Data Privacy Statement NAH.SHUTTLE-App
The NAH.SH GmbH enables users of this app to make use of demand-responsive transit services.
As you wish to use a special service of NAH.SH GmbH with our app for demand-responsive transit, the processing of personal data will become necessary. Since there is no legal basis for such processing of personal data (e.g., the implementation of a contractual agreement), we ask for your consent.
With this information, we inform you about which data we collect from you, how we use it and how you can object to the use of data.
Who is responsible for data collection and processing?
Nahverkehrsverbund Schleswig-Holstein GmbH, Raiffeisenstr. 1, 24103 Kiel, collects and processes your data as the responsible party.
If you have any questions or suggestions regarding data protection in connection with the NAH.SHUTTLE app, please contact:
NAH.SH Kundendialog
0431 660 19 449
kundendialog@nah.sh
If you have any further questions regarding the processing of your personal data, please contact our data protection officer:
compolicy GmbH
An den Eichen 15
24248 Mönkeberg
datenschutz@nah.sh
What data do we collect? How and why do we process your data?
We collect and process your data exclusively for specific purposes. These may result from contractual requirements or explicit user requests. In order to fulfil a contract, we require personal data from you. Accordingly, this data is required to provide the roles of the app (e.g. trip search and booking of a trip).
1) Downloading the app
When downloading the app, the necessary information is transferred to the App Store, i.e. in particular user name, e-mail address and customer number of your account, time of download and individual device identification number. We have no influence on this data collection and are not responsible for it.
2) Starting the app / establishing a connection to servers
If you use the app on your smartphone, your end device establishes a connection with the servers of the app provider ioki. The operating system and the version of our app used are transmitted to ioki and processed. The transmission and processing is carried out to improve the app as well as for troubleshooting purposes. The legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO.
3) Use of positioning services
For optimal functionality, the app requires the authorization to use positioning services of the end device.
You have the option of granting authorization to use the positioning services when using the app for the first time.
If you do not grant authorization to use the positioning services, the app can be used with one restriction: you must enter your address manually when making a journey request.
You can revoke the authorization granted at any time in the settings of your end device.
4) Registration data
During registration, the following login and user data is collected in order to create a customer account:
Mandatory data:
- Mobile phone number
- Email address
- Last name and first name
Voluntary data:
- Payment details (credit card number, validity)
- Billing address
5) Google Maps
The App uses Google Maps as a service to show you a map in the App. Accordingly, it uses the Google Maps API application operated by Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland (“Google”). The terms of use for Google Maps can be found at: https://www.google.com/help/terms_maps.html. Google’s privacy policy can be found at: https://policies.google.com/privacy.
This map is embedded via Google Maps and interactively shows you the distance to the vehicle carrying out your journey. If you have consented to the use of your GPS location data, this will be processed on the basis of Article 6 (1) a) DSGVO.
6) Location data and journey data
In order to be able to carry out or provide the transport and thereby a core service of the app, it is necessary that location data is processed. This can be both released GPS data of the positioning services and location data entered by the user.
When booking and carrying out the journey, we collect the following data at the time of booking:
- Start location (address) – if you have activated your GPS location services. This information is used to find a pick-up location. The GPS data is not cached at this time.
- Pick-up location (address)
- Drop-off location (address)
- Destination (address)
- Information about your end device (operating system)
- Payment method
- Number of seats required
- Discounts granted, if applicable
- If applicable, details of local transport ticket
- If applicable, information on whether you are a wheelchair user.
We collect the following data during and at the end of the journey:
- journey duration in minutes
- kilometers travelled
The legal basis for the processing of your GPS location data is Article 6 Paragraph 1 p. 1 lit. a DSGVO, while the remaining data is collected for the purpose of processing the contract on the basis of Article 6 Paragraph 1 p. 1 lit. b DSGVO.
As long as authorization was granted when the app was installed and not deactivated again, location data is collected and used to find and display transport options in the vicinity. Your position is not temporarily stored and is only used to find possible pick-up locations in the vicinity.
7) Journey history
In your customer account, you have the option of displaying your data on booked journeys (route, boarding time and place, route guidance, vehicle, exit, booking code, price) under “Account”.
8) Billing
Fees are charged for booking a journey. Billing between you as a user and the operator takes place via a payment service provider. You have the option of paying the costs incurred for the rides by credit card.
The credit card payment is made by the service provider Stripe Payments Europe, Ltd, The One Building, 1 Grand Canal Street, Lower, Dublin 2, Ireland.
You can view the privacy policy of Stripe Payments Europe, Ltd. here: https://stripe.com/de/privacy.
For payment by credit card, the first and last name of the credit card holder, the issuer of the credit card, the first six and last four digits of the credit card number and the expiry date of the credit card must be provided in order to process the payment.
Stripe Payments Europe, Ltd. is PCI DSS (Payment Card Industry Data Security Standard) certified. When you provide your credit card details, they are transmitted directly to the payment service provider we use via an encrypted connection. Our payment service provider then carries out a so-called authentication of your means of payment. This ensures that your means of payment is an active means of payment. For security reasons, only the first six and last four digits of your credit card are transmitted to us and we store these for identification and verification purposes.
ioki as the app provider itself and NAH.SH GmbH as the responsible party for the app do not receive any payment data from users.
9) News and individualized offers
If you wish to receive news (e.g. regarding current route information, developments in the app) or offers (e.g. vouchers, discounts) as part of a newsletter (email) and/or via push notifications directly in the app, you must explicitly consent to receiving these messages.
You can give your consent for one or both channels of information as part of the installation and setup of the app or at any time later in the settings of the app. The legal basis for the processing is in each case Art. 6 Para. 1 a) DSGVO.
You can unsubscribe from receiving emails or push notifications at any time by adjusting the setting for receiving emails and push notifications in the app. In addition, each newsletter contains a link to unsubscribe at the bottom.
For this service, we use technology from Urban Airship Inc, 1417 NW Everett St, Suite 300, Portland OR 97209, USA. For more details, please see Urban Airship’s privacy policy at http://urbanairship.com/legal/privacy-policy.
Technically, push notifications are delivered via the services Firebase Cloud Messaging (Android) and Apple Push Notifications (iOS). In the process, Firebase and Apple generate a computed key composed of the app’s identifier and its device identifier. This key is stored on our push platform according to the settings you have selected in order to provide you with the content according to your wishes. The servers of the service providers cannot draw any conclusions about the requests of users or determine other data related to a person. Firebase and Apple serve solely as intermediaries.
10) Firebase
Our app uses Firebase, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). With the help of this tool, information is transmitted to us anonymously in the event of an app crash in order to be able to trace the cause of the respective crash and remedy it more quickly. In this way, existing errors are analysed and identified and the quality of the app is ensured.
Furthermore, Firebase is used to measure the success of individual roles of the app. Firebase analyses the acceptance of the roles by the user.
The transmitted data is purely technical and has no personal context.
If you wish to receive push notifications via the NAH.SHUTTLE app, you must explicitly consent to receiving the push notifications. You can revoke your consent at any time. You will be asked for consent to receive push notifications during installation or when using the app for the first time.
We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. In the process, Firebase and Apple generate a calculated key that is made up of the identifier of the app and your device identifier. This key is stored on our push platform with the settings you have selected in order to make the content available to you according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve solely as transmitters.
11) Newsletter
If you register for one of our newsletters, we will send the newsletter to the e-mail address you have provided. In this case, your email address may be used by us for advertising purposes. The legal basis for the processing is Art. 6 para. 1 a) DSGVO.
When you register for the newsletter, we store the IP address of your computer system used at the time of registration as well as the date and time of registration assigned by your Internet service provider (ISP). The collection of this data is necessary in order to be able to trace a possible misuse of the e-mail address of a data subject at a later date and therefore serves our legal protection.
You can unsubscribe from the newsletter at any time by adjusting the newsletter setting in the app or by sending an email to nahshuttle@nah.sh. In addition, each newsletter contains a link to unsubscribe at the end.
12) Disclosure to third parties
In general, the processing of contracts requires the involvement of instruction-dependent processors, such as computer center operators, printing or shipping service providers or other parties involved in the performance of the contract.
External service providers who process data on our behalf are carefully selected by us and strictly bound by contract. The service providers work according to our instructions, which is ensured by strict contractual regulations, by technical and organisational measures and by supplementary controls. We work with service providers from the EU. To this end, we have concluded order processing contracts with our external service providers within the EU or the European Economic Area in accordance with Article 28(3) of the GDPR, insofar as this is necessary due to the purpose of the contract.
Otherwise, your data will only be transferred if you have given us express consent to do so or on the basis of a statutory regulation.
As far as necessary for our purposes, we may also transfer your data to recipients outside the EU in individual cases. If we transfer data to third countries, we ensure that the recipient has implemented an adequate level of data protection pursuant to Art. 45 DSGVO or appropriate guarantees pursuant to Art. 46 (2) and (3) DSGVO and that no other interests worthy of protection speak against the transfer of data.
13) Storage duration and deletion deadlines
Your personal data will be stored by us for as long as it is necessary for the aforementioned purposes of the processing or insofar as this is provided for by law. In the event of an objection, no compelling reasons worthy of protection on the part of the operator are opposed or in the event of a revocation, no other legal basis for the data processing exists. However, in certain cases, e.g., if there is a legal obligation to retain data, your personal data will not be deleted immediately but will first be blocked.
14) Encrypted transmission
The transmission of personal data from the user’s end device (e.g., smartphone) is always encrypted.
What rights do you have?
– You can request information about what data is stored about you.
– You can demand correction, deletion and restriction of processing (blocking) of your personal data, as long as this is legally permissible and possible within the framework of an existing contractual relationship.
– You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for NAH.SH GmbH is: Independent Centre for Data Protection Schleswig-Holstein, P.O. Box 71 16, 24171 Kiel, telephone: 04 31/988-12 00, fax: 04 31/988-12 23, e-mail: mail@datenschutzzentrum.de, homepage: http://www.datenschutzzentrum.de.
– You have the right to transfer data that you have provided to us on the basis of consent or a contract (data portability).
– If you have given us consent to process data, you can revoke this consent at any time by the same means by which you gave it. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
– You may object to data processing on grounds relating to your particular situation if the data processing is based on our legitimate interests.
To exercise your rights, simply send a letter by post to Nahverkehrsverbund Schleswig-Holstein GmbH, Raiffeisenstr. 1, 24103 Kiel, or by e-mail to kundendialog@nah.sh or datenschutz@nah.sh.
Updating the data privacy statement
We adapt the data privacy statement to changed functionalities or changed legal situations. We therefore recommend that you read the data privacy statement at regular intervals. If your consent is required or parts of the data privacy statement contain provisions of the contractual relationship with you, the changes will only be made with your consent.