Privacy statement

The protection of your personal data is important to us. It is generally possible to use our websites without providing personal data. If you wish to use particular services of our company via our website or app, the processing of personal data is required. If there is no existing legal basis for such processing (e.g. the performance of a contractual agreement), we will ask for your consent.

On this page, we inform you which of your data we collect on our website and in the app, what we need this data for and how you can object to the collection of data.

Our privacy statement has a modular structure. It consists of a general section for all processing of personal data and processing situations that apply each time a website is accessed (A. General information) and a specific section, the content of which relates only to the specified processing situation and the specified offer or product, particularly visits to the websites (B. Visiting websites) or the use of the apps (C. Use of the apps). Finally, we will inform you about your rights (D. Your rights).

Structure of the privacy statement

A. General information
B. Visiting websites
C. Use of the apps
D. Your rights

A. General information

Who is responsible for data collection and processing?

We are the controller within the meaning of Article 4(7) GDPR for the processing of your personal data:

Deutsche Bahn Connect GmbH (DB Connect)
Mainzer Landstrasse 169
60327 Frankfurt am Main.

The appointed data protection officer is Dr. Marein Müller.

If you have any questions or suggestions regarding data protection, please contact us by emailing dbconnect-datenschutz@deutschebahn.com

or

by postal mail to
Deutsche Bahn Connect GmbH
Mainzer Landstrasse 169
60327 Frankfurt am Main.

If you have any questions, suggestions or criticism regarding our bike sharing products, please contact us by email at info@callabike.de.

Legal basis for data processing

We collect and process your data exclusively for specific purposes. These may result from technical necessities, contractual requirements or explicit user requests.

Insofar as we obtain your consent for the processing of personal data (e.g. when you subscribe to a newsletter), this serves as the legal basis in accordance with Article 6(1)(a) GDPR.

When we process personal data that is necessary for the performance of a contract with you, the contract forms the legal basis for that processing in accordance with Article 6(1)(b) GDPR. Article 6(1)(b) GDPR also applies to processing that is necessary prior to entering into a contract, for example in the case of inquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Article 6(1)(c) GDPR. In order to continuously improve our offer, we store and analyze usage data collected online on a pseudonymous basis. The legal basis for this is Article 6(1)(f) GDPR.

We are also interested in maintaining our customer relationship with you and providing you with information and offers that we believe match your travel wishes and interests. We therefore process your data on the basis of Article 6(1)(f) GDPR (including with the help of service providers) in order to send you information and offers. We use your email address, which we have received from you as part of our business relationship with you, for advertising purposes. Your contact details (surname, first name, postal address) may also be used for advertising by post and for market research, unless you object to such use.

You can object to this use of your data for advertising purposes at any time with effect for the future. You can send your objection by email to info@callabike.de.

The legal basis for the processing operations we carry out is indicated below. There may also be multiple legal bases for processing.

How long will your data be stored?

We only store your data for as long as it is necessary to fulfill the purpose for which it was collected (e.g. as part of a contractual relationship) or if this is required by law. As part of a contractual relationship, we store your data at least until the contract is fully terminated. The data will then be stored for the duration of the statutory retention periods.

Is data passed on?

In order to fulfill the contract, it is usually necessary to involve processors who are bound by instructions, such as data center operators, printing or shipping service providers or other parties involved in contract performance. External service providers who process data on our behalf are carefully selected by us and placed under strict contractual obligations. Strict contractual provisions, technical and organizational measures and additional controls ensure that the service providers work in accordance with our instructions. Your data will only be transferred if you have given us your express consent or on the basis of a legal regulation. Data will not be transferred to third countries outside the EU/EEA or to an international organization unless appropriate safeguards are in place. These include the EU standard contractual clauses or an adequacy decision of the European Commission.

Data may be transferred to third parties in the following cases:

  • Debt collection
    In the event of payment irregularities/default, information on outstanding payments may be passed on to a debt collection agency.

  • Payment by credit card
    If you choose to pay by credit card, the data you enter will be forwarded directly to the system of our payment service providers.

  • Payment service providers
    We use payment service providers to process payments. Encrypted data is therefore transmitted to these service providers as part of payment processing.

  • Payment by direct debit
    If you choose to pay by direct debit, your data will be passed on to our payment service providers for the purpose of checking your account.

  • Customer satisfaction survey
    We use your contact information for market research, provided you have given your consent.

Data processing in general

Regardless of whether you use our websites or apps, data processing is necessary in the following cases:

Registration

A customer account is created as part of your registration with Call a Bike, StadtRAD Hamburg, StadtRAD Lüneburg or RegioRadStuttgart. In addition to the mandatory information required for registration and use, you have the option of providing further voluntary information.

Mandatory information:

  • Address (title, first name, surname, street, house number, zip code, city, country)

  • Contact details (email address, mobile phone number)

  • Date of birth

  • Payment details (credit card number and expiry date or IBAN and BIC)

Depending on the selected tariff, further data may be collected to check compliance with registration requirements, e.g. your BahnCard number or the name of your university. To authorize the credit card payment, the check digit is requested for each payment transaction. This is not saved.

Voluntary information:

  • BahnBonus number

Tracking of bikes

The location at which you hire and return your bike will be tracked. This enables us to determine the start and end of the journey and to bill you accordingly. This data is linked to your identity.

In addition, the location of the bike may be tracked in the following situations (however, this data is never stored in a way that makes you personally identifiable):

  • The route of the bike may be tracked in order to analyze data for different cities and time periods. This information helps us and the cities to make strategic and operational decisions, e.g. where to install bike hire stations or plan cycle paths.

  • The location of the bike may be tracked during the ride to update the status LED attached to the bike. Customers can use this LED to check whether they are in a valid parking zone.

  • Bikes' locations may be randomly identified for maintenance purposes.

  • The location may be tracked in the event of suspected misuse.

Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored and processed by us for the purpose of processing the inquiry and responding to any follow-up questions. Your data will only be used for the purpose of answering and processing your inquiry and will then be deleted. Data is processed on the basis of Article 6(1)(b) GDPR (steps prior to entering into a contract, for example in cases of inquiries about our products or services) or on the basis of Article 6(1)(f) GDPR (due to legitimate business interests).

When you use the contact form, we store the IP address assigned by the internet service provider (ISP) to the computer system you use to contact us as well as the date and time of use. The collection of this data is necessary to enable us to identify the (possible) misuse of a data subject's email address at a later date and therefore serves our legal protection.

Participation in competitions

If you take part in competitions, data is collected for organizational reasons. You can find further details, such as what data is collected and for what purpose, on the page of the respective competition.

Newsletter

If you subscribe to a newsletter from us, the following mandatory information is required:

  • Email address

Your email address is processed for the purpose of sending the newsletter. By subscribing to our newsletter, you consent to the processing of your personal data (legal basis is Article 6(1)(a) GDPR). In this case, we may use your email address for advertising purposes. If you object to the use of your data for advertising, your data will only be used anonymously for statistical evaluation purposes.

When you register for the newsletter, we store

  • the IP address assigned to your computer system by the internet service provider (ISP) and

  • the date and time at which you register for the newsletter.

The collection of this data serves our legal protection by enabling us to identify misuse of your email address at a later date.

You can unsubscribe from the newsletter at any time by sending an email to info@callabike.de or by clicking on the unsubscribe link at the bottom of a newsletter.

Encryption

Data and emails are often transmitted unencrypted on the internet and are therefore not protected against unauthorized access. As the confidentiality of information sent to us by email cannot be guaranteed during transmission, we recommend that you only send confidential information by letter.

Links to external sites

If you click on a link to an external site, you are moving outside our bike sharing product world. Deutsche Bahn Connect GmbH is therefore not responsible for the content, services or products offered on the linked website. We are also not responsible for data protection or technical security on the linked website.

B. Visiting websites

The websites operated by us are as follows:

Encryption

Your data is transmitted to us via the website using SSL encryption. If SSL encryption is activated, the data transmitted to us cannot be read by third parties. The encrypted connection is indicated by the address bar in your browser changing from "http://" to "https://" and by a padlock icon in the address bar.

Use of cookies

Cookies are small text files in which personal data can be stored. The cookies can be transmitted to a page when it is accessed and thus enable the user to be identified. Cookies help to simplify the use of websites for users.

We differentiate between cookies that are strictly necessary for the proper functioning of the website and cookies that are not strictly necessary for the proper functioning.

It is generally possible to use the above-mentioned websites without non-technical cookies. You can therefore prevent tracking by cookies in your browser (do-not-track, tracking protection list) or block the storage of third-party cookies. We also recommend that you check stored cookies regularly unless you expressly wish tracking to take place. Please note: If you delete all cookies, any opt-out cookies that have been set will also be deleted, meaning that you will have to opt out again.

Analysis of data by Deutsche Bahn AG

Our websites use the Consent Management System and DB WAS website tracking. You can find more information on data processing as part of analysis by Deutsche Bahn AG and the relevant settings under "Manage consent" at the bottom of our websites.

C. Use of the apps: Call a Bike, StadtRAD Hamburg, StadtRAD Lüneburg and RegioRadStuttgart

Downloading

When you download the app, the following data is transmitted to the app store:

  • your user name,

  • your email address,

  • your customer number,

  • the time of the download,

  • the payment information and

  • the individual device number.

We have no influence on this data processing and are not responsible for it.

Data protection-friendly default settings (privacy by default)

Services that are not strictly necessary for the operation of the app or that do not serve to improve it are deactivated by default.

Location data

We provide functions in the app that offer you special services tailored to your location. In order for you to use these functions, it is necessary for your current location to be transmitted and for the app to have access to your device's location data. The app will only access your location once you have authorized the app to access location data. The legal basis for location data processing is Article 6(1)(b) GDPR. You can object to the processing of your location data at any time and disable access to your location in the settings of your smartphone's operating system.

You can also use the app without sharing your location. Bikes and stations can be found using the map in the app or on the website.

However, booking a bike is only possible with location sharing enabled.

Notifications

The app offers you the opportunity to be informed about important events and news concerning our service even without opening our app. We use push services for this purpose. For the purpose of sending you these messages, we process pseudonymous data on servers of your operating system provider, which may also be located in the USA. The legal basis for the use of push services is Article 6(1)(f) GDPR. You will only receive push notifications if you activate this function in the settings of your smartphone's operating system.

Analysis of data by Deutsche Bahn AG

Our apps use the Consent Management System and DB WAS app tracking. You can find more information on data processing as part of analysis by Deutsche Bahn AG and the relevant settings under "Manage consent" in the "Profile" menu of our apps.

D. Your rights

User rights

  • You can request information about what data is stored about you.

  • You can request the correction, erasure and restriction of processing of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.

  • If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority, in particular in accordance with Article 77(1) GDPR. The supervisory authority responsible for Deutsche Bahn Connect GmbH is: Der Hessische Beauftragte für Datenschutz und Informationssicherheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden.

  • You have the right to the portability of data that you have provided to us on the basis of consent or a contract (data portability).

  • If you have given us your consent to process your data, you can withdraw this at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  • To exercise your rights, simply send a letter by post to Deutsche Bahn Connect GmbH, Mainzer Landstrasse 169, 60327 Frankfurt am Main or an email to dbconnect-datenschutz@deutschebahn.com.

No automated decision-making (including profiling)

We do not intend to use personal data collected from you for automated decision-making (including profiling).

Legal obligation to transfer certain data

Under certain circumstances, we may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Article 6(1)(c) GDPR).

Updates to the privacy statement

In the context of the ongoing development of data protection law as well as technological or organizational changes, our privacy statement is regularly reviewed to determine whether it needs to be amended or supplemented. We therefore recommend that you re-read the privacy statement when you visit the website/app again.

Last amended: November 2024