PRIVACY POLICY
This privacy policy describes how we process personal data when you use our aroundBerlin Application ("App") and its functionalities or make a booking via our telephone bookings system.
For data processing in relation to the website for our aroundBerlin Shuttle service, please refer to the privacy policy at https://www.door2door.io.
1. What is Personal Data?
Personal Data includes all information relating to an identified or identifiable natural person. This may include, for example, their name, address, e-mail address, and user behaviour in relation to the App.
2. Responsible Body and Data Protection Officer
The Responsible Body under Article 4 No. 7 of the General Data Protection Regulation (GDPR) is Door2Door GmbH, Torstraße 109, 10119 Berlin, hello@door2door.io.
We have appointed a Data Protection Officer. You can reach our data protection officer at the above postal address (c/o "Data Protection Officer") and by e-mail at datenschutzbeauftragter@door2door.io.
3. What personal data do we collect? How do we use the data we collect from you? On what legal principle is the use based?
a) Installation of the App and registration
When you install the App and create a user account, the following personal information is collected from you:
- First name and surname
- Email address
- Encrypted password
- IP address of the last login
- Date of last login
- Date of account registration
This data processing is for the purpose of registration and authentication as well as for verification of the user identity. The legal basis for this is Art. 6 para. 1 (a) GDPR (consent given by you).
b) Installation and use of the App without registration
If you install and use the App without creating a user account, anonymised/pseudonymised data is collected via Google Firebase. See the information about Firebase Analytics, Firebase Crashlytics and Firebase Remote Config under Item 3 c) iv. below. You can opt out of this data collection by Firebase Analytics by disabling this functionality in the permissions menu in the App.
c) Use of the App after registration
When using our App after registration, the following personal data may be collected:
i. Location-based data
You can use our App to request a vehicle for a specific route by entering the following data in the App:
- Pick-up address
- Destination address
- Date and time
- Number of passengers
- Choice of ticket
- Payment method
- Accessible vehicle request
The purpose of this data processing is to carry out the transportation request and to plan the route of the vehicle. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).
If you would like to use "my location" as your starting address and click on the "my current location" button, we can automatically determine your geographical location in real time using your mobile device. In order for this feature to work, you need to have activated the location services in our App.
The automatic collection, processing and use of your location-based data is only carried out if you give your consent, by enabling location services. You can withdraw your consent at any time by deactivating location services. Please note that if you deactivate location services, you will not be able to use certain functions of our App, since location services are an important element of the App.
ii. Payment-relevant information
A fee is charged for the use of the shuttle service. If you wish to pay the fee online via the payment system integrated into the App, you will be asked to provide certain payment information. Whether you wish to pay by credit card or via PayPal, this information will go to our external payment service provider, Braintree (a division of PayPal).
You will enter the following information in order to make an online payment:
- Name
- Email address
- Method of payment
- Credit card number, validity date, security code
In the case of a PayPal transfer, you may not need to enter your credit card information. Your IP address may also be transferred automatically to Braintree.
Braintree is a third-party service owned by PayPal and is therefore a trusted provider of payment services. Braintree handles all security issues that require PCI compliance and provides a scalable and flexible way to enable digital payments. Further information can be found at https://www.braintreepayments.com/.
The purpose of this data processing is to arrange payment of the transportation fee. The legal basis for this is Art. 6 para. 1b GDPR (performance of a contract).
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
iii. Data visible to drivers and dispatchers
If you request a ride via the App, some or all of the following data is shared with the driver and dispatcher of the vehicle as well as other relevant employees:
- Your first name and, if applicable, surname
- Your pick-up address and destination
- Number of passengers to be transported
- Total price of passenger transport for the specified route
- Accessible vehicle request
The purpose of this data processing is the fulfilment of the ride request. The legal basis for this is Art. 6 para. 1b GDPR (contract implementation).
Once the ride is completed and invoicing has taken place, the driver has no further access to this data.
iv. Use of Google Firebase
We use Google Firebase within our App. Google Firebase is a platform that offers numerous application possibilities for app-developers. Use of Google Firebase can greatly improve the connectivity, quality, scalability and security of apps.
Google Firebase enables the operator to carry out independent analysis of App user behaviour through Firebase Analytics or to send short messages to App users through Firebase Cloud Messaging. Google Firebase is a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US. When you use the App, personal data is collected and processed by Google Firebase. You can find more information about the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=en
We use Google Firebase as follows:
Firebase Analytics
Firebase Analytics enables the operator to carry out independent analysis of user behaviour on the basis of anonymised or pseudonymised data. When you use the App, an app Instance ID is automatically generated by Firebase Analytics and assigned each time you open the App. The ID is used to calculate user metrics.
Firebase Analytics also derives demographic and interest data from the following other sources, depending on your device's operating system:
Android Ad ID: The device-specific Ad ID is used to track app usage only. In Analytics, an identifier is generated based on the ID. This identifier contains information about demographics and interests (such as arts and entertainment, games, sport) based on user app activity.
iOS Identifier for Advertisers (IDFA): The device-specific IDFA only collects app usage. In Firebase Analytics, an identifier is generated based on the IDFA. This identifier contains information about demographic characteristics and interests that result from user app activity.
Location data is derived from the IP addresses of users. We have configured Firebase Analytics to anonymize IP addresses within the European Union and the European Economic Area before they are submitted to Google LLC. Neither from the collection of the IP address nor from the other data can we or Google LLC (to the best of our knowledge) draw conclusions about your identity.
Google LLC uses the data to provide us with anonymous information and statistics on the use of our App in real-time reports. We use this information to further improve the stability and security of the App, to increase the attractiveness of our App and to adapt the App's content to the needs of the target group.
You can object to the collection of this information by deactivating the functionality in the Permissions menu in the App.
Firebase Cloud Messaging
Firebase Cloud Messaging is used to transmit push messages or so-called in-app messages (messages that are only displayed within the respective app). The end device is assigned a pseudonymized push reference, which serves as the target for the push messages or in-app messages. Information about the functionality of Firebase Cloud Messaging can be found here: https://firebase.google.com/products/cloud-messaging
We use Firebase cloud messaging to provide you with important operational information in connection with your booking, such as the vehicle's arrival time. This enables us to increase the attractiveness and performance of our shuttle service and adapt the shuttle service to the needs of our users.
The push messages can be deactivated and reactivated at any time in the settings of the terminal device.
Firebase Crashlytics
In the event of a technical error or crash, Firebase Crashlytics identifies information about this specific event so that the cause of the crash can be determined. The data which would be investigated in this instance could include the operating system version, app version, time of the crash etc. Information about the functionality of Firebase Crashlytics can be found here:
https://firebase.google.com/products/crashlytics
We use the data collected in this context to increase the attractiveness of our App and to minimize future failures and malfunctions of the App.
Firebase Remote Config
Firebase Remote Config enables the configuration of app settings so that the app can be modified on the devices on which it is installed without having to completely reinstall it from the Google Store every time a change is made to it. In this context, certain device information is processed. Information about how Remote Config works can be found here:
https://firebase.google.com/products/remote-config/
We use the data collected in this context to increase the attractiveness of our app and to minimize future failures and malfunctions of the app.
The legal basis for the processing and transmission of personal data (insofar as personal data is involved) mentioned in this item 3 c) iv. is our legitimate interest according to Art. 6 para. 1 f) GDPR.
v. Use of Twilio
Our application (App) uses functionalities of the communication platform Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105. Communication signals like Voice (VoIP) are integrated into our App to enable drivers to establish contact with the passenger. To enable this contact, a pseudonymised identifier is used. This allows the Passenger App and the Driver App to establish a connection.
The legal basis for the use of Twilio is Art. 6 para. 1 sentence 1 (b) GDPR. There is a data processing agreement according to the EU Standard Contractual Clauses. More information on data protection can be found in the Twilio data protection policy at https://www.twilio.com/legal/privacy
d) Telephone Bookings
i. Contact and booking information
When you make a booking via our telephone bookings system, the following personal data is collected:
- First name (surname is optional)
- Pick-up address
- Destination address
- Date and time
- Number of passengers
- Choice of ticket
- Payment method
- Accessible vehicle request
The purpose of this data collection is to carry out the transportation request and to plan the route of the vehicle. The legal basis for this is Art. 6 para. 1 (b) GDPR (performance of a contract).
ii. Data visible to drivers and dispatchers
If the telephone bookings assistant enters a ride request into the system on your behalf, some or all of the following data is shared with the driver and dispatcher of the vehicle as well as other relevant employees:
- Your first name (and surname, if provided)
- Your pick-up address and destination
- Number of passengers to be transported
- Total price of passenger transport for the specified route
The purpose of this data processing is fulfilment of the ride request. The legal basis for this is Art. 6 para. 1b GDPR (contract implementation).
Once the ride is completed and invoicing has taken place, the driver has no further access to this data.
4. Will the data and information about me be shared with others?
Your personal data will not be passed on, sold or otherwise transferred to third parties, except in the cases described in Item 3 above ("What personal data do we collect?") unless this is necessary for the purpose of processing the contract or you have expressly consented to this.
If the transfer of personal data to an external service provider is necessary for the provision of a service or a response to an enquiry, we shall take technical and organisational measures to ensure that the statutory provisions on data protection under Art. 28 GDPR are complied with and shall also oblige the external service provider to comply with the relevant statutory data protection provisions, to treat the data confidentially and to delete the personal data without delay as soon as it is no longer required.
5. Are data also transmitted to recipients outside the European Union or outside the European Economic Area (EEA)?
We share personal information in anonymised or pseudonymised form with contract processors located in non-EEA countries, in particular, the data shared via Google Firebase with Google LLC in California. In this case, we ensure that the recipient has an adequate level of data protection (e.g. based on an EU Commission Adequacy Decision for the respective country, a self-certification of the recipient for the EU-US Privacy Shield or an agreement between the recipient and the European Union on EU Standard Contractual Clauses).
We can provide you with an overview of the recipients in third countries and a copy of the specifically agreed regulations to ensure the appropriate level of data protection. Please use the information in the contact section for this purpose.
6. How long will my data be stored?
Your data will generally be deleted after the purpose for which they were stored has been fulfilled, unless the deletion is contrary to statutory retention periods. These periods are in many cases set by the German Civil Code (BGB), the German Commercial Code (HGB) or the German Fiscal Code (AO) and will normally be 6 - 10 years, or, in exceptional cases, longer. After the expiration of a statutory retention obligation, the data will be deleted.
7. What rights do I have?
According to the GDPR, you have the right to information, rectification, portability and erasure of your data.
If the data processing is justified by our legitimate interests, you have the right to object to the data processing for the future, unless the data is absolutely necessary for the operation of the App.
Your right to appeal to a supervisory authority: Without prejudice to the rights set out above, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are staying, of your place of work or of the place of the alleged infringement, if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority where the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
8. Contact
For information and suggestions on the subject of data protection, please contact our data protection officer at datenschutzbeauftragter@door2door.io and we will be happy to assist you.
Door2Door GmbH
Torstraße 109
10119 Berlin, Germany
Version of 30th April 2021