Privacy Policy for the Jelbi app.

Last modified: March 19, 2020

 

A. General information

Thank you for your interest in Jelbi. We take the protection of your personal data very seriously. The personal data you provide when using the Jelbi app and our services is treated confidentially and in accordance with both statutory data protection regulations and this privacy policy. We would like to give you detailed information about what personal data we process, for what purposes we process it, whom we share it with, and what control and information rights you may have. We therefore recommend that you read through this privacy policy carefully.

 

B. Responsibility and contact

Berliner Verkehrsbetriebe AöR, Holzmarktstraße 15-17, 10179 Berlin (referred to below as “BVG” or “we” or “our” or “us”) is responsible for the Jelbi app. If you have any questions regarding this privacy policy or the processing of your personal data, please feel free to contact us by email at privacy@jelbi.de.

If you have any questions, suggestions, or criticisms relating to our services, please contact us by email at support@jelbi.de.

 

C. General information on data processing

We collect and use personal data only to the extent necessary to ensure a functioning Jelbi app and provide our content and services. One of the main purposes of data processing is to provide a tool for optimum coordination, selection, and presentation of mobility services for users – including a data management system to ensure that users do not need to re-enter their contact data every time they book a different mobility provider and always have access to an overview of the mobility services they use.

 

D. Summary of our processing activities

  • If the Jebli app is used purely for informational purposes (i.e., no user registration), we process data about your device to enable use of the app. The legal basis is Article 6(1)(b) of the GDPR. We also evaluate usage data to enable optimisation of our app and provide you with a better user experience. The legal basis is Article 6(1)(f) of the GDPR (see also I).
  • When you download the Jelbi app and at any time thereafter, you have the option to subscribe to email and push notifications containing useful information and offers relating to our products and services. The legal basis for such processing of your data is your consent as set out in Article 6(1)(a) of the GDPR (see also D.I.1).
  • We will process your location data if you search for mobility services in the Jelbi app. This allows us to display mobility services located nearby or for a specific route. The legal basis is Article 6(1)(b) of the GDPR (see also D.I.2).
  • If you create a customer account in the Jelbi app, in addition to the data set out above we will also process all information required for registration (e.g. name, address, mobile number). We can only provide you with the option to book mobility services on the basis of this information. The legal basis is Article 6(1)(b) of the GDPR (see also II).
  • If you use a service provided by the BVG or another mobility provider through the Jelbi app, your data will also be processed for the purpose of processing the booking and invoicing (e.g., name, location). The legal basis is Article 6(1)(b) of the GDPR (see also III).
  • In order to be able to process bookings, we process information relating to your selected payment method. The legal basis is Article 6(1)(b) of the GDPR (see also D.III.2).
  • If you wish to use mobility services that require a valid driving licence, we will verify your driving licence and your ID card. The legal basis for this data processing is Article 6(1)(b) of the GDPR (see also D.III.3).
  • If you contact our customer service, we will process data for the purpose of dealing with your request (e.g., name, email address, reason for contacting us). The legal basis is Article 6(1)(b) of the GDPR (see also IV).
  • We use external service providers for some of these data processing operations. This is the case, for example, for payment processing and driving licence validation. When using mobility services provided by the mobility providers, we act in concert with them as joint controllers responsible for the relevant processing operations, as set out in Article 26 of the GDPR (see also V).

 

Definitions

Personal data means any information relating to an identified or identifiable natural person (Article 4(19 of the GDPR). This includes information such as your name, your e-mail address, your postal address, and your telephone number. It does not include information which cannot be linked directly to your identity, such as the number of users of a website.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Mobility provider means companies that provide their services through the Jelbi app or the Jelbi website These services (referred to below as “mobility services”) are transport services provided by public and private transport companies that create a transport route according to the customer’s specifications, provide a means of transport (e.g., car, scooter or electric scooter, bicycle), and handle payments.

 

I. Processing of your data when using the Jelbi app for informational purposes

If you use the Jelbi app purely for information purposes, i.e., you do not register or otherwise provide us with information, we will collect the following personal data, which is technically necessary for us to provide you with the functions of the Jelbi app and ensure the stability and security of the app:

  • Device identifier: DeviceID for Android, IDFA for iOS
  • IP address
  • App language and version
  • Operating system
  • Date and time of request
  • Type of device, device properties, type of network connection (e.g., WiFi, 3G, LTE, Bluetooth), network provider, network and device performance, browser type, device model
  • City
  • Transferred data volume
  • Information on interactions with the Jelbi app
  • Location for the purpose of displaying mobility services nearby or a route starting from the location with duration and prices for all available mobility services (see also D.I.2.).

This information is processed to enable use of our app (Article 6(1)(b) of the GDPR), as we require automatically collected data to provide a functioning app (e.g., adapting the app to the requirements of your device). This information is also processed to allow us to pursue our legitimate interest in optimising the Jelbi app and ensuring the stability and security of both the app and our IT systems (Article 6(1)(f) of the GDPR). Automatically collected personal data is stored for 30 days and then erased, unless a longer period of storage is justified or required by law (see also E).

We also evaluate usage data for our app (technical usage data, app version, click flows, used functions) on a purely anonymised basis for the purpose of identifying preferences and to help us develop the app.

  1. Push notifications and emails containing useful offers

After downloading the Jelbi app, you can choose whether to receive relevant, personalised messages from Jelbi on your mobile device by email or push notification and whether you wish to be informed about special offers, discounts, and surveys, which may include advertising from the BVG and/or Jelbi’s cooperation partners (for BVG products/events or products/events from Jelbi cooperation partners).

You can also activate this function in the Jelbi app at any later time. We will process the personal data you provide for this purpose (e.g., name, address, email address) to send you the relevant information. The legal basis for processing your personal data in connection with registration for these services is your consent as set out in Article 6(1)(a) of the GDPR.

Right to withdraw consent: You may withdraw your consent to be sent such notifications or to the processing of your personal data for direct marketing purposes with future effect at any time and without giving reasons by going to Account > Legal > Jelbi and deselecting the advertising checkbox.

If you have purchased goods or services from us, we may send you information about other similar goods and services from us to your email address that we received when you purchased the original goods or services, even without your consent, provided you have not objected to us sending such information. You can object to us sending information without incurring any costs other than the standard rates for data transmission. Objections must be sent to privacy@jelbi.de. Every message also contains a link that you can use to exercise your right to withdraw.

  1. Collection of location data

When you use the app to search for a mobility service, we will determine your exact or approximate location data in order to display the mobility services available at your location or a route starting from your location with duration and pricing for all available mobility services. In the process, we also store information on suggested and selected connections (start location, destination, start time, arrival time, journey time, connection times, type of transport, prices, user rating of connection information).  You can either allow the app to access location services through the operating system on your device and its permissions system (“location tracking”) or manually enter your location. In the case of GPS tracking, however, we only collect the location determined by your device if the app is open and you tap the location icon. Your device will indicate if location tracking is active. On an iPhone, for example, it is indicated by a compass symbol in the status bar. Android devices feature a similar function. If you enter your location manually, we will store only this information.

The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as your location is only determined and transmitted to us if you use app functions that we can only provide if we are aware of your location. When you request mobility services, we need to process your location for the purpose of suggesting available services near you. You can enable or disable this function (automated positioning) at any time by going to your operating system’s settings. If you do not allow us to collect your location data, the app will also work if you manually enter your location. In addition, the start point and destination (location information) of the vehicle used are collected for billing purposes, even if you have not allowed us to collect your location data.

 

II. Processing of your data during registration and/or use of a customer account

Our app provides services (e.g., customer account, mobility services, customer service) that, if used, require your personal data, e.g., name, email address, and other information as necessary. If you do not provide this data, we may not be able to provide you with the request service or may not be able to reply to your request. A summary of relevant processing operations and legal bases is provided below.

  1. Registration process

We provide the option for you to register or create a customer account, which requires you to enter personal data. A customer account is required in order to use mobility services through the Jelbi app. During the registration process, we process the following personal data, which you provide on an input form:

  • Surname (from an existing BVG account if registering with existing BVG login credentials)
  • First name (from an existing BVG account if registering with existing BVG login credentials)
  • Date of birth
  • Address
  • Email address
  • Language
  • Mobile number
  • Date and time of registration
  • Gender
  • Login and password (from existing BVG account)
  • Version number of applicable terms and conditions of use and privacy policy
  • Optional: other information required to make a booking (payment information required by payment type, driving licence verification, ID card verification; see D.III.). You can also wait until you make a booking to enter this data.

We use the double opt-in procedure for registration. After you register in the app, this means that you will receive an email containing a link that you must click on to confirm that you are the owner of the email address and wish to create a customer account in the Jelbi app. If you do not confirm within 24 hours, your registration and the personal data you provided will be automatically erased. If you use an existing BVG account to register, please enter the email address and password that you use to log in to the BVG Ticket app, the Fahrinfo app, or on BVG.de; your BVG account will then be associated with the Jelbi app and the above data from your BVG account (surname, first name, login, password) will be used (“single sign-on”, SSO). The SSO service is provided by our service provider unitb (see also D.V.).

We will also verify that you are the owner of the mobile number used during registration by sending a text containing a four-digit code to the number you provide. When requested to do so, enter this number in the Jelbi app (Android typically detects the code automatically) to store a verified mobile number in Jelbi.

We store the data you provide in your personal customer account within the Jelbi app. You can manage and change any of the data you provide in your password-protected customer account, although you may need to contact customer service to change some information (see also D.IV).

The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this information is required to establish, formulate, or modify the contractual relationship between you and the BVG. The data is also used to provide customer account functions and for management of your customer account. You cannot use the mobility services in the Jelbi app if you do not provide the data required during registration. We will process your contact data, including your email address and mobile number, in order to provide you with information on contract-related changes relating to the services we offer in compliance with relevant legislation and provide you with other information required by law. We require your date of birth to ensure that you are an adult and therefore legally competent, as well as to distinguish between persons with the same names.

  1. Erasing your customer account

You can erase your Jelbi customer account as follows: Please send an email to privacy@jelbi.de with a written request to erase your account. If you decide to erase your customer account, all of your account data, including all communication data, will first be blocked from further processing, with the exception of processing that is required in compliance with legal obligations or rights (see E below) and then permanently erased. You can also erase individual items of data within your customer account. Your request for erasure may conflict with statutory provisions or rights on the part of the BVG. As such, your data may not be erased if the BVG is required to comply with legal obligations to retain data (e.g., for commercial or tax law reasons) or if processing of your data is required for the establishment, exercise, or defence of legal claims, e.g., if we initiate legal proceedings against you for misconduct during use of our services or for payment reasons. In such cases, we will notify you of the reasons conflicting with your right to erasure.

 

III. Processing of your data when using the mobility services in the Jelbi app

When you book and use mobility services through the Jelbi app, a mobility contract is formed between you and the mobility provider from the list below. Through the Jelbi app, you can make use of mobility services provided by either the BVG or a third-party provider. The BVG will only transmit the data required to form and process the contract to your selected mobility provider; this data is processed only by us if you use BVG services. This data is transmitted for the purpose of forming and processing the contract. The data is not transmitted until you book your first journey. The required data is listed below.

All mobility providers receive the following:

  • First name
  • Surname
  • Email address
  • Address
  • Mobile device information
  • Information on your selected payment method (offered by LogPay)
  • Specific booking/reservation request
  • Location and position data (start and destination address only)
  • MSP-related support queries

NextBike, Berlkönig, Miles, and Taxi Berlin also receive the following:

  • Mobile number

Miles and emmy also receive the following:

  • Result of driving licence validation, including your driving licence data (see D.III.3.)

At the end of your usage, the mobility provider transmits the following data to us, which we provide for you in the app:

  • Start and end time of a journey, start and end coordinates of a journey
  • Cost of the journey

The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data is required for the provision of mobility services by the respective mobility provider, i.e., for the formation and processing of contracts between you and a mobility provider. The BVG will transmit this data to the respective mobility provider for the purpose of processing your booking and/or reservation request, thereby enabling formation and execution of the contract. The BVG and the respective mobility provider act as joint controllers responsible for processing your data and have concluded an agreement as set out in Article 26 of the GDPR (see also D.V.4). You can obtain information on data processing activities carried out by the different mobility providers in their privacy policies.

Full payment information is not transmitted to the BVG for the purpose of billing used mobility services (see D.V); only information on the selected payment service is transmitted. The data required for payment (payment service provider token and total amount) is transmitted to the mobility provider by LogPay during the payment process.

  1. Invoice creation and dispatch

Invoices are created for each journey by the mobility provider with which you completed your journey. You can view and download invoices by going to Account > My Trips in the Jelbi app. After each journey, you will also receive a receipt by email.

You can request erasure of your data in “My Trips” at any time by sending an email to privacy@jelbi.de; this does not affect the storage periods applicable to your invoice data (see also E below).

  1. Payment information

In order to use mobility services through the Jelbi app, you must provide payment information directly to LogPay during the registration process (see also D.V.1). LogPay is the controller responsible for processing your personal data.

  1. Online validation of your driving licence and ID card

A driving licence valid for a car or scooter and a valid ID card/passport are required for use of some mobility services in the Jelbi app. Our app allows you to perform an “online” validation of your driving licence and ID card. During this procedure, we will collect and process pictures and videos of your driving licence and ID card taken by you, as well as a photograph and video of your face, for the purpose of checking your driving licence and ID card. In order to carry out the driving licence check, the following mandatory information is collected:

  • Driving licence date of issue
  • Driving licence date of expiry
  • Driving licence category
  • Driving licence number
  • Issuing authority
  • Country in which the driving licence was issued
  • Driving licence picture
  • Facial photograph and video

In order to carry out the ID card (or passport) check, the following mandatory is collected:

  • First name
  • Address
  • Date of birth
  • ID card date of issue
  • ID card date of expiry
  • Country in which the ID card was issued
  • ID card number
  • Facial photograph and video

We will not be able to check your driving licence if you do not provide this information, which will subsequently preclude your use of certain vehicles. The data required to check the driving licence is automatically extracted. The driving licence picture is then checked against the facial photograph and video you provide (face match) and the photographs and videos are then stored. In the event that automated processing cannot be carried out (e.g., if the image quality is poor), a new verification attempt is made. The storage of the data for a period of 30 days serves as proof of the verification of the driving licence by the BVG. Only the result of the driving licence and ID card validation (for driving licence: date of issue, date of expiry, category, number, issuing authority, photo; for the ID card: name, address, photo, date of issue, date of expiry, country of issue) is permanently stored in your Jelbi account.

The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data processing is required for performance of the contract and for steps prior to entering into the contract between you and Jelbi, as well as for any mobility contracts between you and third-party suppliers with the involvement of Jelbi. We use the services of Veriff OÜ, Niine 11, 10414 Tallinn, Estonia (referred to below as “Veriff”) for the automated validation process. We have concluded a processing contract with Veriff. Data transmission is therefore privileged in accordance with Article 28 of the GDPR.

 

IV. Processing of your data when you contact customer service

When you contact our customer service (e.g., through the Jelbi app, by email, by telephone), we will store the reason for contacting us, your email address, your name, and our replies for the purpose of responding to your questions. To allow us to diagnose and correct errors, the following technical information is also collected: operating system (iOS or Android), city in the which the user is located, app version, device model, OpenGL version, device ID. We also save all the information you provide on a voluntary basis with your query. The legal basis of this data processing is set out in Article 6(1)(b) of the GDPR, as this data processing is required for the purpose of providing customer service during the contractual relationship.

 

V. Disclosure of your data

Contracted service providers

Personal data may be disclosed to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services, evaluate user behaviour on our website and app, or for technical support. Under statutory agreements (Article 28 of the GDPR), we contractually oblige our contracted service providers to use personal data solely for the agreed purposes and not to disclose your personal data to other parties without your consent, unless this is required by law. We make use of the following external service providers to process your data:

  • Trafi (UAB Intelligent Communications / Labdarių 5, LT-01120 / Vilnius, Lithuania) – hosting and operation of our central IT system
  • Amazon Web Services, Inc. (410 Terry Avenue North, Seattle, WA) – hosting of the IT system
  • Veriff OÜ (Niine 11, 10414 Tallinn, Estonia) – driving licence and ID card validation
  • Twilio, Inc. (375 Beale St Suite 300, San Francisco, CA 94105, USA)) – mobile number verification
  • unitb consulting GmbH – (Brunnenstraße 156, 10115 Berlin) – provision of single sign-on
  • Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – use of Google Firebase. We use the following Google Firebase products for Jelbi: Crashlytics, Performance, Google Analytics for Firebase, Cloud Messaging, and Remote Config. These products may involve the processing of different data categories for different purposes.
    • Google Analytics for Firebase: Device information, information on the used app, data on app usage, location data, user ID, and information on individual requests within the app (events) are processed for Analytics. The data is used to analyse user behaviour and, based on the result, make decisions relating to product and marketing optimisation. Analytics is only used if you have given your consent (Article 6(1)(a) of the GDPR).
    • Firebase Cloud Messaging: Firebase Cloud Messaging allows us to message users with specific, context-related information on our services and encourage use of the app. Information on the message’s subject, the type of message, and the time of sending are processed, in addition to data regarding whether and when a message was received and read. Some of this data is also used for analysis purposes. Cloud Messaging is only used if you have given your consent (Article 6(1)(a) of the GDPR).
    • Firebase Performance: We use Firebase Performance to process data relating to usage of the app, e.g., used version of the app, device information, type of network used (e.g., WiFi), type of malfunction, duration of malfunction. The data allows us to monitor performance of the Jelbi app and diagnose problems by determining the contexts in which they occur. This helps up to minimise the app’s response times.  The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring that the app runs smoothly and that problems can be resolved quickly. We assume that this processing is also in users’ interest.
    • Firebase Crashlytics: Firebase Crashlytics processes data on the operation of the app, including the type of operating system used, information on malfunctions in use (type of malfunction, time of malfunction, duration of malfunction, use of the app at the time of the malfunction), and device information. When malfunctions or problems occur during use of the app, we can use this data to obtain an overview of malfunctions and weight them according to their relevance for use in order to ensure efficient troubleshooting and ensure the stability of the app. The legal basis for data processing is Article 6(1)(f) of the GDPR. We have a legitimate interest in identifying and eliminating stability issues that affect the quality of the app. This also increases the user-friendliness of the app for our customers.
    • Firebase Remote Config: The Remote Config function gives us the option to modify the design of the app temporarily or permanently, e.g., to adapt it to regional circumstances. In addition, the function allows us to perform A/B testing on new functions of the app before the release of a new app version by introducing individual functions on a test basis. If the user has agreed to the use of Analytics, we can evaluate the effects of the changes during use. The data categories listed under Firebase Analytics are processed when using Remote Config: Device information, information on the used app, data on app usage, location data, user ID, and information on individual requests within the app (events). The legal basis is Article 6(1)(f) of the GDPR. Changes to the app on a test basis for optimisation purposes represents a legitimate interest.

The data obtained by Firebase is in part evaluated by using the Google services “BigQuery” and “Looker”, provided by Looker Data Sciences, Inc., 101 Church Street, Santa Cruz, California 95060, for the above-mentioned purposes. BigQuery is a developer tool from Google designed to perform quick, web-based queries of large data sets. Looker is an analytics platform. It improves the use of BigQuery by enabling execution directly in the database. Both services are used in connection with a processing contract in accordance with Article 28 of the GDPR.

We also disclose data to the following third parties, which act as (joint) controllers when processing the data:

  1. LogPay Financial Services GmbH

When using any payment method (i.e., SEPA direct debit, credit card, PayPal), your customer data (first name and surname, date of birth, address, gender, email address) will be transmitted to our external financial services provider (currently LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, referred to below as “LogPay”). The payment method data (account details, credit card details, information on your ticket purchases) is collected directly by LogPay, as claims against you are assigned to LogPay when you use mobility services. The legal basis for the data transmission is Article 6(1)(b) and (f) of the GDPR. We have a legitimate interest in outsourcing the handling of payments and the management of claims for the purpose of efficient invoicing, as the involvement of a large number of mobility providers gives rise to considerable complexity in payment processing.

LogPay is the sole controller responsible for processing your personal data. More information on how LogPay processes data can be found at https://www.LogPay.de/DE/datenschutzinformationen/.

Please note: as set out in these policies, if you are not yet a customer of LogPay, LogPay will transmit your data to credit agencies (e.g., Schufa) in order to check your details and creditworthiness to prevent payment defaults.

  1. Google Maps

We use the Google Maps service via an API. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Maps makes it possible to quickly and accurately determine your location and show both available mobility services and the routes that you request. Your IP address must be stored to use Google Maps functions. This information is typically sent to and stored on Google servers in the USA. We have no influence over this data transmission.

We use Google Maps in the interest of increasing the attractive and ease of use of our app. This represents a legitimate interest as set out in Article 6(1)(f) of the GDPR. We assume that an increase in user-friendliness is also in your interest. More information on how Google handles user data can be found in the Google privacy policy: https://www.google.de/intl/de/policies/privacy/.

  1. Google Ads

In order to run online advertising campaigns and both gauge and improve their success, we use Google Ads, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). When a user interacts with our advertisement, Google Ads stores information on this interaction (e.g., a click). If the user then completes a conversion (e.g., downloading the app), this information is sent back to Google Ads with the conversion data. Conversion methods allow Google to use the information stored to measure the number of people who have clicked on an AdWords advertisement and decided to purchase an advertised offer. If Google ads link to Jelbi, Jelbi receives statistics from Google regarding the number of purchases after clicking on a Google Ad advertisement. Jelbi does not, however, receive any information that can be used to personally identify users. Jelbi uses the statistics to determine the success of its advertising.  We only use Google Ads if you give your consent for us to do so. This consent is voluntary and can be withdrawn at any time. More information on how Google Ads processes data can be found at https://policies.google.com/privacy#infocollect. Google LLC is certified under the Privacy Shield framework and has committed itself to compliance with the requirements involved.

  1. Joint responsibility of the BVG and mobility providers

We work closely with other mobility providers on behalf of Jelbi. This also concerns the processing of your personal data. The BVG and the mobility provider you use are jointly responsible for the protection of your personal data (Article 26 of the GDPR) when it is used in the context of marketing the Jelbi app, use of the Jelbi app, and billing of mobility services through the Jelbi app, as well as for customer service. The following mobility providers are used in the Jelbi app:

  • Miles (Miles Mobility GmbH, Kemperplatz 1, 10785 Berlin)
  • Emmy (Electric Mobility Concepts GmbH, Alboinstraße 17-23, 12103 Berlin
  • Nextbike (nextbike GmbH, Erich-Zeigner-Allee 69-73, 04229 Leipzig)
  • Tier (TIER Mobility GmbH , c/o The Drivery, Mariendorfer Damm 1, 12099 Berlin)
  • BerlKönig, (Berliner Verkehrsbetriebe (BVG) – AöR –, Holzmarktstraße 15-17, 10179 Berlin)
  • Taxi Berlin, (Taxi Berlin TZB GmbH, Persiusstraße 7, 10245 Berlin)

As part of our joint data protection responsibilities, we and the above-mentioned mobility providers have agreed on who will meet which obligations in accordance with the GDPR. This, in particular, applies to the exercise of the rights of data subjects and our obligation to provide information as set out in Articles 13 and 14 of the GDPR. You can request the key provisions of this contract from privacy@jelbi.de at any time.

  1. Disclosure of personal data to the authorities

We will only transmit your personal data to public authorities if the information is requested on the basis of statutory requests for information or if the BVG is otherwise legally obliged to transmit the data (Article 6(1)(c) of the GDPR).

  1. Disclosure of data within the BVG

We reserve the right to allow another company in the BVG Group to operate the Jelbi app in the future; in the event of such a change of operator, user data will also be disclosed to the new operator. The new operator will then assume all relevant rights and obligations and process personal data in accordance with this privacy policy.

 

VI. Transfer of personal data to third countries

Please note that data processed in other countries may be subject to foreign laws and may be accessible to the governments, courts, law enforcement authorities, and regulatory authorities of those countries. If your personal data is transferred to third countries, however, we will take appropriate measures to adequately secure your data.

If you data is transferred to a third country, this transmission is secure thanks to the fact that the recipient is either certified in accordance with the EU-U.S. Privacy Shield (http://privacyshield.gov/) or has concluded EU standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en).

 

E. Data erasure and duration of storage

Your personal data will be stored as long as it is necessary for the fulfilment of the specific purpose. Subsequently, your data will be erased, unless there are legal obligations to retain the data beyond this time or there is legal justification to do so. The following time limits for storage and erasure generally apply:

Data category Time limit for storage/erasure
Customer account data ·        Storage while account is active and for up to one month after erasure of account
Data on selected payment method ·        Storage while account is active and for one month after erasure of account
Location data during informational use of the app ·        Data is erased within 30 days of closing/exiting the app
Request data during informational use of the app ·        Data is erased within 30 days of closing/exiting the app
Request data on unsuccessful booking of a service ·        Data is erased within 30 days of closing/exiting the app
Data for validation of driving licence and ID card ·        Storage for 30 days following completion of validation process
Result of validation (positive result, document number, dates of issue and validity, vehicle category) ·        Storage while customer account is active and for three years after erasure of account (time starts at end of respective calendar year)
Receipt data for BVG services, i.e., data on specific use of BVG services such as BerlKönig (e.g., data and time of booking and use, invoice, information on specific tickets, etc.) ·        Storage for 10 years
Trip history (data on specific use of services from other mobility providers, e.g. date and time of booking and use, invoice) ·        Storage for three years following use of the service (time starts at end of respective calendar year)
Data from customer service queries ·        Storage for a maximum of three years following handling of the request (time starts at end of respective calendar year)

 

F.Your data protection rights

Depending on the circumstances in your specific case, you have the right

  • to obtain access to the personal data processed by us and/or request copies of these data. This includes information concerning the purpose of usage, the category of data used, their recipients and authorised users, and, where possible, the planned period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
  • to request the rectification, erasure, or restriction of processing of your personal data, provided that its  use is impermissible under data protection law, in particular because (i) the data is incomplete or incorrect, (ii) the data is no longer required for the purposes for which they were collected, (iii) the consent on which processing is based was withdrawn, or (iv) you have made use of your right to object to processing of your personal data; in cases in which the data is processed by third parties, we will forward your request for rectification, erasure, or restriction of processing to these third parties, unless this proves to be impossible or would involve disproportionate effort;
  • to refuse consent or – without affecting the lawfulness of data processing carried out prior to withdrawal – to withdraw your consent to the processing of your personal data at any time;
  • to request the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;
  • to take legal action or appeal to the data protection supervisory authorities, if you are of the opinion that your rights have been infringed due to processing of your personal data that is not in compliance with data protection regulations.

You also have the right to object to processing of your personal data at any time, free of charge, and with effect for the future:

  • where we process your personal data for direct marketing purposes
  • where we process your personal data in pursuance of our legitimate interests and on grounds relating to your particular situation

You can exercise your rights at any time by sending an email to privacy@jelbi.de.

If you would like to contact the BVG’s data protection officer directly, please send an email to datenschutz@bvg.de.

 

G. Amendment clause

We reserve the right to make changes to this privacy policy from time to time. Updated versions are published at https://www.jelbi.de/datenschutz.