Data Privacy Policy ioki Route App

Privacy statement

For the use of our ioki Route App (hereinafter: „App “), a contract is concluded for the provision of the ioki Route License. The app is released to qualified users via ioki Route Control (Control Centre).

This privacy statement provides you with information about the data we collect from you, the way we use it and how you can object to the use of your data.

1. Provider and data protection officer

The provider of this App and the party responsible for data collecting and processing is:

ioki GmbH

An der Welle 3

60322 Frankfurt am Main

You can contact the data protection officer of Deutsche Bahn AG, Dr Marein Müller, at privacy@ioki.com. The privacy representatives at the DB Group company ioki GmbH are Mr Stephan Klöckner, stephan.kloeckner@ioki.com and Ms Majura Ganeshamoorthy, majura.ganeshamoorthy@ioki.com.

However, if you have any questions, suggestions, or complaints regarding data protection on ioki GmbH’s Route App, we recommend that you first contact our DB Group data protection officer, Dr Marein Müller (privacy@ioki.com). We recommend that you also provide us with your last name and first name in addition to your e-mail address so that we can process your request quickly.

2. Data processing and purpose

This privacy statement describes how your personal data is collected, recorded, used, disclosed, transmitted, and stored („processed “). We only collect and process your data for specific purposes. These may result from technical necessity or contractual requirements.

No personal data is processed during the specific use of the app.

This statement relates to the following App:

https://ioki.com/route/

This privacy statement is subject to continuous updates due to the evolution of our services or based on legal or official requirements.

2.1 Downloading the App

We use the Google Play Store to give customers access to the app on Android devices. When the app is downloaded, the necessary information is transmitted to the App Store, i.e. in particular the username, e-mail address and customer number of your account, time of download and individual device identification number. We have no influence on this data collection and are not responsible for it.

The privacy policy of Google’s Play Store can be found at: https://policies.google.com/privacy

2.2 Automatically collected data when you are using the app

If you use the app on your smartphone, your device establishes a connection with our servers. In this case, the operating system and the currently used version of our app are transmitted to us and processed. The transmission and processing are carried out for the purpose of improving the app and troubleshooting. The legal basis for this is Art. 6 (1) sentence 1 (f) GDPR.

We collect and analyze anonymized data on user behavior in order to improve our app. This includes, for example, which pages have been opened, which buttons have been clicked, or how long a user has spent on a particular page. The data collected does not allow any conclusions to be drawn about a natural person and does not constitute personal data. They are therefore not covered by the GDPR.

2.3 What personal data is collected?

To be able to use the app, it must first be linked to an ioki Route Control product. For this purpose, an ioki Route Control Account is required. If a device is linked to an ioki Route Control product, the app can be used without a login and user account. When using the app, the following information is collected:

2.4 Use of location services

To function optimally, the app needs permission to use the location services of the end device.

You have the option of granting permission to use the location services when you use the app for the first time. If you do not grant permission, the app will not be usable. You can revoke the permission granted at any time in the settings of your device.

2.5 Recipients of your personal data

Companies that process data (see 3: Tools for the address and privacy policies of the companies below): - MapTiler - IP address - Sentry – Device information, IP address - Mapbox – IP address

2.6 App Tracking

We collect and analyze anonymized data on usage behavior in order to improve our app. This includes, for example, which pages have been opened, which buttons have been clicked, or how long a user has spent on a particular page. The data collected does not allow any conclusions to be drawn about a natural person and does not constitute personal data. They are therefore not covered by the GDPR.

3. Tools

3.1 MapTiler

The App uses MapTiler, a service by MapTiler AG, Höfnerstrasse 98, Unterägeri, Zug 6314, Switzerland ("MapTiler").

For more information, please refer to MapTiler’s Privacy Policy: https://www.maptiler.com/privacy-policy/

We use MapTiler to display the map while navigating. Only necessary data is sent to the MapTiler servers. This includes the IP address and the position of the visible map section. This data is not stored by MapTiler.

3.2 Sentry

The App uses Sentry, a registered trademark of Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

For more information, please refer to Sentry’s Privacy Policy: https://sentry.io/privacy/

With the help of this tool, information is transmitted to us anonymously in the event of an app error to be able to trace the cause of the respective error and to be able to fix it more quickly. Existing errors are analysed and identified, and the quality of the app is ensured. The transmission includes device information and the IP address.

3.3 Mapbox

The App uses Mapbox, a service by Mapbox, 50 Beale St floor 9, San Francisco, CA 94105, USA.

For more information, please refer to Mapbox’s Privacy Policy: https://www.mapbox.com/legal/privacy

With the help of this application, we make it possible to navigate through our app. The data transmitted is purely technical and has no personal context.

4. Sharing your data with third parties

In some cases, we use external service providers (see 3: Tools) to process your data (e.g. Troubleshooting). For this purpose, it is necessary for us to transmit your personal data to our external service providers for a specific purpose (limited to the respective purpose). No personal data will be transmitted. Our service providers have been carefully selected by us and commissioned in writing. Insofar as you work for us as a processor, you are bound by our instructions, and we have informed ourselves about their technical and organisational measures for the security of processing personal data. Furthermore, we require our service providers to comply with the applicable data protection regulations. We mainly work with service providers from the EU. For this purpose, we have concluded data processing agreements with our external service providers within the EU or the European Economic Area in accordance with Article 28 (3) GDPR, insofar as this is necessary due to the purpose of the contract.

If necessary for our purposes, we may also transmit your data to recipients outside of the EU in individual cases. If we transfer data to third countries, we ensure that the recipients have implemented an adequate level of data protection within the meaning of Art. 45 GDPR or suitable safeguards within the meaning of Art. 46 (2) and (3) GDPR and that no other legitimate interests speak against the data transfer.

5. Storage period / erasure deadlines

We do not store your personal data.

6. Security measures to protect your personal data

We protect your data from unauthorized access, loss, or destruction by means of technical and organizational measures. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection-related laws and to handle personal data confidentially. Our employees are trained accordingly.

7. Automated decision making

We do not use your personal data for automated individual decisions or for profiling measures.

8. Right to object

In the case of the processing of personal data for the performance of tasks in the public interest (Art. 6 (1) sentence (1) e) GDPR) or for the protection of legitimate interests (Art. 6 (1) sentence (1) f) GDPR), you can object to the procession of your personal data at any time with effect for the future. In the event of an objection, we must refrain from any further processing of your data for the aforementioned purposes, unless

9. Your rights

Within the framework of the legal requirements, you have the right to receive information about the origin, recipient, and purpose of your stored personal data at any time free of charge. Furthermore, you have the right to rectification, deletion, and restriction of your personal data, insofar as this is legally permissible and is possible within the framework of an existing contractual relationship.

The right to restriction of processing exists in the following cases:

If you have restricted the processing of your personal data, this data may only be processed – apart from their storage – with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.

Whether and to what extent these rights exist in individual cases and what conditions apply to them results from the GDPR. The GDPR also grants you a right to data portability under certain circumstances (Art. 20 GDPR). If you have given your consent under data protection law, you can revoke it at any time with effect for the future. You also have the right to lodge a complaint with the competent data protection supervisory authority.

The supervisory authority responsible for ioki GmbH is:

Hessischer Datenschutzbeauftragter

Gustav-Stresemann-Ring 1

65189 Wiesbaden

To exercise your rights, simply send a letter or e-mail to the following address:

ioki GmbH

An der Welle 3

60322 Frankfurt am Main

Germany

hello@ioki.com

10. Updates to our privacy statement

We update our privacy statement in line with changes to functions or the legal situation. We therefore recommend that you review our privacy statement at regular intervals. In cases where your consent is required or where parts of our privacy notice include provisions of our contract with you, any such changes will take place only if you give consent.

March 2024