1.1 Journey bookings

1.1.1 Downloading the app

When the app is downloaded, the necessary information is transferred to the app store, i.e. in particular the user name, email address and customer number of your account, time of download and individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data provided to the extent necessary to download the app to your smartphone. It is not stored beyond this.

 

1.1.2 Device and connection data

When your device establishes a connection with our server, the operating system and the version of our app used are processed and transmitted to us. This is done to improve the app and for troubleshooting purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in improving the app.

 

1.1.3 Authorisation for location services

For optimal functionality, the app requires authorisation to use the location services of the end device. Authorisation is requested when the app is used for the first time. Location services can be used to find a current transport option in the area.
You are not obliged to grant this authorisation. If you do not agree to the authorisation, the functionality of the app will be impaired to the extent that you will have to enter your start address manually. You can revoke or allow the authorisation at any time in the settings of your end device.

 

1.1.4 Login and user data

User data is required for initial registration and subsequent re-registration.
A customer account is created as part of your registration. In addition to various mandatory details that are required for registration and use, you have the option of providing further voluntary details. Mandatory details are mobile phone number, surname and first name. Voluntary details after creating an account are e-mail address, payment details (credit card number, expiry date) and billing address.
The legal basis for the processing of this data is Article 6 (1) a) and b) GDPR.

 

1.1.5 Map display using Google Maps

The app uses the Google Maps API application operated by Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland ("Google").  
This allows us to display maps in the app and also enables you to use the maps. The app will not work without the Google Maps API application. You can find the terms of use for Google Maps at https://www.google.com/help/terms_maps.html. There you will also find a reference to Google's privacy policy: https://policies.google.com/privacy?hl=de. We use Google Maps to calculate the estimated charge for your journey and to interactively show you the distance to the vehicle carrying out your journey. If you have consented to its use, we process your GPS location data in accordance with Article 6(1)(a) GDPR. We only pass on your GPS location data to Google in anonymised form. The identification of your person is excluded.

 

1.1.6 Location data

As long as authorisation was granted when the app was installed and not deactivated again, location data is collected and used to find and display transport options in the vicinity. Your location is not stored temporarily and is only used to find possible pick-up locations in the neighbourhood.
If you book a journey, CeBus collects the following data: at the time of booking, start location (address), pick-up location (address), drop-off location (address) and destination (address), information about your end device (operating system) as well as payment method and any discounts granted, during or after the end of the journey, journey duration in minutes and kilometres travelled. If specified during the booking process, we store the number of seats required (if a booking is made for several people), details of the local transport ticket and whether you are a wheelchair user.

The legal basis for the processing of your GPS location data is Article 6 (1) sentence 1 lit. a GDPR, the other data is collected for contract processing on the basis of Article 6 (1) sentence 1 lit. b GDPR.

 

1.1.7 Driving history

The "Account" area displays your data for booked journeys (route, start time and location, route guidance, vehicle, exit, booking code, price).

1.1.8 Billing/payment

We pass on your personal data (first and last name, date of birth, address, e-mail address, bank account details, credit card details, telephone number if applicable and data on your respective purchases) and any changes to LogPay Financial Services GmbH for the purpose of selling and assigning our claims against you that arise in connection with your purchase or booking. This is done on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest on our part is the outsourcing of payment processing and receivables management. The legitimate interest on the part of LogPay Financial Services GmbH is the processing of data for the purpose of processing payments, receivables management, assessing the admissibility of payment methods and avoiding payment defaults.

The offer to conclude a purchase contract for a ticket will only be accepted if LogPay Financial Services GmbH acquires the claim arising from the ticket sale. If LogPay Financial Services GmbH refuses to purchase the receivable, your offer to conclude a purchase contract will be rejected.

You can object to the transmission of this data to LogPay Financial Services GmbH at any time, however, it will then no longer be possible to place an order via the electronic sales channel.

You can find the data protection information of LogPay Financial Services GmbH at  documents.logpay.com/data-protection-information.pdf retrieve.

In addition, we process your personal data that we receive from LogPay Financial Services GmbH (information on the decision whether or not to purchase the receivable).

If personal data is processed for the performance of tasks carried out in the public interest (Art. 6 para. 1 sentence 1 lit. e GDPR) or to safeguard legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), you can object to the processing of the personal data concerned at any time with effect for the future. In the event of an objection, we must refrain from any further processing of your data for the aforementioned purposes, unless

• there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
• the processing is necessary for the establishment, exercise or defence of legal claims.

 

1.2 Use of Firebase

Our app uses Firebase, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). With the help of this tool, information is transmitted to us anonymously in the event of an app crash so that we can trace the cause of the respective crash and rectify it more quickly. Existing errors are analysed and identified and the quality of the app is ensured. Firebase is also used to measure the success of individual app functions. Firebase analyses the acceptance of the functions by the user.
The transmitted data is of a purely technical nature and has no personal context.
If you wish to receive the push notifications, you must explicitly consent to receiving the push notifications. You can revoke your consent at any time. You will be asked for your consent to receive push notifications during installation or the first time you use the app.
We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. Firebase and Apple generate a calculated key that is made up of the app identifier and your device identifier. This key is stored on our push platform from your selected settings in order to provide you with the content according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve exclusively as transmitters.

 

Data storage/data deletion

In principle, we only store your data for as long as it is necessary to fulfil the purpose for which it was collected or if this is provided for by law, in the event of an objection there are no compelling reasons worthy of protection on the part of CeBus to the contrary or in the event of revocation there is no other legal basis for data processing. In certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately, but will first be blocked.

 

Data transfer

The app platform is hosted by ioki GmbH, An der Welle 3, 60322 Frankfurt am Main, Germany. You can find ioki's privacy policy at https://ioki.com/datenschutz/. Furthermore, we sometimes use external service providers to process your data (e.g. troubleshooting, creation of mailings, printing or shipping service providers, data centre services). This requires us to transfer your personal data to our external service providers for a specific purpose (limited to the respective purpose). Our service providers have been carefully selected by us and commissioned in writing. They are bound by our instructions and we have informed ourselves about their technical and organisational measures for the security of the processing of personal data. Furthermore, we require our service providers to comply with the applicable data protection regulations. We work with service providers from the EU. For this purpose, we have concluded order processing contracts with our external service providers within the EU or the European Economic Area in accordance with Article 28 (3) GDPR, insofar as this is necessary for the purpose of the contract.  
Your data will only be transmitted if you have given us your express consent to do so or on the basis of a legal regulation.
If necessary for our purposes, we may also transfer your data to recipients outside the EU in individual cases. If we transfer data to third countries, we ensure that the recipient has implemented an adequate level of data protection within the meaning of Art. 45 GDPR or suitable guarantees within the meaning of Art. 46 (2) and (3) GDPR and that no other interests worthy of protection speak against the transfer of data.

 

Security and automated individual decisions

We use technical and organisational measures to protect your data from unauthorised access, loss or destruction. The transmission of your personal data from your end device (e.g. smartphone) to us is always encrypted. We do not use your personal data for automated individual decisions.

 

Rights of data subjects

You can request information about what data is stored about you. You can request authorisation, deletion and restriction of the processing of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship. If you have given us your consent to process your data, you can withdraw this at any time.

 

Right of appeal

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR). You can assert this right with a supervisory authority in the member state of your place of residence, place of work or the place of the alleged infringement. You can contact the competent supervisory authorities of the federal states here view.

 

Changes to the privacy policy

New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adapted accordingly. You will be notified accordingly in the event of changes to the privacy policy.

Status: September 2023