PRIVACY NOTES FOR bus2go & bus2gether APP (EMPLOYEE APPS)
We collect data on the basis of your consent (Art. 6 para. 1 lit. a GDPR), for (pre-)contractual reasons (Art. 6 para. 1 lit. b GDPR) or legitimate interest (Art. 6 para. 1 lit. f GDPR) in order to provide our services in the best possible way and as easily as possible for you.
The provider of the bus2go and bus2gether app (hereinafter: "app") and the controller within the meaning of data protection law is KVG Stade GmbH & Co. KG (KVG), Harburger Str. 96, 21680 Stade.
You can reach our data protection officer at datenschutz@kvg-bus.de.
Data collected by us
1.1
1.1.1 Downloading the app
When the app is downloaded, the necessary information is transferred to the App Store, i.e. in particular the user name, email address and customer number of your account, time of download and individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data provided to the extent necessary to download the app to your smartphone. The data is not stored beyond this.
1.1.2 Device and connection data
When a connection is established between your device and our server, the operating system and the version of our app used are processed and transmitted to us. This is done to improve the app and for troubleshooting purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in improving the app.
1.1.3 Authorisation for location services
Optionally, the app requires authorisation to use the location services of the end device. Authorisation is requested when the app is used for the first time. Location services can be used to find toilet locations in the surrounding area.
You are not obliged to grant this authorisation. If you do not agree to the authorisation, the functionality of the app will be impaired to the extent that you will have to enter your start address manually. You can revoke or allow authorisation at any time in the settings of your end device.
1.1.4 Login and user data
User data is generated/provided by KVG and is required for subsequent repeated logins. The initial password can be changed and is then no longer known to KVG.
The surname, first name and personnel number are used. The legal basis for the processing of this data is Article 6 (1) a) and b) GDPR.
1.1.5 Map display using Google Maps
The app uses the Google Maps API application operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
This allows us to display maps in the app and also enables you to use the maps. Without the Google Maps API application, the app may not work or may not work correctly. You can find the terms of use for Google Maps at www.google.com/help/terms_maps.html. There you will also find a reference to Google's privacy policy: policies.google.com/privacy. We use Google Maps to calculate the estimated charge for your journey and to interactively show you the distance to the vehicle carrying out your journey. If you have consented to its use, we process your GPS location data in accordance with Article 6(1)(a) GDPR. We only pass on your GPS location data to Google in anonymised form. The identification of your person is excluded.
1.1.6 Access to system functions and content on your end device
Various access options and information may be required for the technical functionality of the bus2gether app and to provide the services offered with the bus2gether app. For example, the bus2gether app can use the "Profile picture" function in the user settings to access the camera system functions of the end device or content stored on the end device, such as photos.
Whether you allow this access depends on your system settings. The bus2gether app can only access the system functions of your end device if you expressly authorise this. If you allow the bus2gether app to do this, the personal data collected (e.g. the content of a photo and metadata) will be processed and used by the bus2gether app exclusively for the function you have requested (e.g. uploading a photo from your end device to the bus2gether app).
1.2 Use of Firebase
Our app uses Firebase, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). With the help of this tool, information is transmitted to us anonymously in the event of an app crash so that we can trace the cause of the respective crash and rectify it more quickly. Existing errors are analysed and identified and the quality of the app is ensured. Firebase is also used to measure the success of individual app functions. Firebase analyses the acceptance of the functions by the user.
The transmitted data is of a purely technical nature and has no personal context.
If you wish to receive push notifications, you must explicitly consent to receiving push notifications. You can revoke your consent at any time. You will be asked for your consent to receive push notifications during installation or the first time you use the app.
We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. Firebase and Apple generate a calculated key made up of the app identifier and your device identifier. This key is stored on our push platform with the settings you have selected in order to make the content available to you according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve exclusively as transmitters.
Data storage/data deletion
In principle, we only store your data for as long as it is necessary to fulfil the purpose for which it was collected or if this is provided for by law, in the event of an objection there are no compelling legitimate grounds for KVG to the contrary or in the event of revocation there is no other legal basis for data processing. In certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately, but will first be blocked. If you have any further questions on the subject of personal data, you can contact us at any time at the address given in the legal notice or fill out our contact form.
Data transfer
The app platform is hosted locally by KVG. We sometimes use external service providers to process your data (e.g. troubleshooting, creation of mailings, printing or dispatch service providers, data centre services). This requires us to transfer your personal data to our external service providers for a specific purpose (limited to the respective purpose). Our service providers have been carefully selected by us and commissioned in writing. They are bound by our instructions and we have informed ourselves about their technical and organisational measures for the security of the processing of personal data. Furthermore, we require our service providers to comply with the applicable data protection regulations. We work with service providers from the EU. For this purpose, we have concluded order processing contracts with our external service providers within the EU or the European Economic Area in accordance with Article 28 (3) GDPR, insofar as this is necessary for the purpose of the contract.
Your data will only be transmitted if you have given us your express consent to do so or on the basis of a legal regulation.
If necessary for our purposes, we may also transfer your data to recipients outside the EU in individual cases. If we transfer data to third countries, we ensure that the recipient has implemented an adequate level of data protection within the meaning of Art. 45 GDPR or suitable guarantees within the meaning of Art. 46 (2) and (3) GDPR and that no other interests worthy of protection speak against the transfer of data.
Security and automated individual decisions
We use technical and organisational measures to protect your data from unauthorised access, loss or destruction.
The transmission of your personal data from your end device (e.g. smartphone) to us is always encrypted.
We do not use your personal data for automated individual decisions.
Rights of data subjects
You can request information about what data is stored about you. You can request authorisation, deletion and restriction of the processing of your personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship. If you have given us your consent to process your data, you can revoke this at any time.
Right of appeal
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR). You can assert this right with a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. You can view the competent supervisory authorities of the federal states here.
Changes to the privacy policy
New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adapted accordingly. You will be notified of any changes to the privacy policy.