Privacy policy and mandatory information in accordance with Article 12ff EU GDPR

Section 1

General information

The following information provides a general overview of what happens to your personal data when you use our mobile application "freYfahrt" (app). Personal data includes all data that identifies you as an individual. This privacy policy applies solely to our mobile app "freYfahrt" for iPhone and Android phones (hereinafter "app"). With regard to the data privacy policy of our external homepage for this service, please refer to the relevant data protection information on https://www.freyfahrt-freyung.de.

Responsible authority

City of Freyung
Mayor Dr. Olaf Heinrich
Rathausplatz 2
94078 Freyung
+49 (0) 8551 5880
info@freyung.de
Please note that data transmission via the Internet (for example, when communicating via e-mail) may involve security vulnerabilities. Completely safeguarding data from access by third parties is not possible.

Statutory data protection officer

We have appointed a data protection officer for our enterprise.

City of Freyung
Executive Administrator, City of Freyung
Mr. Herbert Graf
Rathausplatz 2
94078 Freyung
+49 (0) 8551 588-120
graf@freyung.de

Section 2

Data collected by the freYfahrt app and the legal basis for this

We only collect, process, and use personal data if you have consented to this or if the corresponding legal provisions concerning the protection of your data permit its collection, processing and use. Please refer to the following provisions for further details.

Section 3

Use for specific purpose

a. Installation of the app

When you install this app and create a user account, the following personal data will be collected:

• First and last name
• E-mail address
• Encrypted password
• IP address of the last login
• Date of last login
• Date of account creation

The data is collected for the purpose of registration and authentication, as well as for verification of the user identity. The legal basis for this is Article 6 (1b) EU GDPR (contract initiation or contract execution).

b. Use of the app

When using our app, the following personal data may be collected:

1. Location-based data

   You can use our app to request a vehicle enabling passenger transport on a specific route by entering the following information via the app:

   • Pick-up address
   • Drop-off address
   • Date and time
   • Number of passengers

   The purpose of this data collection is to execute the transport order and plan the vehicle's route. The legal basis for this is Article 6 (1b) EU GDPR (contract execution).

   If you would like to use "my location" as the pick-up address and tap the "my current location" button, we can use your mobile device to automatically determine your geographical location in real time. The prerequisite for this is that you have activated location services in the app.

   Your location-based data will only be collected, processed and used with your consent by authorizing your location to be shared. You can withdraw your consent at any time by deactivating the location service. Please note that if you deactivate the location service, you will not be able to use certain features of our app that are an integral part of the app.

2. Payment-related information

   A transport fee is charged for the use of the service. The transport fee can only be paid online via the payment system that has been integrated into the app. Therefore, you will be asked to provide certain payment information to our payment service provider Braintree:

   • Name
   • Email
   • Payment method
   • Credit card number

   The purpose of this data collection is to bill the fee for the transport order. The legal basis for this is Article 6 (1b) EU GDPR (contract execution).

   Braintree is a third-party service owned by PayPal and thus a trusted entity for payment services. Braintree handles all security matters that require PCI compliance, providing a scalable and flexible means of digital payment. For further information, please review: https://www.braintreepayments.com/.

3. Data visible to drivers

   If you request a vehicle for passenger transport via the app, the driver will receive the following data:

   • Your first and last name
   • The pick-up and drop-off address
   • The number of people who will be transported with you
   • The estimated total price of passenger transport for the specified route

   This data is used to execute the transport order. The legal basis for this is Article 6 (1b) EU GDPR (contract execution).

   After the passengers have been transported and the fee has been settled, the driver will no longer have access to this data.

4. Push notifications

   When using the mobility service, you can be informed by push notification about the arrival of the passenger vehicle or special offers.

   To receive push messages, you must have enabled push messages in your mobile device settings. Your mobile device settings allow you to deactivate push messages at any time.

Analysis tools

Google Analytics and Google Firebase

This website uses features of the web analysis service Google Analytics and Google Firebase. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The following data is stored and analyzed:

• Age
• Gender
• Country
• With Firebase, user behaviour within the app is also analysed

This information is normally transmitted to and stored on a Google server in the USA.

The purpose of collecting and using this information is to analyze our target audience and improve our product features on the basis of usage metrics. The legal basis is Article 6 (1f) GDPR (our legitimate interest is the analysis of user behaviour in order to optimize our app) or Article 6 (1a) GDPR (consent that you have granted).

The collected data is anonymized before any analysis is performed. To this end, personal data is abridged by Google within member states of the European Union or other contracting states to the Agreement on the European Economic Area prior to its transmission to the USA.

You may object to the collection of your data by Google Analytics. For more information about how Google Analytics handles user data, see the Google Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=de.

Facebook SDK

Our app uses the Facebook Software Development Kit (Facebook SDK). The Facebook SDK is provided by Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA ("Facebook"). The following data is used:

• App ID
• App version
• The information that the app was started

The Facebook SDK enables us to increase the advertising success of Facebook campaigns for mobile apps -- for example, by not displaying advertisements on a mobile device for apps that are already installed on the mobile device. The Facebook SDK also allows us to analyze the installation of our app and the success of our advertising campaigns.

The Facebook SDK also enables us to analyze users' individual activities within the app in order to better and more accurately define the target groups of advertising campaigns. Our app only transmits anonymized data to Facebook for this purpose. The pseudonym used here is the advertising ID provided by the device's operating system (the name may differ depending on the operating system). The app ID can be newly created by the user when the app is reinstalled.

The purpose of collecting and using this data is to analyze our target audience and to optimize advertising campaigns and product information. The legal basis is Article 6 (1f) GDPR (our legitimate interest is the analysis of user behaviour in order to conduct personalized advertising campaigns) or Article 6 (1a) GDPR (consent that you have granted).

Section 4

Recipients of personal data

Any transfer, sale or other transmission of your personal data to third parties will never take place except in the cases described under no. 2, unless it is necessary for the purpose of executing the contract or if you have expressly consented to it.

If providing personal data to an external service provider (such as the app developer we have commissioned to troubleshoot the app) is necessary to provide a service or respond to a request, we will use technical and organizational measures to ensure that the legal data protection provisions are maintained in accordance with Article 28 EU GDPR.

Furthermore, we oblige all external service providers to comply with the relevant statutory data protection provisions, the confidential use of personal data and the immediate deletion of it as soon as it is no longer required.

Section 5

Personal data of children

Since the protection of children's privacy is of great importance, we do not wish to collect, process or use personal information from anyone under the age of 18. If you as a guardian know that your children have transmitted their personal data to us, you can contact us via the addresses listed under "Responsible authority" if you would like the data to be deleted.

Section 6

Security aspects

We take all necessary technical and organizational security precautions in order to ensure that your personal data is protected from loss and misuse. For example, your data will be stored in a secure operating environment that is not accessible to the public. Wherever possible, encryption technology is also utilized to safeguard your data.

Section 7

Retention period

Your data will always be deleted after fulfilment of the purpose for which it was stored, unless the subsequent deletion is prohibited due to a statutory retention period. Such periods arise from the German Civil Code (BGB), the German Commercial Code (HGB) or the German Tax Code (AO) and can span 2 to 30 years. After expiry of any retention requirements, the data will be permanently deleted.

Section 8

Rights of the data subject

You have the right to information about personal data which concerns you, as well as the rectification, deletion or restriction of processing. Furthermore, you have a right to object to the processing and the right to data portability. You can read more about this in Section III of the EU GDPR.

Without prejudicing any other administrative or judicial action, you have the right to complain to a supervisory authority if you believe that the processing of your personal data is in breach of the EU GDPR. The supervisory authority responsible for data protection in our case is the Bavarian State Commissioner for Data Protection in Munich.

However, before you contact the supervisory authority, we would first like to ensure that you are provided with direct information about any questions or concerns you may have. Please feel free to contact the following person directly:

City of Freyung
Executive Administrator, City of Freyung
Mr. Herbert Graf
Rathausplatz 2
94078 Freyung
+49 (0)8551 588-120
graf@freyung.de