DATA PROTECTION POLICY

Handling your data in compliance with data protection regulations is more than just a legal requirement for us at AllRide GmbH. Regardless of whether you use our mobility services, obtain information about our services or our company, are in contact with us as a service provider or partner, or work for us or want to work for us as an employee or applicant – you can rely on the correct handling of your data. For reasons of better readability, we refrain from using both male and female forms of language in the following. All personal designations apply equally to all genders.

In this privacy policy, you can find out how, to what extent and for what purposes we process your data, whether we pass on your data to partners and service providers if necessary, when we delete your data and other points that are important to you.

Who we are

Contact details of the person responsible

Managing Directors: David von Oertzen, Dr. Julian Blessin, Laurin Hahn AllRide GmbH Hackescher Markt 2, 10178 Berlin

E-mail: info@allride.io https://allride.io

Contact details of the data protection officer

David von OertzenE-mail: data.protection@allride.io

General information on data processing

1. scope of the processing of personal data

We only process our users’ personal data to the extent necessary to provide a functional website and our content and services. The processing of our users’ personal data only takes place regularly with the user’s consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and/or the processing of the data is permitted by law.

2 Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

3 Data erasure and storage duration

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

4. data transfer and commissioning of processors

If we disclose data to other persons and companies (processors, joint controllers or third parties) as part of our processing, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR), if you have given your consent, if a legal obligation provides for this or on the basis of our legitimate interests.

If we commission the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR.

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of the use of third-party services or disclosure or transfer of data to third parties, this will only take place if it is done to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that processing takes place, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

5 Rights of the data subjects

5.1 Withdrawal of consent

You have the right to revoke declarations of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

5.2 Right to object

In accordance with Art. 21 GDPR, you have the right, under certain conditions, to object to the processing of your personal data at any time for reasons arising from your particular situation. If you object to such processing, we will terminate or interrupt this data processing process and check again whether we can demonstrate compelling legitimate grounds for the processing that outweigh your interests.

If personal data is processed for direct marketing purposes, you have the right to object to this processing at any time. If you object to direct advertising, we will no longer use your data for advertising purposes.

5.3 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with the competent supervisory authority if you have the impression that we are violating applicable data protection law. To do so, you can contact the state data protection officer or the state data protection officer at your place of work, residence or domicile.

As a rule, your request will be forwarded to the office responsible for us.

Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219 Visitor entrance: Puttkamerstr. 16 – 18 (5th floor) 10969 Berlin

Telephone: 030 13889-0 Fax: 030 2155050 E-mail: mailbox@datenschutz-berlin.de

5.4 Right to information / right to rectification

You have the right to obtain information about the processed data. We have already compiled all the necessary information in accordance with Art. 15 para. 1 GDPR here on the privacy policy. Art. 15 para. 3 GDPR also grants you the right to receive a copy of your data. If you are not sure whether we are processing your data, we will be happy to send you a confirmation.

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement. Some of your data can be changed in your customer account. If you are unable to rectify data yourself, we will support you in exercising your right to rectification in accordance with Art. 16 GDPR.

5.5 Right to restriction of processing / right to erasure

The data processed by us will be erased or its processing restricted in accordance with Art. 17 and 18 GDPR.

In accordance with Art. 17 GDPR, you can demand that your data be deleted immediately. We are obliged to delete your data immediately if one of the legally prescribed reasons of Art. 17 para. 1 GDPR applies and none of the exceptions under Art. 17 para. 3 or similar provisions apply. We are legally authorized under Art. 17 para. 3 lit. e GDPR to retain data relating to journeys. The relevant limitation periods of § 14 StVG of up to 30 years are decisive here.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted in accordance with Art. 18 GDPR. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or to enforce our own legal claims. In particular, we reserve the right to permanently store data of blocked users (e.g. due to accidental driving, fraud, payment default) in order to prevent re-registration. This is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

According to Art. 18 para. 1 GDPR, you can request the restriction of the processing of your data under certain circumstances. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

5.6 Right to data portability

According to Art. 20 GDPR, you have the right to request that we support you in transferring your contract data or data that we process on the basis of consent to third parties, provided that we process the data using automated procedures, e.g. if you wish to switch to a competitor. Let us know to whom we should transfer your data and we will contact the service provider. Alternatively, you can also receive this data in a machine-readable format.

5.7 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

Furthermore, you have the right to be informed about these recipients.

Privacy policy for users of the website and visitors to our social media presence

Below we explain how we handle the data of users of our website and our social media presences.

6.1 Overview of our websites

We operate these websites:

www.allride.io with some subpages (e.g. www.support.allride.io).
www.ticket-plus.app with some subpages (e.g. www.support.ticket-plus.app).
mobil-ticket.com
germany-ticket.de

You can also find us on Facebook, Instagram, LinkedIn and X.

6.2 General information on data processing

6.2.1 Data subjects

The data subjects affected by data processing are visitors to our website or our social media channels (hereinafter also referred to as users or interested parties).

6.2.2 Purposes

The purposes of processing are to provide information about our company and our services, to offer communication channels to our company, to address interested parties in an advertising manner, to analyze the effectiveness of our advertising measures, to conduct anonymized market research and to ensure the security of our websites.

6.2.3 Categories of data / data types

The following data types can be processed:

IP address
Access times and approximate location of users
Meta/communication data (e.g. device information)
Websites visited
Interest in content
Demographic characteristics (via our advertising partners)

The data is generally collected when the offers are used.

6.2.4 Recipients / categories of recipients

The recipients of data are primarily the service providers involved. Below is an overview of the service providers. Further information can be found in the respective sections on processing.

WordPress (Hosting)
WordPress (Consent Management)
WooCommerce (Payment)
Google (statistics/marketing/card clippings/videos)
Facebook (Marketing)
Hubspot (Chat)
Hubspot (CRM)
Funnel.io (Analytics)
BuchhaltungsButler (accounting)
Celonis (automation)
Segment (data management)
Firebase (Crashlytics)
Firebase (Data management)
Google Cloud (GCP)
Sentry

6.2.5 Reservation(s) regarding the storage and processing location of data

We would like to point out that our company works with partners in third countries, in particular the United States. Personal information that we collect from you may be processed in the United States or other third countries. Some of these third countries, such as the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same protection there as under the GDPR.

Until new decisions are made regarding data transfers to the United States or other third countries, we rely on derogations for specific situations as set out in Article 49 of the GDPR and, where applicable, the safeguards under Article 46 of the GDPR. In particular, we only collect and transfer personal data to the United States or third countries with your explicit consent or to fulfill a contract with you. We and our processors endeavor to use appropriate measures to protect the privacy and security of your personal data and to use it only in accordance with your relationship with us and the practices described in this Privacy Policy.

6.3 The data processing in detail

6.3.1 Server log files / log files

A web server log file is created each time the website is visited. The following characteristics are recorded in this file.

Browser type and browser version of the user
Operating system used by the user
Referrer URL Host name of the accessing computer
Date and time of access
IP address of the user
Internet service provider of the user

This data is not merged with other data sources. The provider may collect this data and store it for a period of 7 days. This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the secure operation of a technically error-free presentation and the optimization of our website – for this purpose, the server log files must be recorded. In order to ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. We use encryption to meet the requirements of Art. 32 GDPR, which requires us to take appropriate measures to ensure the security of the website. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

6.4 Cookies and personalized tracking

Our website uses so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. Insofar as other cookies (e.g. cookies for the analysis of surfing behavior) are stored, these are dealt with below in this privacy policy and used with the corresponding consent.

6.4.1 Cookie consent with the Consent Manager from WordPress This website uses the cookie consent technology from WordPress to obtain your consent to the storage of certain cookies on your end device and to document this in accordance with data protection regulations.

When you open our website, we obtain your consent or refusal to the cookies and tracking tools. Your IP address, information about your browser and the device you are using are transmitted to WordPress.

WordPress stores a cookie in your browser in order to be able to assign the consents given or their revocation. The data collected in this way is stored until we are asked to delete it. You can also delete the cookie yourself, in which case you will be asked again the next time you visit the website.

WordPress is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. f GDPR as we, as the website operator, have a legitimate interest in implementing the cookie policy in compliance with data protection regulations. Please read section 6.2.5 for more information on this provider.

6.4.2 Management of analysis tools using Google Tag Manager We use Google Tag Manager to integrate and manage website analyses centrally and via a user interface. Tags are different tracking codes (JavaScript code lines) with which we can record and track your activities on our website.

The advantage of the Tag Manager is that we can not only use it to manage Google services, but also to centrally manage other analytics services. In this way, we can better recognize which tracking technology provides us with the information we need and avoid unnecessary data collection. The Tag Manager itself does not process any data, but helps us to organize the data from Google Analytics, Facebook or Instagram.

We use the Tag Manager to make our website as useful, convenient and easy to use as possible for you and other visitors. We need the analysis data for this purpose. We use the Tag Manager on the basis of Art. 6 para. 1 lit. f GDPR, which permits processing on the basis of a balancing of interests. We have a legitimate interest in seeing which content appeals to our prospective customers. This allows us to refocus our marketing to make more people aware of our offers. Please read section 6.2.5 for more information about this provider.

6.4.3 Cookies and other tools for the purpose of reach measurement and statistics We use cookies for reach measurement and to create statistical evaluations of our website and interactions in social media. Among other things, we use Google Analytics for this purpose.

The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called “cookies” and similar technologies. Cookies are text files that are stored on your computer and enable an analysis of your use of the website (target group reports, conversion reports, interaction and behavior reports, real-time reports, etc.). The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. When using Google Analytics, your IP address is usually shortened to make it more difficult to identify you at a later date.

Google Analytics cookies are stored on the basis of Art. 6 para. 1 lit. a GDPR, in accordance with the user’s consent.

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website: Disable Google Analytics.

Our aim in using Google Analytics is to further optimize our service and to be able to offer more to potential users. Google Analytics statistics help us to better understand our customers and support us in achieving this goal.

Google Analytics sets the following cookies:

Name: _ga (Google Analytics js) Purpose: Google uses this cookie to store the ID of users and to distinguish users. Expiration date: after 2 years
Name:_gid Purpose: Expiry date: after 24 hours
Name: _gat_gtag_UA_<property-id> Purpose: If Google Analytics is provided via Google Tag Manager, this cookie is given this name. Expiration date: after 1 minute
Storage period: We have limited the storage period to 14 months in order to comply with the principle of storage limitation in Art. 5 GDPR. This retention period applies to data linked to cookies, user recognition and advertising IDs. Report results are based on aggregated data and are stored independently of user data.

You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

6.4.5 Facebook Pixel

This website uses Facebook’s visitor action pixel to measure conversions. The provider of this service is Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland; “Facebook”). This pixel can be used to track the behavior of website visitors after they have been redirected to the operator’s website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous to us as the operator of this website. We cannot draw any conclusions about the identity of the users. However, the personal data is processed by Facebook. This enables Facebook to place advertisements on Facebook pages and outside of Facebook. This use of the data cannot be influenced by us as the site operator.

In detail, the following data is processed by Facebook and us

IP address
User Agent
Facebook user ID
Browser type
HTTP header
Device information (device ID, device operating system)
Geographical location
Browser information
Usage/click behavior, including content viewed and elements clicked on
Facebook cookie information
Pixel ID
Visited pages
Referrer URL
Marketing information, including advertisements viewed and interactions with advertisements, services and products

The Facebook tracking pixel is used exclusively with and on the basis of your prior consent, Art. 6 para. 1 lit. a GDPR. Your consent can be revoked at any time with effect for the future via the “Your cookie settings” function provided on our website. This does not affect the lawfulness of any processing carried out on the basis of your consent until you withdraw it.

If personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Facebook Ireland Limited, (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility and is the sole responsibility of Facebook. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can find the text of the agreement at https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights against us, we are obliged to forward your request to Facebook.

According to Facebook, the data collected will also be transferred to the USA and other third countries and processed there. Facebook bases the data transfer to the USA on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/EU_data_transfer_addendum.

Please note: Despite the fact that Facebook Ireland Ltd. is based in Ireland, your personal data, including the IP address of the internet connection you are using, may be transferred to Facebook servers in the USA or other third countries if you consent to our performance cookies. The United States of America is currently classified as an unsafe third country, i.e. a third country in respect of which neither an adequacy decision pursuant to Art. 45 GDPR exists nor a comparable level of protection can be assumed. The same applies to other third countries. When your data is transferred, both Facebook and, if applicable, US or other third country authorities have access to the transferred data. Facebook may link your data with other data such as your personal accounts, the usage data of other devices and all other data that Facebook has about you, and may also pass on your personal data to third parties. In addition, US or other third country authorities may gain access and process your data without having to provide you with any notice or notification (during and even after the processing has been completed) or without you being entitled to comparable legal remedies and data subject rights. Unfortunately, we have no influence on the processing by Facebook and US or other third country authorities in these cases.

If you wish, you can deactivate the remarketing function “Custom Audiences” in the settings for advertisements under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen if you are logged in to Facebook. If you do not have a Facebook account, you can also deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

For more information about Facebook’s privacy policy, please see Facebook’s privacy policy at the following link: https://de-de.facebook.com/about/privacy/.

6.4.6 Facebook Custom Audiences

With the help of the Facebook pixel, Facebook is able to determine the visitors of our online offer as a target group for the display of ads (so-called “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called “Custom Audiences”).

The processing of data by Facebook takes place within the framework of Facebook’s Data Usage Policy. Accordingly, you will find general information on the display of Facebook ads in Facebook’s data usage policy: https://www.facebook.com/policy. You can find specific information and details about the Facebook pixel and how it works in the Facebook help section: https://www.facebook.com/business/help/651294705016616.

You can object to the collection by the Facebook pixel and use of your data to display Facebook ads. To set which types of ads are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are adopted for all devices, such as desktop computers or mobile devices.

You can also object to the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

6.4.7 funnel.io

To statistically analyze visitor data, we use the analysis tool funnel.io on our website. This is offered by:

funnel.io Limited Klarabergsgatan 29 111 21 Stockholm Sweden

funnel.io is a service that evaluates visitor behavior and feedback through combined analysis and feedback tools. We receive heatmaps, conversion funnels, visitor recordings, incoming feedback, feedback polls and surveys.

We use these evaluations to optimize the usability and user experience of the site and to obtain additional customer opinions via the feedback channel. We receive reports and visual representations from funnel.io that show us where and how users “move” on our site. The personal data is automatically anonymized. We cannot assign the interactions to a user, nor is the data transmitted to funnel.io.

funnel.io automatically collects usage data. For this purpose, a website tracking code is linked to a cookie.

The following data is collected and stored

Time of the visit
Screen size and resolution.
Browser version
Approximate location (IP location)
Language used
Subpages visited
Date and time of access to one of our subpages (web pages)
IP address (anonymized)

Purpose: The cookie is used to retain a funnel.io user ID that is unique to the website in the browser. This allows user behavior to be assigned to the same user ID on subsequent visits. Expiration date: after one year

6.4.8 Hubspot

We use HubSpot on our website, a tool for digital marketing, customer relationship management (CRM), content management, web analytics and search engine optimization. The provider is HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, is responsible for users in the EU.

Nature and purpose of data processing

HubSpot is an integrated software solution that we use to cover various aspects of customer management and our online marketing. These include Email marketing (newsletters as well as automated mailings), social media publishing & reporting, reporting (e.g. traffic sources, hits, etc.), contact management (e.g. user segmentation & CRM), landing pages and contact forms.

The following list shows the purposes of data collection and processing that can be carried out using HubSpot. Consent is only valid for the specified purposes. The data collected cannot be used or stored for any purpose other than those listed below.

CRM
statistics
marketing
Newsletter dispatch

The list contains the personal data that may be collected by or through the use of this service:

Geographic location
Browser type
Navigation information
Reference URL
Performance data
Mobile apps data
Login information for the HubSpot subscription service
Files that are displayed
Domain names
Pages viewed
Aggregated usage
Version of the operating system
Internet service provider
IP address
Device identifier
Duration of the visit
Where the application was downloaded from
Operating system
Events that occur within the application
Access times
Clickstream data
Device model and version

As part of the use of HubSpot CRM, the software solution unidy is also used. The provider is Unidy GmbH, Spitaler Str. 10, 20095 Hamburg, Germany. unidy is an API-supported solution for creating and organizing user accounts. Your data will only be stored if you consent to the use of HubSpot to process your personal data. Both HubSpot and unidy act for us as processors within the meaning of Art. 28 GDPR.

Storage duration

The data will be stored on revocation and deleted as soon as it is no longer required for the processing purposes and there are no legal storage obligations or overriding legitimate interests to the contrary.

Data recipient

HubSpot Inc, USA
Hubspot partner (see https://legal.hubspot.com/privacy-policy)

Third country transfer

Please note that this service may transfer data outside the EU/EEA and to a country that does not offer an adequate level of data protection.

There is currently an adequacy decision by the EU Commission for the USA. Data transfer to the USA is therefore legally permissible if the data recipient is also certified in accordance with the EU-US Data Privacy Framework. This is the case for HubSpot Inc.: https://www.dataprivacyframework.gov/list.

Legal basis

The legal basis for the described data processing is your consent. Insofar as Hubspot services are required in the context of the conclusion or fulfillment of a contract between us and customers or members, the legal basis is Art. 6 para. 1 lit. b GDPR. Furthermore, the legal basis for the use of Hubspot services is Art. 6 para. 1 lit. f GDPR (legitimate interest). Both HubSpot and unidy act for us as processors within the meaning of Art. 28 GDPR.

Possibility of revocation

You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The legality of the data processing until the revocation remains unaffected.

Further information can be found in HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy

You can find unidy’s privacy policy at https://www.unidy.de/privacy-policy.

You can also object to the sending of emails by HubSpot by clicking on the unsubscribe link in the respective email.

6.4.9 WooCommerce and WooCommerce Germanized

We have integrated the WooCommerce open source store system as a plugin on our website. This WooCommerce plugin is based on the WordPress content management system, which is a subsidiary of Automattic Inc (60 29th Street #343, San Francisco, CA 94110, USA). The implemented functions send, store and process data to Automattic Inc. We also use Woocommerce Germansized to ensure the technically smooth sale of products. This is a local plugin. No personal data is transferred to Woocommerce. The Woocommerce plugin adds the functionality of an online store to our content management system. WooCommerce Germanized extends WooCommerce and ensures the technical adaptation to the specific German legal requirements. In this way, we ensure compliance with data protection regulations when using WooCommerce.

Why do we use WooCommerce on our website?

We use this practical online store solution to offer you our physical or digital products or services on our website in the best possible way. The aim is to provide you with simple and easy access to our range so that you can get your desired products quickly and easily. With WooCommerce, we have found a good plugin that meets our requirements for an online store.

What data is stored by WooCommerce?

Information that you actively enter in a text field in our online store can be collected and stored by WooCommerce or Automattic. So, when you register with us or order a product, Automattic can collect, process and store this data. In addition to your e-mail address, name or address, this may also include credit card or billing information. Automattic can subsequently use this information for its own marketing campaigns.

In addition, there is also information that Automattic automatically collects from you in so-called server log files:

IP address
Browser information
Default language setting
Date and time of web access

WooCommerce also sets cookies in your browser and uses technologies such as pixel tags (web beacons), for example to clearly identify you as a user and possibly offer interest-based advertising. WooCommerce uses a number of different cookies that are set depending on the user action. This means, for example, that if you place a product in the shopping cart, a cookie is set so that the product remains in the shopping cart when you leave our website and return at a later time.

Here we show you an exemplary list of possible cookies that can be set by WooCommerce:

Name: woocommerce_items_in_cart
Value: 1
Purpose: The cookie helps WooCommerce to determine when the content in the shopping cart changes.
Expiration date: after the end of the session
Name: woocommerce_cart_hash
Wert: 447c84f810834056ab37cfe5ed27f204211127229-7
Purpose: This cookie is also used to recognize and save the changes in your shopping cart.
Expiration date: after the end of the session
Name: wp_woocommerce_session_d9e29d251cf8a108a6482d9fe2ef34b6
Wert: 1146%7C%7C1589034207%7C%7C95f8053ce0cea135bbce671043e740211127229-4aa
Purpose: This cookie contains a unique identifier for you so that the shopping cart data can also be found in the database. Expiration date: after 2 days

6.4.10 WordPress

Our website uses WordPress, a popular content management platform, to manage and provide content. When using WordPress, so-called “static files” are used. These files contain static content such as images, CSS files and JavaScript files that are required to display the website, Art. 6 para. 1 sentence 1 lit. f) GDPR. The use of WordPress static files enables efficient provision of website content and improves loading times for visitors to our website. These static files are stored on our own servers or, if necessary, on an external content delivery network (CDN). A CDN can be used to optimize the delivery of the static files by storing them on servers in different locations worldwide. When using WordPress Static Files, no personal data is collected or processed unless you actively provide such data via forms or other interactions on the website. In this case, the relevant data protection provisions apply in accordance with our privacy policy. It should be noted that the use of WordPress and the associated static files may use cookies or similar technologies to improve the user experience or collect statistical data. You can find more information on this in our Cookie Policy. Please note that we are not responsible for the processing of data in connection with WordPress Static Files. The responsibility lies with WordPress as an independent company.

6.5 Google Maps

This site uses the map service Google Maps via an API. The provider is:

Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to save your IP address and transmit it to a Google server, where it is also stored. The provider of this site has no influence on the specific content of this data transmission. The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find our business areas.

This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

You can find more information on the handling of user data in Google’s privacy policy: https://policies.google.com/privacy?hl=de . 8.

6.6 Contact form, chat request by email or telephone

You can send us inquiries via the contact form, chat, email or telephone. In this case, your request will be stored in our CRM system with the contact details and any other information from the request form or request for processing the request and for possible follow-up questions.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

We will retain your data until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

6.7 YouTube

We have integrated YouTube videos on our website. This allows us to present videos from our YouTube channel directly on our site. The portal is operated by YouTube, a Google company. When you access a page on our website that has an embedded YouTube video, your browser automatically connects to the YouTube or Google servers. Various data will be transmitted (depending on the settings).

Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe. If you want to find out more, we recommend that you read the privacy policy at https://policies.google.com/privacy?hl=de.

6.8 Celonis (Make.com)

Service: Celonis, Inc., with its registered office at One World Trade Center 87th Floor New York, NY 10007, the United States of America, which runs the platform make we use to keep up with our tasks and workflow

Address: Celonis, Inc., with its registered office at One World Trade Center 87th Floor New York, NY 10007

Data use: Celonis accesses the data you use with the connected applications and services as part of its service. This data may contain personal data. Celonis uses this data to enable the linking of applications and services and to provide and improve its services. Celonis only shares the data with third parties if this is required by law or if you have given your consent.

Use by us: We use Celonis to enable the automation of tasks between different applications. This helps us to save time and improve our efficiency.

6.9. BuchhaltungsButler

Dienst: BuchhaltungsButler ist eine Online-Buchhaltungssoftware, die Unternehmen bei der Verwaltung ihrer Finanzen unterstützt.

Adresse: BuchhaltungsButler GmbH, Spreestraße 5, 15913 Märkische Heide

Datennutzung: BuchhaltungsButler erhebt und verarbeitet im Rahmen seiner Dienstleistung verschiedene personenbezogene Daten von Ihnen und Ihren Kunden. Dazu gehören unter anderem Stammdaten, Finanzdaten und Belege. BuchhaltungsButler verwendet diese Daten, um die Buchhaltung und andere Leistungen für Sie zu erbringen. BuchhaltungsButler gibt die Daten an Dritte nur weiter, wenn dies gesetzlich vorgeschrieben ist oder Sie Ihre Einwilligung dazu gegeben haben.

Einsatz bei uns: Wir setzen BuchhaltungsButler ein, um unsere Buchhaltung zu verwalten. Dies hilft uns, Zeit zu sparen und unsere Effizienz zu verbessern.

6.10 Google Cloud (GCP)

Google Cloud Service (GCP): Our application uses Google Cloud Services (GCP) to store and process data. GCP offers a highly secure infrastructure that guarantees the confidentiality and integrity of the data. Various security measures such as encryption are used both at rest and in transit. GCP is in compliance with international data protection standards and certifications, including the GDPR, to ensure that your personal data is protected. Data processing on GCP takes place exclusively in data centers operated by Google and is subject to Google’s privacy policy.

6.11 Sentry

We use Sentry on our website, error analysis software from Functional Software Inc., 45 Fremont St, San Francisco, CA 94105, USA. Sentry serves to achieve high availability of our website and to enable a trouble-free user experience (Art. 6 Para. 1 f) DSGVO). To do this, we can use Sentry to monitor the stability of our website and identify code errors or exceptions. The software only uses user data that is automatically transmitted by your browser. Data logged:

Time stamp;
resource/URL, runtime environment;
Error type/category, technical error log/stack trace;
classification of criticality;
related to change in application code;
Device characteristics: browser version, operating system, device categorization.

No data is evaluated for advertising purposes. The data is collected anonymously, only stored on our own servers, not used personally and then deleted.

Privacy policy for users of the app and mobility services

Overview of the purposes, the type of data, the categories of recipients and the storage period.

In order to conclude a rental agreement with AllRide GmbH, a user account with the AllRide app is required, as also described in the General Terms and Conditions and Rental Conditions. This personal data is processed by AllRide GmbH. In an agreement on joint responsibility in accordance with Article 26 GDPR, we have defined how the respective tasks and responsibilities for the processing of personal data are structured and who fulfills which data protection obligations. In particular, we have agreed on how the data protection information obligations can be jointly fulfilled. This also includes ensuring the fulfillment of reporting and notification obligations.

The processing of data via apps from partner companies that offer joint mobility services with AllRide GmbH takes place in accordance with the privacy policy of the respective app.

7.1 Purposes of data processing

Customer administration, customer contact and customer support
Registration with identity verification and verification of driving license
Vehicle booking via the app / service provision (provide vehicle)
Billing and payment tracking
Processing of violations of the law, in particular against the StVO
Receivables management and debt collection
Security checks and fraud control
Claims settlement

7.2 The following of your data will be processed

First name, last name
Your address
Date of birth
Language
Email address
Phone (mobile)
Device key (number of the mobile device)
password
Bank details / Preferred payment method
Schufa – Extract
Customer number/ reference number
Verification of driving license, driving license number, identity document
Geolocation data (for vehicle search / and vehicle booking)
Location data during registration (city / business area)
Contract data / tariffs / discounts
(E-mail) correspondence / contact history
Trip log
Black box in the vehicle (no personal data collection, but personally identifiable)
(e.g. subject matter of contract, term, customer category)

7.3 Type and origin of the data

The following data is collected directly from the data subject during registration:

First name, surname
Date of birth
Language
Your address
E-mail address
Phone (mobile)
Bank details
Customer number/ reference number
Verification of driver’s license, driver’s license number, ID card number
Location data (city)
Contract data / tariffs / discounts

The following data is collected as part of the use of the offer:

Device key (number of the mobile device)
Geolocation data (for vehicle search / vehicle booking / while driving)
(E-mail) correspondence / contact history
Trip log for billing purposes.
Black box in the vehicle (no personal data collection, but personally identifiable)
Contract data / tariffs / discounts (in the event of changes)

The following data is collected via third parties:

Reports on driving behavior by other road users
Master data and, if applicable, verification data from mobility partners (Sixt, Tier, Bolt, FreeNow)

7.4 Automated decision

An automated decision is made as part of our security checks.

Furthermore, an automated decision is made as part of the Schufa statement – although AllRide GmbH is not responsible for this.

You have the right to explain your point of view to us and to challenge these decisions. In this case, we will be happy to carry out a manual review of the automated decision.

7.5 Storage period

7.5.1 Deletion upon request

For processing based on consent:

Withdrawal of consent affects the receipt of the newsletter.

As a rule, the withdrawal of consent is implemented immediately and automatically by the mailing service provider’s systems. In rare cases, the synchronization of the unsubscription from different mailing lists may take a few hours.

If customers claim their right to data erasure for data processed on a legal basis other than consent, the customer account will be deleted in accordance with the following information:

The personal data of the data subject to be deleted will be blocked in the system, partially obscured or redacted and access to the data will be strictly limited. After one year, the data listed above is automatically deleted from the system, with the exception of personal data, which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). After ten years, this data is also automatically and irrevocably deleted.

Recipients of the data will be informed of the deletion request.

If the deletion conflicts with overriding interests, the customer will be informed of the reasons for the restriction of the right to deletion. This is particularly the case if AllRide GmbH requires the data for the enforcement or defense of legal claims.

7.5.2 Deletion after the purpose no longer applies

If data is processed to fulfill the contract, the data is generally stored for the duration of the contractual relationship. This does not apply in particular to usage data, which is only stored for a period of one year.

After termination of the contractual relationship (discontinuation of the purpose), the personal data of the data subject to be deleted will be blocked in the system, made partially unrecognizable or blacked out and access to the data will be strictly limited. After one year, the data listed above is automatically deleted from the system, with the exception of personal data, which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). After ten years, this data is also automatically and irrevocably deleted.

If data is processed in order to comply with legal requirements, the data subject’s right to erasure shall lapse until the expiry of the respective deadlines with regard to the data to be stored. AllRide GmbH does not use this data for any other purposes. This expressly includes storage as proof of proper accounting. For violations of the StVG, the retention periods are based on the statute of limitations. These are up to 30 years.

AllRide GmbH reserves the right to permanently store data of blocked users in order to prevent re-registration. This is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

7.6 Registration with verification

User account registration with AllRide GmbH (Germany) takes place via the app. In the process, the surname, first name and contact details, preferred language, date of birth (as proof of age and as an identification feature), email address (together with the option to consent to receiving the newsletter), bank and payment details and, if necessary, verification of the driver’s license and a valid ID document are requested.

The approximate location (city) and date of registration and activation of the email address are stored for the duration of the customer relationship. We sometimes use the services of processors to verify your data. You confirm your e-mail address with the help of an activation e-mail. We may validate the telephone number via a processor.

To verify the driver’s license and ID document, the user is asked to take a video or photo of the documents to be verified and to film their face. The recording of the face is compared with the image on the driver’s license/ID document and the documents are also evaluated by the service provider on the basis of recognition features.

A verification service provider is used to verify the driver’s license and the identity of the user. This service provider is subject to the strict security regulations of the PCI DSS (Payment Card Industry Data Security Standard) and, as a processor, is bound by the instructions of AllRide GmbH.

The legal basis for the verification of the driver’s license results from Art. 6 para. 1 lit. c GDPR in conjunction with § 21 para. 1 no. 2 StVG. Accordingly, AllRide GmbH, as the vehicle owner, is obliged to verify the driving license of users. In addition, a photocopy of an identity document is requested in order to be able to prove the customer’s identity beyond doubt in the event of accidents, for claims settlement, but also in the event of criminal offenses and administrative offenses and older and international driving licenses. In addition to the driving license, a second document is requested to make any identity theft more difficult. The legal basis for this verification is also derived from Article 6(1)(c) GDPR in conjunction with Section 21(1)(2) StVG.

This purpose generally remains in place for the duration of a customer relationship. AllRide GmbH is also obliged to be able to prove at a later point in time (particularly in the event of a claim) that the legal obligations have been fulfilled. In the event of a claim, this proof may also be required vis-à-vis insurance companies and state authorities, which is why the data from the driver’s license and ID verification is stored at least for the duration of the customer relationship.

7.7 Use of the app

7.7.1 Vehicle booking and trip accounting The app is used, among other things, to locate and book vehicles during the customer relationship.

We need access to the location of your device. When a request is made, we collect the current location via GPS so that we can quickly provide information on the vehicles in the immediate vicinity. We also use location data from the device at the moment the vehicle is opened to check the distance to the vehicle. This serves the purpose of preventing vehicle mix-ups, theft or unauthorized vehicle transfers. Data on your location is used to process the request, i.e. at the start and end of a journey and in the event of interruptions.

During the journey, the location data of the vehicle is regularly compared with the data of the device; this is done via an encrypted connection. The location data is anonymized after the end of the request and statistically evaluated to improve our service.

The location data of the vehicle is primarily processed for billing purposes; we reserve the right to also use the location data query for fraud prevention and to compare the device location with the route driven.

To determine the location data, we use the services of a processor. This processor is subject to the strict security regulations of the PCI DSS (Payment Card Industry Data Security Standard) and, as a processor, is bound by the instructions of AllRide GmbH.

7.7.2 Customer data management In the app, the user’s data can be accessed via the login area. Here you will find the journey log, the master data and contact data as transmitted during verification. Furthermore, the payment and billing data. The data from the app is transmitted in encrypted form and stored in a CRM system.

We use HubSpot on our app, a tool for digital marketing, customer relationship management (CRM), content management, web analysis and search engine optimization. The provider is HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, is responsible for users in the EU.

We also use processors to store the data.

As this data is collected and processed to fulfill the contract or to comply with legal requirements, the rights of users to erasure or blocking may be limited. The right to rectification and information is unaffected.

7.7.3 Security of the app, usage analysis We have a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the secure and reliable operation of the app as well as in the further development of the app and the optimization of economic operation.

We use the Sentry tool, which is provided to us by Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, to evaluate error messages and analyze system parameters of the app. Sentry transmits error reports to servers in the USA and provides us with evaluations, e.g. about programming errors and compatibility problems. We only receive access to data about the version of the operating system and the device type.

We have concluded a contract data processing agreement with the provider and have ensured that sufficient guarantees are in place for the data to be transferred to the USA in compliance with data protection regulations. We cannot identify any conflicting interests on the part of users. However, you can prevent the transmission of error reports at any time.

With your express consent, which you can withdraw at any time, we also use Google Analytics for Firebase and Firebase Crashlytics. The legal basis is Art. 6 para. 1 lit. a GDPR. When you start the app for the first time, you can select whether Google Analytics for Firebase and Firebase Crashlytics should be used; you can deactivate the collection of analysis data in the app.

Firebase / Crashlytics transmits your anonymized IP address, your anonymized advertising ID as well as usage and analysis data to a Google server in the USA and stores them there. IP anonymization in Analytics is carried out by shortening the addresses. If you have consented to the use of Google Analytics for Firebase and Firebase Crashlytics, we use the app usage data for statistical, anonymous evaluations and to improve the app.

7.8 Credit check

As a company, we have a legitimate interest in protecting ourselves against payment defaults. In accordance with our GTC, we are entitled to check the creditworthiness of customers with credit agencies or Schufa.

The processing of personal data as part of the credit check is carried out on the basis of Art. 6.1.f GDPR. We assume that the verification and confirmation of solvency is generally also in the interest of the customer, as this form of credit assessment does not pose any significant risks to rights and freedoms, the transmission of additional data on creditworthiness can be avoided in this way and a simple and convenient process can be provided.

The credit check is necessary for the enforcement of rights and claims of AllRide GmbH.

The credit checks serve to protect AllRide GmbH from payment defaults and are intended to ensure that AllRide GmbH can fall back on the party responsible in the event of a claim

Your data will be transmitted to Schufa during the credit check. This may include, for example, your name, address, date of birth and bank details, insofar as these are required to establish your identity. We receive a scoring value from Schufa or integrated credit agencies and, if applicable, further information from which the risk of non-payment can be derived. This includes, for example, unpaid claims, deferrals due to inability to pay, ongoing insolvency proceedings, participation in debtor counseling. If we receive a scoring value that is too low as part of the credit check, we can temporarily deactivate the user account. You have the right to explain your point of view to us and to challenge the decision. In this case, we will be happy to carry out a manual review of the automated decision.

As a rule, we do not report payment defaults to Schufa. However, we reserve the right to do so if the legal requirements for a report are met. In this case, customers will be reminded repeatedly in compliance with formal requirements and informed of the possibility of transmission in the reminder.

SCHUFA processes your data and also uses it for the purpose of profiling (scoring). SCHUFA is responsible for transferring your data to companies in the EEA and Switzerland and, if applicable, to third countries outside the EEA. Further information on SCHUFA’s activities can be found at www.schufa.de/datenschutz. Data processing and profiling is carried out by Schufa; Schufa is the controller for this processing within the meaning of data protection law. Schufa is therefore also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/. Please contact Schufa to find out exactly what data Schufa processes about you.

7.9 Customer management, customer approach and customer support

7.9.1 Customer management We use HubSpot on our website, a tool for digital marketing, customer relationship management (CRM), content management, web analytics and search engine optimization. The provider is HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, is responsible for users in the EU.

The customer database contains all data from registration as well as billing data and the customer history. We use the customer administration to be able to organize customer support quickly and effectively and to be able to respond to inquiries.

This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c. GDPR.

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services. The data processed in this context, the type, scope, purpose and necessity of its processing are determined by the underlying contractual relationship.

We also use the contact data to inform users about relevant changes to our services. As part of the use of our service, we process inventory data, communication data, contract data, location data and payment data of users.

The processing is carried out for the purpose of providing contractual services, for billing, for providing customer service, for customer communication, for determining the causes of accidents and for settling claims.

Processing is carried out on the basis of Art. 6 para. 1 lit. b (data processing for the performance of contractual services) and Art. 6 para. 1 lit. c GDPR (fulfillment of legal obligations). Processing prescribed by law arises, for example, in archiving or from the keeper obligations of the StVG.

Insofar as we use service providers who process data in a third country, the conditions of Art 44 et seq. GDPR are checked.

7.9.2 Customer support We use HubSpot on our website, a tool for digital marketing, customer relationship management (CRM), content management, web analytics and search engine optimization. The provider is HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, is responsible for users in the EU.

Nature and purpose of data processing

CRM
statistics
marketing
Newsletter dispatch

The list contains the personal data that may be collected by or through the use of this service:

Geographic location
Browser type
Navigation information
Reference URL
Performance data
Mobile apps data
Login information for the HubSpot subscription service
Files that are displayed
Domain names
Pages viewed
Aggregated usage
Version of the operating system
Internet service provider
IP address
Device identifier
Duration of the visit
Where the application was downloaded from
Operating system
Events that occur within the application
Access times
Clickstream data
Device model and version

Storage duration

Data recipient

HubSpot Inc, USA
Hubspot partner (see https://legal.hubspot.com/privacy-policy)

Third country transfer

Please note that this service may transfer data outside the EU/EEA and to a country that does not offer an adequate level of data protection.

Legal basis

The legal basis for the described data processing is your consent. Insofar as Hubspot services are required in the context of the conclusion or fulfillment of a contract between us and customers or members, the legal basis is Art. 6 para. 1 lit. b GDPR. The legal basis for the use of Hubspot services is also Art. 6 para. 1 lit. f GDPR (legitimate interest). Both HubSpot and unidy act for us as processors within the meaning of Art. 28 GDPR.

Revocation option

Further information can be found in HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy

You can find unidy’s privacy policy at https://www.unidy.de/privacy-policy.

You can also object to the sending of emails by HubSpot by clicking on the unsubscribe link in the respective email.

7.10 Third-party providers for mobility services

We work together with various mobility service providers, these are currently

TIER Mobility SE: c/o Mindspace Friedrichstraße 68 10117 Berlin
Sixt GmbH & Co. Car Rental KG: Zugspitzstraße 1. D-82049 Pullach
Bolt Technology OÜ: Vana-Lõuna tn 15 Tallinn 10134 Estonia

By using the Services, you consent to your personal data being used by these companies as follows:

To provide the services you have requested: This includes providing car sharing vehicles, e-scooters and other micro-mobility vehicles, billing for your rides and providing customer support.
To improve the services: This includes analyzing usage data to improve the performance of the Services and develop new features.
For marketing purposes: This includes the sending of promotional offers and information, the respective mobility services and their partners.

7.11 Billing, accounting and payment tracking

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services and to invoice them.

We process data that is necessary for the establishment and fulfillment of the contractual services and point out the necessity of their disclosure, unless this is evident to the contractual partners.

The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract content, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

This data will not be passed on to third parties unless it is necessary to pursue our claims in accordance with Art. 6 para. 1 lit. f. GDPR or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c. GDPR. We expressly reserve the right to use the services of legal service providers (debt collection, lawyers, etc.) to assert claims and to transmit the data of contractual partners and customers to them to the extent necessary.

The data is deleted when it is no longer required for the fulfillment of contractual or statutory duties of care and for dealing with any warranty and comparable obligations. Statutory retention obligations remain unaffected.

In order to implement efficient, secure and convenient payment processing, we use other payment service providers in addition to banks and credit institutions.

It is necessary to pass on data to the payment service providers so that they can carry out the transaction. The payment service providers receive the name and address, the stored payment method and, if applicable, bank data, a pseudonymous ID and the invoice data. AllRide GmbH will be informed by the payment service providers of any payment made or not made.

We use the following service providers: PayPal PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal L-2449 Luxembourg;

Stripe Stripe, Inc. 510 Townsend Street, San Francisco CA 94103 USA;

An order processing contract was concluded with Stripe. In addition, it was checked whether the requirements for the transfer of personal data pursuant to Art. 44-49 GDPR are met.

7.12 Outstanding receivables/collection

AllRide GmbH works together with debt collection service providers.

eCollect AG, Neuhofstrasse 21, 6340 Baar ZG, Switzerland

Atriga GmbH, Pittlerstr. 47, 63225 Langen, Germany

The involvement of a debt collection service provider is a legal service within the meaning of Section 10 (1) sentence 1 of the Legal Services Act (Rechtsdienstleistungsgesetz). AllRide GmbH is free to decide whether to use a lawyer or a debt collection company in the event of a dispute regarding an – even if only allegedly – outstanding claim. In these cases, AllRide GmbH may and must pass on personal data of the debtor (in particular name and address, the reason for the claim, the amount and due date of the claim, etc.) to the debt collection agency.

The following data is passed on as part of the debt collection process.

First name, surname (title, if recorded and e.g. name component)
Company name (for commercial customers)
Address (business) (for commercial customers)
Address (private)
Billing address (if different and recorded)
e-mail address
Your telephone number
Date of birth
Customer number
Contact history (if relevant)
bank details
Contract data
Data on solvency

Only with this data is it possible for the debt collection company to approach the debtor and assert the claim. The consent of the user/customer for the transfer of data to a legal service provider is not required, as it is based on the legal facts of Art. 6 para. 1 sentence 1 lit. b) and lit. f) GDPR (data processing for the performance of a contract, data processing based on the legitimate interest of the creditor).

7.13 Violations of the law, in particular against the StVG

Unfortunately, user accounts are frequently blocked due to reports of unusual driving behavior. AllRide GmbH may become aware of this in various ways:

Notification by other road users
Report via police / public order office

If a report is made by another road user (third party), the driving behavior described is recorded together with the telephone number/email of the person making the report.

No automated decision is made; instead, the support staff check the information for plausibility. As a precautionary measure, AllRide blocks the accounts of registered users if there is any suspicion of driving misconduct in order to protect third parties and to comply with the owner’s obligations under Art. 21 StVO. This measure results not least from the special situation that AllRide GmbH only checks the existence of a driving license and fitness to drive by querying the user at the beginning of the contractual relationship and thus grants its users a high degree of trust.

A review of reported allegations only takes place in the event of an objection by the person concerned or in the event of inquiries by government agencies. In addition to the data transmitted by the app during the journey, the data from a black box, which is installed in all vehicles, is evaluated.

The black box determines the G-forces and activities of the driver. These are e.g. (acceleration and deceleration, steering movements, indicators, jolts). This data is not collected on a personal basis (but can be related to individuals); it is only evaluated by employees in the event of suspicion and linked to recent journeys.

The data will only be passed on to legal counsel or government agencies if AllRide GmbH is legally obliged to do so or if this is necessary to enforce legal claims against the user. The data is processed in the European legal area.

7.14 Violations of the GTC/AMB, fraud prevention and security checks

AllRide GmbH has a legitimate interest in protecting itself against attempted fraud and breaches of our GTC/AMB. The processing of personal data in the context of fraud prevention is based on Art. 6.1.f. GDPR. We assume that these checks are generally also in the interests of our customers. The nature of the security checks does not represent a significant encroachment on the rights and freedoms of our users. Fraud prevention measures are necessary to enforce rights and claims.

Furthermore, AllRide GmbH reserves the right to publicly disclose the security checks carried out in detail with reference to Section 32 (1) No. 4 BDSG.

In addition to the driver’s license verification, further details from the registration are checked. This may include the e-mail address, telephone number and bank account details. Newly entered data is regularly compared with the existing data in order to prevent multiple registrations. In addition, random samples of data transmitted from the vehicle are compared with data transmitted from the app using defined parameters to prevent account sharing. In addition, the individual device key of end devices is used to make it more difficult and prevent the transfer, sale and multiple use of account data.

If an irregularity is detected during the security checks, the account will initially be blocked. You have the option of objecting to this and explaining your position to us.

7.15 Settlement of claims

In the event of a claim, it is unfortunately necessary to process further data.

The purposes of the processing are

Supporting our customers in the event of damage (Art. 6.1.b GDPR)
Reconstruction of the course of the accident (Art. 6.1.f GDPR, if applicable in conjunction with Art. 6.1.c GDPR and Section 24 BDSG)
Settlement/liquidation of the damage (Art. 6.1.b and c GDPR)
Pursuit of own legal claims. (Art. 6.1.f GDPR)

For these purposes, we process your master data, usage data, data from the vehicles, statements and information from third parties (police, other parties involved in the accident, witnesses, other AllRide users) and payment data.

Under certain circumstances, we may also receive health-related data in this context. Examples of this are injuries or indications of alcohol and narcotics consumption. In this case, Art. 9 para. 2 lit. f GDPR is relevant.

In the event of an incident for which you are responsible and for which we receive a claim for damages or another claim from an injured or otherwise entitled third party (e.g. costs due to a private towing operation when the property owner is disturbed), we will transmit your stored contact details to the claimant and/or to our insurance broker (SHL Versicherungsmakler GmbH) so that the liability issues can be clarified directly in the relationship between you as the party responsible and the claimant or you can indemnify us against the claim in accordance with the provisions of the GTC. The transfer is necessary to fulfill your contract with us (Art. 6.1.b GDPR) and to safeguard the legitimate interest in pursuing the legal claims that we and the claimant have against you (Art. 6.1.f GDPR).

In the event of a claim, we are legally obliged to cooperate in documenting the course of the accident. Furthermore, there are contractual obligations, e.g. towards claims adjusters, the fulfillment of which constitutes a legitimate interest in processing the data of those responsible for the damage. Since the defense of legal claims is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR.

Privacy policy for business customers, partners and service providers

8.1 Business customers

For business customers, essentially all the points described above apply to users of the app. However, company-related contact data and billing data may also be stored.

In addition to our general customer administration, we use the service provider Pipedrive OÜ, Paldiski mnt 80, Tallinn, 10617, Estonia, for the administration and support of business customers. You can access Pipedrive’s privacy policy here: https://www.pipedrive.com/en/privacy.

We use the Pipedrive CRM system from the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user inquiries, existing customer management, new customer business).

8.2 General administration, accounting and business development

We process data as part of administrative tasks and the organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of the provision of our contractual services. The legal bases for processing are Art. 6 para. 1 lit. c. GDPR, as well as for all processing not affected by a legal obligation our legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information specified in these processing activities.

We disclose or transmit data to the tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.

We also store information on suppliers, event organizers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We generally store this mainly company-related data permanently.

8.3 Business analyses

In order to operate our business economically, identify market trends and the wishes of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc.. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with information, e.g. on the services they have used. The analyses help us to increase user-friendliness, optimize our offer and improve business efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized values.

If these analyses or profiles are personal, they are deleted or anonymized when the user terminates the contract, otherwise after two years from the conclusion of the contract. Otherwise, the overall business analyses and general trend determinations are created anonymously where possible.

Applicants and employees

9 Applicants and employees

We process the applicant data only for the purpose and within the scope of the application procedure in accordance with the legal requirements. Applicant data is processed to fulfill our (pre-)contractual obligations in the context of the application process within the meaning of Art. 6 para. 1 lit. b. GDPR. Art. 6 para. 1 lit. f. GDPR is applicable if the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, Section 26 BDSG also applies).

The application procedure requires applicants to provide us with their application data. If we offer an online form, the necessary applicant data is marked as such, or otherwise results from the job descriptions and generally includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending by post. Instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.

The data provided by applicants may be processed by us for the purposes of the employment relationship if the application is successful. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicant, the deletion will take place after a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

9.1 Talent pool

As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years on the basis of consent within the meaning of Art. 6 para. 1 lit. a. and Art. 7 GDPR.

The application documents in the talent pool will only be processed in the context of future job advertisements and the search for employees and will be destroyed after the deadline at the latest. Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future.

9.2 Handling of applicant data

We offer you the opportunity to apply to us (e.g. by email, post or online application form). Below we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

9.3 Scope and purpose of data collection

If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and – if you have given us your consent – Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Section 26 BDSG and Art. 6 para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

9.4 Retention period of the data

If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The retention serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), it will only be deleted when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations prevent deletion.