A.1. What is personal data?

Your personal data includes any information that can be associated with you as a natural person. Such details include your name, e-mail address, mobile number, location, and payment information.

A.2. Who is responsable for processing data?

The responsible party (“Data Controller”) for the processing of your personal data in connection with the use of our websites and apps, unless otherwise stated below, is MOIA GmbH, Alexanderufer 5, 10117 Berlin, Germany, registered with the commercial register of the Berlin Charlottenburg District Court, no. HRB 189716 B (“MOIA”, “we”, “us”).

If there are links to third-party websites, the respective provider is responsible for data processing in connection with use of the linked website.

A.3. Purposes and legal basis of data processing

We process personal data for the following purposes and on the legal basis explained below.

Providing services: First and foremost, we process your data in order to provide the services you use and, where applicable, to charge for this (e.g. creating a user account, booking of MOIA Mobility Services). The legal basis for processing data in this context is the necessity for the performance of a contract with MOIA (article 6 (1)(b) GDPR) and/or legitimate interests pursued by us (article 6(1)(f) GDPR).

Legal obligations: We process personal data if and to the extent necessary to fulfill our legal obligations (e.g. retention requirements under tax law) (article 6(1)(c) GDPR).

Compliance with the MOIA Code of Conduct and enforcement of legal claims: We also process personal data if this is necessary to assert financial or other legal claims, or to investigate violations of the MOIA Code of Conduct and to be in a position to take action based on this document (e.g. instances of vandalism). The legal basis for processing data in these cases is the necessity for the performance of a contract with MOIA (article 6(1)(b) GDPR) and/or legitimate interests pursued by us (article 6(1)(f) GDPR).

System security and crime prevention: Another purpose of data processing is to ensure the security of our systems and, for instance, to prevent and detect fraud and other crimes. For this purpose, we store information such as your IP address when you register or book fee-based services. The legal basis for data processing in this context is the protection of MOIA’s legitimate interests (article 6(1) GDPR).

Improving our services: We are constantly working to enhance our services. For this purpose, we use anonymized data if possible. The legal basis for data processing here is the protection of MOIA’s legitimate interests (article 6(1) GDPR).

Marketing: We pursue the purpose of successfully marketing our services. That is why we, for example, provide optional personalized e-mail marketing to our users and measure the success of our online campaigns. The legal basis for processing personal data for marketing purposes is the user’s consent (article 6(1)(a) GDPR) and/or the legitimate interests pursued by MOIA (article 6(1)(f) GDPR).

A.4. Sharing of data and transfer to third countries

We use various services that process data on our behalf (e.g. hosting, e-mail distribution, customer service). The respective service providers are checked by us and ensure an appropriate level of data protection.

Under certain circumstances, data may be transferred to countries outside the European Union or the European Economic Area. In this case, suitable guarantees are in place to ensure an appropriate level of protection for the personal data of the natural persons concerned. It is possible to obtain a copy of the appropriate safeguards via privacy@moia.io.

We pass on data to affiliated companies or third parties if this is necessary to provide our services or to safeguard legitimate interests (e.g. if a MOIA mobility service is provided by a cooperation partner or you book a MOIA mobility service via a third-party platform).

A.5. Contact and feedback

If you contact us or we contact you, for instance to submit a request or to provide feedback, we will store this information to process your request or respond to the feedback. We will contact you about your request or feedback if this is necessary to clarify matters. If your request relates to a contract to which you are a party, the legal basis for the data processing is Art. 6 (1) lit. b GDPR; otherwise, the legal basis is your implied consent pursuant to Art. 6 (1) lit. a GDPR.

If you submit feedback on a MOIA Mobility Service, no account data/contact data will be passed on to the driver.

If we contact you, for example, to settle matters or incidents related to our transportation contract to which you are a party, the data processing is based on Art. 6 (1) lit. b GDPR. Contacting you in the context of our legitimate interest, such as public relations, marketing and promotion, is carried out according to Art. 6 (1) lit. f GDPR.

A.6. Application at MOIA

If you would like apply for a job at MOIA, you can find information about data protection with regard to your application on our application portal.

A.7. Data deletion

We either delete or anonymize personal data as soon as it is no longer necessary to store it for the purposes of providing our services, protecting our legitimate interests, or complying with statutory retention periods. In the case of anonymization, all information that would make it possible to identify a specific natural person are rendered unrecognizable.

A.8. Rights of the data subject

Of course, you have rights in relation to the collection of your data, which we would like to inform you about. According to the legal requirements, you have the right

• to request information from us about the personal data concerning you (Art. 15 GDPR)
• to rectification (Art. 16 GDPR)
• to erasure (Art. 17 GDPR)
• to restriction of processing (Art. 18 GDPR)
• to data portability (Art. 20 GDPR)
• to object to the processing (Art. 21 GDPR)
• if your personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) lit. f GDPR, you have the right to object to the processing at any time in accordance with Art. 21 GDPR
• to withdraw your consent (Art. 7 (3) GDPR) - if your personal data is processed on the basis of consent, the lawfulness of the processing carried out until the withdrawal is not affected by the withdrawal.

You can initiate the deletion of your personal data either directly in your "Account & Privacy" settings via the "Delete account" button or by sending an e-mail to datarequest@moia.io. In both cases, your personal data will be deleted no later than one month after receipt of your deletion request.

You can also contact our data protection officer at any time to assert your rights as a data subject or if you have any questions about data protection. You can reach them at:

datarequest@moia.io 

or 
 
MOIA GmbH
-Data Protection Officer-
Alexanderufer 5
10117 Berlin

A.9. Security

We keep your data secure using appropriate technical and organizational measures. Information that is transferred via our websites and apps is always encrypted.

A.10. Privacy Policy updates

We reserve the right to update this Privacy Policy from time to time. If there are any fundamental changes, we shall inform the MOIA App users about the update.

B.1. Visting our website

When you visit our website, the browser you use automatically sends a range of information to our servers. This includes your operating system, browser, and screen resolution settings as well as the date and time of your visit. Transferring this data is necessary in order to display the website content properly in your browser. This information is not associated with a specific natural person.

B.2. Cookies, tracking and map content from external providers

To make our websites more user-friendly and to evaluate the interest in our products, we use cookies and similar technology that helps us to track, for example, how long users spend looking at certain content. This information is not associated with a specific natural person.

We divide cookies into the categories "necessary", "statistics" and "personalization".
Cookies in the "necessary" category are essential to enable the website visit (article 6(1)(b) GDPR).

Cookies in the "statistics" and "personalization" categories are only set with the user's consent (article 6(1)(a) GDPR). The consent can be revoked at any time with future effect by deleting the cookies in the browser. Further information on the categories of cookies and the settings can be found here:

Cookie preferences

The following cookies are used:

Required
These cookies are required for the website to function and cannot be disabled in our systems. You can set your browser to block these cookies or to notify you of these cookies. However, some areas of the website will then not function. These cookies do not store any personal data.

Statistics
These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They help us answer questions about which pages are most popular, which are least used and how visitors move around the site. All information collected by these cookies is aggregated and therefore anonymous.

Personalisation 
These cookies enable the website to provide advanced personalisation. They may be set by us or by third parties whose services we use on our sites. They may be used by these companies to profile your interests and show you relevant ads on other websites. They do not directly store personal data, but are based on a unique identification of your browser and internet device. If you allow these cookies, we can provide appropriate advertising and better offers.

B.2.1 Google Analytics

We use Google Analytics on our website. This is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). By using Google Analytics, we are able to understand usage behavior on our website. For this purpose, user profiles may be created with a pseudonym. These user profiles are not associated with a specific natural person.

As a rule, Google will anonymize your IP address when you use our website if you are inside a member state of the European Union or the European Economic Area. In exceptional cases, the IP address may be sent to a server in the United States, where it is then made anonymous.

Google Analytics will only be activated if you have accepted cookies of the category “statistics”.

In addition to the standard functions of Google Analytics, we use the extended feature Remarketing with Google Analytics. This extended feature will only be activated if you have accepted cookies in the "Personalization" category and enables target group-oriented advertising in the Google advertising network.

You can deactivate Google Analytics by deleting the cookies in your browser or by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

Alternatively, you can click here to save a cookie that will prevent your data from being collected when you access this website in the future.

More information about Google Analytics and data usage by Google can be found here:

https://www.google.com/analytics/terms/us.html and https://policies.google.com/privacy?hl=en.

B.2.2 Google Ads Remarketing

We use Google Ads. By using Google Ads, visitors of our websites can be targeted with advertising when they visit other websites in the Google Search Network or Google Display Network. For this purpose, pseudonymous usage profiles can be created.

Google Ads will only be activated if you have accepted cookies of the category “personalization”.

You can deactivate Google Ads by adjusting your cookie settings or by downloading and installing the browser plug-in available under the following link: https://support.google.com/ads/answer/7395996?hl=en

More information about Google Ads and data usage by Google can be found here: https://policies.google.com/technologies/ads?hl=en and https://policies.google.com/privacy?hl=en.

B.2.3 Facebook Pixel and Facebook Custom Audiences

On our website we use both the Facebook Pixel and Facebook Custom Audiences retargeting (also in the Pixel mode). These services are provided by Facebook Inc., 1 Hacker Way, Menlo Park, California, USA and Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). A pixel is placed on our website that establishes a connection to Facebook servers when you visit the website. In this way, Facebook learns that you have visited our website and may associate this information to your personal Facebook profile. We use the Facebook Pixel to determine how effective our advertising on Facebook is. We use Facebook Custom Audiences in order to display advertising to our website visitors on Facebook that reflects their interests. For more information on how Facebook collects and processes data, please visit: https://www.facebook.com/about/privacy/.

Facebook Pixel and Facebook Custom Audiences will only be activated if you have accepted cookies of the category "personalization". You can deactivate both services by deleting the cookies in your browser.

Furthermore, you can opt-out of interest-based advertising on Facebook by adjusting your settings here: https://www.facebook.com/adpreferences/ad_settings/?entry_product=account_settings_menu.

Additionally, you can store an opt-out cookie by clicking here. This prevents data from being sent to Facebook when you access this website.

B.2.4 Google Maps

On our website, we use Google Maps so that you can access interactive maps. We use this feature to present our service area on a map, for example. Location data that is sent to Google is always made anonymous.

For more information about how Google processes data, see: https://www.google.com/policies/privacy/. You can find Google’s privacy policy on this page: https://policies.google.com/terms?hl=en.

B.2.5. Pinterest Tag

We use a “Pinterest tag” on our website. This is a pixel for Pinterest Inc., 635 High Street, Palo Alto, CA, USA (“Pinterest”). When you visit our website a connection to Pinterest servers is established. Through this connection, Pinterest is informed that you have visited our website and may assign this information to your personal Pinterest profile. We use the Pinterest tag to be able to track the effectiveness of our marketing on Pinterest and to be able to present visitors to our website with personalized ads on Pinterest.

The data collected in this way is anonymous and does not give us any references to the identity of the user in question. The data is stored in accordance with statutory data retention periods and then automatically deleted. Further information can be found in Pinterest's privacy policy: https://policy.pinterest.com/en-gb/privacy-policy.

The Pinterest tag is only enabled if you have accepted “Personalization” cookies. You can deactivate the tag by deleting the cookies in your browser.

You can also block personalized ads on Pinterest by deactivating the related settings under “Personalization” at https://help.pinterest.com/en/article/personalization-and-data.

B.2.6.1 LinkedIn Insight Tag

This website uses the conversion tool "LinkedIn Insight Tag" provided by LinkedIn Ireland Unlimited Company. The Insight Tag creates a cookie in your web browser that allows us to collect information such as: IP address, device and browser settings, and website events (such as page views). The IP addresses are shortened or - if they are to be used for cross-device recognition - hashed. The users' unique identifiers are removed within seven days to pseudonymize the data. This remaining pseudonymized data is then deleted within 180 days.

LinkedIn does not share any personally identifiable information with MOIA, but provides aggregated anonymized reports about the website audience and ad performance. In addition, LinkedIn offers retargeting via the Insight Tag. MOIA may use this data to display targeted advertising outside of its website. For more information about LinkedIn's privacy policy, please refer to the LinkedIn Privacy Policy.

LinkedIn members can control the use of their personal information for marketing purposes in their account settings. To disable ("opt-out") the Insight tag on our website, click here.

B.2.7 Friendly Captcha 

We use the Friendly Captcha service of Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany on our website.   

Friendly Captcha checks whether the data entry on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, Friendly Captcha analyses the behaviour of users. This analysis begins automatically as soon as users start filling out a form. Friendly Captcha does not use cookies and does not store any other user data.  

The data processing is based on the legal provisions of Art. 6 (1) f (legitimate interest) of the General Data Protection Regulation (DSGVO). Our concern in terms of the DSGVO (legitimate interest) is the protection of our web presence from spam and abuse.  

You can find more information about data protection at Friendly Captcha here. 

B.2.8 Microsoft Bing Ads - Universal Event Tracking (UET) 

B.3. MOIA Newsletter

With our newsletter, we aim to keep you informed about interesting articles from our blog. For the purpose of sending the newsletter, we store and process your email address. The processing of your data is based on your consent in accordance with Art. 6 (1) (a) of the GDPR. We will store your data until you withdraw your consent or until we discontinue the newsletter. We use Emarsys as our data processor for the newsletter.

B.4. userlike

On our career page, we offer a chat & video chat function so that you can get in touch with the recruiters more easily. For inquiries outside of service hours, you can leave your contact information (name, email address) and we will get back to you.

The legal basis for the processing is Art. 6 para. 1 lit. b DSGVO. The chat history will be deleted after 3 months.

B.5. MOIA Participation

If you register at Mitmachen , we will regularly invite you by e-mail to participation events and surveys. For this purpose, we store and process the data you enter in the registration form (name, e-mail address, place of residence, zip code, year of birth, gender, preferred language, physical disabilities, residential status, income situation, children in the household, car availability, purpose of MOIA use).

Your data is processed on the basis of your consent in accordance with Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR. We store your data until you withdraw your consent or we discontinue this format. We use Emarsys as a processor to send the invitations.

C.1. Registration

When registering to use our MOIA App, you enter your login details. We use this information to set up your user account. Fields are marked as optional if the respective information is not required for registration.
If you have added a photo to your user account, you can delete it or replace it with another photo at any time. Select your profile to see the various options that are available to you.

C.2. Requesting MOIA Mobility Services and integration of map content

C.2.1. Requesting a MOIA Mobility Services within the MOIA App

When you request a MOIA Mobility Service, we use the location details in the request (starting point and destination) to present booking options and to calculate the best routes for our vehicles.

We also use this information – with no reference to individual persons – to better tailor our services in line with demand and to improve our route calculation algorithm. 

We do not use location data to create a movement profile of you.

C.2.2. Integration of map content

Location data is shared with the map provider in order to display maps in the MOIA App and to navigate you to the point where you can start using the MOIA Mobility Service.

The map content is integrated using Google Maps, a service provided Google. Location data that is sent to Google is always made anonymous. For more information about how Google processes data, see: https://www.google.com/policies/privacy/. You can find Google’s privacy policy on this page: https://policies.google.com/terms?hl=en.

C.3. Payment function

C.3.1. Payment service provider

Your payment details are transmitted to our payment service provider in order to complete the payment process. Our payment service provider is Adyen N.V., Simon Carmiggelstraat 6–50, 1011 DJ Amsterdam (“Adyen”). The transmission of your data takes place for the purpose of payment settlement with the payment service provider Adyen according to Art. 6 (1) lit. f DSGVO.

To prevent and detect instances of fraud, your IP address, e-mail address as well as a device and payment service provider specific ID can be transmitted. All data transfers are encrypted. The legal basis for this processing is our legitimate interest under Art. 6 (1) lit. f GDPR.

Detailed privacy information about Adyen can be found online at:

https://www.adyen.com/policies-and-disclaimer/privacy-policy.

For more information about data processing when using PayPal, see:

https://www.paypal.com/webapps/mpp/ua/privacy-full.

C.3.2. Real Time Account Updater

To make your payment experience as convenient as possible, we use the Mastercard Automatic Billing Updater (ABU), which keeps your credit card information up to date. This automatic update of your credit card information provides a seamless process for updating the account without any action on your part as the cardholder. In addition, the feature simplifies uninterrupted service.

You may object to your credit card provider to the processing and forwarding of updated credit card information.

The legal basis for the collection of updated credit cards is the fulfillment of the contract according to Art. 6 (1) b DSGVO.

C.4. use of MOIA Mobility Services

When you book a MOIA Mobility Service, we will associate the booking details and information about performance of the MOIA Mobility Service to your user account, showing your previous trips in the MOIA App.

In addition, your information will be shared with the provider performing the MOIA Mobility Service. Data processing by the MOIA Mobility Service provider occurs in accordance with this Privacy Policy.

The driver of the MOIA vehicle is given your first name for identification purposes. Your initials will be displayed next to your stop on the vehicle’s information screen (e.g. “JB” for “Josephine Bloggs”). This allows you to track your position on the screen and see when you have reached your destination.

If there are any disruptions to the provision of our MOIA Mobility Services (e.g. your MOIA vehicle is delayed), we will use your contact details to notify you by phone, e-mail, text message, in-app alert, or push notification.

C.5. Optimization of the MOIA app and MOIA mobility services

When you use the MOIA app and the MOIA mobility services we provide, your data will also be processed by MOIA for other purposes. Such processing of customer data serves the purposes of continuously developing our offers, advertising campaigns, and mobility concepts while making them more attractive for you. To this end we use transaction data from MOIA mobility services (e.g. booked trips) and information about how the MOIA app is used so that we can respond better to customer inquiries and reviews and offer discounts or vouchers in a more targeted manner. Furthermore, reference to data allows us to control our spending on advertising more effectively and to offer our customers the best possible mobility services. By processing your data, we can also continuously improve our customer service and customer satisfaction by being in a position to respond to customer inquiries more individually.

The legal basis for the additional processing of your data is Article 6.4 of the GDPR in conjunction with the legal basis for the original processing in line with the fulfillment of contractual purposes (Article 6.1.1(b), GDPR) or the protection of our legitimate interests (Article 6.1.1(f), GDPR). Insofar as additional data processing is based on Article 6.4 of the GDPR in conjunction with Article 6.1.1(f) of the GDPR, our legitimate interests lie in increasing our service quality, improving customer communication, optimizing our offers, and ensuring that our advertising measures can be fully evaluated and improved.

We will store your data for additional processing as long as you use the MOIA app or our MOIA mobility services, and we will delete your data after the statutory retention periods have elapsed. Further information on exercising your rights as a data subject can be found in the section headed “General Conditions” of this data protection notice (A.8).
Data Protection Notice “CRM 2.0”

C.6. Use of vouchers & Smart Saver redeem codes

C.6.1. Use of vouchers

If you book a MOIA Mobility Service using a voucher that is billed to a third party (e.g. your employer or an event organizer purchased the voucher), information about the use of the voucher may be shared with the respective third party for accounting reasons (e.g. date and time of booking, booking number, coupon code, price). Your account information will not be forwarded to the third party. A personal reference can only be made by the third party, if the third party issues the voucher personalized.

The legal basis for transferring the data is Article 6 (1) sentence 1 lit. f GDPR.

C.6.2. Use of Smart Saver redeem codes

If you redeem a Smart Saver by means of an activation code, we assign this activation code to your account to enable you to receive the discount and to provide customer support. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit b. GDPR.

If the activation code has been purchased via a third party (e.g. your employer), information on the use of the activation code may be transmitted to the third party so that it can use it for accounting purposes (legitimate interest). The legal basis for this processing activity is Art. 6 para. 1 sentence 1 lit f. GDPR.

C.7. Improving our services

C.7.1 Google Firebase

We use Google Firebase to improve our app and to provide various features. Google Firebase makes it possible to use a variety of products. In particular, we use Crashlytics, Google Analytics for Firebase, Dynamic Links, Cloud Messaging, In-App Messaging, A/B Testing and Remote Config. You can find more information about these services here.

When Google Firebase is used, data is sent to Google using a pseudonym. We are unable to associate this data with a specific natural person. You can find more information about data privacy in connection with Google Firebase here.

You can opt-out Google Firebase (with the exception of Remote Config and A/B Testing) at any time by moving the “Analytics” slider inside the MOIA App accordingly. You can find the slider in the MOIA App's privacy settings when you visit your profile.

C.7.2 adjust

We use a service called “adjust” in our MOIA App. Provided by adjust GmbH, Saarbrücker Strasse 37a, 10405, Berlin (“Adjust”), adjust helps us to establish links between advertising campaigns and the subsequent installation and use of the MOIA App so that we are able to measure the success of advertising campaigns. For example, we look at which advertising measures via a social network have led to a MOIA trip. 

For this purpose, we use pseudonymized data such as your IDFA or Google Play Services ID as well as truncated IP and MAC addresses. The information collected is not associated with a specific natural person without explicit consent. This data is also not used by Adjust for its own purposes or passed on to third-party providers. 
 
The data is used to analyze and evaluate the performance of our marketing campaigns and marketing channels, to bill our marketing partners for marketing measures and to detect fraud attempts in connection with marketing measures (e.g. "click fraud", in which underlying billing systems are manipulated by simulating clicks on ads). This data is also used to improve the design of advertising measures and to analyze the use of the app in pseudonymous form. For example, we determine the extent to which an advertising campaign for the "MOIA Smart Saver" product has led to a purchase. 
 
The data on user actions (e.g. registrations, trips) are stored by Adjust for a period of 14 months and then automatically deleted. All other event data is stored for 2 months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month. 

You can object to the collection of data by Adjust at any time here: https://www.adjust.com/forget-device/.: https://www.adjust.com/forget-device/. 
 
Data processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our aforementioned legitimate interests. 

C.8. Push notifications

Our MOIA App offers push notifications, which are messages created by the MOIA App that can be displayed on your device. You can decide at any time whether you want to allow push notifications or not by adjusting on your device.

C.9. Personalized marketing

We aim to send you messages that are of interest to you. For this reason, we ask for your consent to the following during the registration for our MOIA App:

"I am at least 16 years of age and would like to receive personalized information about vouchers, offers, products, and surveys from MOIA by e-mail, text message, push notification, or through advertisements (e.g. via social media). Data about location, usage, and content will be combined for this purpose. I have read the privacy policy. You have the right to withdraw your consent at any time.”

Your consent is optional. With your permission, we will use the information below to determine whether certain content is of interest to you:

Registration data (e.g. email address, first name, last name), Booking data (e.g. spending, journeys made, preferred starting points and destinations), Usage data (e.g. opening rates and click behavior in the MOIA Apps, websites, and newsletters), Location data (When processing locations, MOIA may use location-based services such as WLAN, GPS, or Bluetooth, which are used for data transmission. Localization only takes place in close proximity to our virtual MOIA stops and inside our MOIA vehicles. The storage of location information is temporary; this data is not used to create movement profiles. Additionally, MOIA may request a “blurred” location when the MOIA App is launched in order to decide which service area is of interest to you. This blurring takes place on your device, so no exact location is transmitted to MOIA. A log of blurred locations is not created.).

Consent is granted for the following marketing channels:

Email, SMS, Push notifications (if enabled on your device), In-app notifications, Advertising on third-party websites (retargeting), Advertisements within the Google and Facebook advertising networks (MOIA may use a campaign management tool provided by emarsys eMarketing Systems AG, Hans-Fischer-Straße 10, 80339 Munich (“emarsys”) to upload a hash of your e-mail address (a combination of letters and numbers) to the Google and Facebook advertising networks. Each advertising network can compare this hash value to other hash values that are already known to the network and determine whether you are a network user or not. If this is the case, advertisements may be displayed within the network. For more information about the Facebook data policy, please visit: https://www.facebook.com/policy.php. Google’s privacy policy can be found online at: https://policies.google.com/privacy?hl=en).

You may withdraw your consent to receiving personalized marketing information at any time with effect to the future. To do so, select the unsubscribe link contained in each e-mail we send out, adjust the privacy settings in the MOIA App, or send an e-mail to datarequest@moia.io.

Please note that it can take up to 48 hours to process your withdrawal of consent for technical reasons.

The legal basis for processing your personal information for personalized marketing is your consent (article 6(1)(a) GDPR).

C.9.1 Facebook Custom Audiences (App Marketing) 

In order to be able to show you individually adapted advertisements for our service within the social network Facebook, a service of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"), and on partner pages of Facebook, we work with Facebook Custom Audiences. This allows ads (e.g. banners) to be formulated in such a way that they are tailored precisely to the customer's possible needs. This is initially based on a so-called tagging process. In this process, the so-called advertising identifier (IDFA or GAID) is transmitted from the customer's end device (e.g. smartphone) to Facebook via a specific interface, either automatically or manually, with the involvement of a service provider selected by MOIA. You can prevent the transmission of the advertising identifiers if you activate the option "no ad tracking" for iOS under "Settings" - "Privacy" - "Advertising" or the option "disable personalised advertising" for Android under "Settings" - "Google" - "Ads". You also have the option to delete the advertising identifier at any time in the device settings (iOS: "Reset Ad ID"; Android: "Reset Advertising ID"). A new identification number will then be created for your device, which will not be merged with the previously collected data.

After the advertising identifiers have been transmitted, MOIA creates a list of customers who have taken certain actions with the MOIA app. Only certain predefined actions can be selected (e.g. installation of the MOIA passenger app in the last 30 days). Facebook matches the customers' ad identifier with the ad identifier of people with a Facebook profile, defines certain groups (e.g. group 1: installation in the last 30 days) and then serves ads to these groups. Facebook can also use the data to select other Facebook users whose statistical behaviours are similar to those of our customers or app users (so-called statistical twins, called Lookalike Audience by Facebook). This allows us to reach people with our advertising who do not yet use our service but are very likely to be interested in it. Customers who are not Facebook users cannot be matched by Facebook and will not be shown ads. Furthermore, with your consent, we can manually upload your email address to Facebook in encrypted form (so-called hash process). Facebook then compares whether the transmitted email addresses match existing Facebook customers. If there is a match, these target groups are served ads/campaigns by MOIA on Facebook or on partner pages of Facebook. In connection with Facebook Custom Audiences, we process the following data pursuant to Art. 6 para. 1 lit. a DSGVO: Advertising identifier (IDFA from Apple or GAID from Google) and email address.

If you no longer wish your data to be processed in connection with Facebook Custom Audiences, you can revoke your consent under "Account & Privacy" of the MOIA app (to be found there under the "Profile" option) by switching off the "Personalised Marketing" slider. Of course, you can also contact us accordingly by e-mail (datarequest@moia.io) or by sending an informal letter to MOIA GmbH -Data Protection Officer- Alexanderufer 5, 10117 Berlin.

Please note that the revocation and associated changes are only valid for the future and will take effect or be implemented no later than 48 hours after revocation. This is due to technical circumstances that do not allow a faster implementation.

C.9.2 TikTok

We partner with TikTok to display advertisements on the social media platform and measure the success of advertising campaigns. TikTok, TikTok Technology Limited ("TikTok") and TikTok Information Technologies UK Limited ("TikTok"), act as joint controllers of your personal data. MOIA and TikTok are each responsible for complying with applicable legal requirements and for complying with requests relating to your rights.

The following personal data is processed:

• Individual user identifiers such as Google Advertising ID ("GAID"), Advertiser ID ("IDFA"), Provider ID ("IDFV"), Android ID, IMEI or IP address
• Technical data such as user agent data, device information, operating system and browser data
• General information such as city, country, device language

The processing of your personal data by MOIA is based on your consent according to Art. 6 para. 1 lit. a) DSGVO with the consent in the cookie banner or your consent for personalised marketing in the MOIA app.

Your personal data will be transferred by TikTok to countries outside the European Union or the European Economic Area. Any transfer of personal data from MOIA to TikTok will be governed by the standard contractual clauses used between controllers pursuant to Article 46(2)(d) of the GDPR. For more information about possible transfers of your personal data by TikTok, please see TikTok's privacy policy at: https://www.tiktok.com/legal/privacy-policy?lang=de.

MOIA will share your personal data with Adjust to measure the success of our advertising campaigns. You can find all information about our cooperation with Adjust under point C 7.2.

C. 10. More time to walk

In your profile, you can adjust your preferred walking speed. If you activate this setting in your profile, this information will be stored in your account.  The processing of this information is used for the fulfillment of the contract according to Art. 6 (1) lit. b GDPR and your consent within the meaning of Art. 9 (2) lit. a GDPR.

To achieve complete accessibility for the use of local public transport, a substantial public interest, we process your trip data (in pseudonymous form) to optimize your customer experience as well as routing, condition and availability of our vehicles. We use this pseudonymous data to aggregate and anonymize the data, which does not allow any conclusions to be drawn about individuals, for scientific evaluations and publications. The legal basis for the processing is Art. 9 II lit. g GDPR, §22 I No. 1 lit. d BDSG i.V.m. § 8 III PBefG.

C.11. Visual impairment

You can provide information about your visual impairment in your profile so that the drivers are aware of you when you arrive and actively look out for you. In this case, we process this data on the basis of your consent pursuant to Art. 6 (1) a, Art. 9 (2) a GDPR.

To achieve complete accessibility for the use of local public transport, a substantial public interest, we process your trip data (in pseudonymous form) to optimize your customer experience as well as routing, condition and availability of our vehicles. We use this pseudonymous data to aggregate and anonymize the data, which does not allow any conclusions to be drawn about individuals, for scientific evaluations and publications. The legal basis for the processing is Art. 9 II lit. g GDPR, §22 I No. 1 lit. d BDSG i.V.m. § 8 III PBefG.

C.12. MOIA for wheelchair users

In your profile, you can indicate whether you use a wheelchair. If you activate this setting in your profile, this information will be stored in your account. You can also enter this information during the booking process.
We use this information so that we can provide you with a wheelchair accessible vehicle and the drivers are informed accordingly. The processing of this information serves the execution of the contract according to Art. 6 para. 1 lit. b and your consent in the sense of Art. 9 para. 2 lit. a DSGVO.

To achieve complete accessibility for the use of local public transport, a substantial public interest, we process your trip data (in pseudonymous form) to optimize your customer experience as well as routing, condition and availability of our vehicles. We use this pseudonymous data to aggregate and anonymize the data, which does not allow any conclusions to be drawn about individuals, for scientific evaluations and publications. The legal basis for the processing is Art. 9 II lit. g GDPR, §22 I No. 1 lit. d BDSG i.V.m. § 8 III PBefG.

C.13. MOIA for people with severe disability status

MOIA offers free rides for people with a severe disability in Hamburg. In order to offer you free rides, we will check your eligibility for free public transportation (either for you, a caretaker, or both of you) by reviewing you documents (your identity card or passport, your severely disabled person's card and supplementary sheet) in person. Therefore, you need to book an appointment with us and we will process your name, e-mail address and the date, time and location of your appointment. We will save the document status and the expiration date and will delete this data 90 days after the expiration date. The processing of this information serves the execution of the contract according to Art. 6 para. 1 lit. b GDPR and is based on your consent in the sense of Art. 9 para. 2 lit. a DSGVO.

In order to be able to offer you our service free of charge, we view the above-mentioned documents in the vehicle, transmit the trip data (usually aggregated) to the social authority for the settlement of fees, and process the appointment data for deployment planning in our customer centers. The legal basis for this is Art. 22 para. 1 lit. d BDSG in conjunction with Art. 8 para. 3 PBefG.

To achieve complete accessibility for the use of local public transport, a substantial public interest, we process your trip data (in pseudonymous form) to optimize your customer experience as well as routing, condition and availability of our vehicles. We use this pseudonymous data to aggregate and anonymize the data, which does not allow any conclusions to be drawn about individuals, for scientific evaluations and publications. The legal basis for the processing is Art. 9 II lit. g GDPR, §22 I No. 1 lit. d BDSG i.V.m. § 8 III PBefG.

C.13.1 Microsoft Bookings

We use Microsoft Bookings for scheduling the appointments for the document checks. When you book an appointment via this service, Microsoft will create and save technically required cookies on your device in order to handle your request. Microsoft Bookings is a service that Microsoft generally provides within the EU. You can learn more about Microsoft's privacy policy here: Microsoft Privacy Policy. The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the optimal organization and planning of the appointment allocation.

C.14. MOIA for hvv subscribers

In your profile you can indicate if you have a hvv subscription. If you activate this setting in your profile, this information will be stored in your account. We use this information to offer you a discounted fare in our Hamburg service area. The processing of this information serves the execution of the contract according to Art. 6 para. 1 lit. b GDPR.

Furthermore, we process the HVV status in aggregated form, pursuant to Art. 6 (1) lit. f GDPR, in order to analyze intermodalities in public transport.

C.15. MOIA booking by third parties

With the "Booking for Others" product, a MOIA trip can be booked for you by a third party via a web app. You do not need a MOIA app for these trips but must provide the third party with the data required for the booking. Their processing is described below.  

What kind of data is processed? 

We distinguish between two types of data based on their purpose to be processed: 

• trip booking-relevant data (first name, last name, room number, starting point, destination, number of passengers, time and date). 
• billing-relevant data (first name, last name, room number, time and date) from cooperation partners (e.g., hotels) who book a trip for you on their own account.  

This data is collected by the cooperation partner and stored in our application database to offer you a mobility service as described above (legitimate interest). The legal basis for this processing is Art. 6 (1) lit. f DSGVO.  

The booking-related data is used and stored as described above in the privacy policy for the implementation of the mobility application. 

In some cases, we pass on billing-relevant data to the cooperation partners for billing purposes. The legal basis for the transfer is Art. 6 (1) lit. f DSGVO with the legitimate interest of billing the trip. 

Retention periods 

Your personal data will only be processed and stored as long as the purpose or the law requires. 

The above-mentioned billing-relevant data will be stored for 7 days. 

C.16. Cookies

Cookies are small pieces of text used to store information in web browser or device. Cookies are used to store and receive identifiers and other information on computers, phones and other devices.

This section explains how we use cookies and why we use them.

C.16.1 Security, service availability and product integrity

A token is a piece of secret information that is used to prove identity. We use tokens to combat activity that violates our policies or otherwise degrades our ability to provide our service.

We store these tokens as cookies and send them to our backend services. This help us fight spam and phishing attacks by enabling us to identify computers that are used to create large numbers of fake accounts, as well as identify the browsers used by malicious actors and to prevent cyber-security attacks, such as a denial of service attack that could prevent you from accessing and using our service.

These tokens store technical characteristics on the user’s device in encrypted form, which can be used to distinguish between genuine and malicious requests. The information stored in these tokens cannot be used to identify a unique user. More information: Token characteristics

Legal basis is §25 (2) sentence 2 TTDSG.

C.17 Referral Program  

With the referral program "Friend Bonus", you can send an invitation message from the MOIA app using an email or messenger service to friends who do not yet have a MOIA account. If your invitation is successful, you will both receive a MOIA voucher as a friendship bonus.   

If you invite your friends with your unique referral code (example: SHARE-MOIA-1A2B3) and they enter the code in the app, we will assign this referral to your account to provide you and eligible friends with a voucher as a reward after their first ride and provide customer support if needed.   

If you accept an invitation and enter your friend's referral code in the app after your initial registration, the data from your first ride will be used to provide a voucher as a reward for you and your friend and to provide customer support if required.  

The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. b GDPR. Required data are also aggregated to measure the success (our legitimate interest) of the referral program (Art. 6 para. 1. lit. f GDPR).  

Retention periods: The recommendation data will be deleted six months after the voucher has been issued or the period for the first journey has expired. 

C.18 Share my MOIA’s location 

Sharer 

You can choose to share some information on your trip in real time with your contacts. After the successful booking of a trip, you can share it out of the app following a sharing icon and you will use your installed e-mail or messenger services to share this link with your contacts. This will allow the recipient of the link to see the following information in a browser: 

• live location of the MOIA you are boarding 
• its movement on a google map 
• the vehicle number  
• the pickup and drop-off location as pins on a map 
• the address of the drop-off location 
• the number of passengers you have booked for 

The website that displays your trip information will only be available until 60 minutes after your drop-off and will then be deleted. Legal basis for this processing is Art. 6 para. 1 lit. a GDPR.  

Recipient  

When you open a Trip Status Sharing link, you can see trip related data of the person who shared the link with you. We use google maps to show the vehicle and how it is moving from the pick-up to the drop-off destination. This information is only visible to you, if you choose to give your cookie consent (regarding the data processing with google please see section B.2.4.). The legal basis for this processing is Art. 6 para. 1  lit. a GDPR (your consent by clicking the ‘consent and load’ button).  The cookie we place has the following characteristics: 

What is more, for data security concerns, we process the IP address and the type of device (mobile or desktop) you are using to open the link.  The legal basis for this processing is Art. 6 para. 1 lit. f GDPR (IT security reasons). 

C.19. Reimbursement of taxi costs for unfulfilled pre-bookings

If we are unable to fulfill a pre-booking, we will reimburse your incurred taxi costs. To process this reimbursement, we collect your bank details and a copy of the taxi receipt. This data is processed solely for the purpose of reimbursing the costs.

• Legal basis: Fulfullment of the contract in accordance with Art. 6 (1) lit. b GDPR.
• Storage period: The data will be deleted after the reimbursement has been completed and statutory retention periods have expired.

C.20. Dunning process for unpaid cleaning costs

If a customer dirties a MOIA vehicle and the payment for the required cleaning is not made, we will charge the deposited payment method. If this is not possible, we will request payment via bank transfer. If payment is still not made, a three-step dunning process is initiated. For this, we process billing and contact data (email address).

• Legal basis: Legitimate interest in enforcing our claims in accordance with Art. 6 (1) lit. f GDPR.
• Recipients: Courts, lawyers, bailiffs, etc.
• Storage period: The data will be deleted after the conclusion of the dunning process and the expiration of statutory retention periods.

C.21. Telephone processing of tickets

Our customer service may proactively call you or offer a callback if you need to discuss an issue. In doing so, we use the phone number that you have either provided to us directly or that is stored in your MOIA account.

• Legal basis: Fulfullment of the contract in accordance with Art. 6 (1) lit. b GDPR.
• Storage period: The phone number is stored as long as the user account exists.

D.1. Video surveillance of the MOIA hubs

As part of our obligation to ensure the safety and integrity of our property, in particular to protect against damage, vandalism and theft, as well as our employees, our hubs are under video surveillance. Video surveillance also serves to minimise the response time of emergency services (such as the police or security service) if necessary, to detect damage to property and hazards, e.g. due to excessive speed at our depots, and to efficiently coordinate the use of parking spaces. These measures are essential for maintaining our business activities and protecting our tangible and intangible assets as well as our employees.

Video surveillance involves the processing of personal data of employees and potential third parties, in particular information about the appearance and whereabouts of the persons concerned, using cameras.

MOIA Operations Germany GmbH, Ballindamm 39, 20095 Hamburg as Controller is responsible for the data processing. Video surveillance is carried out on our behalf by our service provider SECONTEC GmbH, Georgstraße 38, 30159 Hannover in accordance with the requirements of the GDPR. The video recordings are transmitted to our service provider and stored there. Automatic deletion takes place after 72 hours.

Data processing for the aforementioned purposes through video surveillance is based on our legitimate interest in accordance with Art. 6 (1) lit. f) GDPR. Accordingly, the processing is lawful if it is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail. Our legitimate interest in ensuring the security and protection of our tangible and intangible assets and our employees as well as in the efficient organisation of our operational processes outweighs the possible impact on the personal rights, in particular the privacy, of the persons affected by the video surveillance in view of the specific nature of the video surveillance.