; data on booking request, e.g. location data; proof of driver's license check on request

https://www.moia.io/de-DE/datenschutz

SHARE NOW GmbH, c/o WeWork, Warschauer Platz 11-13, 10245 Berlin, Germany

Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; data on booking request, e.g. location data; proof of driver's license check on request

https://www.share-now.com/de/de/legal/#privacy-app

Sixt GmbH & Co. Car Rental KG, Zugspitzstraße 1, 82049 Pullach

Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; data on booking request, e.g. location data; proof of driver's license check on request

https://www.sixt.de/fileadmin/sys/agb/DSGVO_DE_de.pdf

TIER Mobility GmbH c/o WeWork, Eichhornstraße 3, 10785 Berlin

Data for activation in the form of your hvv switch customer number; data on the booking request, e.g. location data; on request first and last name, address, validated e-mail address

https://www.tier.app/de/privacy-notice/

Voi Technology Germany GmbH, Kaufinger Straße 24, 80331 Munich, Germany

Data for activation in the form of your hvv switch customer number; data on the booking request, e.g. location data; on request first and last name, address, validated e-mail address

https://www.voiscooters.com/de/impressum/voi-privacy-policy

C.2 Payment service provider

C.2.1 LOGPAY

We transmit personal data to our payment service provider LOGPAY Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn (“LOGPAY”) in order to carry out the payment process and for the purpose of selling and assigning our claims against you. In addition, we also pass on personal data for the processing of further claims (e.g. processing of damages incurred) arising from the booking/use. Our payment service provider processes and stores your personal data for the purpose of processing payments, assessing the admissibility of payment methods and avoiding payment defaults, as well as for receivables management.

You can find more information about data processing by LOGPAY at https://www.logpay.de/DE/datenschutzinformationen/.

Please note that this information also states that LOGPAY will transmit your data to credit agencies (such as SCHUFA) to check your details and creditworthiness to avoid payment default if you are not yet known to LOGPAY.

C.2.2 PayPal

We have integrated an SDK (Software Developer Kit) from PayPal into the hvv switch app in order to offer you a simple payment method with PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg. PayPal uses this SDK for risk management reasons in order to protect its services and its customers from fraud and abuse. In addition to your IP address, PayPal uses the SDK to collect and process device information, technical usage data and location data. This takes place if you have selected PayPal as your payment method. We have no influence on further data transmission and processing. You can find more information about data processing by PayPal at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.

C.2.3 Mobility budget hvv-m DB Bonvoyo

To give you the option of paying for mobility services in the hvv switch app using a mobility budget provided by your employer, we have integrated hvv-m DB Bonvoyo as a possible means of payment. The provider of hvv-m DB Bonvoyo is Deutsche Bahn Connect GmbH (“DB Connect”), Mainzer Landstraße 169, 60327 Frankfurt am Main. If you use this function, the data required for its use will be transferred between DB Connect and us. We have no influence whatsoever on data processing within DB Connect. You can find more information about data processing as part of the mobility budget at https://www.deutschebahnconnect.com/produkte/mobilitaetsbudget/DSE_Bonvoyo_App.pdf.

C.2.4 Form for reporting incorrect parking, soiling and damage on hvv switch points

If you use the report form to send us information about parking offenders at hvv switch points, your details, including your first name, surname and e-mail address, will be recorded for the purpose of reporting and processing the parking offender. Your personal data will not be stored by HOCHBAHN, but will be forwarded to our parking enforcement service provider (PRS Parkraum Service GmbH, Kirchplatz 7, 58739 Wickede (Ruhr); hereinafter referred to as PRS for short) and processed there when you submit the form. Only the photo of the incorrectly parked vehicle will be stored by HOCHBAHN for the purpose of preserving evidence for a period of three months and then deleted (limitation period in accordance with Section 26(3) of the Road Traffic Act (StVG)). Information on data protection and the handling of your personal data at PRS can be found in their privacy policy.

If you send us information about soiling or damage on hvv switch points, you have the option of providing your name and e-mail address. This information is voluntary. This data is processed by HOCHBAHN. The data you provide will only be used to process your report. If you have provided your name and e-mail address, this information will be deleted immediately after the necessary measures to remove the soiling or repair the damage have been completed. If you decide to report anonymously, no personal data will be stored.

In principle, reporting via the forms and providing your personal data is voluntary. We base the processing on Art. 6 para. 1 lit. f GDPR (overriding legitimate interest). We have a legitimate interest in eliminating contractual disruptions (parking offenders) as well as soiling and damage at hvv switch points and providing the available car sharing parking spaces to our hvv switch customers in the best possible condition. Due to the voluntary nature of the report you have made, we do not see any legitimate interest on your part that conflicts with or outweighs our legitimate interest.

We use ProcessWire, a content management system (CMS), to display the forms described here. By using ProcessWire, we process certain personal data in order to provide you with a user-friendly and personalized online experience. The personal data processed by ProcessWire serves the purpose of providing and maintaining our website. This includes the display of content and the improvement of website functionalities. ProcessWire enables us to process data such as IP addresses, browser information and - if provided - personal data such as name and e-mail address, which you have communicated to us, for example, via the contact form provided. The processing of your data by ProcessWire is based on our legitimate interest in the efficient provision and maintenance of the functions of our website (Art. 6 para. 1 lit. f GDPR) and, if applicable, on the basis of your consent, which you have given us, for example, for the use of cookies (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG).

C.3 Service providers for the display of map services

We have integrated an SDK (Software Developer Kit) of the map service Mapbox into the hvv switch app to enable you to use the hvv switch app easily and reliably. The provider is Mapbox Inc. based in 740, 15th Street NW, Washington DC, 20005, USA. To use the functions of Mapbox, it is necessary to save your IP address. In addition, device information and location data are also collected and temporarily stored. This information is usually transferred to a Mapbox server in the USA and can be processed there. You can find more information about data processing by Mapbox at https://www.mapbox.com/privacy/.

You actively decide whether you want to help improve OpenStreetMap and Mapbox maps by collecting anonymized data for use. Mapbox uses location data from all integrations to improve their maps, directions and travel times and provide aggregated insights. For this purpose, we ask for your consent once when you first start the hvv switch app. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. You have the option to adjust your consent at any time in the privacy settings of the hvv switch app. The company Mapbox is certified in accordance with the “EU-U.S. Data Privacy Framework”. You can find additional information on this under C.7 EU-U.S. Data Privacy Framework.

C.4 Service provider for driver's license validation

If identification and verification are required as part of driver's license validation, we transfer personal data to our service provider IDnow GmbH, Auenstraße 100, 80469 Munich, which completes the identification and verification process for us and acts as our processor. All personal data will be deleted by our service provider seven days after completion of processing and provision to us.

C.5 Service provider for determining journeys and prices in the context of hvv Any

The calculation of the distance traveled and the subsequent calculation of the fare to be paid is carried out by the processor Scheidt & Bachmann GmbH, Breite Straße 132, 41238 Mönchengladbach. For this purpose, we have integrated an SDK (Software Developer Kit) of the provider into the hvv switch app. In doing so, we comply with all provisions of the applicable European data protection law. We have ensured compliance with these provisions through corresponding agreements with the company processing the order.

C.6 Other service providers

We use various service providers who process your personal data on our behalf. These have been carefully selected by us and process the personal data exclusively in accordance with our instructions and under our control. In particular, these are the following service providers

Hosting and operation:

Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main, Germany

Bechtle GmbH, Bernhard-Nocht-Straße 113, 20359 Hamburg, Germany

Sending of e-mail and SMS:

Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland

rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau, Germany

C.7 EU-U.S. Data Privacy Framework

We also use service providers that are certified in accordance with the “EU-U.S. Data Privacy Framework” (EU-U.S. DPF). The EU-U.S. DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the EU-U.S. DPF undertakes to comply with these data protection standards. You can find more information on this at the following link: https://www.dataprivacyframework.gov/. If a company is certified according to the EU-U.S. DPF, the data transfer to the USA is based on an adequacy decision of the European Commission pursuant to Art. 45 GDPR of 10.07.2023. Such an adequacy decision makes it possible to transfer personal data from the EU to the corresponding third country without the need for further transfer instruments or additional measures.

D.  Storage period

As your contractual partner, HOCHBAHN processes and stores your personal data only for as long as is necessary to fulfill its contractual and legal obligations. We differentiate between the various categories of data. In principle, we only store data from registered customers. This is only done at your request so that we do not have to store personal data again if you use our services repeatedly. When purchasing subscription products (e.g. Deutschlandticket), a continuing obligation arises with regard to your business relationship with us, which means that we also require and must process certain basic data such as name, address and stored means of payment (master data) on a permanent basis.

If data is no longer required for the direct fulfillment of contractual or legal obligations, for example because it relates to sales that have already been settled, it is regularly deleted. This does not apply to data whose (temporary) continued storage is required for the following purposes:

  • Fulfillment of retention periods under commercial or tax law: these include, for example, the German Commercial Code and the German Fiscal Code. The retention and documentation periods stipulated there are up to 10 years.
  • Preservation of evidence within the framework of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods are generally 3 years, but can also be up to 30 years in individual cases.

Movement data for determining journeys in the context of using hvv Any is stored for a maximum of four months from the time the movement data is determined. Data on journeys and chains of journeys from the use of hvv Any are stored for a maximum of seven months from the date on which the journey was determined. The data is stored in order to clarify and trace possible complaints.

E.  Data protection rights

The GDPR grants data subjects whose personal data is processed by us certain rights, which we would like to inform you about here. You are welcome to contact us as the controller or our data protection officer if you have any further questions about data protection at hvv switch. You can find the contact details in section A.

E.1 Information, erasure and rectification

You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or, if this is not possible, the criteria for determining this duration. You also have the right to erasure and/or rectification of the data, in particular if the data is incomplete or inaccurate, if it is no longer necessary for the purpose for which it was collected or if you have withdrawn your consent to processing.

E.2 Withdrawal of consent

If data processing is carried out with your consent, you can withdraw this consent at any time. An informal notification by email is sufficient for this. You can withdraw your consent to the analysis of your usage behavior in the privacy settings under Settings in the hvv switch app. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

E.3 Right to object

If the data processing is carried out on the basis of a legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this are reasons arising from your particular situation (Art. 21 para. 1 GDPR).

E.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. The right to restriction of processing exists in the following cases

  • If you dispute the accuracy of your personal data stored by us, we usually need time to verify this.
  • For the duration of the review, you have the right to request that the processing of your personal data be restricted.
  • If your personal data has been or is being processed unlawfully, you can request the restriction of data processing instead of erasure.
  • If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure.
  • If you have lodged an objection in accordance with Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

E.5 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

E.6 Right to lodge a complaint with a supervisory authority

If you believe that we are in breach of data protection law, you have the right to lodge a complaint with a supervisory authority. The right to lodge a complaint is without prejudice to any other administrative or judicial remedies. In Hamburg, you can contact the responsible supervisory authority at The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Straße 22, 20459 Hamburg, e-mail: mailbox@datenschutz.hamburg.de.

Status: July 2024