Privacy policy app

Data protection guideline PowUnity // BikeTrax

This guideline applies to the use of the BikeTrax app and to all related services and other possible interactions between BikeTrax and you.

This privacy policy describes how BikeTrax collects, uses and shares information and what options you have with regard to this information.

Who are we?

PowUnity GmbH
Feldstrasse 9d, 6020 Innsbruck, Tirol
Austria
Telephone + 43-512-319751
info (at) powunity (dot) com

Which access authorizations are required?

In order to use BikeTrax properly, you have to grant certain permissions on your smartphone. These permissions allow us to offer you the best tracking functionality. BikeTrax requires access to the following categories:

Location

• approximate location (cellular based)
• precise location (GPS and cellular based)

Location permission is optional and is used to show your current position relative to the position of the tracker on the map.

Camera

• Take photos and videos

This authorization is optional and is only required if you want to scan the QR code for the installation of the tracker or to photograph the invoice and the bike for a bike pass. However, you also have the option of entering the BikeTraxID manually.

Other

• Push messages

This authorization is optional and is used to notify you directly of events from the use of our products and services through push messages.

• Control over vibration

This permission is optional and is used to send out notifications with vibrations.

What information do we process and for what purpose?

We collect information about you if you voluntarily provide it to us and if you use our products and the services of BikeTrax. BikeTrax can process your profile information, payment information, location data and activity data in the following way:

Profile information

As soon as you register for a BikeTrax account and set up interactions within BikeTrax, you enter your email address and a password. This information is mandatory information, without which access to BikeTrax would not be possible. You also have the option of voluntarily uploading your own profile picture.

We need this information to enable you to use BikeTrax properly and to better personalize your account. The legal basis for the processing of your data is your consent in accordance with Article 6 (1) (a) GDPR with regard to the mandatory information and Article 6 (1) (a) GDPR with regard to the voluntarily disclosed data.

Your profile information will be deleted 1 year after your BikeTrax account has been deactivated.

Payment Information

We collect certain payment and billing information about you if you choose to pay for a BikeTrax service. This data is required in accordance with Art 6 (1) (b) GDPR to process the contractual service. This data is only shared with those third parties, e.g. banks and payment service providers, who must be involved in order to make payments.

Furthermore, in the event of legal claims being pursued, we may have to provide your data to authorized third parties, e.g. collection agencies, lawyers or courts.

Your payment information will be stored by us in accordance with the statutory provisions from the Federal Tax Code for 7 years after the end of the calendar year in which it was incurred or as long as legal action is necessary.

Location data

By using the BikeTrax services, we collect and store data about your GPS positions or other telephone-related location data (e.g. via WLAN or Bluetooth). On the one hand, we process localization data generated by the use of your product, which you secure with one of our GPS trackers, on the other hand we process data about your current location if you voluntarily disclose it via the settings of your smartphone. We use this data exclusively to guarantee the function of our product in connection with BikeTrax. From the location data, route information is generated for you, which you can view on a daily basis within BikeTrax. We have provided options for you to decide how long you want to keep your route data within BikeTrax. As soon as you end the contract with BikeTrax, no further location data will be processed. As we are obliged to take security measures under data protection law, your location data will still be stored in our backup system for a maximum of 1 year.

Activity data

We automatically collect information about you as soon as you use BikeTrax. This includes the use of certain functions within BikeTrax. This generates data that provides additional information about the way users work with BikeTrax. This gives us conclusions that we use for the further development of BikeTrax in the interest of our users. Activity data can e.g. be the IP address, the page that was visited before using a function, the date and time of using a function and cookie data. The processing of this data is based on our legitimate interest in optimizing and further developing BikeTrax in accordance with Art.6 Para. 1 Letter f GDPR. Furthermore, due to data protection regulations in accordance with Article 32 GDPR, processing steps must be documented in a comprehensible manner. Activity data will be deleted no later than 1 year after it was created.

What data protection technologies do we use at BikeTrax?

Registration via Auth0

We use the Auth0 service to carry out registration and login with BikeTrax. The provider of this service is Auth0, Inc., 10800 NE 8th St, Suite 700, Bellevue, Washington 98004, USA (“Auth0”).

As far as data from Auth0 is transmitted to the USA, we point out that Auth0 is certified under the Privacy Shield and thus guarantees that all measures have been taken to comply with European data protection law. See also: https://www.privacyshield.gov/participant?id=a2zt0000000TQsZAAW&status=Active. A transmission of the data to Auth0 is therefore permitted according to Art 45 GDPR.

For the processing of the profile information necessary for registration and login, we have concluded an order processing contract in accordance with Art. 28 GDPR with Auth0.

You can find more information about data protection at Auth0 here: https://auth0.com/privacy.

Registration via Google Sign In

We offer you the possibility to register with BikeTrax directly with us using Google Sign In via a Google account. This service is provided by Google Ireland Limited, Barrow Street, Dublin 4, Ireland (“Google”). If you decide to register with Google Sign In and click on the “Login with Google” button, you will be automatically redirected to the Google platform. There you can log in with your user data.

This will link your Google profile to BikeTrax. This link gives us access to your data stored on Google. These are in particular your Google name, the Google profile picture and the email address deposited with Google. This data is used to set up, provide and personalize your account with BikeTrax.

Registration via Facebook Connect

We offer you the option of registering with BikeTrax directly with us via Facebook Connect using a Facebook account. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).

To log in or register yourself, you will be redirected to the Facebook page, where you can log in with your user data.

When registering via Facebook, we receive the general and publicly available information stored in your profile, depending on your privacy settings made on Facebook. This information includes e.g. the user ID, name and profile picture.

The data transmitted by Facebook is stored and processed by us to create a user account with the necessary data, if you have released it on Facebook.

If data from Facebook is processed in the USA, we would like to point out that Facebook Inc., based in the USA, is certified under the Privacy Shield Agreement and thereby guarantees that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). The transmission of data to the USA is therefore permitted under Art. 45 GDPR.

For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights and setting options to protect your privacy, please refer to Facebook’s data protection information: https://de-de.facebook.com/policy.php.

Payments through payment service providers

We use external payment service providers who can be used to make payments to us. You will be informed of the specific payment service providers we use in our payment system. The payment service providers are used by us to fulfill contracts on the basis of Art. 6 Para. 1 Letter b GDPR and we transmit the data we need to make the payment to them.

The respective payment service providers are themselves responsible within the meaning of Article 24 GDPR. They are independently responsible for the processing of your data under data protection law. Should you therefore wish to obtain further information or to assert revocation, information and other data subject rights against the payment service provider, we refer you to the respective payment service provider. The data processed by the payment service providers include data such as your name and address, bank details, e.g. account numbers or credit card numbers, passwords, TANs as well as the contract, sums and recipient-related information, insofar as these are absolutely necessary for the execution of the payment.

However, the data entered will only be processed and saved by the payment service providers. That is, we do not receive any account or credit card-related information, only information confirming or declining the payment. The data may be transmitted by the payment service provider to companies that check the creditworthiness. Your data will be deleted by us after the expiry of legal warranty and compensation obligations or other contractual or legal obligations.

The general terms and conditions and the data protection information and declarations of the respective payment service providers apply to the execution of the payment transactions.

You can find a selection of the data protection regulations of the most important payment service providers here:

• Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
• Klarna / Sofortüberweisung (https://www.klarna.com/de/datenschutz/)
• Visa (https://www.visaeurope.at/legal/privacy-policy.html)
• Mastercard (https://www.mastercard.at/de-at/datenschutz.html)
• American Express (https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html)
• Stripe (https://stripe.com/de/privacy)

Error analysis using Sentry

We use the bug analysis service Sentry within BikeTrax. This service is provided by Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, USA (“Sentry”).

The information generated by Sentry about your use of BikeTrax is usually transferred to a Sentry server in the USA and stored there.

As far as data from Sentry is transmitted to the USA, we would like to point out that Sentry is certified under the Privacy Shield and thus guarantees that all measures have been taken to comply with European data protection law. See also: https://www.privacyshield.gov/participant?id=a2zt0000000TNDzAAO&status=Active. A transmission of the data to Sentry is therefore permitted according to Art 45 GDPR.

We have concluded an order processing contract in accordance with Art. 28 GDPR with Sentry for the processing of the data necessary for the error analysis. Sentry’s terms of use and privacy policy can be found at: https://sentry.io/privacy/.

SIM card management with Cisco Jasper

We use the Cisco Jasper Control Center to manage SIM cards that are built into our products. The data involved is technical information about the respective SIM card. A personal reference can only be established using the SIM card number and our other systems.

Management of user requests and FAQ with Groove

We use the Groove service to manage user requests and create FAQs. This service stores request data.

Service updates and news using Active Campaign

For BikeTrax we use the services of ActiveCampaign for service updates and news to our customers. The provider is ActiveCampaign, Inc., 1 N Dearborn, 5th Floor, Chicago, Illinois 60602, USA (“ActiveCampaign”). This service uses your email address to send you information. The legal basis for this is the legitimate interest in looking after our active customers in accordance with Art. 6 para. 1 letter f GDPR. You can object to this legitimate interest at any time if you do not want any service updates or news about your products and services.

ActiveCampaign is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with the European data protection level (https://www.privacyshield.gov/participant?id=a2zt0000000GnH6AAK&status=Active). The transmission of data to the USA is therefore permitted under Art. 45 GDPR.

You can find more information in the data protection regulations of ActiveCampaign at https://www.activecampaign.com/privacy-policy/.

Analysis by Google Firebase

At BikeTrax we use the tracking service “Firebase” from Google Ireland Limited, Barrow Street, Dublin 4, Ireland (“Google”). Firebase uses tracking technologies that enable an analysis of your use of BikeTrax, e.g. for performance monitoring, for error logs and for analyzing user behavior, e.g. which screens were viewed and which publications were opened and how often. The purpose of using Firebase is to analyze the use of BikeTrax, to improve it regularly and to be able to operate it more economically. We can use the statistics obtained to improve our offer and make it more interesting for you as a user. The legal basis for this data processing is Art. 6 Para. 1 Letter f GDPR, since we have a legitimate interest in the analysis, optimization and economic operation of BikeTrax and the data processing is necessary to safeguard this interest.

Firebase collects information about the use of BikeTrax and transfers it to Google and stores it there. The data is only collected anonymously and transmitted to Firebase. There is no link to other user data. Google will use the information mentioned to evaluate your use of BikeTrax for us and to provide us with other services related to the use of apps.

You can find more information on Google Firebase and data protection at firebase.google.com.

General information on the use of Google services

If data from Google should be processed in the USA, we would like to point out that Google is certified under the Privacy Shield Agreement and thereby guarantees that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

The Privacy Shield Agreement is an agreement between the European Union and the United States, which is intended to ensure compliance with European data protection standards in the United States. The transmission of data to the USA is therefore permitted under Art. 45 GDPR.

You can find further information on data use by Google, setting and objection options in Google’s data protection declaration at https://policies.google.com/privacy?hl=de.

Disclosure of data

Your personal data will not be passed on to third parties for purposes other than those specified in this policy. If data is transmitted to third countries in accordance with the foregoing, this will only be done without sufficient guarantees within the meaning of Art. 44 – 49 GDPR.

Data retention

According to Art 5 Para. 1 lit e GDPR, we are obliged to delete personal data immediately as soon as the purpose for processing has been resolved. Insofar as no information on the storage period of data has been given in this guideline, we would like to point out that statutory retention obligations and deadlines represent a legitimate purpose for the processing of personal data.

Unless otherwise stated in this guideline, we will process personal data until the end of the business relationship or until the expiry of the statute of limitations; furthermore until the end of any legal disputes in which the data is required as evidence; or at least until the end of the third year after the last contact with a business partner.

Order processing

For the operation of BikeTrax, we use the following sub-processors based on an agreement in accordance with Art 28 GDPR:

| Sub-processor | Purpose | Domicile |
|---|---|---|
| Mittwald CM Service GmbH & Co. KG | Web hosting service provider | Espelkamp (Germany) |
| Amazon Web Services | Web hosting service provider | Frankfurt (Germany) |
| Google Ireland Limited | Analysis service provider; Registration | Dublin (Ireland) |
| Facebook Ireland Limited | Registration | Dublin (Ireland) |
| Functional Software Inc. (Sentry) | Error analysis | California (USA) |
| Active Campaign | Service Updates / News | Chicago (USA) |
| Stasto | Order processing | Innsbruck (Austria) |
| Groove | User requests / FAQ | |
| Auth0 Inc. | User registration | Washington (USA) |
| Cloudinary | Image storage | California (USA) |

Data security

Taking regular account of the state of the art, the implementation costs, the type, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of a risk to the rights and freedoms of natural persons, we at BikeTrax in accordance with Art and organizational measures to ensure that you have a level of protection for your data that is commensurate with the risk.

We have set up options at BikeTrax that guarantee the exercise of data subject rights. The protection of personal data is also taken into account already during the development of BikeTrax, in accordance with the principle of data protection through technology design and through data protection-friendly default settings in accordance with Article 25 GDPR.

You can request a list of the specific technical and organizational measures we have taken from us at any time.

Your rights

You have the right:

• to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can obtain information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data, unless it was collected by us, and the existence of automated decision-making, including profiling and, if necessary, meaningful information about its details;

• according to Art. 16 GDPR, to immediately request the correction of incorrect or the completion of your personal data stored by us;

• to request the deletion of your personal data stored by us, in accordance with Art. 17 GDPR, unless the processing is required for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for asserting, exercising or defending legal claims;

• to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, provided that you dispute the accuracy of the data, the processing is unlawful but you refuse to have it deleted, we no longer need the data but you need it to exercise or defend legal claims, or you have objected to processing in accordance with Art. 21 GDPR;

• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another person responsible;

• in accordance with Art. 21 GDPR, if your personal data are processed on the basis of our legitimate interest, to object to the processing of your personal data, provided that there are reasons for this that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which we will implement without specifying a particular situation;

• to revoke your consent given to us at any time in accordance with Art. 7 Para. 3 GDPR. As a result, we are no longer allowed to continue processing the data based on this consent in the future;

• to complain to a supervisory authority regarding the illegal processing of your data by us in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or our company headquarters. The supervisory authority responsible for BikeTrax is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, Tel.: +43 1 52 152-0, dsb@dsb.gv.at.

Changes to this privacy policy

BikeTrax reserves the right to change this policy from time to time due to changes in laws and regulations. We will post these changes on this page, and we encourage you to review our policy updates here. If we make significant changes, however, you will receive a separate notification, e.g. by email. If you do not agree to the existing policy, you can deactivate your BikeTrax account at any time.

Innsbruck, January 2020

PowUnity GmbH
Feldstrasse 9d, 6020 Innsbruck, Tirol
Austria
Telephone + 43-512-319751
info (at) powunity (dot) com