Data protection information for the app

The following gives a simple overview of what happens to your personal data when you use the Verkehrsverbund Region Braunschweig GmbH (VRB) app. Personal data are any data with which you can be personally identified. Detailed information on data protection can be found in the following privacy policy.

Various third parties are involved in the development, provision and support of the app, as well as all the content and features offered. If they collect, use or store your personal data, the purposes and legal bases are listed below, or additionally in the linked data protection information of the respective third party.

Privacy policy

The operator of this app takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations, as well as with this privacy policy.

When you use this app, various personal data are collected. Personal data are data that can be used to identify you personally. This privacy policy explains what data we collect and how we use them. It also explains how and for what purpose this is done.

Please note that the transfer of data over the Internet (such as when communicating by email) may involve security risks. It is not possible to provide absolute protection against access by third parties.

Note on the data controller

The controller for data processing in this app is:

Verkehrsverbund Region Braunschweig GmbH
Frankfurter Strasse 2
38122 Braunschweig

Managing Directors:

Jörg Reincke and Ralf Sygusch

Phone: +49 (0)531-2 42 62 99
Email:

The data controller is the individual or legal entity that, alone or together with others, decides on the purposes and means for the processing of personal data (such as names, email addresses and similar information).

Revocation of your consent to data processing

Many data processing procedures can only be carried out with your express consent. You can revoke an already-granted consent at any time. An informal notification by email to us is sufficient for this. The revocation does not affect the legality of data processing that occurred up to the time of revocation.

Right to object to the collection of data in special cases as well as to object to direct marketing (Art. 21 GDPR)

If the data processing is carried out on the basis of Art. 6(1e,f) GDPR, you have the right at any time to object to the processing of your personal data on grounds relating to your particular situation; this also applies to profiling based on these provisions. The respective legal basis for processing can be found in this privacy policy. If you file an objection, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (objection pursuant to Art. 21[1] GDPR).

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object, your personal data will no longer be used for direct marketing purposes (objection pursuant to Art. 21[2] GDPR).

Right to file a complaint with the competent supervisory authority

In the event of breaches of the GDPR, data subjects have the right to file a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged breach. The right of appeal exists without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process by automated means based on your consent, or to fulfil a contract, delivered to you or to a third party in a common, machine-readable format. If you request direct transfer of the data to a different controller, this will only occur to the extent technically feasible.

Encryption during data transmission

Personal data transmitted when using the functionalities of this app, if applicable, will be transmitted in encrypted form, as far as possible.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address given in the legal notice. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the check, you have the right to request the restriction of the processing of your personal data.

If the processing of your personal data was/is unlawful, instead of deletion, you can request the restriction of data processing.

If we no longer need your personal data, but you need these to exercise, defend or assert legal claims, you have the right to request the processing of your personal data to be restricted instead of being deleted.

If you have filed an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your and our interests. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data may – with the exception of their storage – only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal entity or for reasons of an important public interest of the European Union or a Member State.

Objection to advertising emails

The use of contact data published as part of the legal-notice obligation to send unsolicited advertising and information material is hereby objected to. The operators of the sites expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as by spam emails.

We have appointed a statutorily prescribed Data Protection Officer for our company.

If you have any questions about data protection, please contact our Data Protection Officer:

Data Protection Officer for the Verkehrsverbund Region Braunschweig GmbH:

Secom IT GmbH
Nienburger Strasse 9D
27232 Sulingen
email:
Phone: +49 (0)4271 9473800

Data Protection Supervisory Authority

Die Landesbeauftragte für den Datenschutz Niedersachsen [Data Protection Authority for the State of Lower Saxony]
Prinzenstrasse 5
30159 Hanover
Phone: +49 (0)511 120 45 00
Fax: +49 (0)511 120 45 99
Email:

When you download the mobile app, the required information is sent to the app store, in particular the user name, email address and customer number of your account, the time of download, payment information and the individual device ID. We have no influence on this data collection and are not responsible for it. We only process the data to the extent necessary to download the mobile app to your mobile device.

When using the mobile app, we collect the personal data described below in order to make the use of the app possible and as convenient as possible. If you wish to use our mobile app, we collect the following data, which are technically necessary for us to be able to guarantee the functions of the app as well as its stability and security. This also applies to the integration of necessary third parties who provide the electronic journey planner (EJP) or handle the hosting for this and the related systems. However, the third-party electronic journey planner systems and the hosting service providers for the EJP shall not process or store any data that would allow the identification of persons. The legal basis for this is Art. 6(1.1f) GDPR:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status / http status code
  • Data volume transferred in each case
  • Website from which the request came
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

The processing activities associated with the app are – if necessary – carried out within the framework of order processing. Verkehrsverbund Region Braunschweig GmbH is the client and HanseCom Public Transport Ticketing Solutions GmbH processes the data, e.g., in connection with registration and the user account, on behalf of VRB.

For the provision of services in the area of support – specifically telephone customer service – Verkehrsverbund Region Braunschweig GmbH has entered into an agreement on contract data processing with the service provider Omniphon GmbH, Leipzig. Omniphon GmbH has access to the service portal and thus to the personal data of the registered users stored there. This is the only way to ensure that customers who contact the hotline by telephone can be helped to change personal data that cannot be subsequently altered by the user (first name, last name, date of birth, gender).

It is also necessary to view and edit user data in order to resolve specific problems when using the integrated ticket shop in the app.

To improve user convenience, the user has the option of accessing system-side functions of the mobile device for certain functions within the app. The user must actively consent to this use and can switch it on and off at any time in the system settings. The app can also be used without access to these system-side functions, but with less scope and convenience of the available functionalities.

The following section lists the functions for which this applies:

  • Access to the GPS location, such as for information on connections/departures from the current location, improved walking-route planning, displaying of nearby stops (and departures from them), etc.
  • The GPS location can be used by this application in the background if the respective permission is granted. The GPS location may be used for navigation while walking or to identify nearby public transport stations. In particular, on devices with an Android operating system, the GPS location may be used to regularly refresh the list of nearby stations and departures within the widget of this application on the main screen of the device, when permission is granted.
  • Access to the calendar to access addresses stored for appointments and use these addresses as a starting point or destination for the connection information.
  • Tracking by Google’s Firebase service (see Article 8), so that we can evaluate the usage behaviour anonymously in order to continuously improve the app.

Use of personal data for the ticket shop

Registration is required for the creation of a user account and subsequent use of the ticket shop integrated into the app. During registration, the following user data must be provided:

  • First and last name
  • Gender (male/female/non-binary)
  • Date of birth
  • Address
  • Email address
  • Mobile number

Use of data collected during registration

Personal data are used to clearly identify the user during registration and following the purchase of digital tickets via the mobile app. The collection and use of the data described below is necessary for the execution of the contract pursuant to Art. 6(1b) GDPR or is based on consent pursuant to Art. 6(1a) GDPR.

Details of the last name, first name, date of birth and address can ensure that the person is clearly identified. This is necessary in order to be able to check the data as part of payment processing. These data are also used when setting up means of payment and thus also to ensure the payments and for possible credit checks regarding the customer by the financial service provider (cf. Article 4). In addition, it is possible for the financial services provider to contact the person in writing (by post or email) based on the data for the enforcement of claims, should this become necessary.

The first and last names of the user are displayed on the ticket as the holder in order to enable the checking of the personal ticket by comparing it with a form of identification.

The date of birth is also used to confirm the necessary minimum age for the means of payment (currently 16 years for credit card use and 18 years for SEPA direct debit). In addition, when resetting the PIN (see password), it serves as an additional security element for the identification of the user, in addition to the email address and the mobile phone number.

The mobile phone number is used to set up the individual user account and also serves to send the newly registered person the initial PIN required for the login. When the PIN is reset – if the user has forgotten it, for example – the new PIN will also be sent to the mobile phone number stored for the user.

The email address is stored in the user account and serves not only as a security element for resetting the access PIN, but also for sending the invoice or purchase confirmation after purchasing a digital ticket via the VRB mobile app.

If a user gives notice of termination of the user agreement, the personal data stored in the user database at that time will be automatically deleted twelve months after the termination.

We pass on your personal data (first and last name, date of birth, address, email address, if applicable telephone number and data on your respective purchases) and all changes to LogPay Financial Services GmbH for the purpose of the sale and assignment of our claims against you arising in connection with your purchase. This is done on the basis of Art. 6(1.1f) GDPR. The legitimate interest on our part is the outsourcing of payment processing and claims management. The legitimate interest on the part of LogPay Financial Services GmbH consists in the processing of the data for the purpose of processing payments, claims management, the assessment of the admissibility of payment methods and the avoidance of payment defaults.

The offer to conclude a purchase contract for a ticket will only be accepted if LogPay Financial Services GmbH accepts the assignment of the claim arising from the ticket sale. If LogPay Financial Services GmbH rejects the assignment of the claim, your offer to conclude a purchase contract will be rejected.

You can object to the transmission of these data to LogPay Financial Services GmbH at any time, but it will then no longer be possible for you to order via the electronic sales channel.

The data protection information for LogPay Financial Services GmbH can be found at www.logpay.de/DE/datenschutzinformationen/.

We also process your personal data that we receive from LogPay Financial Services GmbH (information on the decision on whether or not the assignment of the claim is accepted).

In the case of processing of personal data for the performance of tasks in the public interest (Art. 6[1.1e] GDPR) or for the performance of legitimate interests (Art. 6[1.1f] GDPR), you can object to the processing of personal data concerning you at any time with effect for the future. In the event of an objection, we shall refrain from any further processing of your data for the aforementioned purposes, unless

– there are compelling, legitimate grounds for processing that outweigh your interests, rights and freedoms, or

– the processing is intended for the assertion, exercise or defence of

With regard to your personal data, you have the following rights:

  • the right to information pursuant to Art. 15 GDPR,
  • the right to rectification pursuant to Art. 16 GDPR,
  • the right to deletion within the meaning of Art. 17 GDPR,
  • the right to the restriction of processing pursuant to Art. 18 GDPR,
  • the right to information pursuant to Art. 19 GDPR,
  • the right to data portability pursuant to Art. 20 GDPR,
  • the right to revocation of granted consent pursuant to Article 7(3) GDPR; and
  • the right to lodge a complaint pursuant to Art. 77 GDPR.

To exercise these rights, you can get in touch with us or, for a complaint, with our competent data protection supervisory authority:

Verkehrsverbund Region Braunschweig GmbH
Frankfurter Strasse 2
38122 Braunschweig

Managing Directors:

Jörg Reincke and Ralf Sygusch

Phone: +49 (0)531-2 42 62 99
Email:

Data Protection Supervisory Authority

Die Landesbeauftragte für den Datenschutz Niedersachsen [Data Protection Authority for the State of Lower Saxony]
Prinzenstrasse 5
30159 Hanover
Phone: +49 (0)511 120 45 00
Fax: +49 (0)511 120 45 99
Email:

Who is the controller for data collection in the app?

The controller for data processing due to the use of this app is Verkehrsverbund Region Braunschweig GmbH. You can find their contact details in Section 2 of this data protection information.

How do we collect your data?

Your data are collected when you provide them to us. These may, for example, be data that you enter in a contact form or that are transmitted to us when you contact us (such as by email or telephone).

Further data are automatically collected by our IT systems when our app is installed and used. These are mainly technical data (such as device data, operating system or time of access). These data are collected automatically when you use our app.

What do we use your data for?

Some of the data are collected to ensure proper provision of the functions in the app. Other data may be used to analyse your user behaviour.

Tracking (Google Firebase)

The legal basis for the associated data processing is Art. 6(1a) GDPR (Consent to data processing).

To improve our app product, we use Google Analytics (including Google Analytics for Firebase), an analytics service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”). Google Analytics uses “cookies”, text files which are placed on your smartphone to help analyse how you use the app. The information generated by Google Analytics about your use of the app is generally sent to a Google server in the United States and stored there for up to 14 months. IP anonymisation has been activated within our app, so that the IP addresses of users are truncated by Google, and thereby anonymised, within the territory of the Member States of the European Union or other parties to the Agreement on the European Economic Area.

Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there.

There is currently no decision by the EU Commission as to whether the US generally offers an adequate level of data protection. However, Google is committed to complying with the European standard contractual clauses on the processing of personal data from the member states of the EU. You can find more information on this here: policies.google.com/privacy/frameworks. You can find more information on data protection at Google at https://policies.google.com/privacy?gl=en.

More information specifically about data collection by Google Analytics for Firebase can be found at support.google.com/firebase/answer/6318039.

Google will use the collected information on our behalf to evaluate your usage of the app, compile reports about activities and provide us with further services related to usage. The IP address transmitted from your smartphone in connection with Google Analytics will not be associated with any other data held by Google. You can prevent the collection of data related to your use of the app (including your IP address) by Google Analytics, as well as the processing of this data by Google.

Setting the use of tracking in the app

When you use the app for the first time, you will be run through a process for setting up the app. There, you can choose to consent to the use of the Firebase tracking tool or to object to the use.

If you skip this introduction process (onboarding) or the decision to consent to the tracking, this will be considered an objection.

To change the decision on the use of the tracking tool at a later time, you can reset all app settings in the “More” area (accessible by clicking on the three vertical dots) using the “Reset settings” function there. To do this, click on “Delete all settings and data”. The onboarding process will then open automatically, and the app settings, including the decision to use the tracking tool, can be made again in it.

Standard contractual clauses

The European Commission has authorised the use of standard contractual clauses as a means of ensuring adequate protection for transfers of data outside the EEA. By the use of standard contractual clauses in a contract concluded between data transmitters, personal data are considered to be protected when transferred from the EEA or the United Kingdom to countries not covered by an adequacy decision.

We rely on these standard contractual clauses for data transfers.

 

Last revised: 8 December 2020