Privacy Policy for the hvv switch app

A. Why is data protection important?

We, Hamburger Hochbahn AG, are grateful for your interest in hvv switch. Through the hvv switch app, hvv switch enables you to make use of a number of different mobility services in Hamburg using just one single app, without having to register separately with each individual mobility provider. The long-term goal of hvv switch is to create a simple and reliable alternative to private car use with the hvv switch app and its integrated mobility services.

Within the scope of this Privacy Policy, we would like to inform you about how your personal data is handled and processed in cases relating to hvv switch. Your personal data includes all information that can be assigned to you as a person. This includes your name, email address, mobile phone number, location and payment data, among other things.

Protecting your privacy is very important to us. Your personal data will only ever be processed in accordance with data protection regulations. You can learn more about the purpose and legal basis of all respective data processing under C. Purpose and legal basis of the processing.

B. Who is responsible?

Hamburger Hochbahn AG, Steinstrasse 20, 20095 Hamburg, Germany, is responsible for the processing of your personal data in relation to your use of the hvv switch app. With regard to the processing of a mobility service booked by you using the hvv switch app, the respective mobility provider will also be responsible for processing your personal data. You can find out more about this under E. Will data be passed on to other parties?

If you have any questions about this Privacy Policy or about the processing of your personal data in general, please contact our Data Protection Officer by email: datenschutzbeauftragter@hochbahn.de.

If you have general questions about hvv switch, please contact info@hvv-switch.de.

C. Purpose and legal basis of the processing

In the following we provide you with an overview of the purpose and legal basis for any processing of your personal data. A more detailed description of the processing of your personal data and the respective purpose of this processing can be found under D. Which personal data is processed for which specific purpose?

Provision of services

First and foremost, we process your data in order to be able to carry out and invoice the services you have used. This includes, for example, the creation of your user account ("hvv switch profile") as well as the information, booking and use of mobility services. For the booking and use of mobility services, you enter into a separate contractual relationship with the respective mobility provider with our participation. We transmit the data required for the respective contract to the corresponding mobility provider, who processes this data under its own responsibility for the purpose of processing the contract. In addition, we transmit personal data to our payment service provider for the payment process and to our validation service provider in the event of a required driving licence validation. The legal basis for the data processing is the necessity for the fulfilment of the contract with (Art. 6 para. 1 lit. b GDPR) or the protection of legitimate interests (Art. 6 para. 1 lit. f GDPR).

Legal obligations

We process your personal data if and insofar as this is necessary for the fulfilment of legal obligations (e.g. tax retention obligations) (Art. 6 para. 1 lit. c GDPR).

Enforcement of legal claims

Furthermore, we process your personal data if this is necessary to enforce claims or other legal claims. The legal basis for data processing in these cases is the necessity for the performance of the contract with HOCHBAHN (Art. 6 para. 1 lit. b GDPR) or the protection of legitimate interests (Art. 6 para. 1 lit. f GDPR).

Security of systems, prevention of criminal offences

Another purpose of processing is to ensure the security of our systems and, for instance, to prevent and detect any instances of fraud and other criminal offences. The legal basis for data processing here is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).

Improvement of our services

We are constantly improving our services. We use anonymised data for this purpose. The legal basis for data processing is the preservation of legitimate interests by HOCHBAHN (Article 6.1 (f) of the GDPR).

D. Which personal data is processed for which specific purpose?

1. Informational use

If you use the hvv switch app for informational purposes, i.e. you have not registered, we only process personal data that is necessary for us to enable you to use the hvv switch app. This includes, for example, the device identification number (DeviceID for Android, IDFA for iOS), language and version of the app, operating system and the date and time of the request. These automatically collected personal data are processed by us in order to be able to ensure a functional, stable hvv switch app, to enable optimisation of the hvv switch app (e.g. through corresponding adaptations of the app for your mobile end device) and also to ensure the security of our information technology systems.

The data processing for informational use is based on Art. 6 para. 1 lit. f GDPR.

2. Location data & location tracking

When you request a mobility service via the hvv switch app, e.g. select an hvv ticket, a MOIA ride or a car sharing service (e.g. SIXT share), we use the location data contained in the request (e.g. your current location, start stop, start and destination) in order to issue you a valid hvv ticket or to show you booking options for MOIA or to show you available car sharing vehicles in your area and the route to the respective car sharing vehicle. In addition, we use this information without establishing a personal connection in order to better adapt the offers in the hvv switch app to the demand.

In order to offer you the easiest possible user experience with the hvv switch app, we recommend that you activate the location detection for the hvv switch app. This requires that you allow the hvv switch app to access location services through the operating system of the mobile device you are using and its authorisation system. In this context, we then only record the location determined by your device, provided that the hvv switch app is open. If location tracking is active, this is usually indicated by a corresponding function on your mobile device. You can allow or revoke the option of location tracking at any time via the settings in the operating system of your mobile end device. We ask you once when you first start the hvv switch app whether you want to activate automatic location tracking.

The data processing for location tracking is based on Art. 6 para. 1 lit. f GDPR.

We never use location data to create a movement profile of you.

3. Registration for hvv switch

You choose your login details (email address and password) when you register for the hvv switch app. We will process this personal data when setting up your user account. You need a user account in order to be able to make use of mobility services in the hvv switch app (subject to the respective service providers activated in the app).

The data processing for registration is based on Art. 6 para. 1 lit. b GDPR.

4. Activation for mobility services

The hvv switch app gives you the option to make use of the mobility services of various mobility providers, and in the case of hvv ticketing to also avail of our own services. Depending on the mobility service you want to use, additional personal data and validations of your personal data will be required.

For example, this might include specifying and validating your:

  • First and last name
  • Date of birth
  • Mobile phone number
  • Address
  • Driving licence details
  • Payment details

If you don’t provide the required information or complete the required validation you will not be able to make use of the respective mobility service.

For certain mobility services, it is also necessary to create a personal PIN. This PIN is then requested again for additional identification of the user before the start of each rental. This is the case, for example, when renting a car sharing vehicle from SIXT share.

The data processing for activation is carried out on the basis of Art. 6 para. 1 lit. b GDPR.

With regard to activating a particular mobility service, the only personal data that will be requested is that which is required for using the respective service. This information might need to be validated and will be saved in your user account. Any additional information you provide in your user account is optional.

Once you have successfully activated a particular mobility service, you will no longer be able to delete certain personal data from your user account yourself, as it is required and mandatory for using the mobility service you selected. You can make changes to your personal data, but this new data might have to be validated again. If you want to delete certain personal data that is absolutely necessary for use of a mobility service, you can do this by contacting our customer service. However, you will then no longer be able to use that service.

With regard to hvv ticketing, we will process your contact and address data, after your account has been successfully activated, in order to inform you about contract-relevant changes to our products and our mobility services, and to send you other information that is legally required.

In order to use a car sharing service, you must be in possession of a valid driving licence to drive a car. We offer you the option of having your identity and driving licence checked through the hvv switch app, with a video call, as part of the activation process for a car sharing service. Alternatively, you can also have your personal data and documentation validated in person at one of the hvv service points.

Validation involves your identity being confirmed (by means of a valid identification document that you present), in addition to ownership of a valid driving licence. The data you have already entered in the hvv switch app, which is necessary for activating car sharing services, will also be checked to see if it matches the information on your ID document and driving licence.

If you take advantage of the option of validation via video call in the hvv switch app, i.e. if you don’t go to an hvv service point to have your information validated in person, recordings of your identity documents and driving licence will be made during the video call. The recordings of your driving licence will be saved by us for the duration of the contractual relationship between you and us, as proof that we have checked and validated your driving licence, but they will not be stored as part of an active customer profile. Rather, the data is blocked by a strict authorisation concept and cannot be accessed on an ongoing basis.

The data processing for the validation of the driving licence is based on Art. 6 para. 1 lit. b) and c) GDPR.

5. Booking and use of mobility services

If you purchase, reserve or book a mobility service via the hvv switch app, we assign the associated purchase, reservation and booking data to your user account. In this context, we also process, for example, your name and the location data you provide in your request for a mobility service. We display the mobility services you have used (active and completed) in your user account.

The data processing for the booking and use of mobility services is based on Art. 6 para. 1 lit. b GDPR.

Furthermore, we transmit the purchase/reservation/booking data required for the respective mobility service to the corresponding mobility provider, who processes this data for the purpose of handling the mobility service under its own responsibility. You can find out more about how we pass on data under E. Will data be passed on to other parties?

We also process personal data for the settlement of further claims (e.g. settlement of damages incurred) resulting from a booking and/or use.

If disruptions or similar occur in connection with the provision of mobility services, we use your contact details to inform you of this, e.g. via e-mail, SMS, in-app or push message.

6. Payment and billing

In order for you to be able to use a mobility service via the hvv switch app, it is necessary to deposit a valid means of payment in your user account.

In order to carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LogPay Financial Services GmbH ("LogPay"). Our payment service provider processes and stores your personal data for the purpose of processing payments, managing receivables, evaluating the admissibility of payment methods and avoiding payment defaults.

If you choose credit card as a payment method, the necessary payment information (e.g. credit card provider, credit card holder, credit card number, expiry date and credit card verification number) is stored directly with LogPay. The processing of the personal data is carried out by LogPay as its own responsible party. You can find additional information on this under E.2 Payment service providers.

If you would like to use PayPal as a payment method, it is necessary in a first step that you link your PayPal account with your hvv switch user account. Within the framework of this account linking, you have the option of transferring personal data already stored in your PayPal account (e.g. name and billing address) to your hvv switch user account and saving it there. In this way, we offer you the option of a quicker and more convenient entry of personal data, the provision of which is required for the use of certain mobility services. The transfer of your data to PayPal is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). For each mobility service that you use via the hvv switch app, we create an invoice and process your personal data in this context (e.g. your name, date and place of use of the respective service). We send our own invoices and invoices that we issue on behalf of individual mobility providers exclusively by e-mail.

Due to legal storage obligations, such as obligations under commercial and tax law, we keep invoices for up to ten years. The period begins at the end of the year in which the invoice was created. During the retention period, this personal data is completely blocked and no longer accessible for further data processing.

7. Customer service

When you contact us, for example by submitting an enquiry or providing feedback, we store this information in order to process your enquiry or respond to your feedback. We will contact you about your enquiry or feedback if this is necessary to resolve your concern.

E. Will data be passed on to other parties?

Mobility service providers

Whenever you book and make use of a mobility service you enter into a separate contractual relationship with the respective mobility provider, with our involvement. You decide which mobility services you wish to use and which contract you wish to enter into with them. We then forward the data required for the respective contract exclusively to the respective mobility provider in each case, who will then process that data for the purpose of processing the contract. You must explicitly agree to the transfer of the data required for this process.

We currently work with the following mobility service providers:

Mobility provider: MOIA GmbH, Alexanderufer 5, 10117 Berlin, and MOIA Operations Germany GmbH, Podbielskistraße 306, 30655 Hanover
Required data: Data for activation or changes made by you, e.g. first and last name, validated e-mail address, validated mobile phone number; data relating to a booking request, e.g. start and destination points
Privacy Policy: https://www.moia.io/en/privacy-policy

Mobility provider: Sixt GmbH & Co. Autovermietung KG, Zugspitzstrasse 1, 82049 Pullach, Germany
Required data: Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated email address, validated mobile phone number, validated address, validated driving licence details; data relating to a booking request, e.g. location data; proof on request that a driving licence check has been carried out
Privacy Policy: https://about.sixt.com/websites/sixt_cc/English/8100/privacy-policy.html

Mobility provider: MILES Mobility GmbH, Leipnizstraße 49, 10629 Berlin, Germany
Required data: Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driver's license data; data on the booking request, e.g. location data; on request, proof of the driving licence check carried out
Privacy Policy: https://miles-mobility.com/en/data-protection

Mobility provider: TIER Mobility GmbH c/o WeWork, Eichhornstraße 3, 10785 Berlin, Germany
Required data: Data for activation in the form of your hvv switch customer number; data on the booking request, e.g. location data; on request, first and last name, address, validated e-mail address
Privacy Policy: https://www.tier.app/de/privacy-notice/

Mobility provider: UMI Urban Mobility International GmbH, Mollstraße 1, 10178 Berlin, Germany
Required data: Data for activation or as a result of changes made by you, e.g. validated first and last name, validated date of birth, validated e-mail address, validated mobile phone number, validated address, validated driving licence data; data on the booking request, e.g. location data; on request, proof of the driver's licence check carried out
Privacy Policy: https://www.we-share.io/app-privacy

Payment service providers

In order to enable and carry out the payment process and for the purpose of selling and assigning our claims against you, we transmit personal data to our payment service provider LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn ("LogPay"). In addition, we also pass on personal data for the settlement of further claims (e.g. settlement of damages incurred) arising from the booking/use. Our payment service provider processes and stores your personal data for the purpose of processing payments, managing claims, assessing the admissibility of payment methods and avoiding payment defaults.

You can find more information about the data processing by LogPay at Logpay Data Protection. Please note that this information also states that if you are not yet known to LogPay, LogPay will transfer your data to credit agencies (such as SCHUFA) to check your details and creditworthiness in order to avoid a payment default.

Mobility concession hvv-m DB Bonvoyo

We have integrated hvv-m DB Bonvoyo as a possible method of payment, in order to give you the option of paying for the services of individual mobility providers in the hvv switch app using a mobility concession provided by your employer. The provider of hvv-m DB Bonvoyo is Deutsche Bahn Connect GmbH (“DB Connect”), Mainzer Landstrasse 169, 60327 Frankfurt am Main, Germany. If you make use of this feature, the data required for its use will be transferred between DB Connect and us. We shall have no influence or control over data processing internally at DB Connect. You can learn more about data processing associated with the mobility concession here.

Service provider for driving licence validation

In cases where identification and verification are required, we will transfer personal data to our service provider, identity Trust Management AG, Lierenfelder Strasse 51, 40231 Düsseldorf, Germany, who then conducts the identification and verification process on our behalf and assumes the role of data processor for us. All personal data will be deleted by our service provider seven days after the processing has been completed and the relevant information provided to us.

Service providers used

We use a number of different service providers who may process your personal data on our behalf. These service providers have been carefully selected by us and will process any personal data exclusively in accordance with our instructions and under our jurisdiction. In particular, this shall include the following service providers:

Hosting and operation:

Claranet GmbH, Hanauer Landstrasse 196, 60314 Frankfurt am Main, Germany

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

DATAGROUP SE, Wilhelm-Schickard-Strasse 7, 72124 Pliezhausen, Germany

Mailings:

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Text messaging:

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Mapbox

We have integrated an SDK (Software Developer Kit) of the map service Mapbox into the hvv switch app to enable you to use the hvv switch app easily and reliably. The provider is Mapbox Inc. with headquarters at 740, 15th Street NW, Washington DC, 20005, USA. In order to use the functions of Mapbox, it is necessary to save your IP address. In addition, device information and location data are also collected and temporarily stored. This information is usually transferred to a Mapbox server in the USA and can be processed there. You can find more information about data processing by Mapbox at Mapbox Privacy.

You actively decide whether you want to help improve OpenStreetMap and Mapbox maps by collecting anonymised user data. Mapbox uses location data from all integrations to improve their maps, directions and travel times and provide aggregated insights. To do this, we ask for your consent once when you first launch the hvv switch app. You also have the option to adjust your consent at any time in the privacy settings of the hvv switch app.

PayPal

We have integrated a PayPal SDK (Software Developer Kit) into the hvv switch app, in order to provide you with an easy way of paying using PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. PayPal uses this SDK for risk management reasons to protect its services and its customers from fraud and abuse. In addition to your IP address, PayPal will also collect and process information about your device, technical usage data and location data using the SDK. We have no influence over this data transmission and processing. You can find out more about data processing by PayPal by visiting https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

F. Which analysis tools do we use and why?

Adjust

In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany) and have integrated its SDK (Software Developer Kit) into the hvv switch app. The anonymised data collected using Adjust provides us with information, for instance, about the downloading of the hvv switch app, the online advertising channel through which the download was generated, and the time at which the app was opened. You can find out more about data processing by Adjust by visiting https://www.adjust.com/privacy-policy/.

You actively decide whether you want to allow Adjust to optimise our marketing activities. To this end, we ask for your consent once when you start the hvv switch app for the first time. In addition, you have the option of adjusting or revoking your consent in the privacy settings of the hvv switch app at any time.

Use of this analysis tool is based on Article 6.1 (a) of the GDPR.

Google Firebase

We have integrated an SDK (Software Developer Kit) from Google Firebase into the hvv switch app in order to better understand the use of our app and to be able to improve the offer. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The anonymised information about the use of our app collected via Google Firebase gives us information about, for example, the number of times the app is opened in a period of time, provides insights into particularly popular functions as well as the number of in-app purchases and the total number of users in a certain period of time. For this purpose, the data is transferred to Google in the USA and stored there. Further information on data processing by Google Firebase can be found at https://www.firebase.com/terms/privacy-policy.html.

You actively decide whether you want to permit the use of Google Firebase to optimise our app offer. For this purpose, we request your consent once when you start the hvv switch app for the first time. You have the option to alter and revoke your consent in the privacy settings of the hvv switch app at any time.

Any use of this analysis tool is based on Article 6.1 (a) of the GDPR.

G. What are your rights with regard to data protection?

The GDPR grants certain rights to data subjects whose personal data is processed by us. We would like to outline these rights in the following. If you have any questions regarding data protection with respect to hvv switch, please feel free to contact us as the data controller, or to get in touch with our Data Protection Officer. You can find the contact details under B. Who is responsible?

1. Information, deletion & correction

You have the right to request information about your personal data stored by us free of charge at any time. This includes information about the purpose of processing, the category of data used, its recipients and the planned duration of data storage or, if this is not possible, the criteria for determining this duration. Furthermore, you have the right to have the data deleted and/or corrected, in particular if the data is incomplete or incorrect, if it is no longer necessary for the purpose for which it was collected, or if you have withdrawn your consent to the processing.

2. Revocation of consent

If data processing is carried out with your consent, you have the option to revoke this consent at any time. An informal email is sufficient here to make this happen. The legality of the data processing carried out up until the date of revocation will remain unaffected by the revocation.

3. Right of objection

If the data processing is based on a legitimate interest on our part, you have the right to object to the data processing. The prerequisite for this is that there are reasons arising from your particular situation (Art. 21 (1) GDPR).

4. Right to restriction of processing

You have the right to request that the processing of your personal data be restricted. This right to restriction of processing applies in the following cases:

  • If you query the accuracy of your personal data stored by us. We will usually need some time to check this. For the duration of this review period, you will have the right to request the restriction of the processing of your personal data.
  • If your personal data has been or is being processed in a way that is unlawful, you can request the restriction of data processing rather than having your data deleted.
  • If we no longer need your personal data, but require it for the exercising, defence or assertion of any legal claims, you will have the right to request the restriction of the processing of your personal data rather than having your data deleted.
  • If you have lodged a complaint as per Article 21.1 of the GDPR, a balance must be struck between your interests and our interests. As long as it has not yet been determined whose interests prevail, you will have the right to demand the restriction of the processing of your personal data.

5. Right to data portability

You have the right to have data that we process automatically, based on your consent and/or to fulfil a contract, provided to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of data to another data controller, this will only be implemented provided it is technically feasible.

6. Right of complaint to a supervisory authority

In the event of a breach of the GDPR, you have the right to lodge a complaint with a supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies.

In Hamburg, you can contact the official data protection commissioner at:

The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.