meinRad Data Protection Policy

Including mandatory information in accordance with Article 13 of the EU General Data Protection Regulation (GDPR)

Valid from 6 May 2022

Starting from 1.6.2022 a new data protecions policy applies. By accepting our data protection policy valid from 2.3.2021 you are simultaneously accepting our new data protection policy vaild from 1.6.2022 which can be found here https://www.mainzer-mobilitaet.de/mehr-mobilitaet/meinrad/agb.

1.      Controller

2.      Data protection officer of MVGmeinRad GmbH under data protection law

3.      Registration and rental

3.1      Personal data required for registration

3.2     Usage data collected for bicycle rental

3.3       Use of the copy of your ID and image data

3.4       Purpose

3.5       Recipients of personal data

3.6       Legal basis

3.7       Storage period of personal data

4.      Other processing via the Smartphone app

4.1       App store providers

4.2       Information collected during download

4.3       Information collected automatically

4.4       Use of map services

4.5      App authorisations

4.6       Use of push services

5.      Right to obtain information and other rights of data subjects You have the right:

6.      Security

7.      Amendment of the privacy policy

 

1. Controller

MVGmeinRad GmbH
Mozartstraße 8
55118 Mainz
Email: verkehrscenter@mainzer-mobilitaet.de
Telephone: (06131) 12 77 77
Fax: (06131) 12 66 66

In the area of customer data management, MVGmeinRad GmbH cooperates with Mainzer Verkehrsgesellschaft mbH. For this purpose, a joint controllership contract pursuant to Article 26 GDPR has been concluded. You can find further information about the contents of this contract in the relevant sections of this data protection policy.

You can reach Mainzer Verkehrsgesellschaft mbH using the following contact details:

 

Mainzer Verkehrsgesellschaft mbH

Mozartstraße 8, 55118 Mainz

Telephone: 06131 – 12 77 77

Telefax: 06131 – 12 66 66

Email:

 

2. Data protection officer of MVGmeinRad GmbH under data protection law

Mainzer Verkehrsgesellschaft mbH
Data Protection Officer
Mozartstraße 8
55118 Mainz
datenschutz@mainzer-mobilität.de

3. Registration and rental

In order to rent bicycles, there is also the option of registering via the meinRad app and renting a bicycle at a station.

 

3.1 Personal data required for registration

The data required for verification are marked as mandatory fields in the meinRad app. This also includes information on your bank account, as the rental fees are paid via direct debit or by credit card. In addition, you can enter your telephone number and email address as optional information during registration.

Your personal data (mandatory data) are required as otherwise no contract can be brought about.

Newsletter subscription by email:

MVGmeinRad GmbH (MVG) will use the email address you submitted if you consent to MVG meinRad GmbH sending you its newsletter.

You can revoke your consent for the subscription of the newsletter in the app via an opt-out after log-in. Your email address will then be deactivated for the newsletter.

We will only forward your email address to Mainzer Verkehrsgesellschaft mbH, our cooperation partner, that uses the technical services of rapidmail GmbH in Freiburg, a newsletter service provider. As a third-party processor within the meaning of Article 28 GDPR, rapidmail processes the data based on MVG’s instructions.

 

3.2 Usage data collected for bicycle rental

The following data will be collected when you rent a bicycle using your customer card or the meinRad app:

Customer and bicycle number, start and end location, start and end time, time of the ride in minutes, tariff, price, battery status of the lock

The usage data are required for contractual purposes in order to enable us to make our bicycles available to you and bill you for their use.

 

3.3 Use of the copy of your ID and image data

To prove your identity during the registration process, you can upload a selfie and a copy of your ID.

 

3.4 Purpose

The mandatory data collected are processed exclusively for the purpose of creating a user account including the billing of usage times. We process optional data (telephone number and email address) exclusively for the purpose of direct customer communication and for sending you our newsletter.

 

3.5 Recipients of personal data

Mainzer Verkehrsgesellschaft mbH, Mozartstr. 8, 55118 Mainz and ESWE Verkehrsgesellschaft mbH, Gartenfeldstraße 18, 65189 Wiesbaden are commissioned with the management of the customer data of MVGmeinRad GmbH by MVGmeinRad GmbH and host and process the data on the servers of IT service provider ElectricFeel AG within the EU.

A joint controllership contract according to Article 26 GDPR has been concluded between MVGmeinRad GmbH and Mainzer Verkehrsgesellschaft mbH. Under this contract, each company is responsible itself for the data it processes.

IT systems are inspected and maintained by IT service providers operating as third-party processors (see Article 28 GDPR) on our behalf and depending on our instructions.

Overview of our recipients of data:

  • Hosting: ElectricFeel AG, Hardturmstraße 253, Zurich, 8005, Switzerland;
  • Hosting: nextbike GmbH, Erich-Zeigner-Allee 69-73, 04229 Leipzig
  • Customer management: ESWE Verkehrsgesellschaft mbH, Gartenfeldstraße 18, 65189 Wiesbaden, Germany;
  • Customer management: Mainzer Verkehrsgesellschaft mbH, Mozartstraße 8, 55118 Mainz, Germany;
  • Technical handling of payments: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland;
  • Verification of users during registration: Rhein-Main-Verkehrsverbund Servicegesellschaft mbH, Am Hauptbahnhof 6, 60329 Frankfurt (Main), Germany.

The data are processed within the EU.

 

3.6 Legal basis

Your personal data and usage data are processed on the basis of Article 6 Section 1 Clause 1 (b) GDPR (performance of a contract). We process the optional data you provided based on your consent.

We process the copy of your ID or the image data your provided based on your consent (Article 6 Section 1 Clause 1 (a) GDPR); the same applies to the processing of your email address for sending you our newsletter.

 

3.7 Storage period of personal data

We process your personal data including your banking details during the term of your contractual relationship with MVGmeinRad GmbH.

The customer data will be deleted immediately upon the termination of the contractual relationship. The usage data (rides) will be stored in an anonymised manner. Billing receipts such as invoices and contractual data are stored for 10 years in accordance with the provisions of German tax law.

The uploaded copy of your ID and image data, if any, will be stored for a period of 3 months maximum.

 

4. Other processing via the smartphone app

 

4.1 App store providers

As a service for its customers, MVGmeinRad GmbH offers applications (apps) for mobile end devices (smartphones) for the operating systems iOS from Apple and Android from Google. The apps are available for free download and use in the respective app portals: App Store/iTunes and Google Play.

You can find the conditions of use for the App Store (iTunes) here: www.apple.com/legal/internet-services/itunes/de/terms.html. You can find detailed information about Apple’s data privacy policy here:  www.apple.com/legal/privacy/en-ww/.

You can find the conditions of use for Google Play here: play.google.com/intl/de_de/about/play-terms.html. You can find detailed information about Google’s data privacy policy here: www.google.de/intl/de/policies/privacy/.

 

4.2 Information collected during download

When you download the app, certain required information is transmitted to the app store of your choice (e.g. Google Play or Apple App Store), in particular your user name, email address, customer number of your account, time of download, payment information and individual device ID may be processed. These data are processed exclusively by the respective app store and are outside our sphere of influence.

 

4.3 Information collected automatically

As part of your use of the app, we automatically collect certain data that are required in order to use the app. This includes the internal device ID, the version of your operating system, time of access, your location at rental and return.

Purposes:

These data are transmitted to us automatically but not stored, in order to (1) provide you with the service and the associated functions; (2) improve the functions and performance features of the app; and (3) prevent and eliminate misuse and defects.

Legal basis:

The processing of these data is legitimate because (1) processing is necessary for the performance of the contract between you as the data subject and us pursuant to Article 6 Section 1 Clause 1 (b) GDPR regarding the use of the app or (2) we have a legitimate interest in ensuring the proper function and trouble-free operation of the app and in being able to offer a service in line with the market and interests and because our legitimate interest overrides your rights and interests regarding the protection of your personal data as defined by Article 6, Section 1 Clause 1 (f) GDPR.

 

4.4 Use of map services

Android operating system

 

This app uses the map service Google Maps. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

You can find the conditions of use for Google Maps here: www.google.com/intl/de_US/help/terms_maps.html. You can find detailed information about Google’s data privacy policy here: www.google.de/intl/de/policies/privacy/.

 

iOS operating system

 

This app uses the map service Apple Maps. Apple Maps is operated by Apple Inc., 1 Infinite Loop, Cupertino, California, USA, 95014, USA. By using this app, you agree with the collection, processing and use of the data automatically collected and the data you entered by Apple, by one of Apple’s representatives or a third-party provider.

You can find the conditions of use for Apple Maps here: www.apple.com/legal/internet-services/maps/terms-de.html. You can find detailed information about Apple’s data privacy policy here: www.apple.com/legal/privacy/de-ww/.

Legal basis:

The use of your location data and the establishment of a connection to the providers of the map services including the transmission of your IP address is based on your consent (Article 6 Section 1 Clause 1 (a) GDPR). Your active consent to the use of your location data is obtained in the app.

 

4.5 App authorisations

The following authorisations are needed for the use of the app:

  • Mobile data: To update and transmit booking-related data
  • Location (when using the app): To determine your location in order to verify the bicycle rental
  • Bluetooth: To communicate with bar locks at free stations or when you temporarily park the bicycle/continue the ride
  • Camera: To scan the QR code, to take a photograph of a travel pass when selecting the price, to take a photograph of an ID document and a selfie (for verification)
    1. Use of push services

The app uses push services provided by the manufacturers of the operating systems. These services are short messages which can be displayed on the user’s device display and actively inform the user.

Where the push services are used, a device token from Apple or a registration ID from Google is assigned. These are merely encrypted, anonymised device IDs. The sole purpose of their use is to provide the push services. The individual user cannot be traced. If required, the push service can be adjusted in the app settings. In addition, the receipt of push notifications can be switched off via the operating system of your smartphone.

 

5. Right to obtain information and other rights of data subjects


You have the right:

  • under Article 7 Section 3 GDPR to withdraw the consent given to us at any time. As a result, we will not be allowed in future to continue the processing of the data that was based on such consent;  
  • under Article 15 GDPR to request information about the personal data we process. In particular, you can request information about the purposes of the processing, the category of personal data, the category of recipients to whom the personal data have been or will be disclosed, the envisaged period of storage, the existence of the right to request rectification or erasure of the personal data, restriction of or objection to processing, the existence of the right to lodge a complaint, the origin of your personal data unless collected by us and the existence of automated decision-making including profiling and meaningful information regarding the details;
  • under Article 16 GDPR to request the rectification of inaccurate or the completion of incomplete personal data stored by us without undue delay;
  • under Article 17 GDPR to request the erasure of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
  • under Article 18 GDPR to request the restriction of processing of your personal data if you contest the accuracy of these data, if the processing is unlawful but you oppose the erasure of the data, if we no longer need the data but you require the data for the establishment, exercise or defence of legal claims, or if you have objected to the processing pursuant to Article 21 GDPR;
  • under Article 20 GDPR to receive the personal data you made available to us in a structured, commonly used and machine-readable format or to request the transmission of those data to another controller; and
  • under Article 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your habitual residence or place of work or that of our head office. The competent supervisory authority for our head office is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz [Commissioner for Data Protection and Freedom of Information for the State of Rhineland-Palatinate], Hintere Bleiche 34, 55116 Mainz.

You can also exercise your right to object to the processing of your personal data for the purposes of direct marketing.

Where your personal data are processed based on legitimate interests pursuant to Article 6, Section 1 Clause 1 (f) GDPR, you have the right under Article 21 GDPR to object to the processing of your personal data on grounds relating to your particular situation or if you object to direct marketing. In the latter case, you have a general right to object and your objection will be implemented by us without your having to state the grounds of your particular situation.

If you would like to exercise your right of revocation or objection, an email to  verkehrscenter@mainzer-mobilitaet.de will suffice.

Based on a joint controllership contract pursuant to Article 26 GDPR, each data subject has the right to assert his or her right towards both MVGmeinRad GmbH and Mainzer Verkehrsgesellschaft mbH.

 

6. Security

 

MVGmeinRad GmbH protects your data by technical and organisational measures against unauthorised access, loss or destruction. Our security measures are continuously improved to keep pace with technological progress.

 

7. Amendment of the privacy policy

Amendments of this data privacy policy may become necessary in line with the further development of the app or due to new legal provisions. MVGmeinRad or Mainzer Verkehrsgesellschaft mbH reserve the right to update the present data privacy policy at any time in compliance with the applicable data protection regulations. Based on a joint controllership agreement pursuant to Article 26 GDPR, both companies are jointly responsible for the lawfulness and completeness of the data privacy policy.