Privacy policy and general information on data protection for the app of the "HeinerLiner" on-demand service, for the website www.heinerliner.de and for satisfaction surveys of users and non-users of the HeinerLiner.
A. Data protection information and general notes on data protection
1. information on the processing of personal data and responsibilities
HEAG mobilo GmbH appreciates your interest in our HeinerLiner mobility service and the HeinerLiner app ("App"). We ("HEAG mobilo" or "we") take the protection of your personal data seriously and want you to feel safe and comfortable when using the HeinerLiner.
We use your information in compliance with the relevant data protection law. In the following, we would like to inform you about which data is collected by us within the scope of the app and the website and the respective services obtained via them, for what purpose and how it is processed by us and when it is deleted by us.
2. responsible person pursuant to Article 4 No. 7 EU General Data Protection Regulation (DSGVO)
The person responsible pursuant to Article 4 No. 7 of the EU General Data Protection Regulation (DSGVO) is exclusively HEAG mobilo GmbH, represented by the management, Klappacher Straße 172, 64285 Darmstadt, info@heagmobilo.de.
3. company data protection officer:
CTM-COM GmbH, Marienburgstraße 27, 64297 Darmstadt, www.ctm-com.de, datenschutz@ctm-com.de or telephone 06151 - 3942-72.
The contents of the website and the app were created with the greatest possible care. HEAG mobilo reserves the right to make changes or additions to the information or data provided at any time and without notice.
The website or the app may contain references ("hyperlinks") to websites of other providers. These pages are subject exclusively to the liability of the respective operators. The linked internet offers and their contents are not continuously monitored by HEAG mobilo. We have no influence whatsoever on the content of these websites. If we become aware of any infringements of the law, we will remove the links concerned without delay.
The contents of the website and the app are subject to copyright, trademark and competition law. Reproduction, distribution, making available for retrieval or online access (transfer to other websites or apps) of the layout or content (texts, logos) in whole or in part, in modified or unmodified form, is only permitted with the prior written consent of HEAG mobilo. Unless otherwise agreed, only non-commercial private use is permitted within the limits of copyright law.
4. data subject rights
You have the following rights in relation to personal data relating to you:
- Right of access (Article 15 GDPR),
- Right of rectification (Article 16 GDPR) or erasure (Article 17 GDPR),
- Right to restriction of processing (Article 18 GDPR),
- Right to object to processing,
- Right to data portability.
You also have the right to complain to a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is
The Hessian Commissioner for Data Protection and Freedom of Information
represented by Prof. Dr Alexander Roßnagel
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Phone: 0611-1408 0
poststelle@datenschutz.hessen.de
5. revocation of consent
If the data processing is based on your consent, this consent can be revoked at any time with effect for the future.
You will not incur any costs for the revocation. Your revocation does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation. Further processing of this data on the basis of another legal basis also remains unaffected.
6. right to object to data processing for the exercise of legitimate interests
In the case of processing of personal data for the purpose of legitimate interests (Article 6(1) sentence 1 lit. f DS-GVO), you may object to the processing of personal data relating to you at any time with effect for the future.
In the event of an objection, we shall refrain from any further processing of your data for the aforementioned purposes, unless there are compelling legitimate grounds for processing which override your interests, rights and freedoms, or processing is necessary for the assertion, exercise or defence of legal claims.
To exercise the rights mentioned in sections 4 - 6, you can contact us at any time by post (HEAG mobilo GmbH, Datenschutz, Klappacher Str. 172, 64285 Darmstadt) or by e-mail to datenschutz@heagmobilo.de contact.
7. reservation of right of modification
We reserve the right to change this privacy policy from time to time. We will update the status of the most recent change at the beginning of the provision accordingly. Where required by law, we will notify you of any changes. However, we encourage you to review this policy for changes when you use the HeinerLiner.
B. Data protection information and special instructions for using the app
1. general information on data processing
We only process users' personal data insofar as this is necessary to ensure the functionality of the app.
Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses. However, data such as the number of users of our services is not personal data.
2. recipients of personal data (external service providers)
We only transfer your personal data to third parties within the scope of the applicable provisions of the DSGVO.
The following companies are contractors who support us and only act within the framework of our instructions and a commissioned data processing agreement (AVV) concluded with us:
- Via Mobility DE GmbH, Rosa-Luxemburg-Str. 14, 10178 Berlin ("Via") as operator of the HeinerLiner and technical service provider for the programming and operation of the App
- LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn ("LogPay") as service provider for the processing of payments
Your personal data will only be transferred to public authorities if the information is requested on the basis of a legal request for information.
3. download the app
When the app is downloaded, the necessary information is transferred to the app store (Google Play Store or Apple App Store), i.e. in particular the user name, email address and customer number of your account, the time of the download and the individual device identification number. We have no influence on this data collection and are not responsible for it.
4. start the app
If you use the app on your smartphone, your device establishes a connection with the servers of our external service provider Via. A time stamp, the language set on your smartphone and the exact localisation (if permitted by you) are transmitted and processed. The transmission and processing takes place on the one hand to prepare the conclusion of a contract in accordance with Article 6 paragraph 1 sentence 1 lit. b GDPR and on the other hand to improve the app and to correct errors on the basis of Article 6 paragraph 1 sentence 1 lit. f GDPR.
5. registration
Registration requires the deposit of the following personal data:
- the user name (first name and surname; the real name must be chosen, not a pseudonym)
- a mobile phone number,
- a valid e-mail address,
- a time stamp,
- Status message for receiving push notifications,
- Type, operating system and set language of your smartphone,
- Credit card details, details of the PayPal account and/or further details of the desired payment method (see point 9 Billing below).
6. location data
a) When booking and carrying out the journey, the app collects the following data at the time of booking:
- Timestamp,
- at the time of booking Start location (GPS position), if you have activated your GPS location services,
- Pick-up location (address of the virtual stop),
- Destination (address of the virtual stop),
- Information about your end device (set language),
- Information about the payment method,
- Number of seats required and luggage, if applicable,
- discounts granted and the facts on which they are based,
- Details of the local transport ticket,
- Information on whether you need an accessible vehicle,
- Photos for booking (uploaded like this).
b) We collect the following data during or at the end of the journey:
- the user name (first name and surname),
- Ride ID,
- Timestamp,
- Data on the journey made (status, start and destination, journey duration, number of passengers, costs),
- Information about your end device (set language),
- Information on submitted ratings (stars and comments).
The legal basis for the processing of your GPS location data is Article 6(1) sentence 1 lit. a DSGVO, the other data is collected for the purpose of processing the contract on the basis of Article 6(1) sentence 1 lit. b DSGVO.
As long as authorisation was granted when the app was installed and not deactivated again, location data is collected and used to find and display transport options in the vicinity. Your position is not stored temporarily and is only used to find possible pick-up locations in the vicinity.
7. use of Google Maps, Firebase, receipt of push messages
a) The App uses the Google Maps API application operated by Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland ("Google"). Google Maps is used to display a map to you in the App. This interactively shows you the distance to the vehicle carrying out your journey. If you have consented to the use of your GPS location data, this will be processed on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
For more information, please see the Google Maps Terms of Service at https://www.google.com/help/terms_maps.html. You can find Google's privacy policy at https://policies.google.com/privacy?hl=de.
b) Our app uses Firebase, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), is used in our app. With the help of this tool, information is transmitted to us anonymously in the event of an app crash in order to trace the cause of the respective crash and to be able to remedy it more quickly. In this way, existing errors are analysed and identified and the quality of the app is ensured. The transmitted data is purely technical and has no personal context.
You can find more information on Google Firebase and data protection at https://policies.google.com/privacy and https://firebase.google.com/support/privacy.
c) When installing the app or using it for the first time, you will be asked whether you want to receive push notifications. If this is the case, you must explicitly agree to receive push notifications.
We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. In the process, Firebase and Apple generate a calculated key that is made up of the app's identifier and its device identifier. This key is stored on our push platform with the settings you have selected in order to make the content available to you according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve solely as transmitters.
If you agree to this, your data will be processed on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
d) If you have consented to receiving push notifications, we use the Leanplum platform for customer communication in the app (e.g. notifications, promotions). The legal basis is your consent in accordance with Article 6 (1) sentence 1 lit. a) GDPR. Further information on data protection at Leanplum can be found at https://www.leanplum.com/privacy/.
8. driving history
In your customer account you have the option of displaying your data on booked journeys (boarding date, time and place, number of passengers, name of driver, journey costs) under "History".
9. settlement
We will pass on your personal data (first and last name, date of birth, address, e-mail address, bank account details, credit card details, telephone number if applicable and data on your respective purchases) and any changes to LogPay for the purpose of selling and assigning our claims against you arising in connection with your ticket purchase.
The data processing is based on Article 6 (1) sentence 1 lit. f DSGVO.
The legitimate interest on our side is the outsourcing of payment processing and receivables management.
The legitimate interest on the part of LogPay consists in the processing of the data for the purpose of processing payments, for receivables management, the evaluation of the admissibility of payment methods and the prevention of payment defaults.
You can object to the transfer of this data to LogPay at any time, but you will then only be able to settle payments due using credit that you have previously topped up in our customer centre.
The data protection information of LogPay can be found under https://documents.logpay.de/de/datenschutzinformationen.pdf retrieve.
In addition, we process your personal data which we receive from LogPay Financial Services GmbH (information on the decision whether or not to acquire the claim).
10. PayPal
If you pay in our app with PayPal (PayPal (Europe) Sàrl et Cie, S.C.A. Boulevard Royal L-2449 Luxembourg), PayPal receives your payment data for payment processing. It is possible that PayPal will carry out a credit check. You can find information on this under https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de%20DE#rAnnex.
11. customer contact form / feedback / statutory retention obligations
For questions or cancellations, you can contact us electronically via our contact form in our app. If you use this option, you will transmit the following data to us:
- Mail address (to contact you)
- First and last name (for abuse prevention purposes and to verify you as our customer)
- In addition to the data that you voluntarily provide to us, we store the time (date and time) of the transmission of your data to us as well as your IP address.
The processing of this data corresponds to our legitimate interest under Article 6 (1) sentence 1 lit. f DSGVO in order to ensure the security of our systems and to counteract misuse.
This data, which we additionally collect during your contact, is deleted as soon as it is no longer required, at the latest when the matter of your contact has been comprehensively clarified. Your data will not be used for any other purpose.
If your contact is aimed at purchasing a ticket via the app, this is also done on the basis of Article 6 (1) sentence 1 lit. b DSGVO. This data is then stored for as long as it is required for the execution of the contract.
In addition, we store your data in order to comply with our legal obligations (e.g. tax or commercial law obligations) on the basis of Article 6 (1) sentence 1 lit. c DSGVO).
C. Data protection information and special notes on the use of the website www.heinerliner.de
In the following, we provide information about the collection of personal data when using our website www.heinerliner.de. Personal data is all data that can be related to you personally (e.g. name, address, email addresses or user behaviour).
1. contact form, commissioned service providers
When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.
On the one hand, this data is processed on the basis of your consent pursuant to Article 6(1) sentence 1(a) GDPR; on the other hand, it corresponds to our legitimate interest pursuant to Article 6(1) sentence 1(f) GDPR in order to ensure the security of our systems and counteract misuse. If your contact is aimed at purchasing a ticket, this is also done on the basis of Article 6 paragraph 1 sentence 1 lit. b GDPR. This data is then stored for as long as it is required to fulfil the contract.
2. collection of personal data when visiting the website
a) When you use the website for information purposes only, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access Status/HTTP Status Code
- Data volume transferred in each case
- Website from which the request comes
- Browser, language and its version
- Operating system and screen resolution
b) In addition to the aforementioned data, cookies may be stored on your computer when you use our website if you consent to this. A cookie is a piece of information that is stored on your end device (computer, smartphone, etc.) by the browser you use and through which certain information flows to us. They are used to improve our website and make it more user-friendly.
c) Use of cookies:
aa) This website uses the following types of cookies, the scope and functionality of which are explained below:
- Transient cookies (bb)
- Persistent cookies (see cc).
bb) Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This enables your computer to be recognised when you return to our website. The session cookies are deleted when you close the browser.
cc) Persistent cookies are automatically deleted after a predefined period of time, which may differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.
d) The data processing referred to in this section is carried out exclusively on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
3. further functions and offers of our website
a) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. For this purpose, you usually have to provide further personal data which we use to provide the respective service and for which the aforementioned data processing principles apply.
b) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
c) Furthermore, we may pass on your personal data to third parties if we offer promotions, competitions, contracts or similar services together with partners. You will find more information on this in the description of the respective offer.
d) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offer.
4. use of social media
a) We market HeinerLiner's services on the social media platforms Facebook, Instagram and X (formerly Twitter). We also use the YouTube video platform. However, we do not use any social media plug-ins for this. Instead, our respective pages can be reached via a simple link. You can recognise the provider by its initial letters or the respective company logo.
b) The legal basis for the use of the social media platforms is Article 6 (1) sentence 1 lit. f DS-GVO.
c) If you use the pages of the social media providers, then we have no influence on the data collected and data processing procedures, nor are we aware of the full extent of the data collection, the purposes of the processing or the storage periods. We also have no information on the deletion of the collected data.
d) Each provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective provider to exercise this right. By integrating the providers, we offer you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user.
e) The use of data by the providers is independent of whether you have an account with the respective provider and are logged in there. If you are logged in to the provider, the data we collect is directly assigned to your account with the provider. We recommend that you log out regularly after using a social network, as this allows you to avoid being assigned to your profile with the provider.
f) For further information on the purpose and scope of data collection and processing by the plug-in provider, please refer to the data protection declarations of these providers provided below. There you will also receive further information on your rights in this regard and setting options for protecting your privacy.
5. addresses of the social networks and links to their data protection notices
a) The social network Facebook and the social network Instagram are operated by Meta Platforms Inc, 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller for the processing of personal data is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook maintains a privacy policy at https://de-de.facebook.com/about/privacy/ resp. https://de-de.facebook.com/help/instagram/155833707900388 (Instagram) ready.
b) The video platform YouTube is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google maintains a privacy policy at https://policies.google.com/privacy?hl=de ready.
c) The short message service X (formerly Twitter) is operated by Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. X maintains a privacy policy at https://twitter.com/privacy?lang=de ready.
D. Data protection information as part of the HeinerLiner survey
The legal basis for the processing of your personal data as part of the HeinerLiner survey is Article 6 (1) sentence 1 lit. a DSGVO (consent). The survey is intended to make the current use and mobility behaviour of HeinerLiner users transparent and to identify potential for improvement in the future. To this end, non-users are also surveyed.
The following pseudonymised data is collected and processed:
- Regular use of public transport
- Mobility restrictions
- Gender
- Age range
- Postcode Place of residence
- Current activity
- Highest educational qualification
- Net disposable income
Recipients or categories of recipients of the data:
Within our company, those departments that evaluate the survey to improve our HeinerLiner and derive measures from it will receive access to your data. Processors used by us (Art. 28 DSGVO) may also receive data for these purposes. These processors are the Darmstadt University of Applied Sciences (Department of Civil and Environmental Engineering) and companies in the IT services and telecommunications categories.
Data deletion
The data collected about you pseudonymously will be deleted after completion and evaluation of the survey. This is expected to be at the end of 2024.
Your rights
Please refer to Section A No. 4 and No. 5 (Withdrawal of consent given) of this data protection information for your rights. In order to exercise your rights, it is sufficient to send a letter to the above-mentioned data controller.