As a matter of principle, we only process personal data of our users insofar as this is necessary for the provision of a functional website as well as our contents and services. The processing of personal data of our users is regularly only carried out with the consent of the user. An exception applies in those cases in which obtaining prior consent is not possible for actual reasons, the processing of data is permitted by legal regulations, or we have a legitimate interest. As stated in the general terms and conditions, it is necessary to complete the registration process properly and confirm that the present privacy policy has been read and accepted in order to become a MILES user. This includes the fact that MILES may create a driving profile for each of its users.

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) lit. b GDPR), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests.

If we commission the processing of data on the basis of a so-called "order processing contract", this is done on the basis of Art. 28 GDPR.

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this only occurs if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

You have the right to revoke declarations of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Pursuant to Article 21 of the GDPR, you have the right, under certain conditions, to object to the processing of your personal data at any time on grounds relating to your particular situation. If you object to such processing, we will terminate or interrupt this data processing process and re-examine whether we can demonstrate compelling legitimate grounds for the processing that outweigh your interest.

If personal data is processed for direct marketing purposes, you have the right to object to this processing at any time. An objection to direct advertising means that we will no longer use your data for advertising purposes.

You have the right to complain to the competent supervisory authority if you have the impression that we are violating applicable data protection law. To do this, you can contact the state data protection commissioner or the state data protection commissioner at your place of work, residence or stay.

As a rule, your request will be forwarded to the office responsible for us.

Berlin Commissioner for Data Protection and Freedom of Information
Alt Moabit 59-61
10555 Berlin

Phone: 030 13889-0
Fax: 030 2155050
E-mail: mailbox@datenschutz-berlin.de 

5.4 Right to information / right to rectification

You have the right to receive information about the processed data. We have already compiled all the necessary information in accordance with Article 15 (1) of the Data Protection Regulation here on the privacy statement. Article 15 (3) GDPR also grants you the right to receive a copy of your data. If you are not sure whether we process your data, we will be happy to send you a confirmation.

You may have the right to ask us to correct any inaccurate personal data relating to you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, also by means of a supplementary declaration. Partially, your data can be changed in the customer account. If you are unable to correct your data yourself, we will support you in exercising your right to rectification in accordance with Article 16 of the GDPR.

The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 of the GDPR.

In accordance with Article 17 of the GDPR, you can request that your data be deleted without delay. We are obliged to delete your data immediately if one of the legally prescribed reasons of Art. 17 (1) of the GDPR applies and none of the exceptions according to Art. 17 (3) or similar provisions apply. We are legally authorised under Art. 17 (3) (e) of the GDPR to retain data relating to journeys. The relevant limitation periods of § 14 StVG of up to 30 years are decisive here.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted in accordance with Art. 18 GDPR. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or to enforce our own legal claims. In particular, we reserve the right to permanently store data of blocked users (e.g. due to accidental driving, fraud, non-payment) in order to prevent re-registration. This is a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.

According to Article 18 (1) of the GDPR, you may, under certain circumstances, request the restriction of the processing of your data. If processing has been restricted, this personal data may - apart from being stored - only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

According to Article 20 of the GDPR, you have the right to request that we assist you in transferring your contractual data or data that we process on the basis of consent to third parties if we process the data using automated processes, e.g. if you want to switch to a competitor. Let us know who you would like us to transfer your data to and we will contact the service provider. Alternatively, you can also receive this data in a machine-readable format.

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

Furthermore, you have the right to be informed about these recipients.

Below we explain how we handle the data of the users of our website and our presences in social media.

We operate this website (www.miles-mobility.com) with some sub-sites (including www.support.miles-mobility.com).

You can also find us on Twitter, Facebook, Instagram, LinkedIn, Xing and YouTube.

6.2.1 Affected persons
Data subjects of the data processing are visitors to our website or our channels in the social media (hereinafter also users or interested parties).

6.2.2 Purposes
The purpose of the processing is to provide information about our company and our services, to offer communication channels to our company, to address interested parties in an advertising manner, to analyse the effectiveness of our advertising measures, to conduct anonymised market research and to ensure the security of our websites.

6.2.3 Categories of data / types of data
The following data types can be processed:

IP address 

Access times and approximate location of users

Meta/communication data (e.g. device information) 

Visited websites 

Interest in content 

Demographic characteristics (via our advertising partners)

The data is usually collected when the offers are used.

6.2.4 Recipients / categories of recipients
The recipients of data are primarily the integrated service providers. Below we list an overview of the service providers. Further information can be found in the respective paragraphs on processing.

Strato (Hosting) 

Osano (Consent Management) 

Google (Statistics/Marketing/Map Clippings/Videos) 

Facebook (Marketing)

Ultimate.ai (Chat) 

Zendesk

Hotjar 

Braze 

Invers (driving data)

Whatsapp

6.2.5 Reservation(s) on the location of storage and processing of data
We would like to inform you that our company works with partners in third countries (Osano, Google, Facebook, Braze Inc, WhatsApp, Sentry, and PayPal). Personal information that we collect from you may be processed in the United States or other third countries. Some of these third countries, including the United States, have received an adequacy decision from the European Union under Article 45 of the GDPR (e.g., the EU-U.S. Data Privacy Framework). This means that your data enjoys an adequate level of protection in these countries. In cases where such a decision is not in place, we rely on exceptions for specific situations as outlined in Article 49 of the GDPR and, where applicable, on safeguards under Article 46 of the GDPR. Specifically, we only collect and transfer personal data to the United States or other third countries with your explicit consent, or to fulfill a contract with you. We and our processors are committed to implementing appropriate measures to protect the privacy and security of your personal data and to use it solely in accordance with your relationship with us and the practices described in this privacy policy.

6.3.1 Server log files / log files
Each time the website is visited, a log file is created by the web server. The following characteristics are recorded in this file.

Browser type and browser version of the user

Operating system used by the user

Referrer URL Host name of the accessing computer 

Date and time of access

IP address of the user

Internet service provider of the user

This data is not merged with other data sources. The provider may collect this data and store it for a period of 7 days. The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the secure operation of a technically error-free presentation and the optimisation of our website - for this purpose, the server log files must be collected. In order to ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. We use encryption to meet the requirements of Art. 32 GDPR, which requires that we take appropriate measures for the security of the website. If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.

Our website uses so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognise your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

Cookies that are required to carry out the electronic communication process or to provide certain functions desired by you are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. Insofar as other cookies (e.g. cookies for the analysis of surfing behaviour) are stored, these are dealt with below in this data protection declaration and used with the corresponding consent.

You can access our cookie banner and change your settings via the following link:

Cookie settings

6.4.1 Cookie consent with Osano's Consent Manager
This website uses Osano's cookie consent technology to obtain your consent to the storage of certain cookies on your terminal device and to document this in accordance with data protection law.

The provider of this technology is Osano, Inc, 3800 N Lamar Blvd, Ste 200, Austin, TX 78756 Website: https://https://www.osano.com/ (hereinafter "Osano").

When you open our website, we ask for your consent or refusal to the cookies and tracking tools. Your IP address, information about your browser and the terminal device used are transmitted to Osano.

Osano stores a cookie in your browser in order to be able to allocate the consents given or their revocation. The data collected in this way is stored until we are asked to delete it. You can also delete the cookie yourself, in which case you will be asked again the next time you visit the website.

Osano is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 (1) lit. f GDPR, as we as the website operator have a legitimate interest in the implementation of the cookie guidelines in accordance with data protection. Please read section 6.2.5 for more information on this provider.

6.4.2 Managing the analysis tools using Google Tag Manager
We use the Google Tag Manager in order to be able to integrate and manage website evaluations centrally and via a user interface. Tags are different tracking codes (JavaScript code lines) with which we can record and track your activities on our website.

The advantage of the tag manager is that we can use it not only to manage Google services, but also to centrally manage other analytics services. In this way, we can better identify which tracking technology provides us with the information we need and avoid unnecessary data collection. The tag manager itself does not process any data, but helps us organise the data from Google Analytics, Facebook or Instagram.

We use the tag manager to make our website as useful, comfortable and usable as possible for you and other visitors. For this purpose, we need the analysis data. We use the tag manager on the basis of Art. 6 para. 1 lit. f GDPR, which allows processing on the basis of a balance of interests. We have a legitimate interest in seeing which content appeals to our prospective customers. This allows us to realign our marketing to attract more people to our offers. Please read section 6.2.5 for more information about this provider.

6.4.3 Cookies and other tools for the purpose of range measurement and statistics
We use cookies for reach measurement and to create statistical evaluations of our website and social media interactions. For this purpose, we rely, among other things, on Google Analytics.

6.4.4 Google Analytics
The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called "cookies" and similar technologies. Cookies are text files that are stored on your computer and enable an analysis of your use of the website (target group reports, conversion reports, interaction and behaviour reports, real-time reports, etc.). The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. When using Google Analytics, your IP address is usually shortened to make subsequent identification more difficult.

Google Analytics cookies are stored on the basis of Art. 6 para. 1 lit. a GDPR, in accordance with the corresponding consent of the user.

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the collection of your data during future visits to this website: Deactivate Google Analytics. 

Our goal in using Google Analytics is to further optimise our service and offer more to potential users. The Google Analytics statistics help us to better understand our customers and support us in achieving this goal.

Google Analytics sets the following cookies:

Name: _ga (Google Analytics js) Purpose: Google uses this cookie to store the user ID and distinguish users. Expiry date: after 2 years

Name:_gid Purpose: Expiry date: after 24 hours

Name: gatgtag_UA_<property-id> Intended use: If Google Analytics is provided via the Google Tag Manager, this cookie is given this name. Expiry date: after 1 minute

Storage period: We have limited the storage period to 14 months in order to comply with the principle of storage limitation from Art. 5 GDPR. This retention period applies to data linked to cookies, user recognition and advertising IDs. Results of reports are based on aggregated data and are stored independently of user data.

You can find more information on the handling of user data with Google Analytics in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de 

This website uses the visitor action pixel from Facebook for conversion measurement. The provider of this service is Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland; "Facebook"). Via this Pixel, the behavior of website visitors can be tracked after they have been redirected to the operator's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous for us as the operator of this website. We cannot draw any conclusions about the identity of the users. However, the personal data is processed by Facebook. This allows Facebook to enable the placement of advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

Specifically, the following data is processed by Facebook and us:

IP address

User agent

Facebook user ID

Browser type

HTTP header

Device information (device ID, device operating system).

Geographic location

Browser information

Usage/click behavior, including content viewed and items clicked on

Facebook cookie information

Pixel ID

Pages visited

Referrer URL

Marketing information, including ads viewed and interactions with ads, services, and products

The use of the Facebook Tracking Pixel takes place exclusively with and on the basis of your prior consent, Art. 6 para. 1 lit. a GDPR. Your consent can be revoked at any time via the "Your cookie settings" function provided on our website, effective from this point forward. The legality of processing based on your consent prior to the revocation remains unaffected.

As long as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Facebook Ireland Limited, (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the forwarding is not part of the joint responsibility and is the sole responsibility of Facebook. Our joint obligations have been set forth in a Joint Processing Agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for implementing the tool on our website in a privacy-secure manner. Facebook is responsible for the data security of the Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert the data subject rights against us, we are obliged to forward your request to Facebook.

According to Facebook, the collected data is also transferred to the US and other third countries, and processed there. Facebook bases the data transfer to the US on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.

Please note: Despite the fact that Facebook Ireland Ltd. is based in Ireland, your personal data, including the IP address of the internet connection you are using, may be transferred to Facebook servers in the United States or other third countries if you consent to our performance cookies. The United States of America is currently classified as an unsafe third country, i.e. as a third country where neither an adequacy decision pursuant to Article 45 of the GDPR exists, nor a comparable level of protection can be assumed. The same applies to other third countries. With the transmission of your data, both Facebook and, if applicable, US or other third country authorities have access to the transmitted data. Facebook may combine your data with other data, such as your personal accounts, usage data from other devices, and any other data Facebook holds about you, and may also share your personal data with third parties. In addition, US or other third country authorities may access and process your data without notice or notification to you (during and after the processing is completed) or without providing you with similar remedies and data subject rights. Unfortunately, we have no influence on the processing by Facebook and US or other third country authorities in these cases.

If you wish, you can deactivate the "Custom Audiences" remarketing feature in the ad settings section at: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen if you are registered with Facebook. If you do not have a Facebook account, you can also deactivate Facebook's usage-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

For more information about Facebook's privacy practices, please see Facebook's privacy policy at the following link: https://de-de.facebook.com/about/privacy/.

6.4.6 Facebook Custom Audiences
With the help of the Facebook pixel, it is possible for Facebook to determine the visitors to our online offer as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called "Custom Audiences").

The processing of data by Facebook takes place within the framework of Facebook's data usage policy. Accordingly, you can find general information on the display of Facebook ads in Facebook's data usage policy: https://www.facebook.com/policy. For specific information and details on the Facebook Pixel and how it works, please visit Facebook's help section: https://www.facebook.com/business/help/651294705016616 (https://www.facebook.com/business/help/651294705016616).

You can opt out of the Facebook Pixel's collection and use of your data to display Facebook ads. To control which types of ads are displayed to you within Facebook, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers or mobile devices. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.

You can also opt out of the use of cookies for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

6.4.7 Hotjar
In order to statistically evaluate visitor data, we use the analysis tool Hotjar on our website. This is offered by:

Hotjar Limited Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta.

Hotjar is a service that evaluates visitor behaviour and feedback through combined analytics and feedback tools. We receive heatmaps, conversion funnels, visitor recordings, incoming feedback, feedback polls and surveys.

We use these evaluations to optimise the usability and user experience of the site and to additionally collect customer opinions via the feedback channel. We receive reports and visual representations from Hotjar that show us where and how users "move" on our site. The personal data is automatically anonymised. Neither can we assign the interactions to a user nor is the data transmitted to Hotjar.

Hotjar automatically collects usage data. For this purpose, a tracking code of the website is linked to a cookie.

The following data is collected and stored:

Time of the visit 

Screen size and resolution.

Browser version

Approximate location (IP location) 

Language

Visited subpages 

Date and time of access to one of our sub-pages (web pages)

IP address (anonymised)

Name: _hjid 

Purpose: The cookie is used to maintain a Hotjar user ID that is unique to the website in the browser. This allows user behaviour to be associated with the same user ID on subsequent visits. Expiry date: after one year

6.4.8 Newsletter dispatch
We send out mandatory information about the Miles Mobility GmbH offer via our newsletter. Furthermore, users of the app can subscribe to a newsletter and receive information about additional offers and promotions. To do this, we require your email address and consent to receive the newsletter, which we obtain via a so-called double opt-in procedure. Further data will not be collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties, apart from the respective newsletter senders.

In principle, the data is processed on the basis of your consent (Art. 6 para. 1 lit. a GDPR). In some of the cases mentioned below, which are directly related to the sending of newsletters, the processing is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR).

You receive all newsletters of an advertising nature on the basis of your consent to the storage and use of the data; you can revoke this consent at any time. You can unsubscribe at any time by clicking on the "unsubscribe" link in the newsletter. The legality of the data processing already carried out remains unaffected by the revocation.

We also send newsletters as customer information letters with relevant technical and organisational information on terms of use, changed tariffs or business areas.

We consider it imperative that this information reaches our customers, so you cannot automatically unsubscribe here. Your right to object according to Art. 21 GDPR remains unaffected, but in this case it is your duty to actively inform yourself.

We use the services of Braze Inc. and PostMarks to send the newsletters.

Braze Inc 330 West 34th Street, 18th Floor New York, NY 10001 USA.

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties.

We use a method to analyse the reach of our newsletter. When you open one of our emails, a file contained in the email connects to the servers of Braze Inc. in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. In addition, technical information is recorded (e.g. time of retrieval, IP address, browser type and operating system). However, this information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients. If you do not want any analysis, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message.

After unsubscribing from the newsletter distribution list, the email address is stored by us or the newsletter service provider in a blacklist, if necessary, in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interest outweighs our legitimate interest. However, you may then be contacted by us again.

We use WhatsApp, a communication service provided by WhatsApp Inc. (Merrion Road, Dublin 4, D04 X2K5, Ireland), to send you messages regarding additional offers, promotions, and advertising via WhatsApp. If you opt-in to receive these messages, we process your personal data, such as your phone number and information about whether you have opened a WhatsApp message (i.e., "reads"). This data is used solely to send you messages via WhatsApp and analyze interactions with these messages.

You can opt-out of the communication at any time by replying with "STOP" to the WhatsApp message. Your phone number will then be removed from the recipient list, and you will no longer receive any further messages.

The legal basis for processing this data is your prior, voluntary, and informed consent according to Art. 6, para. 1, lit. a of the GDPR. You can withdraw your consent at any time without facing any disadvantages.

The data transfer to WhatsApp takes place in accordance with WhatsApp's privacy policy, which you can view at the following link: WhatsApp Privacy Policy.

Our website also embeds AdaChat, an AI-based communication and conversation service provided by Ada Support Inc. (371 Front Street W, Suite 314, Toronto, Ontario, M5V 3S8, Canada), to provide you with high-quality chatbot-based customer support and to respond to your inquiries efficiently, quickly, and with and resource-efficient way.

If you contact us via our chat, we process your information for the processing of your request and in case follow-up questions arise. The data processed in this context includes the information you provide when contacting us or in the course of follow-up communication. Note: In order to comply with the data minimization principle in the best possible way, we kindly ask you, to limit your information to what is necessary, as far as possible.

AdaChat also uses so-called "cookies". These are text files that are stored in your internet browser or by your internet browser on your terminal device as a result of your consent. By setting the cookies, we are enabled to collect and process the data listed below and to analyze the content and use of the chat. The collection and processing of this data is done for the purpose of providing, security and functionality of the chat, for the analysis of your data, for the purpose of answering your requests and for the purpose of further development of the service itself. You can find more information about cookies here: https://www.ada.cx/cookies. The following personal data is collected and processed by us by means of these cookies:

IP address 

Chatter ID 

Chatter token 

Time and date of chat request and use 

Browser information (type, version, language setting) 

Operating system information (type, version) 

Device information (device identification number, type, hardware and software properties) 

Location information (country) 

The legal basis for the use of the tool and the data processing carried out on our behalf is your prior, voluntary and informed consent in accordance with § 25 TTDSG (German Telecommunications-Telemedia Data Protection Act) and art. 6 para. 1 lit. a GDPR, which we request via our cookie banner. Once you have given your consent, you can revoke it at any time with future effect using the "Your cookie settings" function on our website or by sending an email to data-protection@miles-mobility.com (mailto:data-protection@miles-mobility.com). Processing that has already taken place up to the time of the revocation remains unaffected by this. The chatbots used by us can "remember" a chatter from one conversation to the next ("chatter persistence"), provided that the conversations are not longer than 7 days apart. Within the scope and for the purpose of this reminder function, the chatter, the associated data and the chat history are recorded and stored by a bot. After the 7-day period selected by us has expired, the bot then automatically forgets the stored data.

Please note: Regardless of this automatic deletion after a certain period of time, your data may also be stored and processed by us, if and to the extent that this is required and permissible or we are subject to a legal obligation that requires further processing of your data. In order to ensure the data protection compliant processing and protection of your data in the context of the use of the tool, we have concluded an order processing agreement with Ada Support Inc. in the sense of art. 28 GDPR, which states in particular that your data may only be processed for the purpose of providing the service. The data transfer to Canada is covered by an adequacy decision of the European Commission, which certifies that Canada provides an adequate level of protection with regard to your data and data subjects' rights (art. 45 GDPR).

For more information about AdaChat and the privacy policy of Ada Support Inc. please visit: https://www.ada.cx/legal-resources/privacy-policy

This site uses the mapping service Google Maps via an API. Provider is:

Google Ireland Limited ("Google")
Gordon House
Barrow Street
Dublin 4
Ireland.

In order to use the functions of Google Maps, it is necessary to save your IP address and to transmit it to a Google server and it is also saved on this server. The provider of this site has no influence on the specific content of this data transmission. The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of our business areas.

This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de. 8 (https://www.facebook.com/settings?tab=ads).

You can send us enquiries via contact form, chat, e-mail or telephone. In this case, your enquiry with the contact details and, if applicable, further details from the enquiry form or the enquiry will be stored in our CRM system for processing the enquiry and for possible follow-up enquiries.

The processing of this data is based on Art. 6 (1) lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries sent to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested.

We keep your data until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected.

We have embedded YouTube videos on our website. This allows us to present videos from our YouTube channel directly on our site. The portal is operated by YouTube, a Google company. When you call up a page on our website that has a YouTube video embedded, your browser automatically connects to the YouTube or Google servers. In the process, various data are transferred (depending on the settings).

Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe. If you want to find out more, we recommend that you read the data protection declaration at https://policies.google.com/privacy?hl=de.

We have integrated various services from Zendesk on our website. Zendesk serves as our service provider for the provision of our support page and our contact forms. Various personal data may be shared with Zendesk. For more information, please see Zendesk's privacy policy https://www.zendesk.de/company/privacy-and-data-protection/ and section 7.9.2 of this privacy policy (appropriate safeguards for data transfers to third countries, among others).

Users have the option to link their MILES account with their PAYBACK account in order to collect PAYBACK °Points while using MILES services. To do so, the user enters their ten-digit PAYBACK customer number in the MILES app and confirms the linkage.

As part of this linkage, MILES transmits the user’s PAYBACK customer number and transaction-related ride data (such as the invoice amount and date of ride) to PAYBACK GmbH, Theresienhöhe 12, 80339 Munich. This processing is carried out solely for the purpose of enabling the accrual of PAYBACK °Points and is based on Art. 6(1)(b) GDPR (performance of a contract relating to participation in the PAYBACK program).

Users may unlink their PAYBACK account from their MILES account at any time via the MILES app. Once unlinked, no further data will be transmitted to PAYBACK. Data that has already been transferred remains unaffected and is subject to the applicable statutory retention periods.

PAYBACK is TÜV-certified for data protection and complies with the requirements of the GDPR as well as other applicable data protection laws (e.g. the German Federal Data Protection Act – BDSG). PAYBACK uses modern security technologies and encryption methods to ensure the confidentiality and integrity of personal data. PAYBACK does not sell or share personal data with third parties for commercial purposes.

For further information on how PAYBACK processes personal data, please refer to: https://www.payback.de/info/hinweise-datenschutz-23

Overview of the purposes, the type of data as well as the categories of recipients and the storage period.

In order to execute rental contracts with MILES Mobility GmbH, a user account with the MILES Mobility App is required (see also the General Terms and Conditions and the Rental Conditions). This personal data is processed by MILES Mobility GmbH (Germany) and MILES Mobility Belgium BV under joint controllership. In other words, both entities jointly determine the purposes and means of processing in order to facilitate the execution of rental contracts. In an agreement on joint controllership pursuant to Article 26 GDPR, we have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations. In particular, we have coordinated how the information duties under data protection law can be fulfilled jointly. This also includes ensuring that reporting and notification obligations are fulfilled. In case you contact MILES Mobility Belgium BV or MILES Mobility GmbH (Germany) and the processing under joint control is affected, we will coordinate in order to respond to your inquiry and to guarantee your rights as a data subject.

The processing of data via apps of partner companies which offer joint mobility services with MILES Mobility GmbH takes place in accordance with the privacy policy of the respective app.

Customer management, customer approach and customer support

Registration with identification and verification of the driver's licence

Vehicle booking via the app / service provision (provide vehicle) 

Billing and payment tracking 

Processing of violations of the law, in particular against the StVO 

Receivables management and collection 

Security checks and fraud control 

Claims settlement

Creation of a driving profile for the processing of legal violations, particularly against the German Road Traffic Act (StVO).

First name, last name

Address 

Date of birth

Language

Email address

Telephone (mobile) 

Device-Key (Number of the device)

Password

Bank details / Preferred payment method 

Schufa - extract

Customer number/ reference number

Verification of driving licence, driving licence number, identity document

Geolocation data (for vehicle search / and vehicle booking) 

Location data at registration (city / business area)

Contract data / Tariffs / Discounts 

(E-mail) correspondence / contact history 

Trip log

Black box in the vehicle (no personal data collection, but can be related to individuals) 

(e.g. subject matter of the contract, term, customer category)

The following data is collected directly from the data subject during registration:

First name, last name

Date of birth

Language

Address 

E-mail address

Telephone (mobile) 

Bank details

Customer number/ reference number

Verification of driving licence, driving licence number, identity card number

Location data (city)

Contract data / Tariffs / Discounts 

The following data is collected in the course of using the offer:

Device-Key (Number of the device)

Geolocation data (for vehicle search / vehicle booking / during the journey) 

(E-mail) correspondence / contact history 

Trip log for accounting purposes. 

Black box in the vehicle (no personal data collection, but can be related to individuals) 

Contract data / tariffs / discounts (in case of changes)

The following data is collected via third parties:

Schufa score as part of the credit report (Schufa) 

Reports on driving behaviour by other road users 

Master data and, if applicable, verification data from mobility partners (Jelbi, FreeNow) 

An automated decision takes place within the framework of our security checks.

Furthermore, an automated decision is made within the framework of the Schufa statement, although the responsibility for this does not lie with MILES Mobility GmbH.

You have the right to make your point of view known to us and to challenge these decisions. In this case, we will be happy to carry out a manual review of the automated decision.

7.5.1 Deletion on request
For processing operations based on consent:

Withdrawal of consent concerns the receipt of the newsletter.

As a rule, the withdrawal of consent is implemented immediately and automatically by the mailing service provider's systems. In rare cases, the synchronisation of the unsubscription from different mailing lists may take a few hours.

If customers request their right to data deletion for data processed on a legal basis other than consent, the user account will be deleted in accordance with the following information:

The personal data of the data subject to be deleted will be blocked system, partially made unrecognisable or blacked out and access to the data strictly restricted. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data, which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

Recipients of the data will be informed of the deletion request.

If overriding interests stand in the way of deletion, the customer will be informed of the reasons for the restriction of the right to deletion. This is particularly the case if MILES Mobility GmbH requires the data to enforce or defend legal claims.

7.5.2 Deletion after the purpose has ceased to exist
If data is processed for the fulfilment of the contract, the data is generally stored for the duration of the contractual relationship. This does not apply to usage data in particular, which is only stored for a period of 1 year.

Following the termination of the contractual relationship (cessation of the purpose), the personal data of the data subject to be deleted will be blocked in the system, partially rendered unrecognisable or blacked out and access to the data strictly restricted. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data which must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

If data is processed to comply with legal requirements, the rights of the data subjects to have the data deleted shall lapse until the expiry of the respective time limits with regard to the data to be stored. MILES Mobility GmbH does not use this data for any further purposes. This expressly includes storage for the purpose of proving proper accounting. For violations of the StVG, the retention periods are based on the limitation periods. These are up to 30 years.

MILES Mobility GmbH and MILES Mobility Belgium BV reserves the right to permanently store data of blocked users in order to prevent re-registration. This is a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.

The registration of the user account takes place via the app. The surname, first name and contact details are requested, the preferred language, the date of birth (as proof of age as well as an identification feature) the email address (along with the option to consent to receiving the newsletter), the banking and payment details as well as verification of the driving licence and a valid identification document.

The approximate location (city) and date of registration as well as the activation of the email address are stored for the duration of the customer relationship. We sometimes use the services of order processors to verify your data. You confirm your email address with the help of an activation email. We validate the telephone number via a processor (BudgetSMS).

For the verification of the driving licence and the ID document, the user is asked to create a video of the documents to be verified and to film his/her face. The recording of the face is compared with the image on the driving licence/ID document, and the documents are also assessed by the service provider on the basis of recognition features.

MILES Mobility GmbH uses the verification service provider Jumio (Jumio Software Development GmbH - Linz, Lunaplatz 5, A-4030 Linz) to verify the driving licence and the identity of the users. As processing by JUMIO may also take place in the USA and JUMIO is not certified under the Transatlantic Privacy Framework, we have also entered into standard contractual clauses with JUMIO to ensure an adequate level of data protection for data transfers to and processing in the USA. For further

information about JUMIO's privacy policy can be found here: https://www.jumio.com/privacy-center/privacy-notices/

This company is subject to the strict security regulations of the PCI DSS (Payment Card Industry Data Security Standard) and, as a processor, is bound by our instructions.

The legal basis for the verification of the driving licence results from Art. 6 para. 1 lit c GDPR in conjunction with § 21 para. 1 no. 2 StVG. Accordingly, MILES Mobility GmbH, as the vehicle owner, is obliged to verify the user's driving licence. In addition, a copy of a customer's identity document is requested in order to be able to prove the customer's identity beyond doubt in the event of accidents, for the settlement of claims, but also in the case of criminal offenses and administrative offences and older and international driver's licenses. In addition to the driver's license, a second document is requested to make identity theft harder. The legal basis for this verification also results from Art. 6. para. 1. lit c GDPR in conjunction with § 21 para. 1 no. 2 StVG.

This purpose remains in principle for the duration of a customer relationship. Even at a later point in time (especially in the event of damage), MILES Mobility GmbH is obliged to be able to prove that the legal obligations have been fulfilled. In the event of damage, this proof may also be required vis-à-vis insurance companies and state authorities, which is why the data from the driver's licence verification is stored at least for the duration of the customer relationship.

7.7.1 Vehicle booking and trip accounting
The app is used during the customer relationship to locate and book the vehicles.

We need access to the location of your device. When a request is made, we collect the current location via GPS in order to be able to quickly provide information about the vehicles in the immediate vicinity. We also use location data of the device at the moment of the opening of the vehicle to check the distance to the vehicle. This serves the purpose of preventing vehicle misidentification, theft or unauthorized vehicle handovers. Data about your location is used to process the request, i.e. at the beginning and end of a journey and in the event of interruptions.

During the journey, the location data of the vehicle is regularly compared with the data of the device; this is done via an encrypted connection. The location data is anonymised after the end of the request and statistically analysed to improve our service.

The vehicle's location data is primarily processed for billing purposes; we reserve the right to also use the location data query for fraud prevention and to match the device location with the route driven.

For the determination of the location data, we rely on the services of our order processor Locationq, which is provided to us by the company Unwired Labs (India) Pvt Ltd. ("Unwired"), 128, Prashasan Nagar, Rd 72, Jubilee Hills, Hyderabad, TS, IN - 500033.

7.7.2 Customer data management
In the app, the user's data can be accessed via the login area. Here you will find the trip log, the master data and contact data as transmitted during verification. Furthermore, the payment and billing data. The data from the app is transmitted in encrypted form and stored in a CRM system.

The provider of the CRM system is Braze Inc.

Braze Inc 330 West 34th Street, 18th Floor New York, NY 10001 USA.

We have concluded a so-called "Data Processing Agreement" with Braze Inc. in which we oblige the service provider to protect our customers' data and not to pass it on to third parties. The transfer to the USA takes place on the basis of suitable guarantees.

Furthermore, we use order processors to store the data.

As this data is collected and processed for the purpose of fulfilling contracts or legal requirements, users' rights to erasure or blocking may be limited. The right to rectification and information is unaffected.

7.7.3 App security, usage analysis
We have a legitimate interest according to Art. 6. para. 1. lit. f GDPR in a secure and reliable operation of the app as well as in the further development of the app and the optimisation of the economic operation.

We use the tool Sentry, which is provided to us by the company Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, to evaluate error messages and to analyse system parameters of the app. Sentry transmits error reports to servers in the USA and provides us with evaluations, e.g. about programming errors and compatibility problems. We only have access to data about the version of the operating system and the type of device.

We have concluded an order data processing contract with the provider and have ensured that there are sufficient guarantees for the data transfer to the USA in accordance with data protection requirements. We cannot see any countervailing interest on the part of the users. You can still prevent the transmission of bug reports at any time.

With your express consent, which can be revoked at any time, we also use Google Analytics for Firebase and Firebase Crashlytics. The legal basis is Art. 6 para. 1 lit. a GDPR. When you first start the app, you can select whether Google Analytics for Firebase and Firebase Crashlytics should be used; you can deactivate the collection of analytics data in the app.

Firebase / Crashlytics transmits your anonymised IP address, your anonymised advertising ID as well as usage and analysis data to a Google server in the USA and stores them there. The IP anonymisation in Analytics is done by shortening the addresses. If you have agreed to the use of Google Analytics for Firebase and Firebase Crashlytics, we use the app usage data for statistical, anonymous evaluations and to improve the app.

7.7.4 Creation of driving profiles for monitoring and analysis of driving behavior and vehicle usage
The processing of driving data serves to monitor and analyze driving behavior, ensuring that vehicles are used safely and in compliance with regulations. In cases of repeated violations, such as excessive speed, affected drivers are first warned, and if inappropriate behavior continues, access to the car-sharing service may be temporarily or permanently suspended. This is intended to enhance road safety and maintain the quality of the car-sharing service.

The legal basis for this processing is Article 6(1)(b) of the GDPR to provide our contractual services to you, and our legitimate interest under Article 6(1)(f) of the GDPR in ensuring the safe and reliable operation of the ride. Driving data is collected by our provider, INVERS GmbH, via the black box and transmitted to us.

As a company, we have a legitimate interest in protecting ourselves against payment defaults. In accordance with our General Terms and Conditions, we are entitled to verify the creditworthiness of customers with credit agencies or Schufa.

The processing of personal data in the context of the credit assessment is based on Art. 6.1.f GDPR. We assume that the check and confirmation of solvency is usually also in the interest of the customers, as this form of credit assessment does not pose any significant risks to rights and freedoms, in this way the transmission of additional data on creditworthiness can be avoided and a simple and convenient process can be provided.

The credit assessment is necessary for the enforcement of rights and claims of MILES Mobility GmbH.

The credit checks serve to protect MILES Mobility GmbH from payment defaults and are intended to ensure that MILES Mobility GmbH has recourse to the originator in the event of a claim (please refer to the price list https://miles-mobility.com/preise/).

When determining your creditworthiness, your data will be transmitted to Schufa. This can be e.g. name, address, date of birth and bank details, insofar as these are necessary for establishing your identity. We receive a scoring value from Schufa or other credit agencies involved, as well as other information from which the risk of non-payment can be derived. These are, for example, outstanding debts, deferments due to insolvency, current insolvency proceedings, participation in debt counselling. If we receive a too low scoring value in the course of the credit assessment, we can temporarily deactivate the user account. You have the right to explain your point of view to us and to challenge the decision. In this case, we will gladly carry out a manual review of the automated decision.

As a rule, we do not report any payment defaults to Schufa. However, we reserve the right to do so if the legal requirements for a report are met. In this case, the customers will be reminded repeatedly in compliance with formal requirements and the possibility of transmission will be pointed out in the reminder.

SCHUFA processes your data and also uses it for profiling purposes (scoring). Schufa is responsible for passing on your data to companies in the EEA and Switzerland and, if applicable, to third countries outside the EEA. Further information on the activities of SCHUFA can be obtained at www.schufa.de/datenschutz. Data processing and profiling is carried out by Schufa; Schufa is the body responsible for this processing within the meaning of data protection law. Therefore, Schufa is also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/. To find out exactly what data Schufa processes about you, please contact Schufa.

7.9.1 Customer management
We use the CRM system of the provider Braze to manage customer data.

Braze Privacy Policy Issues 330 West 34th Street, 18th Floor New York, NY 10001 USA

We have concluded an order processing contract with Braze. The service provider has provided us with appropriate safeguards for transfers to non-European jurisdictions.

All data from the registration as well as billing data and the customer history are stored in the customer database. We use the customer administration to be able to organise customer care quickly and effectively and to be able to respond to enquiries.

In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c. GDPR.

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services. The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying contractual relationship.

Furthermore, we use the contact data to inform users about relevant changes to our services. In the context of the use of our service, we process inventory data, communication data, contract data, location data and payment data of the users.

Processing is carried out for the purpose of providing contractual services, billing, customer service, customer communication, accident investigation and claims settlement.

The processing is based on Art. 6 para. 1 lit. b (data processing for the performance of contractual services) and Art. 6 para. 1 lit. c GDPR (fulfilment of legal obligations). Legally prescribed processing results, for example, in archiving or from the keeper obligations of the StVG.

Insofar as we make use of service providers who process data in a third country, the conditions of Art 44. ff. GDPR are checked.

We use the CRM system "Zendesk", from the provider Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA, in order to be able to process user enquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 Para. 1 lit. f. GDPR).

Zendesk has provided us with appropriate safeguards in accordance with Art. 44 et seq. GDPR and has undertaken to comply with European data protection law. Zendesk only uses the users' data for the technical processing of the requests and does not pass them on to third parties. In order to use Zendesk, at least a correct email address must be provided. A pseudonymous use is possible. In the course of processing service requests, it may be necessary to collect further data (name, address).

If users do not consent to data collection via and storage in Zendesk's external system, we provide them with alternative means of contact to submit service requests by email, telephone or post.

For more information, users should refer to Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

The customer approach for private customers is carried out via Customer Care using Zendesk and the customer database. We use the master data, contact data and the stored language to contact customers.

For customer support, we also use the telephone service provider Aircall:

Aircall SAS (GmbH & Co.KG (http://co.kg/))
11 Rue Saint-Georges
75009 Paris
France

For customer support, we also use the SMS service provider Seven:

Seven communications GmbH & Co. KG

Willestr. 4-6

24103 Kiel

Deutschland

Registered in Local Court of Kiel, Register number: HRA 11707 KI

We process the data of our customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual services and to invoice them.

We process data that are required for the justification and fulfilment of the contractual services and point out the necessity of their provision, unless this is evident to the contractual partners.

The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

As a rule, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims pursuant to Art. 6 Para. 1 lit. f. GDPR or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c. GDPR. We expressly reserve the right to use the services of legal service providers (debt collection, lawyers, etc.) to assert claims and to transmit data of the contractual partners and customers to them to the extent necessary.

The deletion of the data takes place when the data is no longer required for the fulfilment of contractual or legal duties of care and for dealing with any warranty and comparable obligations. Statutory retention obligations remain unaffected.

In order to be able to process payments efficiently, securely and conveniently, we use other payment service providers in addition to banks and credit institutions.

It is necessary to pass on data to the payment service providers so that they can carry out the transaction. The payment service providers receive the name and address, the stored payment method and, if applicable, bank data, a pseudonymous ID and the invoice data. MILES Mobility GmbH will be informed by the payment service providers of any payment made or missed.

We use the following service providers:

LogPay: LogPay Financial Services GmbH, Schwalbacher Str. 72, 65760 Eschborn, Germany

Privacy policy: https://documents.logpay.de/de/datenschutzinformationen.pdf

PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; 

Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Stripe: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; 

Privacy policy: https://stripe.com/de/privacy

An order processing agreement was concluded with Stripe. In addition, it was verified whether the requirements according to Art. 44-49 of the GDPR for the transfer of personal data are met.

MILES Mobility GmbH works together with collection service providers.

PAIR Finance GmbH, Hardenbergstraße 32, 10623 Berlin

The involvement of a debt collection service provider is a legal service within the meaning of the Legal Services Act § 10 para. 1 sentence 1. It is the free decision of MILES Mobility GmbH to use the services of a lawyer or a debt collection agency in disputes regarding an - even if only alleged - outstanding debt. In these cases, MILES Mobility GmbH may and must pass on personal data of the debtor (in particular name and address, the reason for the claim, the amount and due date of the claim, etc.) to the collection agency.

The following data will be passed on within the framework of the collection procedures.

First name, last name (title, if recorded and e.g. name component) 

Name of the company (for commercial customers)

Address (business) (for commercial customers) 

Address (private)

Invoice address (if different and recorded) 

E-mail address

Telephone number

Date of birth

Customer number

Contact history (as far as relevant)

Bank details

Contract data

Data on solvency

Only with this data is it possible for the collection agency to approach the debtor and assert the claim. The user's/customer's consent for the transfer of data to a legal service provider is not required, as it is based on the legal facts of Art. 6 para. 1 sentence 1 lit. b) and lit. f) DS-GVO (data processing for the performance.

Unfortunately, user accounts are blocked time and again due to reports of unusual driving behaviour. MILES Mobility GmbH may become aware of this in various ways:

Reporting by other road users

Notification via police / public order office

In the event of a report by another road user (third person), the driving behaviour described is recorded together with the telephone number/email of the reporting person.

No automated decision is made; rather, the support staff check the information for plausibility. For the protection of third parties and in order to comply with the owner's obligations under Article 21 of the German Road Traffic Act (StVO), MILES Mobility blocks the accounts of registered users as a precautionary measure if there is any suspicion of driving misconduct. This measure results not least from the special situation that MILES Mobility GmbH only checks the existence of a driving licence and fitness to drive by means of a query at the beginning of the contractual relationship and thus grants its users a high degree of trust.

A review of reported allegations only takes place in the event of an objection by the person concerned or in the event of enquiries by government agencies. In addition to the data transmitted by the app during the journey, the data from a black box, which is installed in all vehicles, is evaluated.

The black box determines the G-forces and activities of the driver. These are e.g. (acceleration and deceleration, steering movements, indicators, jolts). These data are not collected on a personal basis (but can be related to individuals); they are only evaluated by the staff in case of suspicion and linked to the last journeys.

Data will only be passed on to legal counsel or government agencies if MILES Mobility GmbH is legally obliged to do so or if this is necessary to enforce legal claims against the user. The data is processed in the European legal area.

MILES Mobility GmbH and MILES Mobility Belgium BV have a legitimate interest in protecting themselves against fraud attempts and breaches of our General Terms and Conditions and Rental Terms and Conditions. The processing of personal data in the context of fraud prevention is based on Art. 6.1.f. GDPR. We assume that these checks are generally also in the interest of the customers. The type of security checks do not represent a significant interference with the rights and freedoms of our users. Fraud prevention measures are necessary for the enforcement of rights and claims.

Furthermore, MILES Mobility GmbH and MILES Mobility Belgium BV reserves the right, with reference to § 32 para. 1 no. 4 BDSG, to publicly present the security checks carried out in detail.

In addition to the driving licence verification, further details from the registration are checked. This can be the e-mail address, telephone number and bank account details. Newly entered data is regularly compared with the existing data in order to prevent multiple registrations. In addition, data transmitted from the vehicle is randomly compared with data transmitted from the app using defined parameters in order to prevent account disclosure. In addition, the individual device key of personal devices is used to impede and prevent the sharing, sale, and multiple use of account data.

If an irregularity is detected during the security checks, the account will initially be blocked. You have the possibility to object to this and explain your point of view to us.

In the event of damage, it is unfortunately necessary to process further data.

The purposes of the processing are the

Support for our customers in the event of damage (Art. 6.1.b GDPR) 

Reconstruction of the course of the accident (Art. 6.1.f GDPR possibly in conjunction with Art. 6.1.c GDPR as well as § 24 BDSG) 

Settlement/liquidation of damages (Art. 6.1.b and c GDPR)

Pursuit of own legal claims. (Art. 6.1.f GDPR) 

For these purposes, we process your master data, usage data, data from the vehicles, statements and information from third parties (police, other parties involved in the accident, witnesses, other Miles users) and payment data.

Under certain circumstances, we may also receive health-related data in this context. Examples of this are injuries or indications of alcohol and narcotic consumption. In this case, Art. 9 (2) lit. f GDPR is relevant.

In the event of an incident for which you are responsible and for which we receive a claim for damages or another lawsuit from an injured or otherwise entitled third party (e.g. costs due to a private towing operation in the event of disturbance of the property owner), we transmit your stored contact data to the claimant and/or to our insurance broker (SHL Versicherungsmakler GmbH), so that the liability issues can be clarified directly in the relationship between you as the party responsible and the claimant or you can release us from the claim following the provisions of the GTC. The transfer is necessary to fulfil your contract with us (Art. 6.1.b GDPR) and to protect the legitimate interest in pursuing the legal claims that the claimant and we have against you (Art. 6.1.f GDPR).

In the event of damage, we are legally obliged to cooperate in documenting the course of the accident. Furthermore, there are contractual obligations towards, among others, claims adjusters, the fulfilment of which constitutes a legitimate interest to process the data of those who caused the damage. As the defence of legal claims is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR.

Tesla Model 3 vehicles have certain factory features which record video of the exterior area around the car.

You can identify the relevant vehicles by the following pictogram, which is displayed on the outside of the cars and whose QR code may have led you to this privacy policy:

We have put in place several measures to protect your personal data concerning the exterior video recordings made by the Vehicles. These measures strictly define the scenarios in which stored recordings from the vehicles are viewed and the extent to which they may be used to investigate specific offences.

7.15.1 The data processing in detail
Tesla Model 3 vehicles have the following recording systems:

Dashcam: While the vehicle is ready to drive, four camera systems continuously record the outside area around the car and temporarily store the footage locally. The stored recordings are generally automatically overwritten every 60 minutes. If a safety-relevant behaviour is registered by the vehicle (e.g. triggering of the airbags), local storage takes place, and the overwriting is suspended for this recording so that, for example, an accident can be reconstructed and reviewed. The stored records are specially protected and can only be viewed by our service team on-site at the vehicle; we cannot access them via the Internet. In the car, appropriate symbols indicate to the tenants that the dashcam function is active.

Sentry mode: When the car is parked, the four cameras remain in "standby" mode. They record the outside area around the car to detect threats to the vehicle (sentry mode is also called "guard mode"), and these recordings are constantly being permanently overwritten. If the car recognises a potential threat (e.g. if the vehicle is touched), the last ten minutes of the video recording prior to the event and the subsequent 30 seconds is temporarily stored locally. The stored recordings are specially protected and can only be viewed by our service team on-site at the vehicle; we cannot access them via the Internet. Depending on the impact's severity on the vehicle, persons near the car will be alerted of the storage of a recording by the flickering of the headlights (“warning mode”), a message on the large screen in the vehicle that is visible from the outside and the activating of an alarm (“alarm mode”).

Review and utilisation of the recordings: We only retrieve and view the locally stored recordings for evaluation if:

there are liability issues due to involvement in an accident, 

there is suspicion of a criminal offence resulting from vandalism of the vehicle,

there are hints that the car was driven in a grossly irregular and reckless manner, 

and thus, a criminal offence could have been committed. The evaluation of the recordings is then carried out following a strict internal guideline by specially authorised employees and only for the specific purposes of providing evidence exclusively to the necessary extent. In particular, it is ruled out that the recordings are utilised without cause or concerning bystanders.

7.15.2 Legal basis and purposes of data processing
Video recordings of the vehicle's exterior are processed exclusively to clarify and prove involvement in accidents or criminal offences such as vandalism to the car or grossly irregular and reckless driving. The information on breaches of the law according to section 7.12 of this data protection declaration also applies with regard to the investigation of such incidents.

The collection, storage, physical retrieval and, if applicable, utilisation for the purposes mentioned above is necessary and thus justified according to Art. 6.1.f GDPR for the protection of our property and the assertion, exercise or defence of legal claims. In pursuing our legal claims, we also support our customers (drivers of a Tesla Model 3) in reconstructing an accident and providing evidence if they were involved in an accident. In this case, the exploitation is carried out based on Art. 6.1.b and Art. 6.1.f DSGVO, as we also pursue legitimate third-party interests and fulfil our obligations under the respective rental agreement.

In processing claims, further personal data may be processed in addition to the video recording. The processing of personal data is governed by the principles of claims settlement, which are explained in section 7.14 of this privacy policy.

7.15.3 Nature and origin of the data
The video recordings may involve the renter of the vehicle or passers-by as party to an accident or claim.

We will only disclose video recordings to other persons after viewing by specially authorised and trained employees if this is necessary to clarify or enforce claims or criminal offences. In this case, the disclosure only concerns the time period of the video recording relevant for clarification or enforcement. The disclosure is only made to third parties with a legitimate interest or claims for disclosure (claimants, insurance companies, lawyers, involved public bodies and courts). We deliberately do not disclose any video recording to Tesla Inc. or its affiliates.

7.15.5 Storage period
Dashcam: Recordings stored locally are overwritten every 60 minutes. Safety-relevant recordings (e.g. after airbag deployment) are stored locally and usually for a maximum of one week before being overwritten due to limited storage space. The local storage period is shorter if we view the recording beforehand as we have been informed by a third party (police report, bystander) that an incident has occured. Immediately after viewing, the record is manually deleted unless persistent storage is necessary to achieve the purposes described above.

Sentry mode: Exclusively safety-relevant recordings (e.g. when the vehicle is touched) are stored locally and usually for a maximum of one week before being overwritten due to the limited storage space. The local storage period is shorter if we view the recording beforehand based on the aforementioned informed notice. Immediately after viewing, the record is manually deleted unless further storage of the record is necessary to achieve the purposes described above.

7.15.6 Rights as a data subject
You have the following rights under the GDPR in connection with the processing of your personal data: The right to information, deletion or blocking, as well as the right to object to the processing of your personal data. For more details on this and how to exercise these rights, see section 5 of this privacy policy.

We want to point out at this point that we do not store any further personal data alongside the video recordings allowing us to identify you. Such an allocation would only take place in the context of concrete measures to clarify or enforce claims or criminal offences. Therefore, if you exercise your rights, we will generally not be able to identify you without further details, nor will we be able to determine whether you are part of a video recording.

Automated decision-making does not take place. In the limited cases described, a member of our claims department always views and checks the video recordings and the necessity of further use.

For business customers, essentially all the points described above apply to users of the app. However, company-related contact data and billing data may also be stored.

For the administration and support of business customers, we use the service provider Pipedrive OÜ, Paldiski mnt 80, Tallinn, 10617, Estonia, in addition to our general customer administration.

We have concluded a contract with Pipedrive with so-called standard contractual clauses, in which Pipedrive undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. You can access Pipedrive's privacy policy here: https://www.pipedrive.com/en/privacy.

We use the CRM system Pipedrive of the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user enquiries, existing customer management, new customer business).

We process data in the context of administrative tasks as well as organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the context of providing our contractual services. The legal processing bases are Art. 6 para. 1 lit. c. GDPR, as well as for all processing not affected by a legal obligation our legitimate interest according to Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

In this context, we disclose or transmit data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.

In order to run our business economically, to be able to recognise market trends, wishes of the contractual partners and users, we analyse the data we have on business transactions, contracts, enquiries, etc.. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with information, e.g. on the services they have used. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.

If these analyses or profiles are personal, they will be deleted or anonymised upon termination of the users, otherwise after two years from the conclusion of the contract. Otherwise, the macroeconomic analyses and general tendency determinations are created anonymously if possible.

We only process the applicant data for the purpose of and within the scope of the application procedure in accordance with the legal requirements. The processing of the applicant data is carried out to fulfil our (pre)contractual obligations within the scope of the application procedure within the meaning of Art. 6 para. 1 lit. b. GDPR. Art. 6 para. 1 lit. f. GDPR is applicable insofar as the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, Section 26 BDSG also applies).

The application procedure requires that applicants provide us with the applicant data. The necessary applicant data are marked if we offer an online form, or otherwise result from the job descriptions and generally include personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting an application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and to the extent set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are voluntarily provided within the scope of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) lit. b GDPR (e.g. health data, such as severely disabled status). Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR are requested from applicants in the context of the application procedure, their processing is additionally carried out in accordance with Art. 9 (2) a GDPR (e.g. health data, if this is necessary for the exercise of the profession).

If provided, applicants can submit their applications to us using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Furthermore, applicants can send us their applications via e-mail. Please note, however, that e-mails are generally not encrypted and applicants must ensure that they are encrypted themselves. We cannot therefore accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend rather using an online form or sending by post. This is because instead of applying via the online form and e-mail, applicants still have the option of sending us the application by post.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a vacancy is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicant, deletion takes place after the expiry of a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years on the basis of consent within the meaning of Art. 6 Para. 1 lit. a. and Art. 7 GDPR.

The application documents in the talent pool will be processed solely within the framework of future job advertisements and the employee search and will be destroyed at the latest after the deadline. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future.

We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated as strictly confidential.

When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b GDPR (general contract initiation) and - if you have given us consent - Art. 6 para. 1 lit. a GDPR. This consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG and Art. 6 Para. 1 lit. b GDPR for the purpose of implementing the employment relationship.

If we are unable to make you a job offer, if you reject a job offer or if you withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies.

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if legal storage obligations prevent deletion.