PRIVACY POLICY

For MILES Mobility Belgium BV, handling your data in accordance with data protection regulations is more than just a legal requirement. Regardless of whether you use our mobility services, obtain information about our services or our company, are in contact with us as a service provider or partner, or work for us or want to work for us as an employee or applicant - you can rely on us to handle your data correctly. For easy understanding and accessibility we have refrained from using both the feminine and masculine forms of language in the following. All personal terms apply equally to all genders.

In this privacy policy you can find out how, to what extent and for what purposes we process your data, whether we pass on your data to partners and service providers, when we delete your data and other points that may be important to you.

Who we are 

Contact details of the responsible person (data controller)
Managing Directors: Oliver Mackprang, Eyvindur Kristjansson 
MILES Mobility Belgium BV
Handelsstraat 31
1000 Brussel - Belgium 

Reg-Nr.: BE37 0019 2995 3628

Website: miles-mobility.com

Contact details of the data protection officer
Pridatect S.L.
Carrer de Tarragona 161, Planta 11ª 
08014 Barcelona, Spain

E-mail: data-protection@miles-mobility.com 
Website: www.pridatect.de 

General information on data processing

1. Scope of the processing of personal data

As a matter of principle, we only process personal data of our users insofar as this is necessary for the provision of a functional website as well as our contents and services.

2. Data transfer and commissioning of processors 

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this only occurs if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

3. Rights of the data subjects 

3.1 Revocation of consent 

You have the right to revoke declarations of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3.2 Right of objection 

Pursuant to Article 21 of the GDPR, you have the right, under certain conditions, to object to the processing of your personal data at any time on grounds relating to your particular situation. If you object to such processing, we will terminate or interrupt this data processing and re-examine whether we can demonstrate compelling legitimate grounds for the processing that outweigh your interest. 

If personal data is processed for direct marketing purposes, you have the right to object to this processing at any time. An objection to direct advertising means that we will no longer use your data for advertising purposes. 

3.3 Right to complain to a supervisory authority 

You have the right to complain to the competent supervisory authority if you have the impression that we are violating applicable data protection law. To do this, you can contact the state data protection commissioner. For Belgium, this is:

Belgian Data Protection Authority (GBA)
Rue de la Presse 35
1000 Brussels

Phone: +32 (0)2 274 48 00  
website: https://www.dataprotectionauthority.be/citizen

3.4 Right of access and right to rectification 

You have the right to receive information about your processed data. We have already compiled all the necessary information in accordance with Article 15 (1) of the Data Protection Regulation here in this privacy statement. Article 15 (3) GDPR also grants you the right to receive a copy of your data. If you are not sure whether we process your data, we will be happy to send you a confirmation. 

You may have the right to ask us to correct any inaccurate personal data relating to you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, also by means of a supplementary declaration. Some of your data can be changed in the user account. If you are unable to correct your data yourself, we will support you in exercising your right to rectification in accordance with Article 16 of the GDPR.

3.5 Right to restriction of processing / right to erasure

You can request us to delete or restrict the processing of your personal data in accordance with Articles 17 and 18 of the GDPR. 

In accordance with Article 17 of the GDPR, you can request that your data be deleted without delay. We are obliged to delete your data as soon as possible if one of the legally prescribed reasons of Art. 17 (1) of the GDPR applies and none of the exceptions according to Art. 17 (3) or similar provisions apply. 

Please note that, for the establishment, exercise or defence of legal claims, we are legally authorised under Art. 17 (3) (e) of the GDPR to retain data relating to journeys until the end of the applicable limitation period, being 10 years after the end of the contract. 

As a data subject, you can also request that the processing be restricted in accordance with Art. 18 GDPR. If processing has been restricted, this personal data may - apart from being stored - only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. This applies, for example, to data that must be retained for reasons of commercial or tax law or to enforce our own legal claims.

3.6 Right to data portability 

According to Article 20 of the GDPR, you have the right to request that we assist you in transferring your contractual data or data that we process on the basis of consent to third parties if we process the data using automated processes, e.g. if you want to switch to a competitor. Let us know who you would like us to transfer your data to and we will contact the service provider. Alternatively, you can also receive this data in a machine-readable format.

3.7 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

Furthermore, you have the right to be informed about these recipients.

4. Privacy policy for users of the website and visitors to our social media presences 

Below we explain how we handle the data of the users of our website and our presences in social media.

4.1 Overview of our web presences 

We operate this website (www.miles-mobility.com) with some sub-sites (including www.support.miles-mobility.com). 

You can also find us on Twitter, Facebook, Instagram, LinkedIn, Xing and YouTube. 

4.2 General information on data processing 

4.2.1 Affected persons 
The purpose of the processing is to provide information about our company and our services, to offer communication channels to our company, to address interested parties in an advertising manner, to analyse the effectiveness of our advertising measures, to conduct anonymised market research and to ensure the security of our websites. 

4.2.3 Categories of data / types of data 
The following data types can be processed: 

  • IP address 

  • Access times and approximate location of users

  • Meta/communication data (e.g. device information) 

  • Visited websites 

  • Interest in content 

  • Demographic characteristics (via our advertising partners)

The data is usually collected when the offers are used. 

4.2.4 Recipients / categories of recipients 
Miles Mobility Belgium BV is a controlled undertaking of Miles Mobility GmbH (Leibnizstrasse 49, 10629 Berlin, Germany, email: hello@miles-mobility.com, phone: +49 (0)30 83 799 699) which has the power to have personal data protection rules implemented and controls the processing of personal data (in accordance with Art. 4 (19), recital 37). 

The recipients of data are primarily the integrated service providers. Below we list an overview of the service providers. Further information can be found in the respective paragraphs on processing. 

  • Strato (Hosting) 

  • Google (Statistics/Marketing/Map Clippings/Videos) 

  • Ultimate.ai (Chat) 

  • Zendesk

  • Hotjar 

  • Braze 

4.2.5 Reservation(s) on the location of storage and processing of data
Please note that our company works with partners in third countries (Osano, Google, Facebook, Braze Inc, Sentry & Paypal), in particular the United States. Personal information we collect from you may be processed in the United States or other third countries. Some of these third countries, for example the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.

Until new decisions are made regarding data transfers to the United States or other third countries, we rely on exemptions for specific situations as set out in Article 49 of the GDPR and, where applicable, the safeguards set out in Article 46 of the GDPR. In particular, we only collect and transfer personal data to the United States or third countries with your explicit consent, or to perform a contract with you. We and our processors aim to apply appropriate measures to protect the privacy and security of your personal data and to use it only in accordance with your relationship with us and the practices described in this Privacy Policy.

4.3 Cookies and personalised tracking 

Our website uses so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognise your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

Cookies that are required to carry out the electronic communication process or to provide certain functions desired by you are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. Insofar as other cookies (e.g. cookies for the analysis of surfing behaviour) are stored, these are dealt with below in this data protection declaration and used with the corresponding consent.

You can access our cookie banner and change your settings via the following link:

4.3.1 Managing the analysis tools using Google Tag Manager 
We use the Google Tag Manager in order to be able to integrate and manage website evaluations centrally and via a user interface. Tags are different tracking codes (JavaScript code lines) with which we can record and track your activities on our website. 

The advantage of the tag manager is that we can use it not only to manage Google services, but also to centrally manage other analytics services. In this way, we can better identify which tracking technology provides us with the information we need and avoid unnecessary data collection. The tag manager itself does not process any data, but helps us organise the data from Google Analytics, Facebook or Instagram. 

We use the tag manager to make our website as useful, comfortable and usable as possible for you and other visitors. For this purpose, we need the analysis data. We use the tag manager on the basis of Art. 6 para. 1 lit. f GDPR, which allows processing on the basis of a balance of interests. We have a legitimate interest in seeing which content appeals to our prospective customers. This allows us to realign our marketing to attract more people to our offers. Please read section 6.2.5 for more information about this provider.

4.3.2 Cookies and other tools for the purpose of range measurement and statistics 
We use cookies for reach measurement and to create statistical evaluations of our website and social media interactions. For this purpose, we rely, among other things, on Google Analytics. 

4.3.3 Google Analytics and G4
The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics and G4 use so-called "cookies" and similar technologies. Cookies are text files that are stored on your computer and enable an analysis of your use of the website (target group reports, conversion reports, interaction and behaviour reports, real-time reports, etc.). The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. When using Google Analytics, your IP address is usually shortened to make subsequent identification more difficult. 

Google Analytics and G4 cookies are stored on the basis of Art. 6 para. 1 lit. a GDPR, in accordance with the corresponding consent of the user. 

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website: Deactivate Google Analytics. 

Our goal in using Google Analytics and G4 is to further optimise our service and offer more to potential users. The Google Analytics statistics help us to better understand our customers and support us in achieving this goal. 

Google Analytics sets the following cookies:

Name: _ga (Google Analytics js) Purpose: Google uses this cookie to store the user ID and distinguish users. Expiry date: after 12 months

Name: _gid Purpose: Expiry date: after 24 hours

Name: gatgtag_UA_<property-id> Intended use: If Google Analytics is provided via the Google Tag Manager, this cookie is given this name. Expiry date: after 1 minute

Storage period: We have limited the storage period to 14 months in order to comply with the principle of storage limitation from Art. 5 GDPR. This retention period applies to data linked to cookies, user recognition and advertising IDs. Results of reports are based on aggregated data and are stored independently of user data. 

You can find more information on the handling of user data with Google Analytics in Google's privacy policy:

 https://support.google.com/analytics/answer/6004245?hl=de 

4.3.4 Hotjar 
In order to statistically evaluate visitor data, we use the analysis tool Hotjar on our website. This is offered by: 

Hotjar Limited Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta.

Hotjar is a service that evaluates visitor behaviour and feedback through combined analytics and feedback tools. We receive heatmaps, conversion funnels, visitor recordings, incoming feedback, feedback polls and surveys. 

We use these evaluations to optimise the usability and user experience of the site and to additionally collect customer opinions via the feedback channel. We receive reports and visual representations from Hotjar that show us where and how users "move" on our site. The personal data is automatically anonymised. Neither can we assign the interactions to a user nor is the data transmitted to Hotjar. 

Hotjar automatically collects usage data. For this purpose, a tracking code of the website is linked to a cookie. 

The following data is collected and stored: 

  • Time of the visit 

  • Screen size and resolution.

  • Browser version

  • Approximate location (IP location) 

  • Language

  • Visited subpages 

  • Date and time of access to one of our sub-pages (web pages)

  • IP address (anonymised)

Name: _hjid 

Purpose: The cookie is used to maintain a Hotjar user ID that is unique to the website in the browser. This allows user behaviour to be associated with the same user ID on subsequent visits. Expiry date: after one year.

You can find the list of cookies used or potentially used here:

https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookie-Information

4.3.5 Facebook tracking Pixel 

This website uses the visitor action pixel from Facebook for conversion measurement. The provider of this service is Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland; "Facebook"). Via this Pixel, the behavior of website visitors can be tracked after they have been redirected to the operator's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous for us as the operator of this website. We cannot draw any conclusions about the identity of the users. However, the personal data is processed by Facebook. This allows Facebook to enable the placement of advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

Specifically, the following data is processed by Facebook and us:

  • IP address

  • User agent

  • Facebook user ID

  • Browser type

  • HTTP header

  • Device information (device ID, device operating system).

  • Geographic location

  • Browser information

  • Usage/click behavior, including content viewed and items clicked on

  • Facebook cookie information

  • Pixel ID

  • Pages visited

  • Referrer URL

  • Marketing information, including ads viewed and interactions with ads, services, and products

The use of the Facebook Tracking Pixel takes place exclusively with and on the basis of your prior consent, Art. 6 para. 1 lit. a GDPR. Your consent can be revoked at any time via the "Your cookie settings" function provided on our website, effective from this point forward. The legality of processing based on your consent prior to the revocation remains unaffected.

As long as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Facebook Ireland Limited, (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the forwarding is not part of the joint responsibility and is the sole responsibility of Facebook. Our joint obligations have been set forth in a Joint Processing Agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for implementing the tool on our website in a privacy-secure manner. Facebook is responsible for the data security of the Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert the data subject rights against us, we are obliged to forward your request to Facebook.

According to Facebook, the collected data is also transferred to the US and other third countries, and processed there. Facebook bases the data transfer to the US on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.

Please note: Despite the fact that Facebook Ireland Ltd. is based in Ireland, your personal data, including the IP address of the internet connection you are using, may be transferred to Facebook servers in the United States or other third countries if you consent to our performance cookies. The United States of America is currently classified as an unsafe third country, i.e. as a third country where neither an adequacy decision pursuant to Article 45 of the GDPR exists, nor a comparable level of protection can be assumed. The same applies to other third countries. With the transmission of your data, both Facebook and, if applicable, US or other third country authorities have access to the transmitted data. Facebook may combine your data with other data, such as your personal accounts, usage data from other devices, and any other data Facebook holds about you, and may also share your personal data with third parties. In addition, US or other third country authorities may access and process your data without notice or notification to you (during and after the processing is completed) or without providing you with similar remedies and data subject rights. Unfortunately, we have no influence on the processing by Facebook and US or other third country authorities in these cases.

If you are registered with Facebook, you can deactivate the "Custom Audiences" remarketing feature in the ad settings section at: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. If you do not have a Facebook account, you can also deactivate Facebook's usage-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

For more information about Facebook's privacy practices, please see Facebook's privacy policy at the following link: https://de-de.facebook.com/about/privacy/.

4.3.6 Newsletter dispatch 
We send out mandatory information about the MILES Mobility Belgium BV offer via our newsletter. Furthermore, users of the app can subscribe to a newsletter and receive information about additional offers and promotions. To do this, we require your email address and consent to receive the newsletter, which we obtain via a so-called double opt-in procedure. Further data will not be collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties, apart from the respective newsletter senders.

In principle, the data is processed on the basis of your consent (Art. 6 para. 1 lit. a GDPR). In some of the cases mentioned below, which are directly related to the sending of newsletters, the processing is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR).

You receive all newsletters of an advertising nature on the basis of your consent to the storage and use of the data; you can revoke this consent at any time. You can unsubscribe at any time by clicking on the "unsubscribe" link in the newsletter. The legality of the data processing already carried out remains unaffected by the revocation.

We also send newsletters as customer information letters with relevant technical and organisational information on terms of use, changed tariffs or business areas. 

We consider it imperative that this information reaches our customers, so you cannot automatically unsubscribe here. Your right to object according to Art. 21 GDPR remains unaffected, but in this case it is your duty to actively inform yourself. 

We use the services of Braze Inc. and PostMark to send the newsletters. 

Braze Inc 330 West 34th Street, 18th Floor New York, NY 10001 USA. 

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties. 

We use a method to analyse the reach of our newsletter. When you open one of our emails, a file contained in the email connects to the servers of Braze Inc. in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. In addition, technical information is recorded (e.g. time of retrieval, IP address, browser type and operating system). However, this information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients. If you do not want any analysis, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. 

After unsubscribing from the newsletter distribution list, the email address is stored by us or the newsletter service provider in a blacklist, if necessary, in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interest outweighs our legitimate interest. However, you may then be contacted by us again.

6.4.7 AdaChat - contacting and requesting via chat

Our website also embeds AdaChat, an AI-based communication and conversation service provided by Ada Support Inc. (371 Front Street W, Suite 314, Toronto, Ontario, M5V 3S8, Canada), to provide you with high-quality chatbot-based customer support and to respond to your inquiries efficiently, quickly and in a resource-efficient way. 

If you contact us via our chat, we process your information in order to handle your request and any follow-up questions that arise. The data processed in this context includes the information you provide when contacting us or in the course of follow-up communication. Note: In order to comply with the data minimization principle in the best possible way, we kindly ask you to limit your information to what is necessary, as far as possible. 

AdaChat also uses so-called "cookies". These are text files that are stored in your internet browser or by your internet browser on your terminal device as a result of your consent. By setting the cookies, we are enabled to collect and process the data listed below and to analyze the content and use of the chat. The collection and processing of this data is done for the purpose of providing, security and functionality of the chat, for the analysis of your data, for the purpose of answering your requests and for the purpose of further development of the service itself. You can find more information about cookies here: https://www.ada.cx/cookies. The following personal data is collected and processed by us by means of these cookies: 

  • IP address 

  • Chatter ID 

  • Chatter token 

  • Time and date of chat request and use 

  • Browser information (type, version, language setting) 

  • Operating system information (type, version) 

  • Device information (device identification number, type, hardware and software properties) 

  • Location information (country) 

The legal basis for the use of the tool and the data processing carried out on our behalf is your prior, voluntary and informed consent in accordance with § 25 TTDSG (German Telecommunications-Telemedia Data Protection Act) and art. 6 para. 1 lit. a GDPR, which we request via our cookie banner. Once you have given your consent, you can revoke it at any time with future effect using the "Your cookie settings" function on our website or by sending an email to data-protection@miles-mobility.com. Processing that has already taken place up to the time of the revocation remains unaffected by this. The chatbots used by us can "remember" a chatter from one conversation to the next ("chatter persistence"), provided that the conversations are not longer than 7 days apart. Within the scope and for the purpose of this reminder function, the chatter, the associated data and the chat history are recorded and stored by a bot. After the 7-day period selected by us has expired, the bot then automatically forgets the stored data. 

Please note: Regardless of this automatic deletion after a certain period of time, your data may also be stored and processed by us, if and to the extent that this is required and permissible or we are subject to a legal obligation that requires further processing of your data. In order to ensure the data protection compliant processing and protection of your data in the context of the use of the tool, we have concluded an order processing agreement with Ada Support Inc. in the sense of art. 28 GDPR, which states in particular that your data may only be processed for the purpose of providing the service. The data transfer to Canada is covered by an adequacy decision of the European Commission, which certifies that Canada provides an adequate level of protection with regard to your data and data subjects' rights (art. 45 GDPR). 

For more information about AdaChat and the privacy policy of Ada Support Inc. please visit: https://www.ada.cx/legal-resources/privacy-policy.

4.4 Google Maps 

This site uses the mapping service Google Maps via an API. Provider is: 

Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. 

In order to use the functions of Google Maps, it is necessary to save your IP address and to transmit it to a Google server, where it is also saved. The provider of this site has no influence on the specific content of this data transmission. The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of our business areas. 

This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. 

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de.

4.5 Contact form, chat, request by e-mail or telephone

You can send us enquiries via contact form, chat, e-mail or telephone. In this case, your enquiry with the contact details and, if applicable, further details from the enquiry form or the enquiry will be stored in our CRM system for processing the enquiry and for possible follow-up enquiries. 

The processing of this data is based on Art. 6 (1) lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries sent to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested.

We keep your data until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected.

4.6 YouTube

We have embedded YouTube videos on our website. This allows us to present videos from our YouTube channel directly on our site. The portal is operated by YouTube, a Google company. When you call up a page on our website that has a YouTube video embedded, your browser automatically connects to the YouTube or Google servers. In the process, various data are transferred (depending on the settings).

Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe. If you want to find out more, we recommend that you read the data protection declaration at https://policies.google.com/privacy?hl=de.

4.7 Zendesk

We have integrated various services from Zendesk on our website. Zendesk serves as our service provider for the provision of our support page and our contact forms. Various personal data may be shared with Zendesk. For more information, please see Zendesk's privacy policy https://www.zendesk.de/company/privacy-and-data-protection/.

5. Privacy policy for users of the app and mobility services

Overview of the purposes, the type of data as well as the categories of recipients and the storage period. 

In order to execute rental contracts with MILES Mobility Belgium BV, a user account with MILES Mobility GmbH (Leibnizstrasse 49, 10629 Berlin, Germany, email: hello@miles-mobility.com, phone: +49 (0) 30 83 799 699) is required, cf. the General Terms and Conditions and the Rental Terms and Conditions. 

Considering that the personal data processed by MILES Mobility GmbH (Germany) are the basis of any rental contract, the respective personal data are processed by MILES Mobility Belgium BV and MILES Mobility GmbH (Germany) under joint control. In other words, both entities jointly determine the purposes and means of processing in order to facilitate the execution of rental contracts. In an agreement on joint controllership pursuant to Article 26 GDPR, we have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations. In particular, we have coordinated how the information duties under data protection law can be fulfilled jointly. This also includes ensuring that reporting and notification obligations are fulfilled. In case you contact MILES Mobility Belgium BV or MILES Mobility GmbH (Germany) and the processing under joint control is affected, we will coordinate in order to respond to your inquiry and to guarantee your rights as a data subject.

The processing of data via apps of partner companies which offer joint mobility services with MILES Mobility Belgium BV takes place in accordance with the privacy policy of the respective app.

5.1 Purposes of data processing

  • Customer management, customer approach and customer support

  • Registration with identification and verification of the driver's licence

  • Vehicle booking via the app / service provision (provide vehicle) 

  • Billing and payment tracking 

  • Processing of violations of the law, in particular against the Road Traffic Regulation

  • Receivables management and collection 

  • Security checks and fraud control 

  • Claims settlement

5.2 The following of your data will be processed

  • First name, last name

  • Address 

  • Date of birth

  • Language

  • Email address

  • Telephone (mobile) 

  • Device-Key (Number of the device)

  • Password

  • Bank details / Preferred payment method 

  • Schufa - extract

  • Customer number/ reference number

  • Verification of driving licence, driving licence number, identity document

  • Geolocation data (for vehicle search / and vehicle booking) 

  • Location data at registration (city / business area)

  • Contract data / Tariffs / Discounts 

  • (E-mail) correspondence / contact history 

  • Trip log

  • Black box in the vehicle (no personal data collection, but can be related to individuals) 

  • (e.g. subject matter of the contract, term, customer category)

5.3 Nature and origin of the data

The following data is collected directly from the data subject during registration: 

  • First name, last name

  • Date of birth

  • Language

  • Address 

  • E-mail address

  • Telephone (mobile) 

  • Bank details

  • Customer number/ reference number

  • Verification of driving licence, driving licence number, identity card number

  • Location data (city)

  • Contract data / Tariffs / Discounts 

The following data is collected in the course of using the offer: 

  • Device-Key (Number of the device)

  • Geolocation data (for vehicle search / vehicle booking / during the journey) 

  • (E-mail) correspondence / contact history 

  • Trip log for accounting purposes. 

  • Black box in the vehicle (no personal data collection, but can be related to individuals) 

  • Contract data / tariffs / discounts (in case of changes)

The following data is collected via third parties: 

  • Schufa score as part of the credit report (Schufa) 

  • Reports on driving behaviour by other road users 

  • Master data and, if applicable, verification data from mobility partners (Jelbi, FreeNow) 

5.4 Automated decision

An automated decision takes place within the framework of our security checks. 

Furthermore, an automated decision is made within the framework of the Schufa statement, although the responsibility for this does not lie with MILES Mobility Belgium BV. 

You have the right to make your point of view known to us and to challenge these decisions. In this case, we will be happy to carry out a manual review of the automated decision. 

5.5 Storage period

5.5.1 Deletion on request 
For processing operations based on consent:

Withdrawal of consent concerns the receipt of the newsletter.

As a rule, the withdrawal of consent is implemented immediately and automatically by the mailing service provider's systems. In rare cases, the synchronisation of the unsubscription from different mailing lists may take a few hours.

If customers request their right to data deletion for data processed on a legal basis other than consent, the user account will be deleted in accordance with the following information:

The personal data of the data subject to be deleted will be blocked in the system, partially made unrecognisable or blacked out and access to the data strictly restricted. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data, which must be retained for a period of ten years.

Recipients of the data will be informed of the deletion request.

If overriding interests stand in the way of deletion, the customer will be informed of the reasons for the restriction of the right to deletion. This is particularly the case if MILES Mobility Belgium BV requires the data to enforce or defend legal claims.

5.5.2 Deletion after the purpose has ceased to exist 
If data is processed for the fulfilment of the contract, the data is generally stored for the duration of the contractual relationship. This does not apply to usage data in particular, which is only stored for a period of 1 year. 

Following the termination of the contractual relationship (cessation of the purpose), the personal data of the data subject to be deleted will be blocked in the system, partially rendered unrecognisable or blacked out and access to the data strictly restricted. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data which must be retained for a period of ten years. 

If data is processed to comply with legal requirements, the rights of the data subjects to have the data deleted shall lapse until the expiry of the respective time limits with regard to the data to be stored. MILES Mobility Belgium BV does not use this data for any further purposes. This expressly includes storage for the purpose of proving proper accounting. For violations of the traffic regulation, the retention periods are based on the limitation periods. These are up to 30 years. 

MILES Mobility Belgium BV and MILES Mobility GmbH (Germany) reserve the right to permanently store data of blocked users in order to prevent re-registration. This is a legitimate interest according to Art. 6 para. 1 lit. f) GDPR. 

5.6 Registration with verification

The registration of the user account with MILES Mobility GmbH (Germany) takes place via the app. The surname, first name and contact details are requested, as well as the preferred language, the date of birth (as proof of age as well as an identification feature), the email address (along with the option to consent to receiving the newsletter), the banking and payment details, and verification of the driving licence and a valid identification document. 

The approximate location (city) and date of registration as well as the activation of the email address are stored for the duration of the customer relationship. We sometimes use the services of order processors to verify your data. You confirm your email address with the help of an activation email. We validate the telephone number via a processor (BudgetSMS). 

For the verification of the driving licence and the ID document, the user is asked to create a video of the documents to be verified and to film his/her face. The recording of the face is compared with the image on the driving licence/ID document, and the documents are also assessed by the service provider on the basis of recognition features. 

We use the verification service provider Jumio (Jumio Software Development GmbH - Linz, Lunaplatz 5, A-4030 Linz) to verify the driving licence and the identity of the users.

This company is subject to the strict security regulations of the PCI DSS (Payment Card Industry Data Security Standard) and, as a processor, is bound by our instructions. 

The legal basis for the verification of the driving licence results from Art. 6 para. 1 lit c GDPR. Accordingly, MILES Mobility Belgium BV as the vehicle owner, is obliged to verify the user's driving licence in coordination with MILES Mobility GmbH (Germany) being the provider of the user account. In addition, a copy of a customer's identity document is requested in order to be able to prove the customer's identity beyond doubt in the event of accidents, for the settlement of claims, but also in the case of criminal offenses and administrative offences and older and international driver's licenses. In addition to the driver's license, a second document is requested to make identity theft harder. The legal basis for this verification also results from Art. 6. para. 1. lit c GDPR.

This purpose remains in principle for the duration of a customer relationship. Even at a later point in time (especially in the event of damage), MILES Mobility Belgium BV is obliged to be able to prove that the legal obligations have been fulfilled. In the event of damage, this proof may also be required vis-à-vis insurance companies and state authorities, which is why the data from the driver's licence verification is stored at least for the duration of the customer relationship. 

5.7 Use of the app

5.7.1 Vehicle booking and trip accounting 
The app is used during the customer relationship to locate and book the vehicles.   

We need access to the location of your device. When a request is made, we collect the current location via GPS in order to be able to quickly provide information about the vehicles in the immediate vicinity. We also use location data of the device at the moment of the opening of the vehicle to check the distance to the vehicle. This serves the purpose of preventing vehicle misidentification, theft or unauthorized vehicle handovers. Data about your location is used to process the request, i.e. at the beginning and end of a journey and in the event of interruptions. 

During the journey, the location data of the vehicle is regularly compared with the data of the device; this is done via an encrypted connection. The location data is anonymised after the end of the request and statistically analysed to improve our service. 

The vehicle's location data is primarily processed for billing purposes; we reserve the right to also use the location data query for fraud prevention and to match the device location with the route driven. 

For the determination of the location data, we rely on the services of our order processor Location, which is provided to us by the company Unwired Labs (India) Pvt Ltd. ("Unwired"), 128, Prashasan Nagar, Rd 72, Jubilee Hills, Hyderabad, TS, IN - 500033. 

5.7.2 Customer data management 
In the app, the user's data can be accessed via the login area. Here you will find the trip log, the master data and contact data as transmitted during verification, as well as the payment and billing data. The data from the app is transmitted in encrypted form and stored in a CRM system. 

The provider of the CRM system is Braze Inc. 

Braze Inc 330 West 34th Street, 18th Floor New York, NY 10001 USA.

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties. The transfer to the USA takes place on the basis of suitable guarantees. 

Furthermore, we use order processors to store the data. 

As this data is collected and processed for the purpose of fulfilling contracts or legal requirements, users' rights to erasure or blocking may be limited. The right to rectification and information is unaffected. 

5.7.3 App security, usage analysis 
We have a legitimate interest according to Art. 6. para. 1. lit. f GDPR in a secure and reliable operation of the app as well as in the further development of the app and the optimisation of the economic operation. 

We use the tool Sentry, which is provided to us by the company Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, to evaluate error messages and to analyse system parameters of the app. Sentry transmits error reports to servers in the USA and provides us with evaluations, e.g. about programming errors and compatibility problems. We only have access to data about the version of the operating system and the type of device.

We have concluded an order data processing contract with the provider and have ensured that there are sufficient guarantees for the data transfer to the USA in accordance with data protection requirements.  We cannot see any countervailing interest on the part of the users. You can still prevent the transmission of bug reports at any time. 

With your express consent, which can be revoked at any time, we also use Google Analytics for Firebase and Firebase Crashlytics.  The legal basis is Art. 6 para. 1 lit. a GDPR. When you first start the app, you can select whether Google Analytics for Firebase and Firebase Crashlytics should be used; you can deactivate the collection of analytics data in the app.

Firebase / Crashlytics transmits your anonymised IP address, your anonymised advertising ID as well as usage and analysis data to a Google server in the USA and stores them there. The IP anonymisation in Analytics is done by shortening the addresses. If you have agreed to the use of Google Analytics for Firebase and Firebase Crashlytics, we use the app usage data for statistical, anonymous evaluations and to improve the app. 

5.8 Credit assessment

As a company, we have a legitimate interest in protecting ourselves against payment defaults. In accordance with our General Terms and Conditions, we are entitled to verify the creditworthiness of customers with credit agencies or Schufa. 

The processing of personal data in the context of the credit assessment is based on Art. 6.1.f GDPR. We assume that the check and confirmation of solvency is usually also in the interest of the customers, as this form of credit assessment does not pose any significant risks to rights and freedoms. In this way, the transmission of additional data on creditworthiness can be avoided and a simple and convenient process can be provided.

The credit assessment is necessary for the enforcement of rights and claims of MILES Mobility Belgium BV.

The credit checks serve to protect MILES Mobility Belgium BV from payment defaults and are intended to ensure that MILES Mobility Belgium BV has recourse to the originator in the event of a claim (please refer to the price list https://miles-mobility.com/en-be/rates). 

When determining your creditworthiness, your data will be transmitted to Schufa. This can be e.g. name, address, date of birth and bank details, insofar as these are necessary for establishing your identity. We receive a scoring value from Schufa or other credit agencies involved, as well as other information from which the risk of non-payment can be derived. These are, for example, outstanding debts, deferments due to insolvency, current insolvency proceedings, participation in debt counselling. If we receive a scoring value that is too low in the course of the credit assessment, we can temporarily deactivate the user account. You have the right to explain your point of view to us and to challenge the decision. In this case, we will gladly carry out a manual review of the automated decision. 

As a rule, we do not report any payment defaults to Schufa. However, we reserve the right to do so if the legal requirements for a report are met. In this case, the customers will be reminded repeatedly in compliance with formal requirements and the possibility of transmission will be pointed out in the reminder.

SCHUFA processes your data and also uses it for profiling purposes (scoring). Schufa is responsible for passing on your data to companies in the EEA and Switzerland and, if applicable, to third countries outside the EEA. Further information on the activities of SCHUFA can be obtained at www.schufa.de/datenschutz. Data processing and profiling is carried out by Schufa; Schufa is the body responsible for this processing within the meaning of data protection law. Therefore, Schufa is also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/.  To find out exactly what data Schufa processes about you, please contact Schufa.

5.9 Customer management, customer approach and customer support

5.9.1 Customer management 
We use the CRM system of the provider Braze to manage customer data: 

Braze Privacy Policy Issues 330 West 34th Street, 18th Floor New York, NY 10001 USA

We have concluded an order processing contract with Braze. The service provider has provided us with appropriate safeguards for transfers to non-European jurisdictions. 

All data from the registration as well as billing data and the customer history are stored in the customer database. We use the customer administration to be able to organise customer care quickly and effectively and to be able to respond to enquiries. 

In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c. GDPR.

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contractual relationship. 

Furthermore, we use the contact data to inform users about relevant changes to our services. In the context of the use of our service, we process inventory data, communication data, contract data, location data and payment data of the users. 

Processing is carried out for the purpose of providing contractual services, billing, customer service, customer communication, accident investigation and claims settlement. 

The processing is based on Art. 6 para. 1 lit. b (data processing for the performance of contractual services) and Art. 6 para. 1 lit. c GDPR (fulfilment of legal obligations). Legally prescribed processing results, for example, from archiving or from the keeper obligations. 

Insofar as we make use of service providers who process data in a third country, the conditions of Art. 44 ff. GDPR are checked. 

5.9.2 Customer support 
We use the CRM system "Zendesk", from the provider Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA, in order to be able to process user enquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 Para. 1 lit. f. GDPR).

Zendesk has provided us with appropriate safeguards in accordance with Art. 44 et seq. GDPR and has undertaken to comply with European data protection law. Zendesk only uses the users' data for the technical processing of the requests and does not pass them on to third parties. In order to use Zendesk, at least a correct email address must be provided. A pseudonymous use is possible. In the course of processing service requests, it may be necessary to collect further data (name, address).

If users do not consent to data collection via and storage in Zendesk's external system, we provide them with alternative means of contact to submit service requests by email, telephone or post.

For more information, users should refer to Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

The customer approach for private customers is carried out via Customer Care using Zendesk and the customer database. We use the master data, contact data and the stored language to contact customers.

For customer support, we also use the telephone service provider Aircall: 

Aircall SAS (GmbH & Co.KG)
11 Rue Saint-Georges
75009 Paris
France

5.10 Accounting, bookkeeping and payment tracking

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services and to invoice them. 

We process data that are required for the justification and fulfilment of the contractual services and point out the necessity of their provision, unless this is evident to the contractual partners. 

The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

As a rule, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims pursuant to Art. 6 Para. 1 lit. f. GDPR or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c. GDPR. We expressly reserve the right to use the services of legal service providers (debt collection, lawyers, etc.) to assert claims and to transmit data of the contractual partners and customers to them to the extent necessary. 

The deletion of the data takes place when the data is no longer required for the fulfilment of contractual or legal duties of care and for dealing with any warranty and comparable obligations. Statutory retention obligations remain unaffected.

In order to be able to process payments efficiently, securely and conveniently, we use other payment service providers in addition to banks and credit institutions. 

It is necessary to pass on data to the payment service providers so that they can carry out the transaction. The payment service providers receive the name and address, the stored payment method and, if applicable, bank data, a pseudonymous ID and the invoice data. MILES Mobility Belgium BV will be informed by the payment service providers of any payment made or missed. 

We use the following service providers: 

Intolaw: Intolaw Advocaten BV, Begijnhoflaan 408, 9000 Gent, Belgium

Privacy policy: https://www.intolaw.be/fr/confidentialite 

PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; 

Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full 

Stripe: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; 

Privacy policy: https://stripe.com/de/privacy 

An order processing agreement was concluded with Stripe. In addition, it was verified whether the requirements according to Art. 44-49 of the GDPR for the transfer of personal data are met.

5.11 Outstanding receivables/collections 

MILES Mobility Belgium BV works together with collection service providers. 

  • PAIR Finance GmbH, Hardenbergstraße 32, 10623 Berlin, Germany

The involvement of a debt collection service provider is a legal service within the meaning of the Legal Services Act § 10 para. 1 sentence 1. It is the free decision of MILES Mobility Belgium BV to use the services of a lawyer or a debt collection agency in disputes regarding an - even if only alleged - outstanding debt. In these cases, MILES Mobility Belgium BV may and must pass on personal data of the debtor (in particular name and address, the reason for the claim, the amount and due date of the claim, etc.) to the collection agency.

The following data will be passed on within the framework of the collection procedures.

  • First name, last name (title, if recorded and e.g. name component) 

  • Name of the company (for commercial customers)

  • Address (business) (for commercial customers) 

  • Address (private)

  • Invoice address (if different and recorded) 

  • E-mail address

  • Telephone number

  • Date of birth

  • Customer number

  • Contact history (as far as relevant)

  • Bank details

  • Contract data

  • Data on solvency

Only with this data is it possible for the collection agency to approach the debtor and assert the claim. The user's/customer's consent for the transfer of data to a legal service provider is not required, as it is based on the legal facts of Art. 6 para. 1 sentence 1 lit. b) and lit. f) GDPR (data processing for the performance of the contract, data processing based on the legitimate interest of the creditor). 

5.12 Violations of the law, esp. against the “Code de la Route”

Unfortunately, user accounts are blocked time and again due to reports of unusual driving behaviour. MILES Mobility Belgium BV may become aware of this in various ways: 

  • Reporting by other road users

  • Notification via police / public order office

In the event of a report by another road user (third person), the driving behaviour described is recorded together with the telephone number/email of the reporting person. 

No automated decision is made; rather, the support staff check the information for plausibility. For the protection of third parties and in order to comply with the owner's obligations, MILES Mobility Belgium BV blocks the accounts of registered users as a precautionary measure if there is any suspicion of driving misconduct. This measure results not least from the special situation that MILES Mobility Belgium BV only checks the existence of a driving licence and fitness to drive by means of a query at the beginning of the contractual relationship and thus grants its users a high degree of trust. 

A review of reported allegations only takes place in the event of an objection by the person concerned or in the event of enquiries by government agencies. In addition to the data transmitted by the app during the journey, the data from a black box, which is installed in all vehicles, is evaluated. 

The black box determines the G-forces and activities of the driver. These are, e.g., acceleration and deceleration, steering movements, indicators and jolts. These data are not collected on a personal basis (but can be related to individuals); they are only evaluated by the staff in case of suspicion and linked to the last journeys. 

Data will only be passed on to legal counsel or government agencies if MILES Mobility Belgium BV is legally obliged to do so or if this is necessary to enforce legal claims against the user. The data is processed in the European legal area.

5.13 Breaches of the GTC/RTC, fraud prevention and security checks

MILES Mobility Belgium BV and MILES Mobility GmbH (Germany) have a legitimate interest in protecting themselves against fraud attempts and breaches of the General Terms and Conditions and Rental Terms and Conditions. The processing of personal data in the context of fraud prevention is based on Art. 6.1.f. GDPR. We assume that these checks are generally also in the interest of the customers. The type of security checks does not represent a significant interference with the rights and freedoms of our users. Fraud prevention measures are necessary for the enforcement of rights and claims. 

Furthermore, MILES Mobility Belgium BV and MILES Mobility GmbH (Germany) reserve the right to publicly present the security checks carried out in detail. 

In addition to the driving licence verification, further details from the registration are checked. This can be the e-mail address, telephone number and bank account details. Newly entered data is regularly compared with the existing data in order to prevent multiple registrations. In addition, data transmitted from the vehicle is randomly compared with data transmitted from the app using defined parameters in order to prevent account disclosure. In addition, the individual device key of personal devices is used to impede and prevent the sharing, sale, and multiple use of account data.

If an irregularity is detected during the security checks, the account will initially be blocked. You have the possibility to object to this and explain your point of view to us. 

5.14 Settlement of claims

In the event of damage, it is unfortunately necessary to process further data. 

The purposes of the processing are the 

  • Support for our customers in the event of damage (Art. 6.1.b GDPR) 

  • Reconstruction of the course of the accident (Art. 6.1.f GDPR possibly in conjunction with Art. 6.1.c GDPR) 

  • Settlement/liquidation of damages (Art. 6.1.b and c GDPR)  

  • Pursuit of own legal claims (Art. 6.1.f GDPR) 

For these purposes, we process your master data, usage data, data from the vehicles, statements and information from third parties (police, other parties involved in the accident, witnesses, other Miles users) and payment data. 

Under certain circumstances, we may also receive health-related data in this context. Examples of this are injuries or indications of alcohol and narcotic consumption. In this case, Art. 9 (2) lit. f GDPR is relevant. 

In the event of an incident for which you are responsible and for which we receive a claim for damages or another lawsuit from an injured or otherwise entitled third party (e.g. costs due to a private towing operation in the event of disturbance of the property owner), we transmit your stored contact data to the claimant and/or to our insurance broker (Exios srl, 1140 Evere, Rue de Genève 10/73) which then forwards the data to the insurance company (Balois Belgium SA, 2600 Antwerpen, Posthofbrug 16), so that the liability issues can be clarified directly in the relationship between you as the party responsible and the claimant or you can release us from the claim following the provisions of the GTC. The transfer is necessary to fulfil your contract with us (Art. 6.1.b GDPR) and to protect the legitimate interest in pursuing the legal claims that the claimant and we have against you (Art. 6.1.f GDPR).

In the event of damage, we are legally obliged to cooperate in documenting the course of the accident. Furthermore, there are contractual obligations towards, among others, claims adjusters, the fulfilment of which constitutes a legitimate interest to process the data of those who caused the damage. As the defence of legal claims is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR. 

6. Privacy policy for business customers, partners and service providers

6.1 Business customers

For business customers, essentially all the points described above apply to users of the app. However, company-related contact data and billing data may also be stored. 

For the administration and support of business customers, we use the service provider Pipedrive OÜ, Paldiski mnt 80, Tallinn, 10617, Estonia, in addition to our general customer administration.  

We have concluded a contract with Pipedrive with so-called standard contractual clauses, in which Pipedrive undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. You can access Pipedrive's privacy policy here: https://www.pipedrive.com/en/privacy.

We use the CRM system Pipedrive of the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user enquiries, existing customer management, new customer business).

6.2 General Administration, Accounting and Corporate Development

We process data in the context of administrative tasks as well as organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the context of providing our contractual services. The legal processing bases are Art. 6 para. 1 lit. c. GDPR, as well as for all processing not affected by a legal obligation, our legitimate interest according to Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

In this context, we disclose or transmit data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.

6.3 Business analyses

In order to run our business economically, to be able to recognise market trends, wishes of the contractual partners and users, we analyse the data we have on business transactions, contracts, enquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with information, e.g. on the services they have used. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.

If these analyses or profiles are personal, they will be deleted or anonymised upon termination of the users, otherwise after two years from the conclusion of the contract. Otherwise, the macroeconomic analyses and general tendency determinations are created anonymously if possible.

7. Applicants and employees

We only process the applicant data for the purpose of and within the scope of the application procedure. The processing of the applicant data is carried out to fulfil our (pre)contractual obligations within the scope of the application procedure within the meaning of Art. 6 para. 1 lit. b. GDPR. Art. 6 para. 1 lit. f. GDPR is applicable insofar as the data processing becomes necessary for us, e.g. in the context of legal proceedings.

The application procedure requires that applicants provide us with the applicant data. The necessary applicant data are marked if we offer an online form, or otherwise result from the job descriptions and generally include personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants in the context of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) a GDPR (e.g. health data, if this is necessary for the exercise of the profession).

If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Furthermore, applicants can send us their applications via e-mail. Please note, however, that e-mails are generally not encrypted and applicants must ensure encryption themselves. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server, and recommend using an online form or sending by post instead. Applicants always have the option of sending us the application by post rather than via the online form or e-mail.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants' data will be deleted in accordance with section 9.4. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

7.1 Talent pool

As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years on the basis of consent within the meaning of Art. 6 Para. 1 lit. a. and Art. 7 GDPR.

The application documents in the talent pool will be processed solely within the framework of future job advertisements and the employee search and will be destroyed at the latest at the deadline. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future.

7.2 Scope and purpose of data collection

When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given us consent for the Talent pool - Art. 6 para. 1 lit. a GDPR. This consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Art. 6 Para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

7.3 Retention period of the data

If we are unable to make you a job offer, if you reject a job offer or if you withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies.

Longer storage may also take place if you have given your consent (see section 9.1) or if legal storage obligations prevent deletion.

Status: January 2023