Privacy Policy

 

Protecting your personal data is important to us. With this privacy policy, we would like to explain in more detail which personal data we collect when you use myTuur.de and for what purposes this data is used.

 

Controller and Contact

The controller responsible for the processing of your personal data is:

 

myTuur GmbH

Münchner Straße 15

89073 Ulm

Germany

If you have any questions or suggestions regarding data protection, you can also contact us by email at info@mytuur.com.

 

You can reach our data protection officer at: dataprotection@mytuur.com

Subject Matter of Data Protection

The subject matter of data protection is personal data (hereinafter also simply referred to as “data”), i.e. all information relating to an identified or identifiable natural person.

 

Automatic Data Collection

 

When you access our website, your device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

 

·       browser type and browser version

·       operating system used

·       referrer URL

·       URL of the page accessed

·       network connection latency

·       date and time of the server request

·       IP address

 

We store this data for the following purposes:

 

·       to ensure the security of our IT systems, for example to defend against specific attacks on our systems and to detect attack patterns;

·       to ensure the proper operation of our IT systems, for example where errors and/or technical problems occur that we can only resolve by storing the IP address;

·       to enable criminal prosecution, threat prevention or legal enforcement in the event of specific indications of criminal offences.

 

Your IP address is stored for a period of 90 days only.

In this case, the processing is carried out on the basis of our overriding legitimate interests mentioned above (Art. 6(1)(f) GDPR).

 

Registration Data

 

In order to use all functions of myTuur, you must register. For this purpose, you must provide the following mandatory information:

 

·       email address

·       username

·       password

 

Alternatively, you can log in using the following services:

 

·       Apple account

·       Facebook

·       Google

 

In this case, we receive the following personal data from the respective company with which you have your account in order to create a user account for you:

 

·       name

·       email address

·       photo, if applicable (Facebook only)

·       authentication token

 

If you log in via Facebook, your Facebook friends who also use myTuur can find you via search, provided you wish this and have set this accordingly on Facebook. After your registration, you will receive a registration email from us to activate your user account.

 

Your registration data is required to set up, activate and manage a user account for you and to enable you to use all features of our app. In this case, you conclude a free user agreement with us, on the basis of which we collect this data (Art. 6(1)(b) GDPR).

 

In order to conclude the agreement, you must provide us with this data. However, you are neither contractually nor legally obliged to conclude the agreement and thus to provide the data.

 

In addition, you may provide further voluntary information as part of the registration process. For example, you can upload a profile photo, tell others something about yourself or specify your favourite travel destinations. This information is voluntary and is not required in order to register. Please note, however, that this information may be visible to other myTuur users depending on your settings. You can determine yourself whether you want to be found by other users. We collect this data in order to provide you with the corresponding functions of our website, Art. 6(1)(b) GDPR.

 

When you log in to myTuur, we store your IP address in order to detect and prevent possible attacks and mass abusive registrations with myTuur (for example so-called brute force attacks) by temporarily blocking access from this IP address where necessary. The processing is carried out to ensure the security of processing pursuant to Art. 32 GDPR and on the basis of our legitimate interest in protecting ourselves against abusive use of our service (Art. 6(1)(f) GDPR). The data is stored for a maximum of 90 days. The IP address is then anonymised.

 

Enquiries

 

Support enquiries via our support centre (Gleap)

 

If you contact us via our support centre, we process:

 

·       your email address,

·       time and date of your enquiry,

·       topic, subject and content of your enquiry, and

·       the information contained in any attachments you may upload,

 

in order to receive and process your enquiry.

To process your enquiries via our support centre, we use the customer service platform of Gleap GmbH: https://www.gleap.io/legal/imprint

 

Your personal data is processed within the EU.

Further information is available at: https://www.gleap.io/legal/privacy-policy

Enquiries via our contact details

If you send us enquiries by email or by other means (for example by post), your information will be processed in order to handle the enquiry. This includes:

 

·       your name,

·       time and date of your enquiry and any further information that you provide to us in your enquiry

 

and, depending on the contact method you choose or the contact details you provide:

 

·       your email address and/or

·       your postal address.

 

Purpose and Legal Basis of Processing

 

The legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR) in fast communication in order to conduct the exchange you have requested and to handle your enquiry appropriately. For enquiries relating to an existing or future contractual relationship with us, processing is carried out for the initiation and performance of the respective contractual relationship, Art. 6(1)(b) GDPR. We also have a legitimate interest in the efficient management of our customer relationships, Art. 6(1)(f) GDPR.

 

Retention Period

 

We store enquiries relating to contracts or of potential legal relevance for the general limitation period, i.e. three years from the end of the year in which we received your enquiries. All other enquiries are stored for a period of 24 months. Your enquiries will then be deleted unless we are legally obliged to retain them for a longer period.

 

Storage is carried out on the basis of our legitimate interest in properly documenting our business operations and safeguarding our legal positions (Art. 6(1)(f) GDPR). In the case of enquiries relating to contracts, storage is carried out for the initiation and performance of the respective contractual relationship (Art. 6(1)(b) GDPR) and, where applicable, to fulfil statutory obligations (Art. 6(1)(c) GDPR).

 

Location Determination and Location-Based Functions

 

When you open our app or website, we determine your approximate location using your IP address in order to show you maps, routes, tours, spots and content near you. This processing is carried out pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing our users with a suitable and relevant product and in optimising the use of the app for our users.

 

If you activate location permission for your device in the app, we also process the precise location of your device. This processing is necessary in order to provide you with location-based functions of the app, in particular to enable radius searches, to display spots and points of interest in your vicinity, to calculate distances to spots and to provide context-based and location-based answers.

 

Depending on how you use the app, the following data in particular may be processed in connection with location-based functions:

 

·       your precise or approximate location,

·       the city or region in which you are located,

·       name, category, description and geographic position of spots or points of interest,

·       information about your distance to spots or whether you are near a specific spot.

 

Precise location data is processed only if you have granted the corresponding permission on your device. You can withdraw or restrict this permission at any time in your device settings. In this case, certain location-based functions of the app may only be available to a limited extent or may not be available at all.

 

The processing of your IP address for approximate location determination takes place exclusively on servers in the EU. If you ask location-based questions to the AI assistant or use location-based AI functions, the location and spot information required to answer your request may also be transmitted to OpenAI. Further information can be found in the sections “AI Assistant / Questions by Text and Voice”, “OpenAI / AI Assistant” and “Transfers to Third Countries”.

 

Unless otherwise stated, we store location data only for as long as this is necessary to provide the respective function, for error analysis, for app security or to prevent misuse.

 

AI Assistant / Questions by Text and Voice

 

Within the app, you can ask questions to our AI assistant by text input or by voice. The AI assistant is intended to answer your questions about the app, tours, spots, points of interest, your surroundings or other app-related content.

 

When you use the AI assistant, we process the content you enter or speak as well as the responses generated by the AI assistant. Voice inputs are processed via the OpenAI interface used by us in order to recognise and answer your spoken questions. We do not use an additional separate speech-to-text provider for this purpose.

 

Depending on how you use the function, we may add additional context to your request so that the AI assistant can provide you with an appropriate and location-based answer. This may include in particular the following information:

 

·       your text inputs and voice inputs,

·       the resulting transcripts and AI responses,

·       your precise location, insofar as this is necessary for the function you use,

·       the city or region in which you are located,

·       name, category, description and geographic position of a spot or point of interest,

·       information about your proximity to a spot or the distance to a spot.

 

The transmission of the precise location to the AI assistant may be necessary so that the app can perform radius searches, calculate distances to spots and display location-based answers to you. Location data is used only to the extent necessary for the respective request or function.

 

The chat history is stored only within the app and is not stored permanently on our servers. AI requests, voice inputs, transcripts and responses are stored by us only for as long as this is necessary to provide the function, for error analysis, for security, for misuse prevention or, where applicable, for traceability.

 

Please do not enter any information into your requests to the AI assistant that is not required to answer your question, in particular no sensitive personal data such as health data, payment data, passwords or confidential information about yourself or other persons.

 

The legal basis is Art. 6(1)(b) GDPR insofar as the processing is necessary to provide the app function used by you. Insofar as we process the data to ensure technical operation, for error analysis, to prevent misuse or to improve the function, this is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Where consent is required for the processing of your precise location data, the processing is carried out on the basis of your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw location permission at any time in the settings of your device.

 

Newsletter

 

If you register with us, we will inform you regularly, approximately once per quarter, about news regarding our services on the myTuur platform.

 

For sending the newsletter, myTuur GmbH uses the services of BREVO, formerly Sendinblue GmbH. The basis for this is a data processing agreement within the meaning of Art. 28 GDPR between myTuur GmbH as controller and BREVO, Köpenicker Str. 126, 10179 Berlin, as processor, reviewed by the data protection officer of myTuur GmbH. BREVO is a service provider with certified data protection management (certificate 0000046350) by TÜV Rheinland GmbH. The server location is in Germany.

 

The subject matter of the processing of personal data is contact information (email address) and personal information (first and last name). The scope, nature and purpose of the data processing are limited to the use of address data for sending the newsletter by email.

 

The newsletter subscription is carried out in compliance with the GDPR using a double opt-in procedure; you can unsubscribe at any time. The contact details stored for sending the newsletter (email address, first and last name) will then be deleted.

 

BREVO is obliged to document the technical and organisational measures required under Art. 32 GDPR before the collection, processing or use of personal data begins, with particular regard to the specific processing activity, and to provide this documentation upon request. The technical and organisational measures required under Art. 32 GDPR are set out in a data security concept and form part of the agreement.

 

Data that you actively provide to us, for example:

 

·       username and display name,

·       email address,

·       notification settings (push notification, email),

·       favourite sport.

 

Data that we obtain through your interactions within myTuur, for example:

 

·       device information,

·       information about your completed tours (end time),

·       usage information (start time of a session),

·       community information (number of your followers and number of users you follow).

 

With customer.io, we can also identify which of our communications work well and which do not, for example whether you save or explore a tour suggested by us as a result of our communication. This enables us to improve our messages to you accordingly.

 

The use is based on our legitimate interest in sending you only news that is relevant and of interest to you, in improving your user experience with our product and in helping you use myTuur more successfully for planning tours and explorations, Art. 6(1)(f) GDPR.

 

Embedded Third-Party Content

 

Crash Reporting

 

Google collects statistical and technical data on possible crashes of the website for us. These are not intended to contain personal data. Should personal data nevertheless be included in individual cases, we collect it on the basis of our legitimate interest in the error-free operation of our website and the ability to troubleshoot errors (Art. 6(1)(f) GDPR).

 

Performance Monitoring

 

Google stores non-personal statistics on the performance of our website for us, i.e. on speed and possible delays in processes. These details are not intended to contain personal data. Should personal data nevertheless be included in individual cases, we collect it on the basis of our legitimate interest in the error-free and needs-based operation of our website and the ability to detect and resolve errors (Art. 6(1)(f) GDPR).

 

reCAPTCHA

 

We use reCAPTCHA, a service of Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland (“Google”), which is integrated into our website. A probability value is used to determine whether access is being made by a human or by a spam bot. Google decides whether additional so-called captchas are displayed to you – small tasks that are easy for humans to solve but difficult for machines. These captchas help us prevent the automated creation of user accounts and thus spam, fraud and other misuse in our community.

 

When you access our registration and login form, reCAPTCHA collects device-related and, where applicable, personal data from you in order to determine whether you are a human user or a spam bot. This data includes information about your browsing behaviour, log data, information about your browser and your IP address. reCAPTCHA also uses cookies.

 

Your personal data is processed in the USA. There is an adequacy decision of the European Commission pursuant to Art. 45(1) GDPR for the EU-U.S. Data Privacy Framework, which serves as the basis for data transfers to certified companies and organisations in the USA. Google Cloud EMEA Limited is certified under the Data Privacy Framework.

 

Further information can be found in Google’s privacy policy.

We use reCAPTCHA on the basis of our legitimate interest in protecting ourselves, our users and our community from spam, fraud and other misuse through automatically created accounts (Art. 6(1)(f) GDPR).

 

Google Firebase

 

We use Google Firebase, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We use Google as a processor (see Art. 4 No. 8 and Art. 28 GDPR).

 

Google Firebase provides us with various services in order to offer the functionalities of our website. Specifically, we use the following services within the scope of Google Firebase.

 

Mapbox

 

In our app, we use the Mapbox API of the American software company Mapbox Inc., 740 15th Street NW, 5th Floor, District of Columbia 20005, USA. Mapbox is an online map tool (open-source mapping) that is accessed via an interface (API). By using this tool, your IP address, among other data, is forwarded to Mapbox and stored. In this privacy policy, you can learn more about the functions of the tool, why we use it and, above all, which data is stored and how you can prevent this.

 

Mapbox is an American software company that offers customised online maps for websites. With Mapbox, content can be illustrated in our app or routes can be displayed graphically, for example. The maps can be easily integrated into our website using small code snippets (JavaScript code). Among other things, Mapbox offers a mobile-friendly environment, real-time routing information and visualised data.

 

You can find Mapbox’s privacy policy here: https://www.mapbox.com/legal/privacy

 

Mixpanel

 

In our app, we use Mixpanel by Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, California 94111. Mixpanel is a software product analytics tool used to increase revenue and customer retention. Interactive reports allow data to be evaluated and visualised. Data science models can be used to predict user actions and make forecasts; notifications about changes in important KPIs can also be used to take quick measures.

 

The data processing agreement is available as a DPA on the provider’s website and supplements the main agreement. Further information on the use of personal data can be found in the privacy policy.

 

You can find Mixpanel’s privacy policy here: https://docs.mixpanel.com/docs/privacy/gdpr-compliance

 

AppsFlyer

 

We use AppsFlyer, a mobile marketing analytics platform, on our website. The service provider is the American company AppsFlyer, 100 First Plaza, 100 1st St, San Francisco, USA.

 

AppsFlyer also processes your data in the USA, among other places. We point out that, according to the Court of Justice of the European Union, there may be risks for the lawfulness and security of data processing when data is transferred to the USA, unless suitable safeguards are in place.

 

As the basis for data processing by recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, in particular the USA) or for transfer to such countries, AppsFlyer uses so-called standard contractual clauses (= Art. 46(2) and (3) GDPR). Standard contractual clauses are model templates provided by the European Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries such as the USA. Through these clauses, AppsFlyer undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en

 

The AppsFlyer Data Processing Addendum, which corresponds to the standard contractual clauses, can be found at: https://www.appsflyer.com/gdpr/dpa.pdf

 

You can find out more about the data processed through the use of AppsFlyer in the privacy policy at: https://www.appsflyer.com/legal/privacy-policy/

 

AWS

 

We operate our app and website on servers of our web host Amazon Web Services EMEA Sàrl, 38 avenue John F. Kennedy, L-1855 Luxembourg, which processes personal data on our behalf. Processing takes place only within the European Union.

 

OpenAI / AI Assistant

 

To provide the AI assistant, we use services of OpenAI. The provider is OpenAI OpCo, LLC, USA, or the respectively contractually involved OpenAI entity. OpenAI processes the transmitted content on our behalf insofar as we use OpenAI via an interface provided for this purpose. We have concluded a data processing agreement pursuant to Art. 28 GDPR for this purpose.

 

When using the AI assistant, texts, voice inputs, transcripts, AI responses and the context information required to answer your request may be transmitted to OpenAI. Depending on how you use the function, this may also include precise location data, the city or region in which you are located, names, descriptions and geographic positions of spots or points of interest, as well as information about your proximity to or distance from a spot.

 

OpenAI may process personal data in countries outside the European Union or the European Economic Area, in particular in the USA. Further information on this can be found in the section “Transfers to Third Countries”.

 

According to OpenAI, data from API platform and business offerings is not used by default to train or improve OpenAI models unless this is expressly enabled. We do not permit the use of your AI requests for training OpenAI models, unless this is expressly stated separately or you have expressly consented to it.

 

Provision of Your Data

 

You are neither legally nor contractually obliged to provide your personal data; furthermore, unless expressly stated in the sections above, the provision of your personal data is not required for the conclusion of a contract.

 

However, providing your personal data is necessary to a certain extent so that we can make the functions of our website available to you. In particular, providing your data is necessary so that:

 

·       you can use the community functions you request,

·       we can receive and process your enquiries or reports.

 

Where the provision of your data is required, we indicate this at the point of entry by marking the relevant field as mandatory. The provision of additional data is voluntary. For required data, failure to provide this data means that we cannot provide you with the corresponding functions of our website and cannot receive and process your enquiries or reports.

 

In other cases, failure to provide the data may mean that we cannot provide the corresponding functions or cannot provide them to the usual extent, or that we can only process your enquiries and reports to a limited extent.

 

Disclosure of Your Data

 

Your data will only be disclosed beyond the scope described in this privacy policy to the following extent:

 

·       If it is necessary to investigate unlawful use of our website and services or for legal enforcement, personal data will be disclosed to external advisers (for example lawyers), law enforcement authorities and, where applicable, injured third parties. This will only take place if there are specific indications of unlawful or abusive behaviour. Disclosure may also take place if this serves the establishment, exercise or defence of legal claims. We are also legally obliged to provide information to certain public authorities upon request. These include law enforcement authorities, authorities prosecuting administrative offences subject to fines, and tax authorities.

·       In addition, your personal data may also be disclosed if we are otherwise exposed to claims by third parties that may include a request for information about your data.

·       The disclosure of this data is carried out on the basis of our legitimate interest in combating misuse, prosecuting criminal offences and establishing, exercising or defending legal claims, Art. 6(1)(f) GDPR, or on the basis of a legal obligation pursuant to Art. 6(1)(c) GDPR.

·       For the provision of our services, we rely on contractually affiliated third-party companies and external service providers, so-called processors (see Art. 4 No. 8 and Art. 28 GDPR). In such cases, personal data is disclosed to these processors to enable them to carry out further processing. These processors process personal data on our behalf and are strictly bound by our instructions.

·       In addition to the processors already mentioned in this privacy policy, we also use the following categories of processors: IT service providers, cloud service providers and software service providers.

·       Within the scope of administrative processes, the organisation of our business, financial accounting and compliance with legal obligations, such as archiving, we disclose or transmit your data to the tax authorities, advisers such as tax consultants or auditors, and other fee offices and payment service providers.

·       The disclosure of this data is carried out on the basis of our legitimate interest in maintaining our business activities, performing our tasks and establishing, exercising or defending legal claims, Art. 6(1)(f) GDPR, or on the basis of a legal obligation pursuant to Art. 6(1)(c) GDPR.

·       As part of the further development of our business, the structure of our company may change through a change of legal form, formation, acquisition or sale of subsidiaries, parts of companies or components. In such transactions, user information is shared with the part of the company to be transferred. In each disclosure of personal data to third parties within the scope described above, we ensure that this is carried out in accordance with this privacy policy and the applicable data protection laws.

·       The disclosure of personal data is justified by our legitimate interest in adapting our corporate form to economic and legal circumstances, Art. 6(1)(f) GDPR.

 

Transfers to Third Countries

 

We also process data in countries outside the European Economic Area (“EEA”), in so-called third countries, or transfer data to recipients in these third countries.

 

Insofar as your personal data is transferred to recipients outside the European Economic Area beyond the cases described in this privacy policy, we transfer your data to third countries for which an adequacy decision of the European Commission pursuant to Art. 45(1) GDPR exists.

 

Where no such adequacy decision exists, we use the standard contractual clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR when structuring contractual relationships with recipients in third countries. You can request a copy of these standard contractual clauses and information on the supplementary measures we have taken to ensure an adequate level of data protection using the contact details provided above.

 

This also applies in particular to the use of OpenAI services for our AI assistant. In this context, personal data, including your inputs, voice inputs, transcripts, location data and context information relating to spots or points of interest, may be transmitted to OpenAI or to sub-processors of OpenAI outside the European Union or the European Economic Area. Such transfers are based, where applicable, on an adequacy decision, in particular the EU-U.S. Data Privacy Framework, or on standard contractual clauses pursuant to Art. 46 GDPR and supplementary safeguards.

 

Automated Individual Decisions or Profiling

 

We do not use the AI assistant to make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. The AI assistant is used to answer your questions and to provide app-related and location-based information.

 

Deletion of Your Data

 

Unless otherwise stated, we delete or anonymise your personal data as soon as it is no longer required for the purposes for which we collected or used it in accordance with the preceding sections. As a rule, we store your personal data for the duration of the usage or contractual relationship via the website plus a period of 30 days during which we retain backup copies after deletion.

 

If you delete your user account, your profile will be completely and permanently deleted. However, we retain backup copies of your data for a period of 30 days before these are also permanently deleted, unless this data is required for a longer period for legal reasons, for criminal prosecution or to safeguard, assert or enforce legal claims.

 

We Also Continue to Retain Your Data

 

·       if we are legally obliged to do so, Art. 6(1)(c) GDPR. Where we are legally obliged to retain data, we store your data for the legally prescribed period. Legal requirements for storage may arise in particular from the retention periods under the German Commercial Code (HGB) or the German Fiscal Code (AO). The retention period under these provisions is generally between 6 and 10 years from the end of the year in which the relevant matter was completed, for example when we have finally processed your enquiry.

·       if the data is required for a longer period for criminal prosecution or for the establishment, exercise or defence of legal claims. This is also our legitimate interest, Art. 6(1)(f) GDPR. Storage then takes place until the corresponding process has been completed plus the statutory limitation period.

 

Where data must be retained for legal reasons, processing is restricted. The data is then no longer available for further use.

 

Your Rights as a Data Subject

 

With regard to the processing of your personal data, you have the rights described below. To exercise your rights, you can submit a request by post or by email to the address provided above.

 

Right of Access

 

You have the right to obtain from us, at any time upon request, information about the personal data concerning you that we process, to the extent and under the conditions of Art. 15 GDPR and Section 34 of the German Federal Data Protection Act (BDSG).

 

Right to Rectification of Incorrect Data

 

You have the right to request that we immediately rectify personal data concerning you if it is incorrect.

 

Right to Erasure

 

You have the right, under the conditions described in Art. 17 GDPR and Section 35 BDSG, to request that we erase personal data concerning you. These conditions provide for a right to erasure in particular where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject. With regard to the retention period, please also see the section “Deletion of Your Data” in this privacy policy.

 

Right to Restriction of Processing

 

You have the right to request that we restrict processing in accordance with Art. 18 GDPR.

 

Right to Data Portability

 

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR, or to have it transmitted to another controller.

 

Right to Object

 

You have the right, on grounds relating to your particular situation, to object at any time pursuant to Art. 21 GDPR to the processing of personal data concerning you which is based, among other things, on Art. 6(1)(e) or (f) GDPR. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims.

 

Where we process personal data concerning you for direct marketing purposes, including profiling, you have the right to object to this processing. After your objection, we will stop the processing.

 

Unless otherwise stated in this privacy policy, please contact the contact addresses provided above to exercise the aforementioned right.

 

Right to Lodge a Complaint

 

You have the right to lodge a complaint with a supervisory authority of your choice.

 

Data Processing When Exercising Your Rights

 

Finally, we point out that we process the personal data transmitted by you when exercising your rights pursuant to Art. 7(3) sentence 1 GDPR and Art. 15 to 22 GDPR for the purpose of implementing these rights and in order to be able to provide evidence thereof, and, where applicable, to defend legal positions. The processing of your data for the fulfilment of your data subject rights is based on Art. 6(1)(c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34(2) BDSG. Insofar as we process personal data for the purpose of legal defence, this is also our legitimate interest, Art. 6(1)(f) GDPR.

 

For the sake of completeness, we point out that your personal data in connection with your request to exercise your rights will be stored to fulfil the statutory documentation obligations under the GDPR, in particular to prove that your request was answered in due time, for the duration of the regular limitation period of three years, beginning at the end of the year in which your request was finally processed by us.

 

The legal basis for storage is Art. 6(1)(f) GDPR. It is our legitimate interest to provide and document the above-mentioned proof.

 

This personal data will be blocked and will not be processed for other purposes unless the processing is necessary for the establishment, exercise or defence of legal claims. This is then also our legitimate interest, Art. 6(1)(f) GDPR.

 

You are neither contractually nor legally obliged to provide your personal data. However, we may refuse to fulfil your request to exercise your data subject rights pursuant to Art. 12(2) sentence 2 GDPR if you do not provide us, where necessary upon request, with the data required for your clear identification.

 

Changes to This Privacy Policy

 

The current version of this privacy policy is available in the app.

Version: 2026-05-06