1. General notes and mandatory information
General note
These data protection provisions are written both in a detailed version (black font) and (if necessary) in a simpler version (green font) that is easier for children and young people to understand.
Children and young people are welcome to contact us or their legal guardians if they have any questions about this privacy policy.
The following information provides a simple overview of what happens to your personal data when you use our app. Personal data is any data that can be used to identify you personally. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.
This section explains what happens to your personal information (name, email address, etc.) when you use our app.
Who is responsible for data collection in the app?
The controller is the legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.). Data processing in the app is carried out by
PayCenter GmbH
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
eMail: info@PayCenter.de
Responsibility for the processing of your data (name, e-mail address, etc.) is assumed by petaFuel GmbH together with PayCenter GmbH.
The responsibilities of the two companies:
PayCenter GmbH is the card-issuing e-money institution and offers registered users a prepaid Mastercard for use at all electronically connected Mastercard acceptance points.
The use of the VIMpay card is based on a contractual relationship between the user and PayCenter.
The Mastercard you receive from VIMpay is provided by PayCenter.
petaFuel GmbH is the publisher of the VIMpay app and is responsible for the technology, app development and account management. A contractual relationship regarding the use of the VIMpay card is established exclusively between the cardholder and PayCenter.
petaFuel is not an issuing office directly commissioned by Mastercard, but merely forwards the customer's data to the authorized offices and acts as an intermediary between the user and the licensed issuing office (card-issuing e-money institution).
The company petaFuel is responsible for the technical side of the card.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This may be data that you enter during the registration process. Other data is collected automatically by our IT systems when you use the app. This is primarily technical data (e.g. app version, operating system or timestamp of the app call). This data is collected automatically as soon as you start the app.
There is information that you give us yourself, e.g. through your registration. We collect some technical data (e.g. app version, time the app was called up) automatically as soon as you start the app.
What do we process your data for?
- If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed in accordance with Art. 9 para. 1 GDPR. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information in your end device (e.g. via device fingerprinting), the data processing is also carried out on the basis of Section 25 (1) TDDDG. Consent can be revoked at any time.
- If your data is required to fulfill the contract or to carry out pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR.
This applies in particular to the use of the VIMpay card and its functions, such as paying with your smartphone, paying with wearables, flash charging of the card, P2P chat, sending money in chat.
You can find all the functions of the VIMpay card at www.vimpay.de/features.
- Furthermore, we process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 para. 1 lit. c GDPR.
As an e-money institution, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act, tax laws) and banking supervisory requirements (e.g. German Federal Financial Supervisory Authority). The purposes of processing include identity and age verification, fraud and money laundering prevention, the fulfillment of tax control and reporting obligations as well as the assessment and management of risks within the company.
- Data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
Examples:
- Securing flash top-ups (transmission of your IP address to the account-holding bank)
- Error-free provision of the app
- Advertising, provided you have previously consented to the use of your data
- Assertion of legal claims and defense in legal disputes
- Ensuring IT security and IT operations
- Prevention of criminal offenses
Information on the relevant legal bases in each individual case is provided in the following paragraphs of this privacy policy.
We use the information that we process from you for the following purposes:
- To fulfill the contract (use of the VIMpay card)
- To improve our app
- For identity and age verification, fraud and money laundering prevention
- To analyze your user behavior
Who receives your data?
Within the company, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes if they comply with banking secrecy and our written instructions under data protection law. These are essentially companies from the categories listed below.
With regard to the transfer of data to recipients outside the e-money institution, it should first be noted that, as an e-money institution, we are obliged to maintain confidentiality about all customer-related facts and evaluations of which we become aware.
We may only pass on information about you if this is required by law, if you have given your consent, if we are authorized to provide bank information and/or if processors commissioned by us guarantee compliance with banking secrecy and the requirements of the EU General Data Protection Regulation/Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be, for example
- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, Federal Central Tax Office) if there is a legal or official obligation.
- Other credit and financial services institutions, comparable institutions and processors (see point 5. Order processing) to whom we transfer personal data in order to conduct the business relationship with you.
In detail: Processing of bank information, support/maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, recovery, payment card processing, customer administration, telephony, video legitimation, website management, payment transactions.
Other data recipients may be those entities for which you have given your consent to the transfer of data or for which you have released us from banking secrecy in accordance with an agreement or consent.
We only pass on the data to the bodies or persons who absolutely need it or are authorized to do so.
Is data transferred to a third country or an international organization?
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders (e.g. payment orders), is required by law (e.g. tax reporting obligations), if you have given us your consent or as part of commissioned data processing. If service providers are used in a third country, they are obliged to provide suitable guarantees in accordance with Art. 46 GDPR.
This also includes the automatic exchange of data as part of the Mastercard Automatic Billing Updater (ABU) database to minimize the rejection of card payments when credit card details expire or change. The data is transmitted to:
- Mastercard Inc, 2000 Purchase Street, Purchase, NY 10577, USA.
Some of your data will be transferred to Mastercard in the USA.
Note on the transfer of data to third countries that are not secure under data protection law and the transfer to US companies that are not DPF-certified
Among other things, we use tools from companies based in third countries that are not secure under data protection law and US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). If these tools are active, your personal data may be transferred to these countries and processed there. We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed in third countries that are not secure under data protection law.
We would like to point out that the USA, as a safe third country, generally has a level of data protection comparable to that of the EU. Data transfer to the USA is therefore permitted if the recipient is certified under the "EU-US Data Privacy Framework" (DPF) or has suitable additional guarantees. Information on transfers to third countries, including data recipients, can be found in this privacy policy.
Recipients of personal data
As part of our business activities, we work together with various external bodies. In some cases, it is also necessary to transfer personal data to these external bodies. We only pass on personal data to external bodies if this is necessary for the fulfillment of a contract, if we are legally obliged to do so (e.g. passing on data to tax authorities), if we have a legitimate interest in the transfer in accordance with Art. 6 para. 1 lit. f GDPR or if another legal basis permits the transfer of data. When using processors, we only pass on our customers' personal data on the basis of a valid contract for order processing. In the case of joint processing, a joint processing agreement is concluded.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from http:// to https:// and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Analysis tools and tools from third-party providers
When you use our app, your usage behavior may be statistically evaluated. This is done primarily with so-called analysis programs. The analysis of your usage behavior is anonymous; the usage behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. Details on this can be found in our privacy policy under the heading "Analysis tools".
Your rights at a glance
- Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
- Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)
If the data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. This also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).
If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling insofar as it is associated with such direct advertising. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 (2) GDPR).
- Right to lodge a complaint with the competent supervisory authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedies.
The competent supervisory authority for data protection issues is
Bavarian State Office for Data Protection Supervision
P.O. Box 1349
91504 Ansbach
Telephone: 0981/180093-0
Fax: 0981/180093-800
E-mail: poststelle@lda.bayern.de
Website: www.lda.bayern.de
If you feel that your data is not being properly protected, you have the right to contact this authority.
- Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.
If you would like us to forward your data to you or another company, please let us know.
- Information, correction and deletion
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data at any time. You can contact us at any time if you have further questions on the subject of personal data.
- Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time to do this. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to check this. You have the right to request the restriction of the processing of your personal data for the duration of the review.
- If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21 (1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
- If you wish, we can provide you with information at any time about where we have obtained your data and what we do with it.
- If you no longer want us to use your data, all you have to do is let us know.
2. Data protection officer
Data protection officer required by law
We have appointed a data protection officer for each of our companies. The following contact options are available to you for all questions relating to data protection:
petaFuel GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-400
eMail: datenschutz@petaFuel.de
PayCenter GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
eMail: datenschutz@PayCenter.de
3. Data processing in the app
Data processing during registration and subsequent card use
Users can register and create a user account. The data entered during registration will be used for the purposes of using the service.
We collect, process and use personal data only insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures, as well as on the basis of Art. 6 para. 1 lit. c GDPR, which makes processing necessary for compliance with a legal obligation to which the controller is subject. We collect, process and use personal data about the use of our app (usage data) only insofar as this is necessary to enable or charge the user for the use of the service.
The customer data collected will be deleted after completion of the order or termination of the business relationship. It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract if this does not conflict with statutory retention periods.
Statutory retention periods remain unaffected. These include the retention obligations under commercial and tax law: German Commercial Code (HGB), German Banking Act (KWG) and the German Money Laundering Act (GwG). The periods specified there are two to ten years. If data is retained as evidence, it is subject to the limitation periods of the German Civil Code (BGB) §§195ff. and can be up to 30 years, whereby the regular limitation period is three years.
IP addresses are deleted after 90 days at the latest.
This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR.
It is also possible that your IP address will be transmitted to the account-holding bank when a payment is triggered (flash top-up) for security and fraud prevention purposes. This is done on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.
If legitimization is required for registration in accordance with Section 11 GWG, the personal data collected during identification will only be stored by the identifying company (Deutsche Post AG or IDnow GmbH) to the extent that this is necessary for the proper determination, billing and evaluation as well as for proof of the correctness of service charges (charge data). Furthermore, we use the data provided as part of the Postident procedure to compare the personal master data stored by us in our database for the purposes of legally required legitimation.
The data collected in your user account always belongs to you. We only use your data for the intended purpose and in confidence and only pass it on to third parties within the scope of the services you have requested.
If you have terminated your user account, your data will be completely deleted.
If you want to cancel your contract, save your data beforehand.
We would otherwise automatically delete all data that we are not required to keep by law.
In order to be able to use the service, we may collect the following data from you:
- Company name
- First and last name
- Address
- Date of birth
- ID card data
- eMail address
- Account details
- Mobile phone number
- PEP status
- Direct debit mandates
- IP address at the time of registration
- IP address of the login
- HBCI access data
- Account numbers of addressees
- Account turnover
- Tax ID
- Communication data for managing your VIMpay card via the petaFuel GmbH interface
- Message texts when using the chat function
- Status of the user when using the chat function
Server log files
petaFuel GmbH automatically collects and stores information from the app in so-called server log files. The following information is transmitted to us by the app:
- App name and version
- Operating system used
- Device model
- Referrer URL
- Host name of the mobile device
- Time of the server request
- IP address
- Language and region
This data is not merged with other data sources.
The basis for data processing is Art. 6 para. 1 lit. f GDPR, which permits the processing of data to safeguard legitimate interests. We use this data both to operate and improve the app and to prevent fraud.
The data will be deleted automatically after 90 days at the latest.
We automatically store information from the app. This data is not merged with other data sources.
Access rights of the app
The app can request the following access rights, which are classified as critical. These access rights can be defined individually and separately by the customer.
iOS
- Network connections
Is required so that the app is fully functional and can transmit and receive data.
- Background update
Is required by Apple Services, here in particular for push notifications.
- Notifications
Is required to receive messages, in this case push notifications.
- Access to photos and camera
Is required to set a profile picture for the app, to create card pictures (picturecard and card variants), to use the QR scanner and for identification verification using Videoident.
- Contacts
Required to check whether a contact is also a VIMpay user in the chat and to top up credit for prepaid mobile phone contracts.
- Microphone
Used for communication for identification verification with Videoident.
Android
- Read, change or delete memory contents
Is required to export PDFs (this is the case, for example, if you export your sales as a PDF).
- Access to all networks
Is required so that the app is fully functional and can transmit and receive data.
- Deactivate sleep mode
Is required to be able to receive push notifications.
- Contacts
Required to check whether a contact is also a VIMpay user in the chat and to top up credit for prepaid mobile phone contracts.
- Notifications
Is required to receive messages, in this case push notifications.
- Access to photos and camera
Is required to set a profile picture for the app, to create card pictures (picturecard and card variants), to use the QR scanner and for identification verification using Videoident.
- Microphone
Used for communication for identification verification with Videoident.
In order to enable the use of the app, the app can request additional, non-critical authorizations in addition to those listed here.
The app can request these access rights. You can set these access rights individually and separately.
HBCI error reports in the app
If you agree to the storage and transmission of the error report in the app, you agree that your HBCI data (e.g. account number and transactions) will be transmitted to petaFuel in encrypted form so that errors occurring in the app can be analyzed and rectified. To protect your login from unauthorized access, the banking password is removed before transmission. There is no automated transmission of error reports with corresponding HBCI data. HBCI transactions are only saved locally in the app. When the app is deleted, the locally stored HBCI transactions are also deleted.
The transmission and storage takes place on the basis of Art. 6 para. 1 lit. a GDPR (consent of the data subject).
If you agree to the storage and transmission of the error report in the app, you agree that your data (e.g. account number and sales) will be transmitted to petaFuel in encrypted form in order to determine the error.
Your sales data is saved locally in your app. If you decide to delete the app, your locally saved data will also be deleted.
4. Order processing
We occasionally engage other companies to provide limited services on our behalf and within the scope of the business purpose. These companies may only process the personal data that is necessary for the provision of the respective service. These companies undertake to treat the data confidentially. The companies are expressly prohibited from using the information for other purposes. We have concluded an order processing contract with the following companies and pass on personal data where necessary:
- Between petaFuel and Deutsche Post AG (PostIdent, Videoident, address verification): Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn
- Between PayCenter and Deutsche Post Direkt GmbH (address verification): Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf
- Between petaFuel and Melissa Data GmbH (address verification): Melissa Data GmbH, Cäcilienstr. 42-44, 50667 Cologne
- Between PayCenter and Infoscore Consumer Data GmbH (address verification): Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden
- Between petaFuel and IDnow (Videoident): IDnow GmbH, Auenstr. 100, 80469 Munich
- Between petaFuel and Authada GmbH (legitimization via eID): Authada GmbH, Julius-Reiber-Str. 15a, 64293 Darmstadt, Germany
We may have to pass on your data to third-party providers in order to provide our services. However, they are obliged to protect your data.
5. Analysis tools
Matomo
This app uses the open source web analysis service Matomo.
With the help of Matomo, we are able to collect and analyze data about the use of our app by app visitors. This enables us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our app visitors perform certain actions (e.g. clicks, purchases, etc.).
This analysis tool is used on the basis of Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in analysing user behavior in order to optimize both its app and its advertising. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
IP anonymization
We use IP anonymization for the analysis with Matomo. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.
Cookieless analysis
We have configured Matomo so that it does not store cookies.
Matomo processes the following data:
- Anonymized IP addresses by removing the last 2 bytes (i.e. 192.68.0.0 instead of 192.68.100.54)
- Pseudo-anonymized location (based on the anonymized IP address)
- Date and time
- Title of the page accessed
- URL of the requested page
- URL of the previous page (if this is permitted)
- Screen resolution
- Local time
- Files that have been clicked and downloaded
- External links
- Duration of the page layout
- Country, region, city (with low accuracy due to IP address)
- Main language of the device
- User agent of the device
You can object to the storage and analysis of this data by Matomo at any time by navigating to Security → Improve app.
6. Data collection when contact is made
If you contact us by e-mail, contact form, telephone or fax, we will store and process your inquiry including all personal data (name, inquiry) for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
Basic automatic deletion periods:
- Tickets from non-customers: 6 months
- Tickets from customers: 1 year
- Tickets with data protection reference: 3 years
When you contact us (e.g. by contact form, email, chat, telephone or via social media), your contact details will be stored for the purpose of responding to your inquiry. However, this data is also regularly deleted by us.
7. Chat function
The VIMpay app offers a chat function that allows the user to contact customer service as well as other VIMpay users.
In addition, VIMpay card functions can be used via the chat (e.g. sending money).
A list of all the functions of the VIMpay card and the chat can be found at www.vimpay.de/features (see also - What do we process your data for).
The chat function for communicating with customer service is permanently activated. Deactivation is not possible.
The chat function for communicating with other VIMpay users is deactivated by default. To use it, it must first be activated.
By activating and using this chat function, the user agrees that
- other users are shown their current online status.
- his name (first name and surname) stored with VIMpay is displayed to other users
- his profile picture is displayed to other users
- the sent and received messages are stored on the server for a limited time (this storage ensures that the messages can be restored after reinstalling the app).
Messages are automatically deleted by the server after a certain period of time:
- Messages from single or group chats after 30 days
- Messages from the support chat:
- unauthenticated users: after 90 days
- authenticated users: after 10 years
If a user wants to deactivate the chat function again after activation, an opt-out option is available in the app (not possible for the chat function with customer service!).
By opting out, the user agrees that all messages will be deleted by the server after the above-mentioned periods.
Messages are not deleted from the user's smartphone, but must be deleted by the user themselves.
The chat messages are stored on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
When you use the chat, other users will see your name, your profile picture, your online status and all messages will be saved by us. If you no longer wish to use the chat, you can deactivate it, but all messages will be deleted after a certain period of time.
Use of chatbots
We use chatbots to communicate with you. Chatbots are able to respond to your questions and other input without human assistance. In addition to your input, the chatbots analyze other data to provide suitable answers (e.g. names, email addresses and other contact details, customer numbers and other identifiers, orders and chat histories). Your IP address, log files, location information and other metadata may also be collected via the chatbot. This data is stored on the chatbot provider's servers.
User profiles can be created on the basis of the data collected. The data can also be used to display interest-based advertising, provided that the other legal requirements (in particular consent) are met. For this purpose, the chatbots can be linked to analysis and advertising tools.
The data collected can also be used to improve our chatbots and their response behavior (machine learning).
The data entered by you in the course of communication will remain with us or the chatbot operator until you request us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular retention periods - remain unaffected.
The legal basis for the use of chatbots is Art. 6 para. 1 lit. b GDPR, insofar as the chatbot is used to initiate a contract or in the context of contract fulfillment. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time. In all other cases, the use is based on our legitimate interest in the most effective customer communication possible (Art. 6 para. 1 lit. f GDPR).
Google Dialogflow
For our chat, we use Dialogflow, a service provided by Google LLC ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Dialogflow is a dialog-oriented interface for websites, mobile applications, common communication platforms and IoT devices that enables interactions between users and companies. Google Dialogflow is part of the Google Cloud Platform offered by Google. Your input is processed by Google in accordance with Google's privacy policy before being forwarded to our servers.
Dialogflow uses machine learning to "understand" input and answer it. Dialog questions or information entered are stored and used without personal reference for learning and training purposes and serve to improve the chat system.
We only use our own IP address to communicate with Google Dialogflow.
Accordingly, personal data is only transmitted to Google if you disclose personal data in the chat (= chat messages).
Data processing is carried out on the basis of both Art. 6 para. 1 lit. f GDPR ("Legitimate interest") and Art. 6 para. 1 lit. a GDPR ("Consent"). Before starting the chat, you consent to the transfer of your data to Google.
When transferring data outside the EEA, Google relies on standard contractual clauses in accordance with Art. 28 GDPR.
The Google terms of use for Dialogflow data logging can be found here: Terms of Use
The Google Privacy Policy can be found here: Privacy Policy
ChatGPT
We use ChatGPT for our customer communication. The provider is OpenAI, 3180 18th St, San Francisco, CA 94110, USA, https://openai.com.
When you start a conversation with us via our app and ChatGPT is activated, your input, including metadata, is transmitted to ChatGPT's servers and processed there to generate a suitable response.
We have configured ChatGPT so that the personal data entered is not used to train ChatGPT's algorithm.
The use of ChatGPT is based on Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in the most efficient customer communication possible using modern technical solutions. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.
Further information is available here: https://openai.com/policies/privacy-policy.
8. wallet services and other services
Use of Apple Pay
If you activate and use the Apple Pay widget, your personal data will be transmitted by Mastercard to Apple (Apple Distribution International, Holly Hill Industrial Estate, Cork, Ireland) for payment processing.
The following data is transmitted:
- Username
- PAN
- Expiration date
This data is transmitted to Apple in encrypted form. Apple decrypts the data, identifies the card's payment network (Mastercard) and re-encrypts the data with a key that can only be decrypted by the payment network.
Apple retains anonymized transaction data, including the approximate purchase amount, the name of the app developer and the app, the approximate date and time, and whether the transaction was completed successfully.
The transfer of your data to Apple is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Apple Pay, your data will be sent to Apple for payment processing.
Use of Google Pay
If you activate and use the Google Pay widget, your personal data will be transmitted by Mastercard to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) for payment processing.
The following data is transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Google is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you decide to use Google Pay, your data will be sent to Google for payment processing.
Use of Samsung Pay
If you activate and use the Samsung Pay widget, your personal data will be transmitted by Mastercard to Samsung Electronics Co, Ltd (416, Maetan 3-dong, Yeongtong-gu, Suwon-si, Gyeonggi-do 443-772, Korea) for payment processing.
The following data is transmitted:
- Card name
- Card number
- CVC
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Samsung is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Samsung Pay, your data will be sent to Samsung for payment processing.
Use of Swatch Pay
If you activate and use the Swatch Pay widget, your personal data will be transmitted by Mastercard to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.
The following data is transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. retailer name, location, amount)
The transmission of your data to G&D is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Swatch Pay, your data will be sent to Fidesmo AB for payment processing.
Use of Fidesmo Pay
If you activate and use the Fidesmo Pay widget, your personal data will be transmitted by Mastercard to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.
The following data is transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. retailer name, location, amount)
The transmission of your data to Fidesmo AB is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Fidesmo Pay, your data will be sent to Fidesmo AB for payment processing.
Use of Digiseq
If you activate and use the Digiseq widget, your personal data will be transmitted by Mastercard to Digiseq Ltd (International House, 64 Nile Street, London, N1 7SR, United Kingdom) for payment processing.
The following data is transmitted:
- Your name
- Your address
- Telephone number
- Sales data (e.g. retailer name, location, amount)
The transmission of your data to Digiseq is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Digiseq, your data will be sent to Digiseq for payment processing.
Use of Click to Pay
If you activate and use the Click to Pay widget, your personal data will be transmitted to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA) to enable payment processing.
The following data is transmitted:
- Your name
- Your address
- Telephone number
- Card number (encrypted)
The transmission of your data to Mastercard is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
Further information on data protection can be found in Mastercard's privacy policy at https://www.mastercard.com/global/click-to-pay/de-de/privacy-notice.html#dataTransfer.
If you choose Click to Pay, your data will be sent to Mastercard for payment processing.
Use of Garmin Pay
If you activate and use the Garmin Pay widget, your personal data will be transmitted by Mastercard to Garmin (Garmin Deutschland GmbH, Parkring 35, 85748 Garching, Germany) for payment processing.
The following data is transmitted:
- Name
- Address
- Telephone number
- Card number (encrypted)
The transmission of your data to Garmin is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
Further information on data protection can be found in Garmin's privacy policy at https://www.garmin.com/de-DE/privacy/garminpay/.
If you choose Garmin Pay, your data will be sent to Garmin for payment processing.
Use of digital receipts
If you activate and use digital receipts, we will transmit data to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA) to provide the digital receipts.
The following data is transmitted:
- Card name
- Card number (encrypted)
- Expiration date
- CVC
The transmission of your data to Mastercard is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
Further information on data protection can be found in Mastercard's privacy policy at https://mea.mastercard.com/en-region-mea/vision/privacy.html.
If you opt for digital receipts, your data will be sent to Mastercard for payment processing.
9. prepaid cell phone top-up
We use the service of our contractual partner transact Elektronische Zahlungssysteme GmbH, Fraunhoferstr. 10, 82152 Martinsried, Germany, for prepaid cell phone top-ups. If you wish to use this service, we will transmit your mobile phone number to transact Elektronische Zahlungssysteme GmbH. The legal basis for this is Article 6(1)(b) GDPR (processing for the purpose of fulfilling a contract).
11. push notifications
When using our app, we may contact you with push notifications about new promotions, vouchers and personal offers from VIMpay. For the further development of our offer and for statistical purposes, we record when and how often a push message is opened. We collect this information in pseudonymized form. Of course, you can unsubscribe from push notifications at any time in the app settings. Push notifications are sent on the basis of our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f) GDPR.
12. payment services
Styx Customer Frontend
PayCenter provides the Styx Customer Frontend in the VIMpay app so that customers whose bank does not offer a web interface can log in (with two-factor authentication if necessary) and enter/retrieve transactions or account information.
The customer enters the login details of their bank. PayCenter processes this data and forwards it to the customer's bank. PayCenter does not store the data at any time.
The transfer of your data to the bank is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
13. special information for parents
While our app is not generally directed at children under the age of 16, we strictly adhere to applicable laws for obtaining parental or guardian consent before collecting, using or disclosing information from children. We strongly recommend that parents take an active role in monitoring their children's online activities. If you believe that we have collected personal information from a person under the age of 16, please contact us at datenschutz@petafuel.de.
14. amendment of the privacy policy
We reserve the right to amend this privacy policy at any time to the extent permitted by law. The current version can be accessed in the app under "Legal and data protection".
We are constantly working on improvements, which may also have an impact on the privacy policy. However, we will never change it without informing you.
11. social media
We maintain publicly accessible profiles in social networks. The individual social networks we use are listed below.
Social networks such as Facebook, X etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.
Legal basis
Our social media presences are intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).
Responsible party and assertion of rights
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).
Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
Storage duration
The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected.
We have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).
Your rights
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.
Social networks in detail
Facebook
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta, the data collected is also transferred to the USA and other third countries.
We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we or Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings yourself in your user account. To do this, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Details can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.
The company is certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
X (formerly Twitter)
We use the short message service X (formerly Twitter). The provider is the parent company X Corp, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for the data processing of persons living outside the USA.
You can adjust your X privacy settings yourself in your user account. To do this, click on the following link and log in: https://x.com/settings/account/personalization.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://gdpr.x.com/en/controller-to-controller-transfers.html.
Details can be found in the privacy policy of X (formerly Twitter): https://x.com/de/privacy.
Instagram
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Details on how they handle your personal data can be found in Instagram's privacy policy: https://privacycenter.instagram.com/policy/.
The company is certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
YouTube
We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in YouTube's privacy policy: https://policies.google.com/privacy?hl=de.
The company is certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780
TikTok
We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how they handle your personal data can be found in TikTok's privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=de.
Data transfer to non-secure third countries is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.tiktok.com/legal/privacy-policy?lang=de.