Data protection information

The controller responsible for processing your data is:
Verkehrsverbund Rhein-Ruhr AöR
Augustastr. 1
45879 Gelsenkirchen
Tel. 0209 / 1584-0
info@vrr.de
www.vrr.de

Further information about our company and contact details can be found in the legal notice in the app and on our website.
You can reach our data protection officer at:
datenschutz@vrr.de

We process personal data that you voluntarily provide to us or that is collected in the course of using the app and the website. Which data we process for which purpose depends largely on the respective services and functionalities that you use in the app and on the website. Below you will find an overview of the individual processing purposes and the corresponding legal bases on which the respective processing is based:

2.1. log files, usage and log data
To ensure that our website and our app are presented to you in the most effective way possible and to guarantee stability and security, we collect the following data that your device automatically transmits to us each time you visit: IP address, operating system used, referrer URL, time of server request. The IP address is deleted from all systems used in connection with the operation of the app and website after one month at the latest.
The processing of the aforementioned personal data is based on the aforementioned legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR

2.2 Use of cookies
We use cookies to make visiting our app and website attractive and to enable the use of certain functions.
Cookies are small text files that are stored on your end device. The cookies can be transmitted to a page when it is called up and thus enable the user to be identified. Cookies help to simplify the use of websites for users. Some of the cookies we use are deleted again after the end of the usage process, for example after closing your browser (so-called session cookies). Other cookies remain on your end device and enable us to recognise you on your next visit (so-called persistent cookies).
You can set your devices so that you exclude the acceptance of cookies for certain cases or in general. You can delete cookies that have already been set. If you do not accept cookies, the functionality of our app and website may be limited.
The app and website also use cookies from third-party providers. This relates to the use of marketing and tracking tools. In this respect, we refer to the information in sections 2.6 and 2.7.
An overview of the cookies used can be found at the end of this privacy policy.

2.3 Registration
By registering, you switch to the customer contract partner's area of responsibility and leave ours.

2.4. contact
In order to process your contact with us by email, we process your email address and, if you provide it, your name and telephone number as well as any other information you provide to us.
The processing of this personal data is based on the legal basis of Art. 6 para. 1 lit. b GDPR, provided that the communication is made in connection with the execution of your ticket purchase. The processing for other communication is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, namely for the needs-based processing of your contact enquiry.

2.5 Display of journey history and search queries
In order to display the history of your journeys and search queries in the app, some of your personal data is stored locally in the app. This includes History of points entered (e.g. stop, address, etc.), history of connections entered, history of lines entered, user settings, certain states of the app, certain content retrieved from the timetable information server (e.g. map tiles) and the journey authorisation. The GPS position is not stored, but is sent once to the timetable information server in the case of timetable information in order to enable an address to be calculated for timetable information.
The processing of the locally stored data is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to provide you with a functional and user-friendly app.
You can delete the map data and histories stored in the app's local app memory in the app's privacy settings.

2.6 Marketing
In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin), with whom we have concluded an agreement on order processing in accordance with Art. 28 GDPR. Further information on data processing by Adjust can be found at https://www.adjust.com/privacy-policy/.
Adjust collects the following personal data from you IP and MAC address, device IDs, including all advertising IDs, http header including SDK version, user agent (country, language, local settings, version of the operating system), user device and advertising activities, app and event token, access to the ticket overview page, shopping basket status (occupied/not occupied), login status, location, current speed (slow, medium, fast), action that the user performed in the app before the current action, registration status in the ticket shop, number and type of additional means of transport.
The processing of your personal data for this purpose is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating the settings for usage analysis in the data protection settings in the app via the "Data for marketing effectiveness" slider.

2.7 Use of Google Firebase services

In our app, we use selected functions of the Google Firebase platform, which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Certain functions may involve the transfer of personal data to servers of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

We have concluded an order processing contract with Google in accordance with Art. 28 (3) GDPR. A transfer to the USA only takes place on the basis of your express consent in accordance with Art. 49 para. 1 lit. a GDPR.

The processing of personal data by Firebase takes place exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Art. 25 para. 1 TDDD .§ 25 para. 1 TDDDG.

2.7.1 Processed data types and purposes

We use the following Firebase services:

2.7.1.1 Firebase Analytics

We use Firebase Analytics to analyse and optimise app usage. This allows us to understand how our app is used, which functions are frequently used and where there is potential for optimisation.

Processed data:

• Device information (model, operating system, language settings)
• App usage (session duration, number of sessions, functions used)
• Movement and location data (if activated), e.g. speed, region, time
• Information on ticket usage and selected means of transport
• Actions within the app (e.g. selected ticket shop, login status, selected payment method)
• Pseudonymised Firebase instance ID (no user name, no account data).
• We completely dispense with cross-device tracking (user ID is deactivated). There is also no linking with other Google services or for advertising purposes.

2.7.1.2 Firebase Crashlytics

We use Firebase Crashlytics to diagnose errors and improve app stability. In the event of an app crash, the service collects technical information about the incident and helps us to resolve problems quickly.

Processed data:

• App status at the time of the crash
• Device type, operating system version
• Time and duration of the fault
• Crash reports (e.g. stack trace, log messages)
• Randomly generated instance ID (UUID)

2.7.3 Privacy-friendly configuration

The VRR app is configured so that:

• all Firebase services are only activated after your active consent
• no data is transmitted before consent is given
• there isno product link with other Google services
• no target group formation, no re-marketing and no profiling takes place
• data sharing with Google is completely deactivated
• Consent management and revocation

You can voluntarily consent to data processing in the context of Google Firebase when you start the app for the first time. This is activated via the "Data for app use" slider in the app's privacy settings.

You can revoke your consent at any time with effect for the future by deactivating the slider in the settings. No further data will be transferred to Google Firebase once you have withdrawn your consent.

2.7.4 Data transfer to third countries

Data is only transferred to servers in the USA on the basis of your express consent in accordance with Art. 49 para. 1 lit. a GDPR. Google is also certified in accordance with the EU-U.S. Data Privacy Framework.
We have concluded standard contractual clauses of the EU Commission with Google for further protection.

2.7.5 Storage duration

The instance ID is stored locally until the app is uninstalled.

The data stored in Firebase is automatically deleted after a maximum of 14 months.

Crash reports are stored by Google Crashlytics for 180 days.

2.7.6 Further information on processing by Google

Google processes your data exclusively on our behalf and only to provide the above-mentioned functions. Google may not use the data for its own purposes or link it to other services.

You can find out more about the services used in plain language at

Firebase Privacy Policy (German):
https://firebase.google.com/support/privacy

Overview of collected data (German):
https://support.google.com/firebase/answer/6318039?hl=de

Contractual data processing by Google:
https://firebase.google.com/terms/data-processing-terms
 

2.8 Other purposes
In addition to the aforementioned processing purposes, we also process your personal data for the following purposes:
- To fulfil our statutory retention obligations or obligations under data protection law. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR.
- To exercise any legal claims or to defend ourselves against claims. This processing is based on the legal basis of Art. 6 para. 1 lit. f GDPR.
- To respond to and comply with requests from public authorities. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR.

When you use our app and our website, your usage and log data is automatically transmitted by your browser (see section 2.1). Without this technical data, it is not possible to display our app or our website properly for you.

We will only retain your data for as long as is necessary to fulfil the purposes set out above. In addition, we are subject to various retention and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified there are up to ten years. Finally, the storage period is also determined by the statutory limitation periods, which can be up to thirty years in accordance with Sections 195 et seq. of the German Civil Code (BGB), for example, whereby the regular limitation period is three years.

When providing our services, we use external service providers who process your data on our behalf. These include companies in the following categories:
- Technical service providers for the operation and maintenance of our IT systems and server infrastructure
- Marketing and tracking providers for our advertising activities
In addition, we also share your data with other third parties who process your data on their own responsibility. These include companies in the following categories:
- Authorities or other state institutions, insofar as we are legally obliged to do so.
With regard to the aforementioned recipients, you will find further information on the purposes of data processing under section 2.

Insofar as this is necessary for the aforementioned purposes, we also transfer your data to recipients outside the European Economic Area (EEA). We ensure that data is only transferred to third countries if there is a legal basis for this. This means that we only transfer your data if the EU Commission has issued a decision on an adequate level of data protection for the respective third country (Art. 45 GDPR), suitable guarantees are provided for the protection of your personal data (cf. Art. 46 GDPR) or a legal authorisation standard exists (see Art. 49 GDPR).
Specifically, this concerns the following recipients:
If you have consented to the data transfer in accordance with Art. 49 para. 2 lit. a GDPR, we will transfer your personal data listed under section 2.7 to our service providers in the USA. Please note that there is no comparable level of data protection in the USA as in the EU/EEA and therefore it cannot be completely ruled out that your data may be disclosed to government agencies without adequate legal remedies. You can revoke your consent to the data transfer at any time by deactivating the "Data for marketing effectiveness" slider in the data protection settings in the app under the tab Settings for usage analysis.
We also transfer your personal data to the technical service providers we use, who support us in operation and maintenance and are based in the USA. Your personal data is stored exclusively on servers within the EU/EEA. However, it cannot be completely ruled out that your personal data may be transferred to the USA (e.g. for support requests). For this purpose, we or the technical service providers we use have taken appropriate measures to ensure an adequate level of protection for your personal data. In addition to the conclusion of the EU Commission's standard contractual clauses, this also includes the implementation of additional technical organisational and contractual protective measures. We do not transfer your other personal data to any countries outside the EEA.

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. If we process your personal data on the basis of your consent, you can revoke this consent at any time without any formal requirements with effect for the future. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
If your personal data is processed to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you can object to this processing in accordance with the legal requirements in Art. 21 GDPR. Further information on your right to object can be found in section 10.

To exercise the aforementioned rights, please contact the bodies named in Section 1.
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR) if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The address of the data protection supervisory authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit NRW, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany, Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de

When using our app and our website, there is no automated decision-making in accordance with Art. 22 GDPR.

Below you will find a description of the cookies that we use on our website. These are functional cookies as well as marketing and analysis cookies. Analysis and marketing cookies are only used if you have consented to the activation of these cookies. You can revoke your consent to the use of marketing and analysis cookies at any time in the settings options in the app or on the website.

10.1 Functional cookies
These cookies are absolutely necessary for the display and operation of the app or website, including the associated functions and services. As the app or website cannot be provided without these cookies, these cookies are set automatically when the app or website is accessed.

Name / Provider / Storage period / Description

UserID / MENTZ / Validity is limited to one session / This is a cookie that assigns a unique ID for the user's specific session. The assigned ID ensures that the ticket shop works during the entire visit and that the interactions made by the user (e.g. product selection) are properly assigned to the respective user. The ID acts as a bracket for the user's information stored on the server.

ClientID / MENTZ / See above / See above

OrganisationID / MENTZ / See above / See above

ClientID / MENTZ / See above / See above

OrganisationName / MENTZ / See above / See above

10.2 Marketing and analysis cookies
These cookies are used to improve the functionality and user-friendliness of our website and to track preferences. They collect information about your usage behaviour, e.g. which pages you visit most frequently and whether you receive error messages from pages.

Name / Provider / Storage period / Description

Adjust / Adjust / Within the scope of the legal provisions / See section 2.6

Google Firebase / Google / 2 months / See section 2.7

Firebase Analytics / Google / 2 months / See section 2.7.1

Firebase Crashlytics / Google / 2 months / See section 2.7.2

We will revise this data protection notice in the event of changes to the app or the website or other occasions that make this necessary. We will inform you of the changes (e.g. by email or in the app or on the website). You will always find the latest version in the app or on the website.