oLast modified: Feburary 01, 2024
A. General information
B. Responsibility and contact
If you have any questions, suggestions, or criticisms relating to our services, please contact us by email at firstname.lastname@example.org.
C. General information on data processing
We collect and use personal data only to the extent necessary to ensure a functioning Jelbi app and provide our content and services. One of the main purposes of data processing is to provide a tool for optimum coordination, selection, and presentation of mobility services for users – including a data management system to ensure that users do not need to re-enter their contact data every time they book a different mobility provider and always have access to an overview of the mobility services they use.
D. Summary of our processing activities
- If the Jebli app is used purely for informational purposes (i.e., no user registration), we process data about your device to enable use of the app. The legal basis is Article 6(1)(b) of the GDPR. We also evaluate usage data to enable optimisation of our app and provide you with a better user experience. The legal basis is Article 6(1)(f) of the GDPR (see also I).
- When you download the Jelbi app and at any time thereafter, you have the option to subscribe to email and push notifications containing useful information and offers relating to our products and services. The legal basis for such processing of your data is your consent as set out in Article 6(1)(a) of the GDPR (see also D.I.1).
- We will process your location data if you search for mobility services in the Jelbi app. This allows us to display mobility services located nearby or for a specific route. The legal basis is Article 6(1)(b) of the GDPR (see also D.I.2).
- If you create a customer account in the Jelbi app, in addition to the data set out above we will also process all information required for registration (e.g. name, address, mobile number). We can only provide you with the option to book mobility services on the basis of this information. The legal basis is Article 6(1)(b) of the GDPR (see also II).
- If you use a service provided by the BVG or another mobility provider through the Jelbi app, your data will also be processed for the purpose of processing the booking and invoicing (e.g., name, location). The legal basis is Article 6(1)(b) of the GDPR (see also III).
- In order to be able to process bookings, we process information relating to your selected payment method. The legal basis is Article 6(1)(b) of the GDPR (see also D.III.2).
- If you wish to use mobility services that require a valid driving licence, we will verify your driving licence and your ID card. The legal basis for this data processing is Article 6(1)(b) of the GDPR (see also D.III.3).
- If you contact our customer service, we will process data for the purpose of dealing with your request (e.g., name, email address, reason for contacting us). The legal basis is Article 6(1)(b) of the GDPR (see also IV).
- We use external service providers for some of these data processing operations. This is the case, for example, for payment processing and driving licence validation. When using mobility services provided by the mobility providers, we act in concert with them as joint controllers responsible for the relevant processing operations, as set out in Article 26 of the GDPR (see also V).
Personal data means any information relating to an identified or identifiable natural person (Article 4(19 of the GDPR). This includes information such as your name, your e-mail address, your postal address, and your telephone number. It does not include information which cannot be linked directly to your identity, such as the number of users of a website.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Mobility provider means companies that provide their services through the Jelbi app or the Jelbi website These services (referred to below as “mobility services”) are transport services provided by public and private transport companies that create a transport route according to the customer’s specifications, provide a means of transport (e.g., car, scooter or electric scooter, bicycle), and handle payments.
I. Processing of your data when using the Jelbi app for informational purposes
If you use the Jelbi app purely for information purposes, i.e., you do not register or otherwise provide us with information, we will collect the following personal data, which is technically necessary for us to provide you with the functions of the Jelbi app and ensure the stability and security of the app:
- Device identifier: DeviceID for Android, IDFA for iOS
- IP address
- App language and version
- Operating system
- Date and time of request
- Type of device, device properties, type of network connection (e.g., WiFi, 3G, LTE, Bluetooth), network provider, network and device performance, browser type, device model
- Transferred data volume
- Information on interactions with the Jelbi app
- Location for the purpose of displaying mobility services nearby or a route starting from the location with duration and prices for all available mobility services (see also D.I.2.).
This information is processed to enable use of our app (Article 6(1)(b) of the GDPR), as we require automatically collected data to provide a functioning app (e.g., adapting the app to the requirements of your device). This information is also processed to allow us to pursue our legitimate interest in optimising the Jelbi app and ensuring the stability and security of both the app and our IT systems (Article 6(1)(f) of the GDPR). Automatically collected personal data is stored for 30 days or in case of error 90 days and then erased, unless a longer period of storage is justified or required by law (see also E).
We also evaluate usage data for our app (technical usage data, app version, click flows, used functions) on a purely anonymised basis for the purpose of identifying preferences and to help us develop the app.
- Push notifications and emails containing interesting and relevant offers
After downloading the Jelbi app, you can choose whether to receive relevant, personalised messages from Jelbi on your mobile device by email, push notification or in-app notification and whether you wish to be informed about special offers, discounts, and surveys, which may include advertising from the BVG and/or Jelbi’s cooperation partners (for BVG products/events or products/events from Jelbi cooperation partners).
You can also activate this function in the Jelbi app at any later time. We will process the personal data you provide for this purpose (e.g., name, address, email address) to send you the relevant information. The legal basis for processing your personal data in connection with registration for these services is your consent as set out in Article 6(1)(a) of the GDPR. We use the services of IMEDIAPP (43 rue Beaubourg, 75003 Paris, Frankreich) (referred to below as “Batch”) for the app communication. We have concluded a processing contract with Batch. Data transmission is therefore privileged in accordance with Article 28 of the GDPR.
Right to withdraw consent: You may withdraw your consent to be sent such notifications or to the processing of your personal data for direct marketing purposes with future effect at any time and without giving reasons by going to Account > Legal > Jelbi and deselecting the advertising checkbox. Push notifications can also be disabled and also re-enabled at any time in your device settings.
If you have purchased goods or services from us, we may send you information about other similar goods and services from us to your email address that we received when you purchased the original goods or services, even without your consent, provided you have not objected to us sending such information. You can object to us sending information without incurring any costs other than the standard rates for data transmission. Objections must be sent to email@example.com. Every email also contains a link that you can use to exercise your right to withdraw.
- Collection of location data
When you use the app to search for a mobility service, we will determine your exact or approximate location data in order to display the mobility services available at your location or a route starting from your location with duration and pricing for all available mobility services. In the process, we also store information on suggested and selected connections (start location, destination, start time, arrival time, journey time, connection times, type of transport, prices, user rating of connection information). You can either allow the app to access location services through the operating system on your device and its permissions system (“location tracking”) or manually enter your location. In the case of GPS tracking, however, we only collect the location determined by your device if the app is open and you tap the location icon. Your device will indicate if location tracking is active. On an iPhone, for example, it is indicated by a compass symbol in the status bar. Android devices feature a similar function. If you enter your location manually, we will store only this information.
We also collect the location determined by your device in the course of using certain mobility offers (Miles, Sixt Share and Bolt). Unless you have already consented to the location function of your mobile device for the app, your active consent is required for this so that the app can access location services by means of the operating system of the mobile device you are using and its authorization system. In this context, your location and position data will only be transmitted to the relevant mobility providers for the purposes stated under III. (Processing of your data when using the mobility services in the Jelbi app).
The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as your location is only determined and transmitted to us if you use app functions that we can only provide if we are aware of your location. When you request mobility services, we need to process your location for the purpose of suggesting available services near you. You can enable or disable this function (automated positioning) at any time by going to your operating system’s settings. If you do not allow us to collect your location data, the app will also work if you manually enter your location. In addition, the start point and destination (location information) of the vehicle used are collected for billing purposes, even if you have not allowed us to collect your location data.
II. Processing of your data during registration and/or use of a customer account
Our app provides services (e.g., customer account, mobility services, customer service) that, if used, require your personal data, e.g., name, email address, and other information as necessary. If you do not provide this data, we may not be able to provide you with the request service or may not be able to reply to your request. A summary of relevant processing operations and legal bases is provided below.
- Registration process
We provide the option for you to register or create a customer account, which requires you to enter personal data. A customer account is required in order to use mobility services through the Jelbi app. During the registration process, we process the following personal data, which you provide on an input form:
- Surname (from an existing BVG account if registering with existing BVG login credentials)
- First name (from an existing BVG account if registering with existing BVG login credentials)
- Date of birth
- Email address
- Mobile number
- Date and time of registration
- Login and password (from existing BVG account)
- Optional: other information required to make a booking (payment information required by payment type, driving licence verification, ID card verification; see D.III.). You can also wait until you make a booking to enter this data.
We use the double opt-in procedure for registration. After you register in the app, this means that you will receive an email containing a link that you must click on to confirm that you are the owner of the email address and wish to create a customer account in the Jelbi app. If you do not confirm within 24 hours, your registration and the personal data you provided will be automatically erased. If you use an existing BVG account to register, please enter the email address and password that you use to log in to the BVG Ticket app, the Fahrinfo app, or on BVG.de; your BVG account will then be associated with the Jelbi app and the above data from your BVG account (surname, first name, login, password) will be used (“single sign-on”, SSO). The SSO service is provided by our service provider akquinet AG (see also D.V.).
We will also verify that you are the owner of the mobile number used during registration by sending a text containing a four-digit code to the number you provide. When requested to do so, enter this number in the Jelbi app (Android typically detects the code automatically) to store a verified mobile number in Jelbi.
We store the data you provide in your personal customer account within the Jelbi app. You can manage and change any of the data you provide in your password-protected customer account, although you may need to contact customer service to change some information (see also D.IV).
The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this information is required to establish, formulate, or modify the contractual relationship between you and the BVG. The data is also used to provide customer account functions and for management of your customer account. You cannot use the mobility services in the Jelbi app if you do not provide the data required during registration. We will process your contact data, including your email address and mobile number, in order to:
- provide you with information on contract-related changes relating to the services we offer in compliance with relevant legislation
- contact you, if necessary, in the event of individual technical problems with your Jelbi account as well as to
- provide you with other information required by law.
We require your date of birth to ensure that you are an adult and therefore legally competent, as well as to distinguish between persons with the same names.
- Erasing your customer account
You can erase your Jelbi customer account as follows: Please send an email to firstname.lastname@example.org with a written request to erase your account or submit a deletion request via the Jelbi App by clicking on the deletion button under Account > Profile > Delete Jelbi account. If you decide to erase your customer account, all of your account data, including all communication data, will first be blocked from further processing, with the exception of processing that is required in compliance with legal obligations or rights (see E below) and then permanently erased. You can also erase individual items of data within your customer account. Your request for erasure may conflict with statutory provisions or rights on the part of the BVG. As such, your data may not be erased if the BVG is required to comply with legal obligations to retain data (e.g., for commercial or tax law reasons) or if processing of your data is required for the establishment, exercise, or defence of legal claims, e.g., if we initiate legal proceedings against you for misconduct during use of our services or for payment reasons. In such cases, we will notify you of the reasons conflicting with your right to erasure.
III. Processing of your data when using the mobility services in the Jelbi app
When you book and use mobility services through the Jelbi app, a mobility contract is formed between you and the mobility provider from the list below. Through the Jelbi app, you can make use of mobility services provided by either the BVG or a third-party provider. The BVG will only transmit the data required to form and process the contract to your selected mobility provider; this data is processed only by us if you use BVG services. This data is transmitted for the purpose of forming and processing the contract. The data is not transmitted until you book your first journey. The required data is listed below.
All mobility providers receive the following:
- First name
- Email address
- Mobile device information
- Information on your selected payment method (offered by LogPay)
- Specific booking/reservation request
- Location and position data (start and destination address only)
- MSP-related support queries
NextBike, Miles, Sixt Share, Voi, Taxi Berlin, Lime, Emmy and Bolt also receive the following:
- Mobile number
Voi, Lime, Bolt, TIer and Emmy also receive the following:
- The image transmitted by the user at the end of a trip
Miles, Sixt Share and Emmy also receive the following:
- Result of driving licence validation, including your driving licence data (see D.III.3.)
Miles, Sixt Share, Emmy and Bolt also receive the following:
- Date of birth
Miles, Sixt Share and Bolt also receive the following:
- Location and positioning data in the processes of reservation, booking and termination of the trip
Miles and Bolt also receive the following:
- Language settings of the app when retrieving the invoice, in the processes of booking and ending the trip
Lime receives the following:
- Time stamp at the beginning and end of the trip
At the end of your usage, the mobility provider transmits the following data to us, which we provide for you in the app:
- Start and end time of a journey, start and end coordinates of a journey
- Cost of the journey
The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data is required for the provision of mobility services by the respective mobility provider, i.e., for the formation and processing of contracts between you and a mobility provider. The BVG will transmit this data to the respective mobility provider for the purpose of processing your booking and/or reservation request, thereby enabling formation and execution of the contract. The BVG and the respective mobility provider act as joint controllers responsible for processing your data and have concluded an agreement as set out in Article 26 of the GDPR (see also D.V.4). You can obtain information on data processing activities carried out by the different mobility providers in their privacy policies.
Certain mobility providers require proof that the vehicle was properly parked at the end of the trip. When booking the following offers via Jelbi, this proof is provided by the user taking a photo of the correctly parked vehicle:
– E-bikes of the providers Bolt and Tier
– E-scooters of the providers Bolt, Lime, Tier and Voi
– E-mopeds of the provider Emmy
At the end of the vehicle rental, the user will be asked to take an appropriate photo. After a corresponding confirmation by the user, the photo is transmitted to the Jelbi mobility platform along with the ride-specific ID and verified there.
This requires the Jelbi app to have access to the user’s camera at the end of a rental. To enable a smooth completion of the rental, the corresponding authorization is already requested before the ride.
The lawfulness of this data processing results from Art. 6 (1) p. 1 lit. b DSGVO, as this information is necessary for the establishment, content or amendment of the contractual relationship between you and BVG.
Full payment information is not transmitted to the BVG for the purpose of billing used mobility services (see D.V); only information on the selected payment service is transmitted. The data required for payment (payment service provider token and total amount) is transmitted to the mobility provider by LogPay during the payment process.
- Invoice creation and dispatch
Invoices are created for each journey by the mobility provider with which you completed your journey. You can view and download invoices by going to Account > My Trips in the Jelbi app. After each journey, you will also receive a receipt by email.
- Payment information
a. In order to use mobility services through the Jelbi app, you must provide payment information directly to LogPay during the registration process (see also D.V.1). LogPay is the controller responsible for processing your personal data.
b. Recent ticket function for the purchase of BVG Tickets
To make the purchasing process of BVG tickets easier and quicker for you, we save your most recent ticket purchases to enable you to buy said tickets again. The following data is collected by us in the process: user ID, ticket booking ID, ticket ID, ticket tariff, price, VAT. Legal basis is Article 6(1)(f) of the GDPR. Ensuring a quick and easy BVG ticket purchase is a legitimate interest.
- Online validation of your driving licence and ID card
A driving licence valid for a car or scooter and a valid ID card/passport are required for use of some mobility services in the Jelbi app. Our app allows you to perform an “online” validation of your driving licence and ID card. During this procedure, we will collect and process pictures and videos of your driving licence and ID card taken by you, as well as a photograph and video of your face, for the purpose of checking your driving licence and ID card. In order to carry out the driving licence check, the following mandatory information is collected:
- Driving licence date of issue
- Driving licence date of expiry
- Driving licence category
- Driving licence number
- Issuing authority
- Issuing country
- Driving licence picture
- Facial photograph and video
In order to carry out the ID card (or passport) check, the following mandatory is collected:
- First name
- Date of birth
- ID card date of issue
- ID card date of expiry
- Issuing country
- ID card number
- Facial photograph and video
We will not be able to check your driving licence if you do not provide this information, which will subsequently preclude your use of certain vehicles. The data required to check the driving licence is automatically extracted. The driving licence picture is then checked against the facial photograph and video you provide (face match) and the photographs and videos are then stored. In the event that automated processing cannot be carried out (e.g., if the image quality is poor), a new verification attempt is made. The storage of the data for a period of 30 days serves as proof of the verification of the driving licence by the BVG. Only the result of the driving licence and ID card validation (for driving licence: date of issue, date of expiry, category, number, issuing country; for the ID card: name, address, date of issue, date of expiry, issuing country) is permanently stored in your Jelbi account.
The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data processing is required for performance of the contract and for steps prior to entering into the contract between you and Jelbi, as well as for any mobility contracts between you and third-party suppliers with the involvement of Jelbi. We use the services of Veriff OÜ, Niine 11, 10414 Tallinn, Estonia (referred to below as “Veriff”) for the automated validation process. We have concluded a processing contract with Veriff. Data transmission is therefore privileged in accordance with Article 28 of the GDPR.
4. The use of vouchers
If you participate in a BVG Jelbi voucher campaign that includes voucher codes, vouchers, discounts and other promotional offers for redemption via app (collectively, “vouchers”), we will use your personal data as necessary to provide you with the applicable BVG Jelbi vouchers and to confirm your participation in the campaign. The terms and conditions of the relevant campaign will be provided to you upon registration. For the purpose of providing the vouchers, we process this data:
– technical information required to redeem a voucher (redemption ID and status, user-specific as well as Voucherify specific ID, discounted amount, date and time of entering the voucher code in the Jelbi app).
– trip-related information required to redeem a voucher (trip specific as well as Voucherify specific ID, currency, promotion and purchase ID).
The use of the vouchers is voluntary. The lawfulness of this data processing results from Article 6(1)(b) of the GDPR, as this data processing is necessary for the execution of the contract with the participating customers and for the execution of pre-contractual measures between you and Jelbi. For the provision of the service, we rely on our service provider Voucherify Porcelanowa 23/A4, 40-246 Katowice Poland (hereinafter: “Voucherify”) We have concluded an order processing contract with Voucherify. The data transfer is therefore privileged according to Article 28 of the GDPR.
5. Fraud analysis/prevention
In the course of ticket sales and ride handling, fraudulent activity may occur during the payment process. In order to track and in future prevent these fraudulent activities, we process your personal data, in particular master data (e.g. surname, first name, address), label data (e.g. fraud label, label time, label details), payment data (e.g. payment method, shopping cart, order time, ride ID, ride time and ride costs), customer account data (e.g. account creation date, sales & rides history), and potentially also customer journey data and risk data. For processing of your personal data, we work closely with our service provider Risk.Ident GmbH (Risk Ident), An Sandtorkai 50, D-20457 Hamburg. In cooperating with Risk Ident, we have concluded a processing agreement pursuant to Article 28 of the GDPR for GDPR-compliant processing of your personal data.
We process your personal data on the basis of our legitimate interest, in particular our interest in preventing fraudulent activities, Article 6(1)(f) of the GDPR.
We process your personal data until the purpose of processing no longer applies.
IV. Processing of your data when you contact customer service
When you contact our customer service (e.g., through the Jelbi app, by email, by telephone), we will store the reason for contacting us, your email address, your name, and our replies for the purpose of responding to your questions. To allow us to diagnose and correct errors, the following technical information is also collected: operating system (iOS or Android), city in the which the user is located, app version, device model, OpenGL version, device ID. We also save all the information you provide on a voluntary basis with your query. The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data processing is required for the purpose of providing customer service during the contractual relationship.
To process written customer inquiries by email, we use the services of Majorel Group Luxembourg S.A., 18 Boulevard de Kockelscheuer, L-1821 Luxembourg (hereinafter: “Majorel”). Majorel receives access to your data stored in Jelbi, such as name, email address, address, telephone number, if applicable, data from document verification, reason for contacting us, as well as information about journeys made in the Jelbi app, for the purpose of processing your request. The lawfulness of this data processing results from Art. 6 para. 1 p. 1 lit. b DSGVO, as this data processing is necessary to ensure customer service within the contractual relationship. We have concluded an order processing contract with Majorel. The data transfer is therefore privileged according to Art. 28 DSGVO.
V. Disclosure of your data
Contracted service providers
Personal data may be disclosed to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services, evaluate user behaviour on our website and app, or for technical support. Under statutory agreements (Article 28 of the GDPR), we contractually oblige our contracted service providers to use personal data solely for the agreed purposes and not to disclose your personal data to other parties without your consent, unless this is required by law. We make use of the following external service providers to process your data:
- Trafi (UAB Intelligent Communications, Labdarių 5, LT-01120, Vilnius, Lithuania) – hosting and operation of our central IT system
- Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy, L-1855 Luxemburg, Luxemburg) – hosting of the IT system
- Veriff OÜ (Niine 11, 10414 Tallinn, Estonia) – driving licence and ID card validation
- LINK Mobility Austria GmbH (websms) (Brauquartier 5/13, 8055 Graz, Austria) – mobile number verification
- akquinet AG (Paul-Stritter-Weg 156, 22297 Hamburg, Germany) – provision of single sign-on
- IMEDIAPP (Batch) (43 rue Beaubourg, 75003 Paris, Frankreich) – app communication
- Majorel Group Luxembourg S.A. (18 Boulevard de Kockelscheuer, L-1821 Luxembourg) – customer service
- Voucherify (Porcelanowa 23/A4, 40-246 Katowice, Poland) – use of vouchers
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – use of Google Firebase. We use the following Google Firebase products for Jelbi: Crashlytics, Performance, Google Analytics for Firebase, and Remote Config. These products may involve the processing of different data categories for different purposes.
- Google Analytics for Firebase: Device information, information on the used app, data on app usage, location data, user ID, and information on individual requests within the app (events) are processed for Analytics. The data is used to analyse user behaviour and, based on the result, make decisions relating to product and marketing optimisation. Analytics is only used if you have given your consent (Article 6(1)(a) of the GDPR).
- Firebase Performance: We use Firebase Performance to process data relating to usage of the app, e.g., used version of the app, device information, type of network used (e.g., WiFi), type of malfunction, duration of malfunction. The data allows us to monitor performance of the Jelbi app and diagnose problems by determining the contexts in which they occur. This helps up to minimise the app’s response times. The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring that the app runs smoothly and that problems can be resolved quickly. We assume that this processing is also in users’ interest.
- Firebase Crashlytics: Firebase Crashlytics processes data on the operation of the app, including the type of operating system used, information on malfunctions in use (type of malfunction, time of malfunction, duration of malfunction, use of the app at the time of the malfunction), and device information. When malfunctions or problems occur during use of the app, we can use this data to obtain an overview of malfunctions and weight them according to their relevance for use in order to ensure efficient troubleshooting and ensure the stability of the app. The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in identifying and eliminating stability issues that affect the quality of the app. This also increases the user-friendliness of the app for our customers.
- Firebase Remote Config: The Remote Config function gives us the option to modify the design of the app temporarily or permanently, e.g., to adapt it to regional circumstances. In addition, the function allows us to perform A/B testing on new functions of the app before the release of a new app version by introducing individual functions on a test basis. If the user has agreed to the use of Analytics, we can evaluate the effects of the changes during use. The data categories listed under Firebase Analytics are processed when using Remote Config: Device information, information on the used app, data on app usage, location data, user ID, and information on individual requests within the app (events). The legal basis is Article 6(1)(f) of the GDPR. Changes to the app on a test basis for optimisation purposes represents a legitimate interest.
- Google Ads: To run online advertising campaigns, measure and improve their success, we use the Google Ads service, an offering from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). When a user interacts with our ad (e.g., banner or video), Google Ads records information about that interaction (e.g., a click on the banner). In addition to interacting with the ad, Google Ads can only measure the download of the app through the Google Play Store (app store for Android phones). Using this stored information, Google can measure the number of people who clicked on a Google ad and downloaded the app to their cell phone through the Google Play Store. If Google ads link to Jelbi, Jelbi receives statistics from Google about the number of app downloads after clicking on a Google ad. However, Jelbi does not receive any information that can be used to personally identify users. Jelbi uses the statistics to determine how successful the individual advertising measures are. We only use Google Ads if you give your consent. This consent is voluntary and can be revoked at any time. You can find more information about data processing at Google Ads at https://policies.google.com/privacy#infocollect.
We also disclose data to the following third parties, which act as (joint) controllers when processing the data:
- LogPay Financial Services GmbH
When using any payment method (i.e., SEPA direct debit, credit card, PayPal), your customer data (first name and surname, date of birth, address, gender, email address) will be transmitted to our external financial services provider (currently LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, referred to below as “LogPay”). The payment method data (account details, credit card details, information on your ticket purchases) is collected directly by LogPay, as claims against you are assigned to LogPay when you use mobility services. The legal basis for the data transmission is Article 6(1)(b) and (f) of the GDPR. We have a legitimate interest in outsourcing the handling of payments and the management of claims for the purpose of efficient invoicing, as the involvement of a large number of mobility providers gives rise to considerable complexity in payment processing.
LogPay is the sole controller responsible for processing your personal data. More information on how LogPay processes data can be found at https://www.LogPay.de/DE/datenschutzinformationen/.
Please note: as set out in these policies, if you are not yet a customer of LogPay, LogPay will transmit your data to credit agencies (e.g., Schufa) in order to check your details and creditworthiness to prevent payment defaults.
- Google Maps
We use the Google Maps service via an API. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Maps makes it possible to quickly and accurately determine your location and show both available mobility services and the routes that you request. Your IP address must be stored to use Google Maps functions. This information is typically sent to and stored on Google servers in the USA. We have no influence over this data transmission.
3. Joint responsibility of the BVG and mobility providers
We work closely with other mobility providers on behalf of Jelbi. This also concerns the processing of your personal data. The BVG and the mobility provider you use are jointly responsible for the protection of your personal data (Article 26 of the GDPR) when it is used in the context of marketing the Jelbi app, use of the Jelbi app, and billing of mobility services through the Jelbi app, as well as for customer service. The following mobility providers are used in the Jelbi app:
- Miles (Miles Mobility GmbH, Leibnizstraße 49, 10629 Berlin)
- Emmy (Electric Mobility Concepts GmbH, Alboinstraße 17-23, 12103 Berlin)
- Nextbike (TIER Mobility SE, Eichhornstraße 3, c/o WeWork, 10785 Berlin)
- Tier (TIER Mobility SE, Eichhornstraße 3, c/o WeWork, 10785 Berlin)
- Taxi Berlin (Taxi Berlin TZB GmbH, Persiusstraße 7, 10245 Berlin)
- Voi (Voi Technology AB, Warfvinges väg 34, 112 51 Stockholm, Sweden)
- Lime (Lime Electric Ireland Limited, 6th Floor South Bank House, Barrow Street, Dublin 4, Ireland)
- Sixt Share (Sixt GmbH & Co. Autovermietung KG, Zugspitzstraße 1, 82049 Pullach)
- Bolt (Bolt Operations OÜ, Vana-Lõuna tn 15, 10134 Tallin, Estonia)
As part of our joint data protection responsibilities, we and the above-mentioned mobility providers have agreed on who will meet which obligations in accordance with the GDPR. This, in particular, applies to the exercise of the rights of data subjects and our obligation to provide information as set out in Articles 13 and 14 of the GDPR. You can request the key provisions of this contract from email@example.com at any time.
- Disclosure of personal data to the authorities
We will only transmit your personal data to public authorities if the information is requested on the basis of statutory requests for information or if the BVG is otherwise legally obliged to transmit the data (Article 6(1)(c) of the GDPR).
- Disclosure of data within the BVG
VI. Transfer of personal data to third countries
Please note that data processed in other countries may be subject to foreign laws and may be accessible to the governments, courts, law enforcement authorities, and regulatory authorities of those countries. If your personal data is transferred to third countries, however, we will take appropriate measures to adequately secure your data.
Unless an adequacy finding has been made by the EU Commission for the recipient country, the transfer of your data to a third country is protected by the fact that EU standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) have been concluded with the recipient or that binding internal data protection guidelines exist. Otherwise, a transfer will only take place if an exception under Art. 49 GDPR is fulfilled.
E. Data erasure and duration of storage
Your personal data will be stored as long as it is necessary for the fulfilment of the specific purpose. Subsequently, your data will be erased, unless there are legal obligations to retain the data beyond this time or there is legal justification to do so. The following time limits for storage and erasure generally apply:
|Time limit for storage/erasure
|Customer account data
|· Storage while account is active and for up to one month after erasure of account
|Data on selected payment method
|· Storage while account is active and for one month after erasure of account
|Location data during informational use of the app
|· Data is erased within 30 days or in case of error 90 days of closing/exiting the app
|Request data during informational use of the app
|· Data is erased within 30 days or in case of error 90 days of closing/exiting the app
|Request data on unsuccessful booking of a service
|· Data is erased within 90 days of closing/exiting the app
|Data for validation of driving licence and ID card
|· Storage for 30 days following completion of validation process
|Result of validation (positive result, document number, dates of issue and validity, vehicle category)
|· Storage while customer account is active and for three years after erasure of account (time starts at end of respective calendar year)
|Receipt data for BVG services, i.e., data on specific use of BVG services (e.g., data and time of booking and use, invoice, information on specific tickets, etc.)
|· Storage for 10 years
|Trip history (data on specific use of services from other mobility providers, e.g. date and time of booking and use, invoice)
|· Storage for three years following use of the service (time starts at end of respective calendar year)
|Photo transmitted by the user at the end of a trip
|· Storage for 2 years
|Data from customer service queries
|· Storage for a maximum of three years following handling of the request (time starts at end of respective calendar year)
|Data from the use of vouchers
|· Retention during the existence of the customer account as well as three years after deletion of the account (time starts at the end of the respective calendar year)
F. Your data protection rights
Depending on the circumstances in your specific case, you have the right
- to obtain access to the personal data processed by us and/or request copies of these data. This includes information concerning the purpose of usage, the category of data used, their recipients and authorised users, and, where possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
- to request the rectification, erasure, or restriction of processing of your personal data, provided that its use is impermissible under data protection law, in particular because (i) the data is incomplete or incorrect, (ii) the data is no longer required for the purposes for which they were collected, (iii) the consent on which processing is based was withdrawn, or (iv) you have made use of your right to object to processing of your personal data; in cases in which the data is processed by third parties, we will forward your request for rectification, erasure, or restriction of processing to these third parties, unless this proves to be impossible or would involve disproportionate effort;
- to refuse consent or – without affecting the lawfulness of data processing carried out prior to withdrawal – to withdraw your consent to the processing of your personal data at any time;
- to request the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;
- to take legal action or appeal to the data protection supervisory authorities, if you are of the opinion that your rights have been infringed due to processing of your personal data that is not in compliance with data protection regulations.
You also have the right to object to processing of your personal data at any time, free of charge, and with effect for the future:
- where we process your personal data for direct marketing purposes
- where we process your personal data in pursuance of our legitimate interests and on grounds relating to your particular situation
You can exercise your rights at any time by sending an email to firstname.lastname@example.org.
If you would like to contact the BVG’s data protection officer directly, please send an email to email@example.com.
G. Amendment clause