A. Data protection information and general notes on data protection
1. information on the processing of personal data and responsibilities
HEAG mobilo GmbH appreciates your interest in our HeinerLiner mobility service and the HeinerLiner app ("App"). We ("HEAG mobilo" or "we") take the protection of your personal data seriously and want you to feel safe and comfortable when using the HeinerLiner.
We use your information in compliance with the relevant data protection law. In the following, we would like to inform you about which data is collected by us within the scope of the app and the website and the respective services obtained via them, for what purpose and how it is processed by us and when it is deleted by us.
2. responsible person pursuant to Article 4 No. 7 EU General Data Protection Regulation (DSGVO)
The person responsible pursuant to Article 4 No. 7 of the EU General Data Protection Regulation (DSGVO) is exclusively HEAG mobilo GmbH, represented by the management, Klappacher Straße 172, 64285 Darmstadt, firstname.lastname@example.org.
3. company data protection officer:
CTM-COM GmbH, Marienburgstraße 27, 64297 Darmstadt, www.ctm-com.de, email@example.com or telephone 06151 - 3942-72.
The contents of the website and the app were created with the greatest possible care. HEAG mobilo reserves the right to make changes or additions to the information or data provided at any time and without notice.
The website or the app may contain references ("hyperlinks") to websites of other providers. These pages are subject exclusively to the liability of the respective operators. The linked internet offers and their contents are not continuously monitored by HEAG mobilo. We have no influence whatsoever on the content of these websites. If we become aware of any infringements of the law, we will remove the links concerned without delay.
The contents of the website and the app are subject to copyright, trademark and competition law protection rights. Reproduction, dissemination, making available for retrieval or online access (transfer to other websites or apps) of the layout or content (texts, logos) in whole or in part, in modified or unmodified form is only permitted with the prior written consent of HEAG mobilo. Only non-commercial private use is permitted within the limits of copyright law.
4. data subject rights
You have the following rights in relation to personal data relating to you:
- Right of access (Article 15 GDPR),
- Right of rectification (Article 16 GDPR) or erasure (Article 17 GDPR),
- Right to restriction of processing (Article 18 GDPR),
- Right to object to processing,
- Right to data portability.
You also have the right to complain to a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is
The Hessian Commissioner for Data Protection and Freedom of Information
represented by Prof. Dr Alexander Roßnagel
Phone: 0611-1408 0
5. revocation of consent
If the data processing is based on your consent, this consent can be revoked at any time with effect for the future.
You will not incur any costs for the revocation. Your revocation does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation. Further processing of this data on the basis of another legal basis also remains unaffected.
6. right to object to data processing for the exercise of legitimate interests
In the case of processing of personal data for the purpose of legitimate interests (Article 6(1) sentence 1 lit. f DS-GVO), you may object to the processing of personal data relating to you at any time with effect for the future.
In the event of an objection, we shall refrain from any further processing of your data for the aforementioned purposes, unless there are compelling legitimate grounds for processing which override your interests, rights and freedoms, or processing is necessary for the assertion, exercise or defence of legal claims.
To exercise the rights set out in sections 4 - 6, you are welcome to contact us at any time by post (HEAG mobilo GmbH, Data Protection, Klappacher Str. 172, 64285 Darmstadt) or by e-mail at firstname.lastname@example.org.
7. reservation of right of modification
B. Data protection information and special instructions for using the app
1. general information on data processing
We only process users' personal data insofar as this is necessary to ensure the functionality of the app.
Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses. However, data such as the number of users of our services is not personal data.
2. recipients of personal data (external service providers)
We only transfer your personal data to third parties within the scope of the applicable provisions of the DSGVO.
The following companies are contractors who support us and only act within the framework of our instructions and a commissioned data processing agreement (AVV) concluded with us:
- Clever Shuttle Südwest GmbH, Bad Nauheimer Str. 4, 64289 Darmstadt ("CleverShuttle") as operator of the HeinerLiner
- ioki GmbH, An der Welle 3, 60322 Frankfurt am Main ("ioki") as technical service provider for the programming and operation of the App
- LogPay Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn as service provider for payment processing ("LogPay")
Your personal data will only be transferred to public authorities if the information is requested on the basis of a legal request for information.
3. download the app
When the app is downloaded, the necessary information is transferred to the app store (Google Play Store or Apple App Store), i.e. in particular the user name, email address and customer number of your account, the time of the download and the individual device identification number. We have no influence on this data collection and are not responsible for it.
4. start the app
If you use the app on your smartphone, your end device establishes a connection with the servers of our external service provider ioki. The operating system and the version used are transmitted and processed. The transmission and processing is carried out to improve the app and for troubleshooting on the basis of Article 6 paragraph 1 sentence 1 lit. f DSGVO.
Registration requires the deposit of the following personal data:
- the user name (first name and surname; the real name must be chosen, not a pseudonym)
- a mobile phone number,
- a valid e-mail address,
- If applicable, credit card details, PayPal account details and/or further details on desired payment methods (see point 9 Billing below).
6. location data
a) When booking and carrying out the journey, the app collects the following data at the time of booking:
- At the time of booking, start location (address), if you have activated your GPS location services.
- Pick-up location (address of the virtual stop)
- Destination (address of the virtual stop)
- Information about your end device (operating system)
- Payment method
- Number of seats required
- any discounts granted and the facts on which they are based
- Details of local transport ticket, if applicable
- If applicable, please state whether you are a wheelchair user.
b) We collect the following data during or at the end of the journey:
- Journey time in minutes
- kilometres travelled
The legal basis for the processing of your GPS location data is Article 6(1) sentence 1 lit. a DSGVO, the other data is collected for the purpose of processing the contract on the basis of Article 6(1) sentence 1 lit. b DSGVO.
As long as authorisation was granted when the app was installed and not deactivated again, location data is collected and used to find and display transport options in the vicinity. Your position is not stored temporarily and is only used to find possible pick-up locations in the vicinity.
7. use of Google Maps, Firebase, receipt of push messages
a) The App uses the Google Maps API application operated by Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland ("Google"). Google Maps is used to display a map to you in the App. This interactively shows you the distance to the vehicle carrying out your journey. If you have consented to the use of your GPS location data, this will be processed on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
b) Our app uses Firebase, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), is used in our app. With the help of this tool, information is transmitted to us anonymously in the event of an app crash in order to trace the cause of the respective crash and to be able to remedy it more quickly. In this way, existing errors are analysed and identified and the quality of the app is ensured. The transmitted data is purely technical and has no personal context.
c) When installing the app or using it for the first time, you will be asked whether you want to receive push notifications. If this is the case, you must explicitly agree to receive push notifications.
We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. In the process, Firebase and Apple generate a calculated key that is made up of the app's identifier and its device identifier. This key is stored on our push platform with the settings you have selected in order to make the content available to you according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve solely as transmitters.
If you agree to this, your data will be processed on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
d) We use the programme "Airship" from the provider Airship Group (1225 West Burnside, Suite 401, Portland OR 97209). The programme enables us to communicate via push message with the users of our HeinerLiner app. "Airship" uses various technologies for the purpose of analysing user behaviour. In the process, information such as the duration of use of the app, the version number, the end device used, the time zone and other technical parameters are collected for the purpose of statistical analysis and measuring the reach of our advertising measures. As you have consented to receive push messages, the legal basis for the processing of the personal data collected in this context is Article 6(1) sentence 1 lit. a) DSGVO. Further information on data protection at "Airship" can be found at: https://www.airship.com/legal/privacy/.
8. driving history
In your customer account, you have the option of displaying your data on booked journeys (route, boarding time and place, route guidance, vehicle, exit, booking code, price) under "Account".
We will pass on your personal data (first and last name, date of birth, address, e-mail address, bank account details, credit card details, telephone number if applicable and data on your respective purchases) and any changes to LogPay for the purpose of selling and assigning our claims against you arising in connection with your ticket purchase.
The data processing is based on Article 6 (1) sentence 1 lit. f DSGVO.
The legitimate interest on our side is the outsourcing of payment processing and receivables management.
The legitimate interest on the part of LogPay consists in the processing of the data for the purpose of processing payments, for receivables management, the evaluation of the admissibility of payment methods and the prevention of payment defaults.
You can object to the transmission of this data to LogPay at any time, however, you can then only settle payments due using credit that you have previously topped up at our customer centre.
The data protection information of LogPay can be found under https://documents.logpay.de/de/datenschutzinformationen.pdf retrieve.
In addition, we process your personal data which we receive from LogPay Financial Services GmbH (information on the decision whether or not to acquire the claim).
If you pay in our app with PayPal (PayPal (Europe) Sàrl et Cie, S.C.A. Boulevard Royal L-2449 Luxembourg), PayPal receives your payment data for payment processing. It is possible that PayPal will carry out a credit check. You can find information on this under https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de%20DE#rAnnex.
11. customer contact form / feedback / statutory retention obligations
For questions or cancellations, you can contact us electronically via our contact form in our app. If you use this option, you will transmit the following data to us:
- Mail address (to contact you)
- First and last name (for abuse prevention purposes and to verify you as our customer)
- In addition to the data that you voluntarily provide to us, we store the time (date and time) of the transmission of your data to us as well as your IP address.
The processing of this data corresponds to our legitimate interest under Article 6 (1) sentence 1 lit. f DSGVO in order to ensure the security of our systems and to counteract misuse.
This data, which we additionally collect during your contact, is deleted as soon as it is no longer required, at the latest when the matter of your contact has been comprehensively clarified. Your data will not be used for any other purpose.
If your contact is aimed at purchasing a ticket via the app, this is also done on the basis of Article 6 (1) sentence 1 lit. b DSGVO. This data is then stored for as long as it is required for the execution of the contract.
In addition, we store your data in order to comply with our legal obligations (e.g. tax or commercial law obligations) on the basis of Article 6 (1) sentence 1 lit. c DSGVO).
C. Data protection information and special notes on the use of the website www.heinerliner.de
In the following we inform about the collection of personal data when using our website www.heinerliner.de. Personal data is all data that can be related to you personally (e.g. name, address, e-mail addresses or user behaviour).
1. contact form, commissioned service providers
When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.
The processing of this data corresponds to our legitimate interest under Article 6 (1) sentence 1 lit. f DSGVO in order to ensure the security of our systems and to counteract misuse. If your contact aims to purchase a ticket, this is additionally done on the basis of Article 6 (1) sentence 1 lit. b DSGVO. This data is then stored for as long as it is required for the execution of the contract.
2. collection of personal data when visiting the website
a) When you use the website for information purposes only, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access Status/HTTP Status Code
- Data volume transferred in each case
- Website from which the request comes
- Browser, language and its version
- Operating system and screen resolution
b) In addition to the aforementioned data, cookies may be stored on your computer when you use our website if you consent to this. Cookies are small text files that are stored on your hard drive in relation to the browser you are using and which provide the party setting the cookie (in this case, us) with certain information. They are used to improve our website and make it more user-friendly.
aa) This website uses the following types of cookies, the scope and functionality of which are explained below:
- Transient cookies (bb)
- Persistent cookies (see cc).
bb) Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This enables your computer to be recognised when you return to our website. The session cookies are deleted when you close the browser.
cc) Persistent cookies are automatically deleted after a predefined period of time, which may differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.
d) The data processing referred to in this section is carried out exclusively on the basis of Article 6 (1) sentence 1 lit. a DSGVO.
3. further functions and offers of our website
a) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. For this purpose, you usually have to provide further personal data which we use to provide the respective service and for which the aforementioned data processing principles apply.
b) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
c) Furthermore, we may pass on your personal data to third parties if we offer promotions, competitions, contracts or similar services together with partners. You will find more information on this in the description of the respective offer.
d) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offer.
4. use of social media
a) We market the HeinerLiner offer on the social media platforms Facebook, Instagram and Twitter. We also use the video platform YouTube. However, we do not use social media plug-ins for this. Instead, our respective pages can be reached via a simple link. You can recognise the provider by their initial letters or the respective company logo.
b) The legal basis for the use of the social media platforms is Article 6 (1) sentence 1 lit. f DS-GVO.
c) If you use the pages of the social media providers, then we have no influence on the data collected and data processing procedures, nor are we aware of the full extent of the data collection, the purposes of the processing or the storage periods. We also have no information on the deletion of the collected data.
d) Each provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective provider to exercise this right. By integrating the providers, we offer you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user.
e) The use of data by the providers is independent of whether you have an account with the respective provider and are logged in there. If you are logged in to the provider, the data we collect is directly assigned to your account with the provider. We recommend that you log out regularly after using a social network, as this allows you to avoid being assigned to your profile with the provider.
f) For further information on the purpose and scope of data collection and processing by the plug-in provider, please refer to the data protection declarations of these providers provided below. There you will also receive further information on your rights in this regard and setting options for protecting your privacy.
5. addresses of the social networks and links to their data protection notices
D. Dashcam recordings
Dashcams are installed in the HeinerLiner vehicles. However, the responsible body is not HEAG mobilo, but CleverShuttle Südwest GmbH, Bad Nauheimer Str. 4, 64289 Darmstadt. You can obtain further information on this at www.clevershuttle.de/dashcam.
E. Data protection information as part of the HeinerLiner survey
The legal basis for the processing of your personal data as part of the HeinerLiner survey is Article 6 (1) sentence 1 lit. a DSGVO (consent). The survey is intended to make the current use and mobility behaviour of HeinerLiner users transparent and to identify potential for improvement in the future. To this end, non-users are also surveyed.
The following pseudonymised data is collected and processed:
-> Regular use of public transport
-> Mobility restrictions
-> Age range
-> Postcode Place of residence
-> current activity
-> Highest level of education
-> Net disposable income
Recipients or categories of recipients of the data:
Within our company, those departments that evaluate the survey to improve our HeinerLiner and derive measures from it will receive access to your data. Processors used by us (Art. 28 DSGVO) may also receive data for these purposes. These processors are the Darmstadt University of Applied Sciences (Department of Civil and Environmental Engineering) and companies in the IT services and telecommunications categories.
The data collected about you pseudonymously will be deleted after completion and evaluation of the survey. This is expected to be at the end of 2024.
Please refer to Section A No. 4 and No. 5 (Withdrawal of consent given) of this data protection information for your rights. In order to exercise your rights, it is sufficient to send a letter to the above-mentioned data controller.