PRIVACY POLICY

Version of 31.1.2019

This privacy policy describes how we process personal data when using our mobile Application (App) and its functionalities.

This privacy statement Applies only to our mobile iPhone and Android "Allygator" App (the "App"). For data processing in relation to the website for our Allygator Shuttle service, please refer to the privacy policy at https://allygatorshuttle.com.

1. What is Personal Data?

Personal Data is any information relating to an identified or identifiable natural person. This may involve data that can be attributed to you personally, for example name, address, e-mail address, user behaviour.

2. Responsible Body and Data Protection Officer

The Responsible Body under Article 4 No. 7 of the General Data Protection Regulation (GDPR) is Door2Door GmbH, Torstraße 109, 10119 Berlin, hello@door2door.io.

We have appointed a Data Protection Officer. You can reach our data protection officer at the above postal address -- c/o "data protection officer" - and by e-mail at datenschutzbeauftragter@door2door.io.

3. What personal data do we collect? How do we use the data we collect from you? On what legal principle is the use based?

a) Installation of the App

When you install this App and create a user account, the following personal information is collected from you:

• First name and surname
• Email address
• Encrypted password
• IP address of the last login
• Date of last registration
• Date of account creation

The registration is made for the purpose of registration and authentication as well as for verification of the user identity. The legal basis for this is Art. 6 para. 1 (a) GDPR (consent given by you).

b) Use of the App

When using our App, the following personal data may be collected:

1. Location-based data

You can use our App to request a vehicle for a specific route by entering the following data in the App:

• Pick-up address,
• Destination address,
• Date and time,
• Number of passengers.

The purpose of this data collection is to carry out the transportation request and to plan the route of the vehicle. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).

If you would like to use "my location" as your starting address and click on the "my current location" button, we can automatically determine your geographical location in real time using your mobile device. In order for this feature to work, you need to have activated the location services in our App.

The automatic collection, processing and use of your location-based data is only carried out if you give your consent, by enabling location services. You can withdraw your consent at any time by deactivating location services. Please note that if you deactivate location services, you will not be able to use certain functions of our App, since location services are an important element of the App.

2. Payment-relevant information

A fee is charged for the use of the service. If you wish to pay the fee online via the payment system integrated into the App, you will be asked to provide certain payment information to our external payment service provider Braintree, namely:

• Name
• Email address
• Method of payment
• Credit card number
• Billing address

The purpose of this data processing is to arrange payment of the transportation fee. The legal basis for this is Art. 6 para. 1b GDPR (performance of a contract).

Braintree is a third-party service owned by Paypal and therefore a trusted provider of payment services. Braintree handles all security issues that require PCI compliance and provides a scalable and flexible way to enable digital payments. Further information can be found at https://www.braintreepayments.com/.

3. Data visible to drivers and dispatchers

If you request a ride via the App, some or all of the following data is shared with the driver and dispatcher of the vehicle as well as other relevant employees:

• Your first name and surname
• Your pick-up address and destination
• Number of passengers to be transported
• Total price of passenger transport for the specified route.

The purpose of this data processing is fulfilment of the ride request. The legal basis for this is Art. 6 para. 1b GDPR (contract implementation).

Once the ride is completed and invoicing has taken place, the driver has no further access to this data.

4. Push notification

When using the service, you can be informed of the arrival of the vehicle you have ordered by means of a push notification. In addition, we can inform you of important operational information about our service via push notification.

The purpose of this data use is Art. 6 para. 1a GDPR (consent given by you).

To receive push messages, you must have enabled the push messages in the settings of your mobile device. You can deactivate the push messages at any time via the settings on your mobile device.

5. Analysis tools

Firebase

Our App uses Firebase, a web analysis service provider provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The following data is stored and analyzed:

• Age
• Gender
• Country
• Device profile (model etc.)
• User behavior within the App

This information is usually transferred to a Google server in the USA and stored there.

We have programmed Firebase in such a way that it anonymizes your IP address. Your Google IP address will be abbreviated by Google within the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area before transferring it to the Google server in the USA. This makes it impossible to trace it back. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and be abbreviated there. The IP address provided by your browser as part of Firebase will not be merged with other Google data.

The purpose of collecting and using this data is to analyse our target group and to improve our product functionality on the basis of usage metrics. The legal basis is Art. 6 para. 1 (f) GDPR (our legitimate interests in the analysis of user behaviour in order to optimise our App) or Art. 6 para. 1a GDPR (consent given by you).

You can prevent Firebase from collecting data by disabling the functionality in the Permissions menu of the App. You can find more information about the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=en

Facebook SDK

Our App uses the Facebook Software Development Kit (Facebook SDK). The Facebook SDK is provided by Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA ("Facebook"). The following data is used for this:

• App ID
• the App version
• the fact that the App has been opened

The Facebook SDK helps us to increase the advertising success of mobile App advertising campaigns that are placed on Facebook - for example, by not displaying advertising for the corresponding App on devices on which it is already installed.

The Facebook SDK also enables various evaluations of the installation of our App and the success of our advertising campaigns. The Facebook SDK also allows us to analyze a user's individual activities within the App in order to better define the target group for advertising campaigns, for example.

Only pseudonymized data is transmitted to Facebook. The Advertising ID provided by the operating system of the terminal device serves as the pseudonym (the name may differ depending on the operating system). A new App ID can be created by the user when the App is reinstalled.

The purpose of processing this data is to analyse our target group and to optimise advertising campaigns and product information. The legal basis is Art. 6 para. 1 (f) GDPR (our legitimate interest in the analysis of user behaviour in order to carry out individualised advertising campaigns) or Art. 6 para. 1 (a) GDPR (consent given by you).

4. Will the data and information about me be shared with others?

Your personal data will not be passed on, sold or otherwise transferred to third parties, except in the cases described in paragraph 3 b) above ("What data do we collect?"), unless this is necessary for the purpose of processing the contract or you have expressly consented to this.

If the transfer of personal data to an external service provider is necessary for the provision of a service or a response to an enquiry, we shall take technical and organisational measures to ensure that the statutory provisions on data protection under Art. 28 GDPR are complied with and shall also oblige the external service provider to comply with the relevant statutory data protection provisions, to treat the data confidentially and to delete the personal data without delay as soon as it is no longer required.

5. How long will my data be stored?

Your data will generally be deleted after the purpose for which they were stored has been fulfilled, unless the deletion is contrary to statutory retention periods. These periods are in many cases set by the German Civil Code (BGB), the German Commercial Code (HGB) or the German Fiscal Code (AO) and will normally be 6 - 10 years, or, in exceptional cases, longer. After the expiration of a statutory retention obligation, the data will be deleted.

The storage time of cookies varies according to the type of cookie and depends on your browser settings.

6. Are data also transmitted to recipients outside the European Union or outside the European Economic Area (EEA)?

We share personal information with contract processors located in non-EEA countries. In this case, we ensure that the recipient either has an adequate level of data protection (e.g. based on an EU Commission Adequacy Decision for the respective country, a self-certification of the recipient for the EU-US Privacy Shield or an agreement between the recipient and the European Union on EU Standard Contractual Clauses) or sufficient consent.

We can provide you with an overview of the recipients in third countries and a copy of the specifically agreed regulations to ensure the appropriate level of data protection. Please use the information in the contact section for this purpose.

7. What rights do I have?

According to the GDPR, you have the right to information, rectification, portability and deletion of your data.

If the data processing is justified by our legitimate interests, you have the right to object to the data processing for the future, unless the data is absolutely necessary for the operation of the App.

Your right to Appeal to a supervisory authority: Without prejudice to the rights set out above, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are staying, at your place of work or in the place where the alleged infringement is alleged, if you consider that the processing of your personal data is in breach of the GDPR.

The supervisory authority where the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

8. Contact

For information and suggestions on the subject of data protection, please contact our data protection officer at datenschutzbeauftragter@door2door.io and we will be happy to assist you.

Door2Door GmbH
Torstrasse 109
10119 Berlin