Skip to main content

Privacy policy

Protecting your personal data (also referred to as ‘data’) is important to us. Below, we would like to inform you about the categories of data we process and the purposes for which they are processed when you use our ParkYourBike services. We handle your personal data confidentially and in accordance with legal data protection regulations (particularly the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG)), as well as this privacy policy. To ensure you are fully informed about your rights and the collection and use of personal data, please review the following information.

Please note that our privacy policy may change over time due to the implementation of new technologies or legislative changes.

The following privacy policy provides information on the processing of your data when using our website (Section II below), the web version and the mobile version of the ParkYourBike app (unless explicitly differentiated, both are hereinafter referred to as the ‘ParkYourBike app’ or ‘app,’ Section III below), as well as for the option of on-site payment at a bicycle parking facility (Section IV below). General information applicable to all data processing activities is explained in Section I.

I. General information

1. Data controller, data protection officer, and contact information

 

Who is responsible for data processing, and whom can I contact?

The data controller responsible for processing data on this website is:

GB infraVelo GmbH
Mariendorfer Damm 1
12099 Berlin
Telephone: +49 (0) 30 700 906 301
Email: info@infravelo.de

You can reach our data protection officer at:
Data Protection Officer of Grün Berlin GmbH 
Mariendorfer Damm 1
Ullsteinhaus
12099 Berlin
E-Mail: datenschutz@gruen-berlin.de

2. Your Rights

a) Right to withdraw consent to data processing
Many data processing activities are only possible with your explicit consent. You can withdraw consent you have already given at any time. A simple email to us is sufficient for this purpose. The legality of data processing carried out before the withdrawal remains unaffected.

b) Right to object to data collection in special cases and to direct marketing (Article 21 GDPR)
If data processing is based on Article 6(1)(e) or (f) GDPR, you have the right at any time to object to the processing of your personal data for reasons arising from your particular situation; this also applies to profiling based on these provisions. The legal bases on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (objection pursuant to Article 21(1) GDPR).

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling, insofar as it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection pursuant to Article 21(2) GDPR).

Should you wish to exercise your right to object, simply send an email to support@parkyourbike.berlin.

c) Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

d) Right to access information, blocking, erasure, and rectification
You have the right, within the framework of the applicable legal provisions, to obtain information free of charge at any time about your stored personal data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to rectification, blocking, or erasure of this data. For this purpose, and for further questions about personal data, you can contact us at any time at the address provided in Section I.1.

e) Right to restriction of processing
You have the right to request the restriction of processing of your personal data. For this purpose, you can contact us at any time at the address provided in Section I.1. The right to restriction of processing applies in the following cases: If you contest the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of processing of your personal data.

If the processing of your personal data was/is unlawful, you may request the restriction of data processing instead of erasure. If we no longer need your personal data, but you need them to exercise, defend, or assert legal claims, you have the right to request the restriction of processing of your personal data instead of erasure. If you have lodged an objection pursuant to Article 21(1) GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request the restriction of processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from being stored – may only be processed with your consent or to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

3. Legal bases

We only process data if we have a legal basis to do so. We will go into more detail on the specific legal bases in each processing operation. In general, however, the following applies:

  • Where we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing.
  • When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis for the processing. This also applies to processing operations necessary prior to entering into a contract.
  • If processing is necessary to fulfil a legal obligation to which we are subject, Article 6(1)(c) GDPR serves as the legal basis for the processing.
  • If processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the first-mentioned interest, Article 6(1)(f) GDPR serves as the legal basis for the processing.

4. Retention period

We erase the data processed by us or restrict processing in accordance with legal requirements, particularly pursuant to Articles 17 and 18 GDPR. Unless expressly stated in this privacy policy, we erase stored data as soon as it is no longer required for its intended purpose. Personal data will only be retained beyond this point if necessary for other legally permissible purposes or if the personal data must be retained due to statutory retention obligations. In these cases, processing is restricted, meaning that the data is blocked and not processed for other purposes.

Statutory retention obligations arise, for example, from Section 257(1) of the German Commercial Code (HGB) (6 years for account books, inventories, opening statements of financial position, annual financial statements, commercial correspondence, accounting documentation, etc.) and from Section 147(1) of the German Fiscal Code (AO) (10 years for books, records, management reports, accounting documentation, commercial and business correspondence, documents relevant for taxation, etc.). The legal basis for continued storage is Article 6(1)(c) GDPR in conjunction with the aforementioned processing obligations. Where specific retention periods can already be stated at this point, these can be found directly with the respective processing procedures described below.

5. Children

Our app offer is not extended to children under the age of 18.

6. Data security

We apply technical and organisational measures to protect your personal data against loss, manipulation, destruction, or other attacks by unauthorised persons. We continuously improve our security measures in line with technological developments.

This site uses SSL or TLS encryption for security reasons and to protect the transmission of sensitive content, such as orders or enquiries that you send to us as the site operator. An encrypted connection is indicated by the browser’s address line switching from ‘http://’ to ‘https://’ and the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

7. Automated decision-making, including profiling

We do not engage in automated decision-making, including profiling.

8. Requests by email, chatbot, or contact form

You can contact us by email, chatbot (see details in Section I.9), or the contact form in the ParkYourBike app to receive assistance if needed or to engage in other correspondence with us.

To process your request, we will process your email address, as well as your first and last name and any other data you voluntarily provided during contact. The processing of your data in connection with the contact is based on Article 6(1)(f) GDPR. We have a legitimate interest in responding to your enquiries. If your contact relates to an existing or pre-contractual relationship between you and us, Article 6(1)(b) GDPR also serves as the legal basis for data processing.

To process your request via the contact form, we use the Jira Service Management service provided by Atlassian PTY Ltd., Level 6, 341 George Street, Sydney NSW 2000, Australia (‘Atlassian’). We have concluded a data processing agreement with Atlassian pursuant to Article 28 of the GDPR, incorporating the European Commission’s standard contractual clauses. Atlassian is committed to conducting data processing only on servers located within the EU or the EEA. For exceptional cases, Atlassian guarantees that your data will be adequately protected even if transferred to a country outside the EU or the EEA. Further details can be found here.

We retain information regarding your contact requests based on Article 6(1)(f) GDPR for a maximum of 18 months from receipt, unless statutory retention periods require further storage. Since ParkYourBike is a very new service, we have a legitimate interest in aggregated analysis of the contact requests we have received. This allows us to understand any issues related to the use of the app and improve the app’s functionality overall. Before this analysis, your personal data will be removed from the contact requests as far as possible. Therefore, the balance of interests conducted here results in the conclusion that there are no overriding exclusion interests of the users.

9. Chatbot

You can interact with our chatbot on our website. To do this, you must click on the chatbot icon. This will activate the widget, allowing you to chat with our virtual service bot. The chatbot partly uses generative artificial intelligence.

Once you click the icon, data is stored in your local storage to enable the chatbot to function properly. This also prevents the chat from closing immediately if you leave the page briefly, allowing you to continue your query without interruption. This local storage data is absolutely necessary for the technical provision of the chatbot you have activated, pursuant to Section 25(2)(2) of the Telecommunications Digital Services Data Protection Act (TDDDG). In addition to an anonymous DeviceID, only the date of the last active use is stored.

We have concluded a data processing agreement with Nortal AG, Knesebeckstraße 59-61/61a, 10719 Berlin (‘Nortal’), pursuant to Article 28 GDPR. This agreement means that Nortal may only process your data based on our instructions and solely for the purpose of fulfilling the contract between you and us. To send text messages, we use the Bird messaging service (formerly MessageBird, ‘Bird’), Trompenburgstraat 2C, 1079 TX Amsterdam, Netherlands. The technical design of the chatbot is handled by the service provider Samhammer AG, Zur Kesselschmiede 3, 92637 Weiden (‘Samhammer’). Samhammer has also entered into its own data processing agreements with Bird and Nortal pursuant to Article 28 GDPR. These agreements mean that your data may only be processed based on our instructions and only for the purposes mentioned above.

Regarding its generative artificial intelligence, the chatbot is based on the Chat GPT software provided by Open AI L.L.C., 3180 18th Street, San Francisco, California 94110, USA (‘Open AI’). Your inputs are not combined with the training data of Open AI.

Your inputs are not combined with your IP address or your contract data with us. Your inputs are generally not further processed for training purposes, and chat logs are erased after 30 days. Statistical data is retained for up to two years. If the communication does not lead to a satisfactory result, this is recorded as an error and anonymised for the continuous improvement of the chatbot.

II. Website

1. Notice regarding cookies

Cookies are used to make our services more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser. Cookies do not harm your computer and do not contain viruses.

Most of the cookies we use are known as ‘session cookies,’ which are automatically erased at the end of your visit. Other cookies continue to be stored on your device until you erase them. These cookies make it possible for us to recognise your browser on your next visit. You can set your browser so that you are informed when cookies are set and only allow cookies on a case-by-case basis, exclude the acceptance of cookies only for certain cases or in general, and enable automatic erasure of cookies when you close your browser. If cookies are disabled, the functionality of this website may be limited.

Cookies that are necessary to carry out the electronic communication process or to provide certain functions you desire are stored based on Article 6(1)(f) GDPR (for data processing) and Section 25(2)(2) TDDDG (for the use of cookies). We, as the website operator, have a legitimate interest in storing cookies for the technically error-free and optimised provision of our services.

To access or change your settings, please click here.

2. Google Analytics

a) Scope of processing
Google Analytics uses cookies that enable analysis of your use of our websites. The information collected by the cookies about your use of this website is processed on servers by Google in the EU/EEA and the USA.

With Google Analytics 4, IP address anonymisation is enabled by default. Google anonymises your IP address by truncating it within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. According to Google, the IP address that your browser transmits as part of Google Analytics is not merged with other Google data.

During your visit to the website, your user behaviour is recorded in the form of ‘events’. Events can include:

  • Page views
  • First visit to the website
  • Start of a session
  • Your ‘click path,’ interaction with the website
  • Scrolls (whenever users scroll to the bottom of the page (90%))
  • Clicks on external links 
  • Internal searches
  • Interaction with videos
  • File downloads
  • Ads viewed/clicked
  • Language setting

The following data is also recorded:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the devices you use (e.g. language setting, screen resolution)
  • Your internet service provider
  • The referrer URL (the website/advertising medium that referred you to this website)

b) Purpose of processing
On behalf of the operator of this website, Google will use this information to evaluate your use of the website and compile reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website.

c) Recipients
Recipients of the data are/may be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a processor pursuant to Article 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

d) Third-country transfer
Google also transfers and processes personal data in countries outside the EU/EEA in connection with Google Analytics. For the primary application case, the transfer of personal data to the USA, there has been a new adequacy decision from the European Commission under Article 45 GDPR since July 2023. In this decision, the European Commission confirms that an essentially equivalent level of data protection exists as within the EU. The transfer of personal data to the USA is lawful under this adequacy decision.

Transfers to other third countries without an adequacy decision are based on the EU standard contractual clauses concluded between Google entities or with customers.

e) Retention period
The data sent by us and linked to cookies is automatically erased after two months. Once a month, the system automatically erases data that has reached the end of its retention period.

f) Legal basis
The legal basis for this data processing is your consent pursuant to Article 6(1)(a) GDPR and Section 25(1) TDDDG.

g) Withdrawal
You may withdraw your consent at any time with future effect by accessing the cookie settings and changing your selection there. The lawfulness of processing carried out based on the consent until the withdrawal remains unaffected.

You can also prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, this may restrict the functionality of this and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google, as well as the processing of this data by Google by:

  • not giving your consent to set the cookie or
  • downloading and installing the browser add-on to disable Google Analytics here.

More information on the terms of use of Google Analytics and data protection at Google can be found at https://marketingplatform.google.com/about/analytics/terms/de/and https://policies.google.com/?hl=en.

3. Intelligent FAQ

We offer intelligent FAQ on our website. These capture your input and assign it to an article from our FAQ. Then, a suitable article is suggested to you. The time and input are recorded to help us improve our FAQ. No further storage of data that could identify you takes place. Data processing is justified based on Article 6(1)(f) GDPR. As the website operator, we have a legitimate interest in providing functions that enhance the usability of our website. Since the associated data processing is minimal and only anonymised data is stored, there are no overriding exclusionary interests of the data subjects.

We use the service provider Nortal AG, Knesebeckstraße 59-61/61a, 10719 Berlin (‘Nortal’) to provide the FAQ and its functions. A data processing agreement pursuant to Article 28 GDPR has been concluded with Nortal. This agreement means that Nortal may only process your data based on our instructions and solely for the purpose of fulfilling the contract between you and us. The data will be erased after a maximum of two years.

The technical design of the FAQ is handled by the service provider Samhammer AG, Zur Kesselschmiede 3, 92637 Weiden (‘Samhammer’).

Samhammer has also entered into its own data processing agreements with Nortal pursuant to Article 28 GDPR. These agreements mean that your data may only be processed based on our instructions and only for the purposes mentioned above.

III. Data processed when using the app

1. Technical operation of the app and hosting

When you use the ParkYourBike app, the following data, in particular, is processed: country, version of the mobile operating system, version of the mobile browser, time of use, IP address, and email address. This data is automatically transmitted to us. Processing is used, on the one hand, to fulfil the contract for the use of the app pursuant to Article 6(1)(b) GDPR. Processing is also in our legitimate interest to ensure error-free operation and functionality of the app and to prevent and avoid misuse and malfunctions, Article 6(1)(f) GDPR. The balancing of interests required here concludes that there are no overriding exclusionary interests of the users. No personalised evaluation of the data, particularly for marketing purposes, takes place without prior consent.

We use the service provider Viaboxx GmbH, 53639 Königswinter (‘Viaboxx’) to provide and operate our app. We have concluded a data processing agreement with Viaboxx pursuant to Article 28 GDPR. This agreement means that Viaboxx may only process your data based on our instructions and solely for the purpose of fulfilling the contract between you and us.

The data will be erased as soon as it is no longer required for achieving the purpose for which it was collected. For the provision of the app, this is the case when the respective session has ended. The log files are stored exclusively for access by administrators and are automatically erased after 60 days.

2. Other plugins and embedded content – Mapbox

Our service provider Viaboxx uses the map service of the service provider Mapbox Inc. 740 15th Street NW, 5th Floor, Washington DC 20005, USA (‘Mapbox’) to display interactive maps in our app.

Mapbox is used to provide an interactive map that shows you where bicycle parking facilities are located and how to get there. This service enables us to present our website in an appealing way by loading map material from an external server.

When displaying, the IP address of your terminal device is transmitted to the servers of Mapbox. Your location is not transmitted.

The legal basis for processing the IP address in relation to the Mapbox service is Article 6(1)(f) and (b) GDPR. The legitimate interest arises from our need for an attractive presentation of our online services and the easy location of the bicycle parking facilities offered on our homepage. Furthermore, the display of interactive maps serves to fulfil the contract.

Our service provider Viaboxx has concluded a data processing agreement with Mapbox. Mapbox is located in the United States of America, a third country outside the EU. For third-country transfers to the USA, certified companies are assumed to have an adequate level of data protection according to the EU Commission’s adequacy decision (DPF). Mapbox is a certified company.

Mapbox typically processes the data within 30 days.

3. Commercial and business services

a) Registering an account in the app and logging in
You can register an account in our app to use the service. When registering, you must provide an email address and create a password.

If you register by providing your email address and a password, you will receive an email with a code in the next step. You must click on this code to verify yourself.

Once you have successfully registered, a User ID is assigned to your account internally, and a personal PIN is generated, which you can use as an access code when booking a bike slot. If necessary, you can also store your BVG/VBB RFID card as a means of access instead of the PIN. No forwarding to the BVG, VBB, etc., takes place; the RFID card is only used to unlock access. You must also specify a payment method of your choice.

We use your data to identify you and manage your account. We use your User ID to uniquely identify you in the system and to associate reservations and parking processes with you. We also need your email address to contact you, for example, to send you technical or legal notices, updates, security alerts, or other messages related to account management. The email address is not used for advertising purposes. Furthermore, the email address is used if you forget your password to reset it.

This data processing is justified because the processing is necessary to fulfil the contract between you and us pursuant to Article 6(1)(b) GDPR to use the app. Furthermore, we have a legitimate interest under Article 6(1)(f) GDPR to ensure the functionality and error-free operation of the app. The balancing of interests required here concludes that there are no overriding exclusionary interests of the users.

Please ensure that no unauthorised person gains access to your account login details.

This data is processed until the account is closed and is erased once any statutory retention periods have expired. For data directly relevant to accounting, statutory retention periods of up to 10 years may apply. During this time, the data will only be reprocessed in the event of an audit by tax authorities. The legal basis for further retention is Article 6(1)(c) GDPR in conjunction with Section 147 AO, Section 257 HGB.

b) Use of the app after login: data processing for a bike slot booking
If you decide to book a bike slot using our app, the following data and information will be processed in connection with subsequent bookings of slots in bicycle parking facilities:

  • Email address (as account ID)
  • If applicable, personal PIN
  • Payment method: payment method ID
  • Information on reservations made: location, number of bikes, and date of reservation
  • Information on the parking process: location, number of bikes, type of ticket used, start and end of the parking process
  • When purchasing season tickets: number of bikes, duration, start and end time
  • Booking number
  • RFID card number (number of the eTicket of the VBB/BVG environmental season ticket)

This data processing is justified because the processing is necessary to fulfil the contract between you and us pursuant to Article 6(1)(b) GDPR to use the app and book a bike slot.

The payment method ID is generated by the respective payment service provider in its own data protection responsibility and transmitted to us. The data will be erased as soon as it is no longer required for achieving the purpose for which it was collected and no statutory retention periods oppose erasure. For data directly relevant to accounting, statutory retention periods of up to 10 years may apply. During this time, the data will only be reprocessed in the event of an audit by tax authorities. The legal basis for further retention is Article 6(1)(c) GDPR in conjunction with Section 147 AO, Section 257 HGB.

c) Payment using VR Payment
You can use various payment methods to pay the fee charged for a booking. We use the VR Payment service provided by VR Payment GmbH, Saonestraße 3a, 60528 Frankfurt am Main, Germany (‘VR Payment’). Using VR Payment makes it possible for you to pay for your order by credit card (e.g. VISA) or PayPal and makes it easier for us to process your booking. The payment information required in each case is processed.

Different data about you may be processed by the respective payment service provider. This may involve the processing of your email address, name, phone number, and credit card number. The transmission of the email address to the card issuer is for additional security of the payment process (3D-Secure procedure). The respective bank or card issuer is responsible for processing this data according to data protection law.

The legal basis for processing your payment data is Article 6(1)(b) GDPR. Data transfer is solely for billing purposes and thus for contract fulfilment. The transmission of your email address to the card issuer for enhanced security of the payment process is based on your consent. This data is processed until the account is closed and is erased once any statutory retention periods have expired. For data directly relevant to accounting, statutory retention periods of up to 10 years may apply. During this time, the data will only be reprocessed in the event of an audit by tax authorities. The legal basis for further retention is Article 6(1)(c) GDPR in conjunction with Section 147 AO, Section 257 HGB.

4. Use of cookies

Neither the web version nor the mobile version of the app uses cookies, pixels, tags, or similar technologies. When accessing the app, only tokens are stored in the local storage of your device. Tokens contain information about the issue time, expiration date, issuer, and a User ID and serve to identify the user to the server. They are essential for providing and operating the app. The legal basis for storing this information in the local storage of your device is Section 25(2)(2) TDDDG and, in terms of data protection law, Article 6(1)(f) GDPR. Offering our app securely and conveniently is considered a legitimate interest within the meaning of the aforementioned GDPR provision. Tokens are usually valid for one hour and are renewed upon repeated access.

IV. Collection and processing of your personal data related to the use of the bicycle parking facility without registration

1. Technical operation of the terminal software

We use the service provider Viaboxx GmbH, 53639 Königswinter (‘Viaboxx’) to provide the terminal software and operate the backend systems. We have concluded a data processing agreement with Viaboxx pursuant to Article 28 GDPR. This agreement means that Viaboxx may only process your data based on our instructions and solely for the purpose of fulfilling the contract between you and us.

The data will be erased as soon as it is no longer required for achieving the purpose for which it was collected. The log files are stored exclusively for access by administrators and are automatically erased after 60 days.

Issued: August 29th, 2024