Privacy Policy - VIMpay App

Privacy Policy

VIMpay App – as of 04 May 2026

1. General Information and Mandatory Disclosures

General Information

This Privacy Policy is provided both in a detailed version (black text) and, where appropriate, in a simpler version that is easier to understand for children and young people (green text).

Children and young people who have questions about this Privacy Policy are welcome to contact us or their parents or guardians.

The following information gives a simple overview of what happens to your personal data when you use our app. Personal data is any data that can be used to identify you personally. For detailed information on data protection, please refer to our Privacy Policy set out below.

This section tells you what happens to your personal information (name, email address, etc.) when you use our app.

Who is responsible for data collection in the app?

The controller is the legal entity that, alone or jointly with others, determines the purposes and means of processing personal data (e.g. names, email addresses, etc.). Data processing in the app is carried out by:

PayCenter GmbH
Clemensänger Ring 24
85356 Freising, Germany
Phone: 08161 4060-300
Email: info@PayCenter.de

jointly with:

petaFuel GmbH
Clemensänger Ring 24
85356 Freising, Germany
Phone: 08161 4060-400
Email: info@petaFuel.de

The responsibility for processing your data (name, email address, etc.) is shared between PayCenter GmbH and petaFuel GmbH.

Responsibilities of the two companies:

PayCenter GmbH is the card-issuing e-money institution and offers registered users a prepaid Mastercard for use at all electronically connected Mastercard acceptance points.
The use of the VIMpay card is governed by a contractual relationship between the user and PayCenter.

The Mastercard you receive from VIMpay is provided by PayCenter.

petaFuel GmbH is the publisher of the VIMpay app and is responsible for the technology, app development and account management. A contractual relationship regarding the use of the VIMpay card is established solely between the cardholder and PayCenter.
petaFuel is not a directly Mastercard-authorised issuer, but merely forwards customer data to the authorised parties and acts as an intermediary between the user and the licensed issuer (the card-issuing e-money institution).

petaFuel is responsible for the technical side of the card.

How do we collect your data?

Your data is collected in part because you provide it to us, for example by entering it during the registration process. Other data is collected automatically by our IT systems when you use the app, primarily technical data (e.g. app version, operating system or timestamp of the app launch). This data is collected automatically as soon as you start the app.

Some information you give us yourself, e.g. when you register. Some technical data (e.g. app version, time of app launch) is collected automatically as soon as you start the app.

Why do we process your data?

  1. Where you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, where special categories of data within the meaning of Art. 9(1) GDPR are processed. Where you have expressly consented to the transfer of personal data to third countries, data processing is additionally based on Art. 49(1)(a) GDPR. Where you have consented to the storage of cookies or to access to information on your device (e.g. via device fingerprinting), data processing is additionally based on Section 25(1) TDDDG. Consent may be withdrawn at any time.
  2. Where your data is necessary for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR.
    This applies in particular to the use of the VIMpay card and its functions, such as paying with a smartphone, paying with wearables, express top-up of the card, P2P chat, and sending money in the chat.
    All VIMpay card functions can be found at www.vimpay.de/features.
  3. Furthermore, we process your data where this is necessary to comply with a legal obligation, on the basis of Art. 6(1)(c) GDPR.
    As an e-money institution, we are subject to various legal obligations, i.e. statutory requirements (e.g. the German Banking Act (KWG), the German Anti-Money Laundering Act (GwG), the German Payment Services Supervision Act (ZAG), tax laws) as well as banking supervisory requirements (e.g. those of the Federal Financial Supervisory Authority (BaFin)). The purposes of processing include, among others, identity and age verification, fraud and anti-money laundering prevention, fulfilment of tax reporting and control obligations, and assessment and management of risks within the company.
  4. Data processing may also be carried out on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR.
    Examples:
    • Securing express top-ups (transmission of your IP address to the account-holding bank)
    • Error-free provision of the app
    • Assertion of legal claims and defence in legal disputes
    • Ensuring IT security and IT operations
    • Prevention of criminal offences

The specific legal basis applicable in each individual case is set out in the following sections of this Privacy Policy.

We use the information we process about you for the following purposes:

  • To fulfil the contract (use of the VIMpay card)
  • To improve our app
  • For identity and age verification, fraud and anti-money laundering prevention
  • To analyse your usage behaviour

Who receives your data?

Within the company, access to your data is granted only to those departments that need it to fulfil our contractual and legal obligations. Service providers and agents engaged by us may also receive data for these purposes, provided they comply with banking secrecy obligations and our written data protection instructions. These are essentially companies from the categories listed below.

Regarding the disclosure of data to recipients outside the e-money institution, it should first be noted that, as an e-money institution, we are obliged to maintain confidentiality regarding all customer-related facts and assessments of which we become aware.

We may only disclose information about you if required by law, if you have consented, if we are authorised to provide a bank reference, and/or if processors engaged by us equally guarantee compliance with banking secrecy and the requirements of the EU General Data Protection Regulation/the German Federal Data Protection Act. Under these conditions, recipients of personal data may include, for example:

  • Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, Federal Central Tax Office) where required by law or official obligation.
  • Other credit and financial services institutions, comparable entities and processors (see Section 4, Data Processing Agreements), to which we transfer personal data in order to carry out our business relationship with you.
    In particular: processing of bank references, support/maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, debt collection, payment card processing, customer management, telephony, video identification, website management, payment transactions.
    Further data recipients may be those entities for which you have given your consent to data transfer or from which you have released us from banking secrecy by agreement or consent.

We only pass on data to those entities or persons who absolutely need it or are authorised to receive it.

Data transfers to third countries

We use tools and service providers from providers based outside the EEA. Transfers of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) take place only where one of the following conditions is met:

  • To fulfil your orders: This may be the case, for example, when processing payment orders.
  • Due to legal obligations: This includes, for example, tax reporting obligations.
  • With your express consent: You will be informed in advance of the risks of the data transfer.
  • In the context of data processing: We use service providers based in third countries. In these cases, we ensure that either (i) an adequacy decision pursuant to Art. 45 GDPR is in place (e.g. for US recipients certified under the "EU-US Data Privacy Framework" (DPF)) or (ii) appropriate safeguards pursuant to Art. 46 GDPR have been agreed (e.g. Standard Contractual Clauses (SCCs)); where appropriate, we carry out a Transfer Impact Assessment (TIA) and implement additional protective measures.

One example of a data transfer to the USA is the automatic exchange of data under the Mastercard Automatic Billing Updater (ABU) to minimise the rejection of card payments when credit card data expires or changes. Data is transferred to the following entity:

  • Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA.

We draw your attention to the fact that, for transfers to third countries without an adequacy decision (Art. 45 GDPR) – in particular to US recipients not certified under the EU-US Data Privacy Framework (DPF) – a level of data protection equivalent to that of the European Union may not be guaranteed in all respects. This applies in particular to state access rights to your data. We endeavour, however, to ensure the highest possible level of protection for your data through the selection of suitable providers, the application of appropriate safeguards (e.g. SCCs) and, where necessary, a Transfer Impact Assessment (TIA) together with additional protective measures.

Some of your data is transferred to Mastercard in the USA.

Recipients of personal data

In the course of our business activities, we work with various external parties. This sometimes requires the transfer of personal data to those external parties. We only pass on personal data to external parties where this is necessary for contract performance, where we are legally required to do so (e.g. transfer of data to tax authorities), where we have a legitimate interest pursuant to Art. 6(1)(f) GDPR in doing so, or where another legal basis permits such transfer. When using processors, we only pass on personal data of our customers on the basis of a valid data processing agreement. In the case of joint processing, a joint controller agreement is concluded.

Analytics Tools and Third-Party Tools

When you use our app, your usage behaviour may be statistically analysed, primarily using analytics programmes. The analysis of your usage behaviour is carried out anonymously; your behaviour cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. For details, please refer to our Privacy Policy under the heading "Analytics Tools".

Your rights at a glance

  1. Right to withdraw consent

    Many data processing operations are only possible with your express consent. You may withdraw consent already given at any time. The lawfulness of data processing carried out before withdrawal is not affected by the withdrawal.

  2. Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)

    Where data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right at any time to object, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on those provisions. The respective legal basis on which processing is based is set out in this Privacy Policy. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims (objection pursuant to Art. 21(1) GDPR).

    Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection pursuant to Art. 21(2) GDPR).

  3. Right to lodge a complaint with the competent supervisory authority

    In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or the place of the alleged infringement. This right exists without prejudice to other administrative or judicial remedies.

    The competent supervisory authority for data protection matters is:

    Bayerisches Landesamt für Datenschutzaufsicht
    (Bavarian State Office for Data Protection Supervision)
    Postfach 1349
    91504 Ansbach, Germany
    Phone: 0981/180093-0
    Fax: 0981/180093-800
    Email: poststelle@lda.bayern.de
    Website: www.lda.bayern.de

    If you feel that your data is not being properly protected, you have the right to contact this authority.

  4. Right to data portability

    You have the right to receive data that we process automatically on the basis of your consent or for the performance of a contract, in a structured, commonly used and machine-readable format, for yourself or for transfer to a third party. If you request direct transfer of data to another controller, this will only be done where technically feasible.

    If you would like us to forward your data to you or another company, just let us know.

  5. Right of access, rectification and erasure

    Within the scope of applicable statutory provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipients and the purpose of data processing, and if applicable the right to rectification or erasure of such data. You may contact us at any time regarding these and other questions about personal data.

  6. Right to restriction of processing

    You have the right to request restriction of processing of your personal data. You may contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

    • If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the verification, you have the right to request restriction of processing of your personal data.
    • If the processing of your personal data was/is unlawful, you may request restriction of data processing instead of erasure.
    • If we no longer need your personal data but you require it for the exercise, defence or assertion of legal claims, you have the right to request restriction of processing of your personal data instead of erasure.
    • If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request restriction of processing of your personal data.

    Where processing of your personal data has been restricted, such data may – apart from being stored – only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

    • If you wish, we will tell you at any time where we got your data from and what we use it for.
    • If you no longer want us to use your data, just let us know.

2. Data Protection Officer

Legally required Data Protection Officer

We have appointed a Data Protection Officer for each of our companies. For all questions relating to data protection, the following contact details are available:

petaFuel GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising, Germany
Phone: 08161 4060-400
Email: datenschutz@petafuel.de

PayCenter GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising, Germany
Phone: 08161 4060-300
Email: datenschutz@paycenter.de

3. Data Processing in the App

Data processing during registration and subsequent card use

Users may register and create a user account. The data entered during registration is used for the purpose of using the service.

We only collect, process and use personal data to the extent necessary for the establishment, content or amendment of the legal relationship (master data). This is based on Art. 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures, and on Art. 6(1)(c) GDPR, which requires processing to comply with a legal obligation to which the controller is subject. Personal data relating to the use of our app (usage data) is only collected, processed and used to the extent necessary to enable the user to use the service or for billing purposes.

Collected customer data will be deleted after completion of the order or termination of the business relationship. Users are responsible for backing up their data after giving notice of termination before the contract ends. We are entitled to permanently delete all data stored during the contract period, unless this conflicts with statutory retention obligations.
Statutory retention obligations remain unaffected. These include commercial and tax law retention obligations: German Commercial Code (HGB), German Banking Act (KWG) and German Anti-Money Laundering Act (GwG). The periods specified therein are two to ten years. Where data is retained as evidence, it is subject to the limitation periods under the German Civil Code (BGB), Sections 195 ff., and may be retained for up to 30 years, with the standard limitation period being three years.
IP addresses are deleted after no more than 90 days.

Data will not be passed on to third parties as a general rule, unless this is necessary to enforce our claims or there is a legal obligation to do so pursuant to Art. 6(1)(c) GDPR.

It is also possible that your IP address may be transmitted to the account-holding bank when a payment is initiated (express top-up) for security and fraud prevention purposes. This is done on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Where identification pursuant to Section 11 of the German Anti-Money Laundering Act (GwG) is required for registration, the personal data collected during identification by the identifying company (Deutsche Post AG or IDnow GmbH) is stored only to the extent necessary for the proper determination, billing and evaluation, and proof of correctness, of service charges (fee data). We also use the data provided during the PostIdent process to compare the personal master data stored by us in our database for the purposes of the legally required identification.

The data in your user account always belongs to you. We only use your data appropriately and confidentially and only pass it on to third parties within the scope of the services you have requested.

Once you have cancelled your user account, your data will be completely deleted, apart from data we are legally required to retain.

If you wish to cancel your contract, please back up your data first.
All data that we are not legally required to retain would otherwise be automatically deleted.

In order to use the service, we may collect the following data from you:

  • Company name
  • First and last name
  • Address
  • Date of birth
  • Identity document data
  • Email address
  • Bank account details
  • Mobile phone number
  • PEP status
  • Direct debit mandates
  • IP address at time of registration
  • IP address at login
  • HBCI access data
  • Account numbers of payees
  • Account transactions
  • Tax ID
  • Communication data for managing your VIMpay card via the petaFuel GmbH interface
  • Message texts when using the chat function
  • User status when using the chat function

Age verification for age-restricted transactions

If you wish to pay with your VIMpay Mastercard at acceptance points where statutory age restrictions apply (e.g. cigarette vending machines), we carry out an automated age verification. We evaluate your date of birth stored with us internally and transmit to the merchant exclusively the result of whether you are of legal age or not. Your date of birth itself is not disclosed.

This processing is based on Art. 6(1)(f) GDPR. Our legitimate interest consists in fulfilling our contractual obligations towards Mastercard as a network partner and in supporting statutory youth protection requirements (Section 9 of the German Youth Protection Act (JuSchG)). You have the right to object to this processing pursuant to Art. 21 GDPR; doing so will mean that we can no longer authorise payments at the relevant acceptance points.

If you pay with your VIMpay card at a machine that is only for adults (e.g. a cigarette machine), we automatically check using your date of birth whether you are old enough. The machine only learns "yes" or "no" – your actual date of birth is not passed on.

Server log files

petaFuel GmbH automatically collects and stores information from the app in so-called server log files. The following information is transmitted to us by the app:

  • App name and version
  • Operating system used
  • Device model
  • Referrer URL
  • Hostname of the mobile device
  • Time of server request
  • IP address
  • Language and region

This data is not merged with other data sources.

The legal basis for data processing is Art. 6(1)(f) GDPR, which permits the processing of data to protect legitimate interests. We use this data both to operate and improve the app and for fraud prevention.

Data is automatically deleted after no more than 90 days.

We automatically store information from the app. This data is not combined with other data sources.

App permissions

The app may request the following permissions, which are classified as sensitive. These permissions can be set individually and separately by the customer.

  1. iOS

    • Network connections
      Required so that the app is fully functional and can transmit and receive data.
    • Background refresh
      Required by Apple Services, specifically for push notifications.
    • Notifications
      Required to receive messages, in this case push notifications.
    • Access to photos and camera
      Required to set a profile picture for the app, create card images (Picturecard and card avatars), use the QR scanner, and for identity verification via video identification.
    • Contacts
      Required to check whether a contact is also a VIMpay user in the chat and to top up prepaid mobile phone credit.
    • Microphone
      Used for communication for identity verification with video identification.
  2. Android

    • Read, modify or delete storage contents
      Required for exporting PDFs (e.g. when exporting account transactions as PDF).
    • Full network access
      Required so that the app is fully functional and can transmit and receive data.
    • Prevent device from sleeping
      Required to receive push notifications.
    • Contacts
      Required to check whether a contact is also a VIMpay user in the chat and to top up prepaid mobile phone credit.
    • Notifications
      Required to receive messages, in this case push notifications.
    • Access to photos and camera
      Required to set a profile picture for the app, create card images (Picturecard and card avatars), use the QR scanner, and for identity verification via video identification.
    • Microphone
      Used for communication for identity verification with video identification.

To enable use of the app, the app may request additional, non-sensitive permissions in addition to those listed here.

The app may request these permissions. These permissions can be set individually and separately by you.

HBCI error reports in the app

If you consent to the storage and transmission of the error report in the app, you agree that your HBCI data (e.g. account number and transactions) will be transmitted in encrypted form to petaFuel in order to analyse and fix errors occurring in the app. To protect your login from unauthorised access, the banking password is removed before transmission. Automated transmission of error reports with corresponding HBCI data does not take place. HBCI transaction data is stored exclusively locally in the app. Deleting the app also deletes the locally stored HBCI transaction data.

Transmission and storage is based on Art. 6(1)(a) GDPR (consent of the data subject).

If you consent to the storage and transmission of the error report in the app, you agree that your data (e.g. account number and transactions) will be transmitted in encrypted form to petaFuel in order to identify the error.

Your transaction data is stored locally in your app. If you decide to delete the app, your locally stored data will also be deleted.

4. Data Processing Agreements

We occasionally engage other companies to provide services on our behalf and within the scope of our business purpose, to a limited extent. These companies may only process the personal data necessary for the provision of the respective service. These companies undertake to treat the data confidentially. The companies are expressly prohibited from using the information for any other purpose. We have concluded data processing agreements with the following companies and pass on personal data insofar as this is necessary:

  • Between petaFuel and Deutsche Post AG (PostIdent, video identification, address verification): Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany
  • Between PayCenter and Deutsche Post Direkt GmbH (address verification): Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf, Germany
  • Between petaFuel and Melissa Data GmbH (address verification): Melissa Data GmbH, Cäcilienstr. 42-44, 50667 Cologne, Germany
  • Between PayCenter and Infoscore Consumer Data GmbH (address verification): Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany
  • Between petaFuel and IDnow (video identification): IDnow GmbH, Auenstr. 100, 80469 Munich, Germany
  • Between petaFuel and Authada GmbH (identification via eID): Authada GmbH, Julius-Reiber-Str. 15a, 64293 Darmstadt, Germany

Where necessary to provide our services, we may pass on your data to third-party providers. These providers are, however, obliged to protect your data.

5. Analytics Tools

Matomo

This app uses the open source web analytics service Matomo (iOS version of the app only).

Matomo enables us to collect and analyse data about the use of our app by app visitors. This allows us to find out, among other things, when which pages were visited and from which region visitors come. We also collect various log files (e.g. IP address, referrer, browsers and operating systems used) and can measure whether our app visitors perform certain actions (e.g. clicks, purchases, etc.).

This analytics tool is used on the basis of Art. 6(1)(f) GDPR. The app operator has a legitimate interest in analysing user behaviour in order to optimise both its app and its advertising. Where corresponding consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time.

IP anonymisation

When analysing with Matomo, we use IP anonymisation. Your IP address is truncated before analysis so that it can no longer be uniquely attributed to you.

Cookieless analysis

We have configured Matomo so that it does not store cookies.

Matomo processes the following data:

  • Anonymised IP addresses by removing the last 2 bytes (e.g. 192.68.0.0 instead of 192.68.100.54)
  • Pseudo-anonymised location (based on the anonymised IP address)
  • Date and time
  • Title of the page visited
  • URL of the page visited
  • URL of the previous page (if permitted by that page)
  • Screen resolution
  • Local time
  • Files clicked and downloaded
  • External links
  • Page load time
  • Country, region, city (with low accuracy due to IP address)
  • Primary language of the device
  • User agent of the device

You may object to the storage and analysis of this data by Matomo at any time. In the app, navigate to Security > Improve App.
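The IP anonymisation described above (zeroing the last two bytes, e.g. 192.68.0.0 instead of 192.68.100.54) is easy to state but worth checking in practice: a truncation that is applied after the raw address has already been written to a log buys nothing. The following is an added example, not code from the VIMpay app or from Matomo. It implements the two-byte truncation for IPv4, maps the same setting to a /48 for IPv6 (an assumption; the policy only gives the IPv4 rule), reports how many addresses share the truncated value, and audits a set of constructed log records to flag any that still carry an untruncated address.

```python
import ipaddress
from typing import List, Dict

# Assumed mapping of the Matomo-style "bytes masked" setting to an IPv6
# prefix length; the policy only specifies the IPv4 behaviour (2 bytes -> /16).
IPV6_PREFIX_FOR_MASK_BYTES = {0: 128, 1: 64, 2: 48, 3: 16, 4: 0}


def _prefix_length(ip: ipaddress._BaseAddress, mask_bytes: int) -> int:
    """Translate 'number of trailing bytes to zero' into a CIDR prefix length."""
    if not 0 <= mask_bytes <= 4:
        raise ValueError("mask_bytes must be between 0 and 4")
    if ip.version == 4:
        return 32 - 8 * mask_bytes
    return IPV6_PREFIX_FOR_MASK_BYTES[mask_bytes]


def anonymise_ip(addr: str, mask_bytes: int = 2) -> str:
    """Return addr with its host part zeroed, e.g. 192.68.100.54 -> 192.68.0.0.

    Raises ValueError for anything that is not a valid IP literal, so a
    malformed or attacker-supplied value never passes through unchanged.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network((ip, _prefix_length(ip, mask_bytes)), strict=False)
    return str(net.network_address)


def anonymity_set_size(addr: str, mask_bytes: int = 2) -> int:
    """How many distinct addresses collapse onto the same anonymised value.

    With two bytes masked, an IPv4 address is hidden among 65536 others; this
    is the figure to quote when assessing re-identification risk.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network((ip, _prefix_length(ip, mask_bytes)), strict=False)
    return net.num_addresses


def is_anonymised(addr: str, mask_bytes: int = 2) -> bool:
    """True if addr already sits on the truncation boundary (host bits are zero)."""
    return anonymise_ip(addr, mask_bytes) == str(ipaddress.ip_address(addr))


def audit_records(records: List[Dict[str, str]], mask_bytes: int = 2) -> List[str]:
    """Return the ids of stored analytics records whose IP was not truncated.

    This is the check to run against what actually reaches the analytics
    store: the policy only holds if every persisted address passes it.
    """
    return [r["id"] for r in records if not is_anonymised(r["ip"], mask_bytes)]


# Constructed sample records (not real log data): two are correctly truncated,
# one leaked a full IPv4 address, one leaked a full IPv6 address.
SAMPLE_RECORDS = [
    {"id": "r1", "ip": "192.68.0.0"},
    {"id": "r2", "ip": "192.68.100.54"},
    {"id": "r3", "ip": "2001:db8:abcd::"},
    {"id": "r4", "ip": "2001:db8:abcd:1234::1"},
]

if __name__ == "__main__":
    print(anonymise_ip("192.68.100.54"))            # 192.68.0.0
    print(anonymise_ip("2001:db8:abcd:1234::1"))     # 2001:db8:abcd::
    print(anonymity_set_size("192.68.100.54"))      # 65536
    print(audit_records(SAMPLE_RECORDS))            # ['r2', 'r4']
```

The audit function is the part a reviewer would actually want: the truncation must happen before the address is handed to the analytics backend, and the only way to confirm that is to inspect what the backend has stored.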

6. Data Collection when Contacting Us

When you contact us by email, contact form, telephone or fax, your enquiry including all personal data arising from it (name, enquiry) will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.

Processing of this data is based on Art. 6(1)(b) GDPR, where your enquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) where this has been obtained; consent may be withdrawn at any time.

The data you send us via contact requests will be retained by us until you request deletion, withdraw your consent to storage, or the purpose for data storage ceases to apply (e.g. after your enquiry has been fully processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Standard automatic deletion periods:

  • Tickets from non-customers: 6 months
  • Tickets from customers: 1 year
  • Tickets relating to data protection: 3 years

When you contact us (e.g. via contact form, email, chat, telephone or via social media), your contact data is stored in order to respond to your enquiry. However, this data is regularly deleted by us. For messages in the support chat, the deletion periods set out in the "Chat Function" section apply.

7. Chat Function

The VIMpay app offers a chat function that allows users to contact both the customer service team and other VIMpay users.
In addition, VIMpay card functions can be used via the chat (e.g. sending money).
A list of all VIMpay card and chat functions can be found at www.vimpay.de/features (see also – Why do we process your data?).

The chat function for communication with customer service is permanently activated and cannot be deactivated.

The chat function for communication with other VIMpay users is disabled by default and must first be activated for use.

By activating and using this chat function, the user agrees that:

  • their current online status is displayed to other users,
  • their name registered with VIMpay (first and last name) is displayed to other users,
  • their profile picture is displayed to other users,
  • sent and received messages are stored server-side for a limited period (this storage enables messages to be restored after a fresh app installation).

Messages are automatically deleted server-side after a certain period:

  • Messages from single or group chats: after 30 days
  • Messages from the support chat:
    • Non-authenticated users: after 90 days
    • Authenticated users: after 10 years

If a user wishes to deactivate the chat function after activation, an opt-out option is available in the app (not possible for the customer service chat function!).

By opting out, the user agrees that all messages will be deleted server-side after the periods stated above.

Messages on the user's smartphone are not deleted by us and must be deleted by the user themselves.

The storage of chat messages is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

When you use the chat, other users can see, among other things, your name, your profile picture, your online status, and all messages are stored with us. If you no longer want to use the chat, you can deactivate it, but all messages will then be deleted after a certain period.

Use of chatbots

We use chatbots to communicate with you. Chatbots are able to respond to your questions and other inputs without human assistance. To do this, chatbots analyse your inputs as well as other data to provide suitable responses (e.g. names, email addresses and other contact data, customer numbers and other identifiers, orders and chat histories). Additionally, your IP address, log files, location information and other metadata may be collected via the chatbot. This data is stored on the chatbot provider's servers.

User profiles may be created on the basis of the data collected. Additionally, the data may be used to display interest-based advertising, provided the other legal requirements (in particular consent) are met. Chatbots may be linked with analytics and advertising tools for this purpose.

The data collected may also be used to improve our chatbots and their response behaviour (machine learning).

Data you enter during communication will remain with us or the chatbot operator until you request deletion, withdraw your consent to storage, or the purpose for data storage ceases to apply (e.g. after your enquiry has been fully processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

The legal basis for using chatbots is Art. 6(1)(b) GDPR, where the chatbot is used for contract initiation or within the scope of contract performance. Where corresponding consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the user's device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent may be withdrawn at any time. In all other cases, use is based on our legitimate interest in the most effective customer communication possible (Art. 6(1)(f) GDPR).

Google Dialogflow

For our chat, we use Dialogflow, a service of Google LLC ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Dialogflow is a conversational interface for websites, mobile applications, common communication platforms and IoT devices that enables interactions between users and companies. Google Dialogflow is part of the Google Cloud Platform offered by Google. Your inputs are processed by Google in accordance with Google's privacy policies before being forwarded to our servers.

Dialogflow uses machine learning to "understand" inputs and provide responses. Dialogue questions or statements entered are stored and used without personal reference for learning and training purposes, and serve to improve the chat system.

For communication with Google Dialogflow, we exclusively use our own IP address. Accordingly, personal data is only transmitted to Google when you disclose personal data in the course of the chat (i.e. in your chat messages).

Data processing is based on both Art. 6(1)(f) GDPR (legitimate interests) and Art. 6(1)(a) GDPR (consent). Before starting the chat, you consent to the transfer of your data to Google.

Google relies on Standard Contractual Clauses pursuant to Art. 46 GDPR for data transfers outside the EEA.

Google's terms of use for Dialogflow data logging can be found here: Terms of Use

Google's Privacy Policy can be found here: Privacy Policy

ChatGPT

We use ChatGPT for our customer communications. The provider is OpenAI OpCo, LLC, 3180 18th St, San Francisco, CA 94110, USA, https://openai.com.

When you start a conversation with us via our app and ChatGPT is activated, your inputs including metadata are transmitted to the ChatGPT servers and processed there to generate a suitable response.

We have configured ChatGPT so that personal data entered is not used to train the ChatGPT algorithm.

The use of ChatGPT is based on Art. 6(1)(f) GDPR. The app operator has a legitimate interest in the most efficient customer communication possible using modern technical solutions. Where corresponding consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Consent may be withdrawn at any time.

Further information is available here: https://openai.com/policies/privacy-policy.

8. Wallet Services and Other Services

Use of Apple Pay

If you activate and use the Apple Pay widget, your personal data will be transmitted by Mastercard to Apple (Apple Distribution International, Holly Hill Industrial Estate, Cork, Ireland) for payment processing.

The following data is transmitted: Username, PAN, expiry date.

This data is transmitted to Apple in encrypted form. Apple decrypts the data, determines the payment network of the card (Mastercard) and re-encrypts the data with a key that can only be decrypted by the payment network. Apple retains anonymised transaction data, including the approximate purchase amount, the name of the app developer and the app, the approximate date and time, and whether the transaction was completed successfully.

The transmission of your data to Apple is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Apple Pay, your data will be sent to Apple for payment processing.

Use of Google Pay

If you activate and use the Google Pay widget, your personal data will be transmitted by Mastercard to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) for payment processing.

The following data is transmitted: Name, address, phone number, transaction data (e.g. merchant name, location, amount).

The transmission of your data to Google is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Google Pay, your data will be sent to Google for payment processing.

Use of Samsung Pay

If you activate and use the Samsung Pay widget, your personal data will be transmitted by Mastercard to Samsung Electronics Co., Ltd. (416, Maetan 3-dong, Yeongtong-gu, Suwon-si, Gyeonggi-do 443-772, Korea) for payment processing.

The following data is transmitted: Name, card number, CVC, transaction data (e.g. merchant name, location, amount).

The transmission of your data to Samsung is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Samsung Pay, your data will be sent to Samsung for payment processing.

Use of Swatch Pay

If you activate and use the Swatch Pay widget, your personal data will be transmitted by Mastercard to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.

The following data is transmitted: Name, address, phone number, transaction data (e.g. merchant name, location, amount).

The transmission of your data to Fidesmo AB is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Swatch Pay, your data will be sent to Fidesmo AB for payment processing.

Use of Fidesmo Pay

If you activate and use the Fidesmo Pay widget, your personal data will be transmitted by Mastercard to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.

The following data is transmitted: Name, address, phone number, transaction data (e.g. merchant name, location, amount).

The transmission of your data to Fidesmo AB is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Fidesmo Pay, your data will be sent to Fidesmo AB for payment processing.

Use of Digiseq

If you activate and use the Digiseq widget, your personal data will be transmitted by Mastercard to Digiseq Ltd. (International House, 64 Nile Street, London, N1 7SR, United Kingdom) for payment processing.

The following data is transmitted: Name, address, phone number, transaction data (e.g. merchant name, location, amount).

The transmission of your data to Digiseq is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

If you choose Digiseq, your data will be sent to Digiseq for payment processing.

Use of Click to Pay

If you activate and use the Click to Pay widget, your personal data will be transmitted to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA) to enable payment processing.

The following data is transmitted: Name, address, phone number, card number (encrypted).

The transmission of your data to Mastercard is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

Further data protection information can be found in Mastercard's privacy notice at https://www.mastercard.com/global/click-to-pay/de-de/privacy-notice.html#dataTransfer.

If you choose Click to Pay, your data will be sent to Mastercard for payment processing.

Use of Garmin Pay

If you activate and use the Garmin Pay widget, your personal data will be transmitted by Mastercard to Garmin (Garmin Deutschland GmbH, Parkring 35, 85748 Garching, Germany) for payment processing.

The following data is transmitted: Name, address, phone number, card number (encrypted).

The transmission of your data to Garmin is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

Further data protection information can be found in Garmin's privacy notice at https://www.garmin.com/de-DE/privacy/garminpay/.

If you choose Garmin Pay, your data will be sent to Garmin for payment processing.

Use of Digital Receipts

If you activate and use Digital Receipts, we will transmit data to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA) to provide digital receipts.

The following data is transmitted: Name, card number (encrypted), expiry date, CVC.

The transmission of your data to Mastercard is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

Further data protection information can be found in Mastercard's privacy notice at https://mea.mastercard.com/en-region-mea/vision/privacy.html.

If you choose Digital Receipts, your data will be sent to Mastercard for payment processing.

9. Prepaid Mobile Top-Up

For prepaid mobile top-ups, we use the service of our contractual partner transact Elektronische Zahlungssysteme GmbH, Fraunhoferstr. 10, 82152 Martinsried, Germany. If you wish to use this service, we will transmit your mobile phone number to transact Elektronische Zahlungssysteme GmbH. The legal basis for this is Art. 6(1)(b) GDPR (processing for the purpose of contract performance).

10. Social Media

We maintain publicly accessible profiles on social networks. The social networks we use individually are listed below.

Social networks such as Facebook, X, etc. can generally analyse your user behaviour extensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In particular:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can attribute this visit to your user account. Your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. Data is collected in this case, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, the social media portal operators can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot trace all processing operations on social media portals. Depending on the provider, further processing operations may therefore be carried out by the social media portal operators. For details, please refer to the terms of use and privacy policies of the respective social media portals.

Legal basis

Our social media presences are intended to ensure the most comprehensive possible presence on the internet. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by social networks may be based on different legal bases which must be stated by the social network operators (e.g. consent within the meaning of Art. 6(1)(a) GDPR).

Controller and exercise of rights

When you visit one of our social media presences (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by that visit. You may generally assert your rights (access, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that despite joint responsibility with the social media portal operators, we do not have full influence over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

Data collected directly by us via the social media presence is deleted from our systems as soon as you request deletion, withdraw your consent to storage, or the purpose for data storage ceases to apply. Stored cookies remain on your device until you delete them. Mandatory statutory provisions – in particular retention periods – remain unaffected.

We have no influence over the storage period of your data that is stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g. in their privacy policy, see below).

Your rights

You have the right at any time to obtain free information about the origin, recipient and purpose of your stored personal data. You also have the right to object, the right to data portability, and the right to lodge a complaint with the competent supervisory authority. Furthermore, you may request rectification, erasure, and, under certain circumstances, restriction of processing of your personal data.

Individual social networks

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter "Meta"). According to Meta, the data collected is also transferred to the USA and other third countries.

We have concluded a joint controller agreement (Controller Addendum) with Meta. This agreement sets out the respective responsibilities of us and Meta for data processing operations when you visit our Facebook page. This agreement can be viewed at: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. Click the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards for data processing in the USA. Each company certified under the DPF undertakes to comply with these data protection standards. Further information is available from the provider at: https://www.dataprivacyframework.gov/participant/4452.

X (formerly Twitter)

We use the microblogging service X (formerly Twitter). The provider is the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for data processing of persons living outside the USA.

You can adjust your X privacy settings independently in your user account. Click the following link and log in: https://x.com/settings/account/personalization.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://gdpr.x.com/en/controller-to-controller-transfers.html.

For details, please refer to the privacy policy of X (formerly Twitter): https://x.com/de/privacy.

Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details on how Instagram handles your personal data, please refer to Instagram's privacy policy: https://privacycenter.instagram.com/policy/.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards for data processing in the USA. Each company certified under the DPF undertakes to comply with these data protection standards. Further information is available from the provider at: https://www.dataprivacyframework.gov/participant/4452.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how YouTube handles your personal data, please refer to YouTube's privacy policy: https://policies.google.com/privacy?hl=de.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards for data processing in the USA. Each company certified under the DPF undertakes to comply with these data protection standards. Further information is available from the provider at: https://www.dataprivacyframework.gov/participant/5780.

TikTok

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. For details on how TikTok handles your personal data, please refer to TikTok's privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=de.

TikTok transfers data to third countries, including the People's Republic of China. Data transfers were previously based on the EU Commission's Standard Contractual Clauses. In May 2025, the Irish Data Protection Commission (DPC) found that this transfer basis was inadequate, as access to EU user data by Chinese authorities could not be effectively excluded, and imposed a fine of EUR 530 million on TikTok. TikTok is required to bring transfers into compliance with the GDPR within 6 months. We are monitoring developments and will update this section accordingly.

11. Push Notifications

When you use our app, we may contact you with push notifications about new promotions, vouchers and personal offers from VIMpay. For the further development of our service and for statistical purposes, we record when and how often a push notification is opened. We collect this information in pseudonymised form. You can of course unsubscribe from push notifications at any time in the app settings. Push notifications are sent on the basis of our legitimate interest within the meaning of Art. 6(1)(f) GDPR.

12. Payment Services

Styx Customer Frontend

To enable customers whose bank does not offer its own web interface to log in (possibly with two-factor authentication), enter transactions or retrieve account information, PayCenter provides the Styx Customer Frontend in the VIMpay app.

The customer enters their bank login credentials. PayCenter processes this data and forwards it to the customer's bank. Data is not stored by PayCenter at any time.

The transmission of your data to the bank is based on Art. 6(1)(b) GDPR (processing for the performance of a contract).

13. VIMpay Scout Card (Sub-account for Minors = Scout Users)

Our app is aimed at primary cardholders (parents/guardians). Minors may use it under the VIMpay Scout Card. The primary cardholder sets up and manages the sub-account. If you suspect that data of a minor is being processed without authorisation, please inform us at datenschutz@petafuel.de.

What is it about?

The VIMpay Scout Card is an additional card for a scout user, linked to a sub-account of the primary cardholder (parent or guardian).
The controllers are – as described above – PayCenter GmbH (card-issuing e-money institution) and petaFuel GmbH (app provision) in joint controllership.
The general information (rights, recipients, third-country transfers, security, etc.) applies accordingly.
The scout user does not become a contracting party in their own right, but is a cardholder under the contract with the primary cardholder.

What data of the scout user do we process?

  • Master data (name, date of birth if applicable, family relationship to the primary cardholder)
  • Product/account data (sub-account ID, card identifier, configurations such as limits, MCC blocks, wallet approvals)
  • Usage/transaction data (time, amount, merchant details, ATM if applicable – as with cards generally)
  • Technical and communication data, if the scout user uses their own app view (e.g. device ID, app version, push notifications)
  • Wallet tokens / payment data when using Apple or Google Wallet (see section "Wallet Services")

Where does the data come from? (Art. 14 GDPR)

As a rule, we receive the data from the primary cardholder when setting up the Scout Card.
Where the scout user uses their own app view or provides information themselves, Art. 13 GDPR applies (information when data is collected directly).

For what purposes and on what legal basis do we process the data?

  • Provision of the Scout Card and sub-account (card management, limits, MCC blocks, transactions) – Art. 6(1)(b) GDPR (performance of contract with the primary cardholder)
  • Compliance with legal obligations (e.g. payment services, anti-money laundering or supervisory law requirements, fraud/misuse prevention) – Art. 6(1)(c) GDPR
  • Security and misuse prevention, IT operations, logging – Art. 6(1)(f) GDPR (legitimate interest; balancing in favour of youth protection / security)
  • Wallet use (e.g. Apple Pay / Google Pay) – Art. 6(1)(b) GDPR; the conditions of the respective wallet providers also apply (see section "Wallet Services").

No further processing for analytics or marketing purposes takes place.

Who receives the data?

Internal departments (card/app operations) as well as service providers and payment networks (e.g. Mastercard) and – where wallets are activated – Apple / Google / Samsung in accordance with their respective conditions (see section "Wallet Services").

Special transparency for scout users (Art. 12 GDPR)

We provide information for scout users in clear, simple and age-appropriate language – including in a simplified version (green text) available in the VIMpay app and on the website.
Data subjects may exercise their data protection rights themselves or through the primary cardholder.

Note – visibility for primary cardholders

The primary cardholder can view and control the transactions and settings of the sub-account. This is inherent to the product and serves youth protection purposes (Section 1626 of the German Civil Code (BGB)).

Wallet specifics

Integration with wallet services (e.g. Apple Pay / Google Pay) depends on the provider's policies and age requirements; features may be restricted or suspended.

What is it about?
The VIMpay Scout Card is your own card. It belongs to your parents' / guardians' account. They can manage your card and set the rules for how you use it.

What information do we need for your card to work?
We store your name, possibly your date of birth, who your primary cardholder is, what settings apply to your card (e.g. limits or blocked merchant categories), and what you pay for with the card. If you use your own app view, we also store technical information (e.g. app version).

Where do we get this information from?
Usually your parents / guardians provide this data when they set up your card. If you enter something yourself in the app, the same applies.

What do we use the information for?
So that your card works, you can pay safely, and legal requirements are met.

Who can see what?
Your parents / guardians can view your transactions and change settings – to keep you safe.

Wallets (e.g. Apple Pay / Google Pay)
These services have their own rules. That is why some features may not be available for all age groups.

Your rights
You (or your parents / guardians) can contact us if you have questions or would like access, rectification or erasure. If you do not understand something, you can always ask your parents or us.

14. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy at any time within the limits permitted by law. The current version can be accessed in the app under "Legal and Privacy".

We are constantly working on improvements, which may also affect the Privacy Policy. However, we will never make changes without informing you.