Data Privacy Subscription

Privacy Policy Subscription

This Privacy Policy applies to all processing of personal data carried out in connection with the subscription offering of MILES Mobility GmbH. This includes, in particular, but is not limited to, the use of the website https://abo.miles-mobility.com/, as well as all related processes for the management, execution, and handling of subscription contracts with customers.

The data protection-compliant handling of your data is more than just a legal requirement for MILES Mobility GmbH. It is our obligation! Whether you use our mobility services, seek information about our services or our company, are in contact with us as a service provider or partner, work for us as an employee, or wish to apply to us as an applicant — you can rely on the proper handling of your data at all times.

With this Privacy Policy, we would like to inform you in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) and Sections 32 and 33 of the Federal Data Protection Act (BDSG) about how our company and third parties process personal data in the context of our website, and to inform you about your related rights.

This Privacy Policy uses the terminology of the GDPR. Other terms used, such as “visitor,” “user,” or “recipient,” are chosen for the sake of clarity and are to be understood as gender-neutral.

1. Name and contact details of the controllers and their data protection officer

Contact details of the responsible parties

MILES Mobility GmbH

represented by the managing directors: Oliver Mackprang, Eyvindur Kristjansson 

Leibnizstraße 49

10629 Berlin 

Email address: hello@miles-mobility.com 

Telephone: +49 (0) 30 2016 4975 

Website:  https://abo.miles-mobility.com/

Email address for data protection inquiries: data-protection@miles-mobility.com 

Contact details of the data protection officer

ISiCO GmbH
Am Hamburger Bahnhof 4
10557 Berlin

E-mail: data-protection@miles-mobility.com 
Website: www.isico-datenschutz.de/en/start

 

2. General Overview of Our Data Processing Activities

Scope of the processing of personal data

We process personal data of our users only to the extent necessary for the provision and execution of our subscription offer as well as the associated services and benefits. Processing is generally carried out only with the user's consent. An exception applies in cases where it is not possible to obtain prior consent for factual reasons and/or the processing of the data is permitted by statutory provisions.

Purposes of processing personal data

We process personal data of interested parties, visitors and users of our subscription service (hereinafter collectively referred to as "users"), when such data is necessary for the provision, execution, or improvement of our subscription service, e.g., for technical functionality, security, customer communication, or contractual processing. This includes both digital interactions via our website and app as well as all other points of contact. The extent to which the following explanations apply to you depends on how you interact with our service.

We process personal data for one or more of the following purposes:

·      for the creation and management of your MILES subscription account

·      for the purpose of conducting a credit check (e.g. by SCHUFA)

·      to assess your creditworthiness,

·      for the selection and booking of a vehicle as well as for the conclusion and execution of your subscription contract

·      for the provision, functionality and security of our digital offering (e.g. website and app), for payment processing and management of the payment methods you have stored,

·      for the desired contact and processing of your inquiries to our customer service

·      for the purpose of conducting analyses for the further development and optimization of our subscription offering,

·      for the fulfillment of legal requirements (e.g. tax retention obligations, documentation of consents)

for communication for marketing and advertising purposes – but only with your explicit consent.
 

Legal bases for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the initiation or performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.

Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that the vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests or fundamental rights and freedoms of the data subject do not override the aforementioned interests, Article 6(1)(f) GDPR serves as the legal basis for the processing.

Retention Period and Data Deletion

Retention period

We store your personal data only for as long as is necessary to achieve the respective processing purpose. We store your data (i) if you have consented to the processing, at most until you revoke your consent by simply sending an email to data-protection@miles-mobility.com or via the “Your cookie settings” function; (ii) if we need the data for the performance of a contract, at most for as long as the contractual relationship with you exists (including the defense and enforcement of claims within the limitation periods); (iii) if we process the data to protect vital interests, at most for as long as is necessary to protect the vital interests of the data subject or another natural person; (iv) if we use the data on the basis of a legitimate interest, at most for as long as your interest in the deletion or anonymization of the data does not outweigh ours.

Storage may also take place if this is provided for by European or national legislators in regulations, laws, or other provisions to which the Controller is subject, or if it is necessary for the safeguarding, assertion, or enforcement of legal claims (Art. 6 para. 1 lit. f GDPR). In order not to violate legal provisions or lose the possibility to assert a claim or defend ourselves against such a claim, we reserve the right to delete the data only after the expiration of the last applicable retention period that legitimizes the data storage.

Deletion upon request

For processing based on consent the withdrawal of consent is generally implemented immediately and automatically by the systems of MILES Mobility and service providers used. In rare cases, synchronization may take several hours.

If customers successfully exercise their right to data erasure for data processed on a legal basis other than consent, the customer account will be deleted in accordance with the following information: The personal data of the data subject to be deleted will be blocked in the system, partially anonymized or redacted, and access to the data will be strictly restricted. After one year, the aforementioned data will be automatically deleted from the system, with the exception of personal data that must be retained for a period of six years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). After the six-year period has expired, these data will also be automatically and irrevocably deleted.

The recipients of the data will be informed of the deletion request by MILES Mobility GmbH.

If overriding interests oppose the deletion, the customer will be informed of the reasons for the restriction of the right to deletion. This is particularly the case if MILES Mobility GmbH requires the data for the assertion or defense of legal claims.

Deletion after the purpose has ceased to exist

If data is processed for the fulfillment of a contract, the data is generally stored for the duration of the contractual relationship. An exception to this are, in particular, usage data, which are only retained for a period of 1 year.

After the termination of the contractual relationship (cessation of purpose), the personal data of the data subject to be deleted will be blocked in the system, partially anonymized or redacted, and access to the data will be strictly restricted. After one year, the aforementioned data will be automatically deleted from the system, with the exception of personal data that must be retained for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). After the expiration of ten years, these data will also be automatically and irrevocably deleted.

If data is processed for compliance with legal requirements, the right of the data subjects to have their data deleted is suspended until the respective retention periods for the data to be stored have expired. MILES Mobility GmbH does not use this data for any other purposes. This expressly includes retention for the purpose of demonstrating proper accounting. For violations of the StVG, the retention periods are based on the limitation periods. These can be up to 30 years.

MILES Mobility GmbH reserves the right to permanently store the data of blocked users in order to prevent re-registration. This constitutes a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

2.1  Data Disclosure and Engagement of Processors 

If, in the course of our processing, we disclose data to other individuals, companies, or public authorities, transmit it to them, or otherwise grant them access to the data, this is done solely on the basis of a legal authorization (e.g., if the transmission of data to third parties, such as payment service providers, is required for the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR), if you have given your consent, if a legal obligation provides for this, or on the basis of a legitimate interest. 

Unless the recipients are public authorities, our data transfers to third parties are regularly governed by data protection agreements, which we conclude with our service providers bound by instructions (data processing agreement pursuant to Art. 28 GDPR) and cooperation partners (joint controllership agreement pursuant to Art. 26 GDPR, agreement between independent data controllers).

If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) and process it there, or if this occurs in the context of using third-party services, this is done only if and to the extent that it is legally permitted, the specific requirements of Art. 44 et seq. GDPR are met, and, in particular, an adequate level of protection is ensured. In this regard, we rely on the provisions set out in Article 49 of the GDPR or, where applicable, on safeguards pursuant to Article 46 GDPR.

Note: If you require further information in this regard, please feel free to contact us at any time at data-protection@miles-mobility.com.

2.2 Origin of the Data

Unless otherwise specified in this Privacy Policy, we receive the data from you (including data about the devices you use). If we do not collect the personal data directly from you, we will additionally inform you of the source from which the personal data originates and, if applicable, whether it comes from publicly accessible sources.

2.3 Necessity of Providing Personal Data

Unless expressly stated otherwise at the time of collection or otherwise specified in this Privacy Policy, the provision of data is not required or mandatory. Such an obligation may arise from legal requirements or contractual arrangements. Failure to provide the required personal data will generally result in a contract not being concluded and/or our inability to provide a requested service. Our employees will clarify on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for the conclusion of a contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

Note: If you require further information in this regard, please feel free to contact us at any time at data-protection@miles-mobility.com.

2.4  Automated Decisions

Unless otherwise specified in this Privacy Policy, we do not use any mechanisms for automated decision-making—including profiling—that produce legal effects concerning the data subject or similarly significantly affect them.

2.5 Data Security

We are maximally committed to the security of your data within the framework of applicable data protection laws and technical as well as financial possibilities. To secure your data, we maintain technical and organizational security measures in accordance with Art. 25 and 32 GDPR, which protect your data, for example, against accidental or intentional manipulation, loss, destruction, or against access by unauthorized persons. We continuously adapt our security measures to the latest state of technology.

Insofar as we also use services provided by third parties for the processing of your data, the selection of such third parties is carried out with due care and in compliance with the statutory provisions.

Note: If you require further information in this regard, please feel free to contact us at any time at data-protection@miles-mobility.com.

2.6  Your rights as a data subject

When processing your personal data, the GDPR grants you the following rights. To assert and exercise the rights described under sections III.1.-III.3., you may contact us at any time, preferably by email at data-protection@miles-mobility.com. The right to lodge a complaint explained under section III.4. must be exercised with the competent supervisory authority.

Please note: When exercising your rights under Articles 15 to 22 GDPR, the personal data you provide will be processed in order to handle your request and to be able to provide evidence thereof. This processing is carried out for the purpose of fulfilling a legal obligation pursuant to Article 6(1)(c) GDPR in conjunction with Section 34(2) BDSG and/or Article 12 GDPR and/or for the purpose of pursuing the legitimate interest of the controller in an evidence-based defense against (administrative) assumptions and legal claims in accordance with Article 6(1)(f) and, where applicable, Article 9(2)(f) GDPR.

As a data subject, you are entitled to the following rights under the conditions of the General Data Protection Regulation (GDPR):

  • Right of Access pursuant to Art. 15 GDPR: You have the right to obtain information about the personal data stored concerning you.

  • Right to rectification pursuant to Art. 16 GDPR: You may request the rectification of inaccurate data or the completion of incomplete data.

  • Right to erasure ("right to be forgotten") pursuant to Art. 17 GDPR: You may request the erasure of your personal data, provided that there are no statutory retention obligations to the contrary.

  • Right to restriction of processing pursuant to Art. 18 GDPR: Under certain conditions, you may request the restriction of the processing of your data.

  • Right to data portability pursuant to Art. 20 GDPR: You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and to transmit those data to another controller.

  • Right to Object pursuant to Art. 21 GDPR: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data.

2.6.1 Information on the right to object pursuant to Art. 21 (4) GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling, insofar as it is connected with such direct marketing.

2.6.2 Revocation of Consents

You also have the right to revoke any consent given for the processing of personal data at any time with effect for the future. To do so, you can send us an informal notification by email to the email address mentioned above or use the designated function "Your cookie settings". The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent before its revocation.

2.6.3 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR or other data protection regulations. This right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.

The supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information

Address: Alt-Moabit 59-61

10555 Berlin

Phone: +49 (0) 30 13889-0

Fax: +49 (0) 30 2155050

Email: mailbox@datenschutz-berlin.de 

3. Our Data Processing Activities in Detail

Below, we provide you with detailed information about the specific processing operations, the data processed in each case, the scope and purpose of each data processing, as well as the relevant legal bases. For ease of reference, we have divided the presentation into the following four chapters:

  • Privacy Policy for Users of Our Website (3.1.)
  • Privacy Policy for Users of Our Subscription Offerings (3.2.)
  • Privacy Policy for Business Customers, Partners and Service Providers (3.3.)

3.1. Privacy Policy for Users of Our Website

Below, we explain (first in general, then in detail) how third parties and we handle the data of users of our website. The focus here is on data processing on our website (https://abo.miles-mobility.com/) and its subpages (e.g.: https://support.miles-mobility.com.

3.1.1. General Information on Data Processing 

3.1.1.1. Data Subjects

The data processing subjects are users of our website.

3.1.1.2. Purposes of Processing

The purposes of the processing are (i.) the provision of information about our company and our services, (ii.) the provision of our website and the assurance of the security of our presences, (iii.) the provision of communication channels to our company, (iv.) the statistical evaluation, analysis, and further development of our presences and business activities, (iv.) the promotional approach to interested parties, (v.) the analysis of the effectiveness of our advertising measures, as well as (vi.) anonymized market research.

3.1.1.3. Categories of processed data / Types of data

The following data types can be processed:

  • Meta/communication data (e.g.: IP address; access data)
  • Device information (e.g.: device identification number and type; information about browser and operating system as well as version; location)
  • Contact and contract data (e.g. address, email address, telephone number, bank and account data)
  • Information on interest in content and user behavior
  • your information in our contact forms
  • Demographic characteristics (via our advertising partners)

The data is generally collected when using the services.

3.1.1.4. Legal Bases

The processing of the aforementioned personal data is carried out in accordance with and on the basis of the following legal grounds: your consent pursuant to Art. 6 para. 1 lit. a) GDPR and, if applicable, Art. 9 para. 2 lit. a) GDPR; for the performance of a contract with you pursuant to Art. 6 para. 1 lit. b) GDPR; for compliance with legal obligations pursuant to Art. 6 para. 1 lit. c) GDPR; or on the basis of a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

3.1.1.5. Cookies and personalized tracking 

Our website uses so-called cookies and similar technologies (hereinafter collectively referred to as "cookies"). Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our offering more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Technically necessary cookies are those without which our website would not be functional and usable. This category includes only cookies and technologies that ensure the basic functions and security features of the website. Technically necessary cookies and technologies may be set without the user's consent.

Non-essential cookies are all cookies that are not strictly necessary for the functionality and security of a website and are, for example, specifically used to collect personal data of the user through analytics tools, advertisements, and other embedded content. Non-essential cookies and technologies (for example, cookies for marketing, advertising, or analytics purposes) require the prior consent of the user. Please refer to our cookie banner via the following link to see which cookies we use for which purpose: Your cookie settings.

Most of the cookies we use are so-called “session cookies.” They are automatically deleted after your visit ends. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser upon your next visit.

You can configure your browser to notify you when cookies are set and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or in general, as well as to activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.

Cookies that are necessary for carrying out the electronic communication process or for providing certain functions you have requested are stored on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimized provision of its services. Insofar as other cookies (e.g. cookies for analyzing browsing behavior) are stored, these are addressed below in this Privacy Policy and used with the corresponding consent.

You may revoke your consent at any time with effect for the future via the following link: Your cookie settings. Please note that the lawfulness of any processing carried out on the basis of your consent prior to its revocation remains unaffected.

Cookie consent with the Consent Manager from Osano

This website uses the cookie consent technology of Osano to obtain your consent for the storage of certain cookies on your device and to document this in compliance with data protection regulations.

The provider of this technology is Osano, Inc., 3800 N Lamar Blvd, Ste 200, Austin, TX 78756, USA, website: https://www.osano.com/ (hereinafter "Osano").

When you access our website, you will be asked to provide your consent or refusal regarding the use of cookies and tracking technologies. In this process, your IP address, information about the browser used, as well as the device employed, will be transmitted to Osano.

Osano stores a cookie in your browser in order to assign your granted consent or its withdrawal. The data collected in this manner will be stored until you request us to delete it or delete the cookie yourself. In this case, you will be asked for your consent again on your next visit.

The use of Osano serves the purpose of obtaining the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the legally compliant implementation of data protection requirements regarding consent to cookies.

3.1.2. The individual data processing operations 

3.1.2.1. Hosting of our website

Our website is hosted by Amazon Web Services (AWS). The personal data collected through our website is stored on AWS servers in Frankfurt am Main (Germany). This may include, in particular, IP addresses, contact inquiries, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.

The use of the hosting provider is carried out in the interest of ensuring the secure, fast, and efficient provision of our website by a professional provider (Art. 6 para. 1 lit. f GDPR).

In order to ensure the data protection-compliant processing and protection of your data, we have concluded a data processing agreement with our hosting provider in accordance with Art. 28 GDPR. In this agreement, our hosting provider in particular undertakes to process personal data only if and to the extent that this is necessary for the fulfillment of its service obligations.

According to the assurance of our data processor, the processing is to take place within the EU. In individual cases (such as support cases), however, access to personal data from the United States of America cannot be ruled out. We have therefore concluded standard contractual clauses with our hosting provider in order to ensure an adequate level of data protection even in cases of access from the USA and transmission to the USA.

3.1.2.2. Functionality, security and presentation of the website as well as consent request 

When you access our website, it is technically necessary for your internet browser to transmit data to our web server. The following data is recorded in a server log file during an active connection for communication between your internet browser and our web server:

  • IP address of the requesting terminal device (if applicable, also Internet service provider)

  • Date and time of the server request

  • Terminal information (device identifier, hostname, type)

  • Web browser used and browser version used 

  • Operating System Used and Version

  • Referrer URL

  • Access status (file transferred, file not found, etc.)

  • Transferred data volume

In addition, the following data may be stored by us as part of the required consent query (cookie banner):

  • IP address

  • Consent status 

  • Time and date of a given consent

The log file records are stored for 7 days and, if necessary, evaluated in order to protect our website against attacks, to identify and rectify errors, and to manage server load. This also constitutes our legitimate interest (Art. 6 para. 1 lit. f GDPR) in the secure provision of our website as well as in confidential, available, and integral data processing. No overriding interests are apparent. We reserve the right to review the log data if there are concrete indications of a justified suspicion of unlawful use. Should the suspicion of unlawful use be confirmed in an individual case, the affected log file records will be retained by us for as long as is necessary for the purpose of criminal prosecution or the enforcement of legal claims (Art. 6 para. 1 lit. f GDPR).

Technically necessary cookies may also be required for the complete and correct display of our website as well as for obtaining and storing your consent. Unless otherwise specified, the complete and correct display of our website constitutes a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Due to the legal obligation arising from Section 25 TTDSG to ensure that technically unnecessary cookies and technologies are not used and applied without your prior consent, we also request your consent to the use of these technologies via our cookie banner, Art. 6 para. 1 lit. c and f GDPR. The storage of your consent preferences takes place, on the one hand, to ensure that technically unnecessary cookies and technologies are not used without your prior consent. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. On the other hand, the storage of your consent preferences is carried out in order to comply with statutory documentation and proof requirements, Art. 6 para. 1 lit. c in conjunction with 7 para. 1 GDPR. Consent granted as part of the consent query for certain cookie categories can be revoked at any time with effect for the future via the function "Your cookie settings" provided by us. The lawfulness of processing carried out on the basis of your consent until revocation remains unaffected. However, you can also simply delete the aforementioned cookies by clearing your history from your browser. If you delete the cookies from your browser, your consent will be requested again when you reopen our website.

The aforementioned data/records will not be merged with other data/records.

3.1.2.3. Management of analysis tools via Google Tag Manager

We use Google Tag Manager to centrally integrate and manage website analytics via a user interface. Tags are various tracking codes (JavaScript code lines) that allow us to record or track your activities on our website.

The advantage of the Tag Manager is that it allows us not only to manage Google services, but also to centrally manage other analytics services. In this way, we can better identify which tracking technology provides us with the information we need and avoid unnecessary data collection. The Tag Manager itself does not process any data, but helps us to organize the data from Google Analytics, Facebook, or Instagram.

We use the Tag Manager to make our website as beneficial, comfortable, and user-friendly as possible for you and other visitors. For this purpose, we require analytical data. We use the Tag Manager on the basis of Art. 6 para. 1 lit. f GDPR, which permits processing based on a balancing of interests. We have a legitimate interest in seeing which content appeals to our interested parties. This enables us to realign our marketing in order to draw more people’s attention to our offerings. Please read Section IV.1.1.7. for further information regarding the transfer of data to third countries and the associated risks.

3.1.2.6. Statistical evaluation, analysis and further development of our online presence

On the basis of your prior consent, we process your personal data for the purpose of statistical evaluation and analysis of our website services and our business activities, as well as for the further development of our website. For the collection of relevant data, we use cookies from integrated service providers, which you can find in our cookie banner. The data obtained in this way is used within the scope of the use of these tools:

a) converted into a neutral user identifier that prevents tracing by us, but allows recognition of, for example, date and time of the visit as well as usage data in a non-attributable manner for evaluation purposes,

b) subsequently used for the purpose of statistical evaluation, analysis, and further development of our online presences and 

c) finally, in aggregated form, used for the statistical evaluation of the key figures of our economic activity.

The personal data processed in the context of the use of these tools includes:

  • IP address (pseudonymized or partially anonymized)
  • Time of visit 
  • Date and time of access
  • Usage data (including scroll depth, conversions, and conversion funnels)
  • Click Path
  • App Updates
  • Browser information (browser and version)
  • Device information (device ID and operating system)
  • JavaScript support
  • Visited pages and subpages
  • Referring URL
  • Downloaded Files
  • Flash version
  • Location Information
  • Screen size and resolution.
  • Approximate location (IP location)
  • Language

The legal basis for the processing of the aforementioned personal data is your consent pursuant to Art. 6 (1) (lit. a) GDPR and § 25 TTDSG, which we obtain via our cookie banner. You may withdraw your consent at any time with effect for the future via the function "Your cookie settings" on our website or by email to data-protection@miles-mobility.com. Any processing carried out prior to the withdrawal of consent remains unaffected.

To ensure data protection-compliant processing and the protection of your data, we have concluded data processing agreements in accordance with Art. 28 GDPR with our service providers. In these agreements, our service providers particularly guarantee to process personal data only if and to the extent necessary for the fulfillment of their service obligations.

According to the assurances of our processors, processing is to take place within the EU. In individual cases (such as support cases), however, access to personal data from the United States of America by one of our service providers cannot be ruled out. We have therefore concluded standard contractual clauses with the relevant service provider in order to ensure an adequate level of data protection even in cases of access from the USA and transfer to the USA.

Note: If you require further information about the tools used, please feel free to contact us at any time at data-protection@miles-mobility.com. For further information regarding any potential data transfer to third countries and the associated risks, please refer to Section IV.1.1.7. of this Privacy Policy.

3.2. Privacy Policy for Users of the Subscription Offer

Below we explain (first in general, then in detail) how we process personal data of users of our subscription service.

3.2.1. General Information on Data Processing 

3.2.1.1. Data Subjects

A data subject is any natural person whose personal data is processed in connection with the conclusion, use, or termination of a subscription contract, in particular prospective customers, registered users, subscription customers, additional drivers, as well as, where applicable, contact persons for corporate customers.

3.2.1.2. Purposes of Processing

In the context of our subscription offer, personal data is processed for one or more of the following purposes:

·       Registration for User Account and Verification

·       Credit check

·       Customer Management

·       Customer communication and customer support,

·       Conducting a credit check to assess creditworthiness (e.g., through credit agencies such as SCHUFA),

·       Creation and management of customer and user accounts, including access data,

·       Delivery, provision, and return of the vehicles,

·       Carrying out regular vehicle inspections (e.g. main inspection, maintenance, servicing),

·       Recording and management of rental and contract data, including additional drivers,

·       Adding and verifying additional drivers under an existing subscription,

·       Billing, payment processing, and payment tracking,

·       Receivables management, debt collection, and communication with payment service providers,

·       Processing of vehicle telemetry data (e.g., for location, maintenance, diagnosis)

·       Use of location and app data for service provision, security, and analysis,

·       Processing of voluntary information such as preferred vehicle or additional services,

·       Processing of legal violations, in particular against the StVG, as well as support for authorities,

·       Conducting security audits, fraud prevention, and abuse detection,

·       Claims processing and settlement (e.g., after accidents, in cases of theft or vandalism),

·       Fulfillment of legal, tax, or regulatory obligations (e.g., retention obligations, obligations to provide information to authorities).

3.2.1.3. Categories and origin of processed data / types of data

The following categories of data are collected directly from the data subject during registration and use of the account and subsequently processed:

  • Master data: First name, Last name, Date of birth, private and/or business address Communication data: E-mail address, Telephone number(s), if applicable Fax number
  • Payment data: bank account details (e.g. IBAN, BIC), credit card details, SEPA mandate
  • Access data: Username, Password
  • Identification data: driver's license (partially redacted if applicable), identity card or passport (as a copy for verification) F
  • voluntary information: e.g. desired vehicle equipment, preferred vehicle class
  • Data of secondary drivers: if provided by the primary user – their master data and identification data

The following data is collected by MILES Mobility GmbH through third parties and subsequently processed:

  • Schufa score as part of the credit report (Schufa)
  • Telemetry and location data of the vehicle
  • Payment Data
  • Legally required information (e.g., in criminal or insurance cases)

3.2.1.4. Legal Bases

The processing of the aforementioned personal data is carried out in accordance with and on the basis of the following legal grounds: your consent pursuant to Art. 6 para. 1 lit. a) GDPR and, if applicable, Art. 9 para. 2 lit. a) GDPR; for the performance of a contract with you pursuant to Art. 6 para. 1 lit. b) GDPR; for compliance with legal obligations pursuant to Art. 6 para. 1 lit. c) GDPR; or on the basis of a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

3.2.1.5. Categories of recipients

In the context of our subscription offers, we work with service providers bound by instructions who have access to your personal data.

Below, we provide an overview of the service providers. You can find further information in the respective sections on processing:

AWS (hosting)

Zendesk

Inverse (driving data)

Braze

Postmark

Typeform

Stripe

TÜV Süd

Onlogist

Flipcar

Debtist

Furthermore, data may be exchanged with the following recipients :

  • governmental or other authorized bodies, provided and to the extent that this is permitted and required by law.

  • any legal successor of our company or any part thereof.

Note: If you require further information in this regard, please contact us at data-protection@miles-mobility.com.

3.2.1.6. Risk Notice Regarding Possible Third Country Transfers

We would like to point out that, as part of our business processes, we also cooperate with service providers in so-called third countries, in particular with companies based in the United States of America. In this context, personal data may be transferred to these countries.

For the United States, the European Commission adopted an adequacy decision pursuant to Article 45 GDPR under the EU-U.S. Data Privacy Framework on July 10, 2023. Companies certified under this framework provide a level of data protection that is recognized by the European Union as equivalent to the protection within the EU. We work exclusively with U.S. service providers that are certified under the Data Privacy Framework, such as Braze Inc., Stripe Inc., or Zendesk Inc.

If data is to be transferred to countries for which there is no adequacy decision, such transfer will only take place on the basis of appropriate safeguards in accordance with Article 46 GDPR, in particular through the conclusion of standard contractual clauses, or, in exceptional cases, on the basis of your explicit consent or for the performance of a contract in accordance with Article 49 GDPR.

Regardless of the destination country, we ensure through appropriate contractual, technical, and organizational measures that the level of protection of your personal data is maintained and that processing takes place exclusively in accordance with the purposes described in this Privacy Policy.

3.2.1.7. Automated Decision-Making

If an automated decision-making process takes place within the scope of the credit check obtained by MILES Mobility from SCHUFA (Note: Responsibility for the latter does not lie with MILES Mobility GmbH, but with SCHUFA). The respective decision may also significantly affect the data subject in such a way that MILES Mobility GmbH refrains from entering into a contract or providing services. 

In this context, MILES Mobility GmbH points out that the data subject has the right to present their point of view to us and to contest these decisions. In such cases, we are happy to conduct a manual review of the automated decision.

3.2.2. Our Data Processing Activities in Detail

3.2.2.1. Registration for User Account and Verification

As part of the registration process for our subscription offer, we process personal data in order to create a customer account, verify the identity of our users, and validate the driving license. These processing activities are necessary to enable access to our subscription service and to comply with legal obligations.

In doing so, we process in particular the following categories of data:

  • Master data: First and last name, date of birth, address

  • Communication data: Email address, telephone number

  • Payment data: Bank details, credit card information

  • Identification data: Driver's license (partially redacted) as well as a valid identification document (ID card or passport)

  • Access and usage data: Username, password

  • Creditworthiness data: SCHUFA base score or other information from credit agencies (only if necessary and in compliance with data protection requirements)

For the verification of driving licenses and the identity of our users, the verification service provider Jumio Software Development GmbH, Lunaplatz 5, A-4030 Linz, is used. Jumio acts as a processor within the meaning of Art. 28 GDPR and is subject to the instructions of MILES Mobility GmbH.

As the processing by Jumio may also take place in the USA and Jumio is not certified under the Transatlantic Data Privacy Framework, we have concluded EU Standard Contractual Clauses (Standard Contractual Clauses – SCCs) with Jumio. This ensures an adequate level of data protection when transferring data to third countries.

Jumio is also subject to the security requirements of the PCI DSS (Payment Card Industry Data Security Standard) and ensures a high level of data security. For more information on data protection at Jumio, please visit:
https://www.jumio.com/privacy-center/privacy-notices/

The verification of the driving license is carried out on the basis of Art. 6 Para. 1 lit. c GDPR in conjunction with § 21 Para. 1 No. 2 Road Traffic Act. As the vehicle owner, MILES Mobility GmbH is legally obligated to verify the validity of the driving license before the start of a contractual relationship.

For identity verification and protection against identity theft, a second official identification document is requested in addition to the driver's license. This serves in particular to fulfill the obligation to provide proof in connection with claims, cooperation with authorities in cases of administrative offenses or criminal acts, as well as the verification of international or older driver's license documents.

This obligation to provide proof remains in effect for the entire duration of the customer relationship. The verification data will be stored accordingly for this period.

If you are already a verified member of the car sharing service offered by MILES Mobility GmbH, a renewed verification is not required. In this case, we will use the verification data that has already been stored and checked. 

3.2.2.2. Credit Assessment

As a company, we have a legitimate interest in protecting ourselves against payment defaults. For this reason, our General Terms and Conditions provide for the authority to verify the creditworthiness of our customers with credit agencies or Schufa. In the course of checking the creditworthiness of our customers and in the context of processing their results, we process personal data.

The credit check is necessary to ensure and enforce the rights and claims of MILES Mobility GmbH. The credit checks serve to protect MILES Mobility GmbH against payment defaults and are intended to ensure that MILES Mobility GmbH can seek recourse from the party responsible in the event of damage.

The processing of personal data within the scope of the creditworthiness check is carried out on the basis of Art. 6 para. 1 lit. f GDPR. We assume that the verification and confirmation of creditworthiness is generally also in the interest of our customers, as this form of credit assessment does not pose significant risks to rights and freedoms, allows the transmission of additional creditworthiness data to be avoided, and enables a simple and convenient process to be provided.

During the credit assessment, your data will be transmitted to Schufa. This may include, for example, your name, address, date of birth, and bank account details, insofar as these are required for identity verification. We receive from Schufa or affiliated credit agencies a scoring value as well as, if applicable, further information from which the risk of payment default can be derived. This may include, for example, outstanding claims, deferments due to insolvency, ongoing insolvency proceedings, or participation in debt counseling. If we receive a scoring value that is too low as part of the credit check, we may temporarily deactivate the user account. You have the right to present your point of view to us and to contest the decision. In this case, we are happy to conduct a manual review of the automated decision.

As a rule, we do not report payment defaults to Schufa on our part. However, we reserve the right to do so if and to the extent that the legal requirements for such a report are met. In this case, customers will be repeatedly reminded in compliance with formal requirements and informed in the reminder of the possibility of such a report being made.

SCHUFA processes your data and also uses it for the purpose of profiling (scoring). The transfer of your data to companies in the EEA and Switzerland as well as, if applicable, to third countries outside the EEA is carried out under the responsibility of SCHUFA. Further information on the activities of SCHUFA can be obtained at www.schufa.de/datenschutz. Data processing and profiling are carried out by SCHUFA; SCHUFA is the controller for this processing within the meaning of data protection law. Therefore, SCHUFA is also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/.  For details on exactly which data Schufa processes about you, please contact Schufa directly.

3.2.2.3. Customer management, customer communication, customer support, newsletter dispatch

3.2.2.3.1. Customer Management

To manage our customer data, we use our own platform, which is hosted at Amazon Web Services (AWS) in Frankfurt am Main, Germany. In our system, the data collected in the course of registration, contract execution, and customer communication is processed and stored. This includes, in particular, master data, communication data, contract data, payment data, as well as information regarding vehicle usage.

The processing of this data is carried out on the basis of:

  • Art. 6 para. 1 lit. b GDPR for the initiation, execution and processing of the subscription contract,

  • Art. 6 para. 1 lit. c GDPR for the fulfillment of legal obligations (e.g. owner obligations under the StVG),

  • as well as Art. 6 para. 1 lit. f GDPR, for example for processing inquiries, customer communication, and system maintenance.

Data is only shared with third parties if this is required by law or becomes necessary to enforce our legal claims.

The storage and processing on AWS servers in Germany is carried out in compliance with the applicable data protection regulations. AWS acts as a processor in accordance with Art. 28 GDPR. A corresponding data processing agreement has been concluded.

3.2.2.3.2. Customer Support and Communication

Customer support, customer communication

For the efficient processing of customer inquiries, we use the ticket and CRM system Zendesk, a service of Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA. The use is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, to be able to process support requests quickly and in a structured manner.

Zendesk processes personal data exclusively for the technical handling of inquiries and does not disclose this data to third parties. The use of Zendesk requires the provision of a valid email address; the use of a pseudonym is generally possible. In the course of processing, it may be necessary to collect additional information (e.g., name, address).

Zendesk is certified under the EU-U.S. Data Privacy Framework. This means that, on the basis of the adequacy decision of the European Commission pursuant to Art. 45 GDPR, an adequate level of data protection exists for data transfers to the USA. In addition, we have entered into contractual agreements with Zendesk to ensure compliance with the data protection requirements of the GDPR.

If users do not consent to processing via Zendesk, we offer alternative contact options by telephone or mail.

3.2.2.3.4. Newsletter Dispatch

As part of the registration for our newsletter, as well as when subscribing to and after unsubscribing from the newsletter, we process personal data, provided that you choose to subscribe and subscribe to our newsletter using the double opt-in procedure.

To subscribe to the newsletter, we require your email address. No further data will be collected, or only on a voluntary basis. The legal basis for processing in the context of registration is our legitimate interest in carrying out the verification process pursuant to Art. 6 para. 1 lit. f GDPR. The actual dispatch of the newsletter is based on your explicit consent pursuant to Art. 6 para. 1 lit. a GDPR.

To verify your email address, you will receive a confirmation email (double opt-in) after registration. In this process, we store your IP address, the registration date, and the time in order to document and demonstrate your consent. This processing is carried out in accordance with Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR due to our legal obligation to provide proof of consent.

We send newsletters containing relevant product information, notices of special promotions, as well as mandatory customer information such as changes to the terms of use, tariff adjustments, or technical notices. The latter do not constitute advertising in the strict sense, but serve to fulfill the contract and cannot be unsubscribed from automatically. The right to object pursuant to Art. 21 GDPR remains unaffected, but requires active notification by the data subject.

For the dispatch of our newsletters, we use the services of Braze Inc., 330 West 34th Street, 18th Floor, New York, NY 10001, USA, as well as Postmark (Wildbit LLC), 225 Chestnut St., Philadelphia, PA 19106, USA. We have concluded a data processing agreement with Braze Inc. in accordance with Art. 28 GDPR, in which the service provider undertakes to comply with European data protection requirements.

As part of the newsletter distribution, a reach analysis is also carried out. When an email is opened, a connection is established to the servers of Braze in the USA in order to statistically evaluate whether the newsletter was opened and which links were clicked. In this process, technical information such as the time of retrieval, IP address, browser type, and operating system is collected. This data is anonymized and does not allow any conclusions to be drawn about specific recipients. The analysis serves to optimize future content. If you do not wish to participate in this analysis, you can unsubscribe from the newsletter at any time – a corresponding link is included in every email.

After you unsubscribe, your email address will be stored in a so-called blacklist in order to prevent future mailings. The storage is indefinite and exclusively for this purpose. The data from the blacklist will not be combined with other data. The legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in complying with legal requirements for the sending of electronic communications. You may object to the storage at any time if your legitimate interest outweighs our legitimate interest.

 

 

 3.2.2.4. Vehicle Delivery

The delivery of the subscribed vehicle is carried out either by employees of MILES Mobility GmbH or by specialized logistics partners. As a rule, the vehicle is handed over at the location requested by the customer, e.g., at their place of residence or workplace. We are currently working with the following partners for delivery:

  • FlipCar GmbH, Konsul-Smidt-Straße 24, 28217 Bremen, Germany

  • ONLOGIST GmbH, Frankenstraße 29, 20097 Hamburg, Germany

Order processing contracts pursuant to Art. 28 GDPR exist with both partners, ensuring the data protection-compliant handling of personal data.

As part of the vehicle handover, the verification of the user’s identity and driving license is carried out. This includes:

  • Visual inspection and photographic documentation of the identity card or passport

  • Visual inspection and photographic documentation of the driver’s license

  • Comparison of the data with the information provided during registration

  • Creation of a digital handover protocol that documents the condition of the vehicle through comprehensive photographic documentation (e.g. bodywork, mileage, fuel level, damages)

These data processing activities are carried out on the basis of Art. 6 para. 1 lit. b GDPR (performance of a contract) as well as Art. 6 para. 1 lit. c GDPR in conjunction with § 21 para. 1 no. 2 StVG (statutory obligations of the vehicle owner to verify the driving license).

All personal data collected in the course of the handover is used for legally compliant handover documentation, fraud prevention, securing evidence in the event of subsequent damage, and vehicle tracing in case of loss or misuse.

The transfer data is stored in encrypted form in our system and is used exclusively for contract processing and, if necessary, for the assertion of legal claims. Access is granted only to authorized employees or processors within the scope of their respective duties.

3.2.2.5 Processing during vehicle use

During the use of the subscribed vehicle, we process certain usage-related and technical data in order to ensure the proper execution of the contract, promote road safety, and continuously improve our service. This includes, in particular, information about the location of the vehicle, technical condition data (such as mileage, tire pressure, fuel level, or charge level in the case of electric vehicles), as well as vehicle-specific telemetry data related to the use, control, and maintenance of the vehicle.

In addition, certain events such as the opening or closing of the vehicle, the start and end time of use, as well as any technical error messages are automatically recorded via the system installed in the vehicle. In individual cases, for example in the event of safety-relevant incidents such as an accident or an unexpected braking maneuver, a more detailed analysis of the vehicle movement data may be carried out in order to trace the causes and to be able to settle any potential damages.

The relevant technical data is provided by INVERS GmbH, Leostraße 16, 57078 Siegen, Germany, which supports us as a technical service provider. A data processing agreement pursuant to Art. 28 GDPR has been concluded with INVERS, which ensures the data protection-compliant processing of this information.

The processing of this data is carried out on the basis of Art. 6 para. 1 lit. b GDPR, insofar as it is necessary for the fulfillment of the contractual relationship, in particular with regard to billing, returns, and technical support. In addition, we rely on Art. 6 para. 1 lit. f GDPR, insofar as there is a legitimate interest in ensuring operations, preventing misuse, conducting technical analysis, and optimizing our services.

No permanent monitoring of user behavior takes place. Disclosure of this data to third parties occurs exclusively when this is necessary for the fulfillment of the contract, for the processing of a damage case, or for the protection of our legitimate interests.

3.2.2.6 Vehicle Return

The return of the vehicle at the end of the subscription period generally takes place in cooperation with TÜV SÜD Auto Service GmbH, Westendstraße 199, 80686 Munich, Germany. The return is carried out at an agreed location and includes a technical and visual inspection of the vehicle by employees of TÜV SÜD.

As part of organizing the return process, we transmit the contact details of the affected person – in particular the name and telephone number – to TÜV SÜD for the purpose of making contact and arranging appointments. This data processing is carried out on the basis of Art. 6 Para. 1 lit. b GDPR for the implementation of the existing contractual relationship as well as pursuant to Art. 6 Para. 1 lit. f GDPR on the basis of our legitimate interest in a proper and documented return of the vehicle.

TÜV SÜD acts as an independently responsible entity in accordance with Art. 4 No. 7 GDPR. The company is contractually and technically obligated to use the transmitted personal data exclusively for the purpose of appointment processing and vehicle inspection and not to disclose it to third parties without authorization.

The data and inspection results recorded upon return (e.g., photos, documentation of damages, mileage) are processed and stored for further handling in the context of settlement and, if applicable, for claims adjustment.

3.2.2.7 Processing of personal data when adding additional drivers

If additional drivers (secondary drivers) are designated under a subscription contract, we also process their personal data. The inclusion of an additional driver is carried out exclusively at the request of the primary customer and requires the express consent of the respective additional driver.

For verification and to check eligibility, we collect in particular the following information as part of this process:

  • First and last name

  • Date of Birth

  • Address

  • Driver's license data

  • a valid identification document (e.g. identity card or passport)

Data collection is carried out via a form system provided by Typeform S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain. In this context, Typeform acts as a processor in accordance with Art. 28 GDPR. The information submitted via the form is manually reviewed and processed by employees of MILES Mobility GmbH.

As part of our security measures and for the purpose of credit assessment, a SCHUFA inquiry (base score) is also carried out for additional drivers. This processing is based on Art. 6 para. 1 lit. f GDPR in conjunction with our legitimate interest in risk minimization prior to the provision of a vehicle. The data is used exclusively for the purpose of contract evaluation and is not disclosed to unrelated third parties.

The legal basis for the processing of personal data in the context of the inclusion of additional drivers is Art. 6 para. 1 lit. b GDPR (performance of a contract) in conjunction with Art. 6 para. 1 lit. f GDPR (legitimate interest in security checks and credit analyses).

3.2.2.8. Billing, payment processing, and payment tracking

We also process our customers' data in the context of billing, payment processing, and payment tracking.

The data processed in the context of billing includes the master data of our contractual partners and customers (e.g., names and addresses) as well as their contact details (e.g., email addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history). The processing of the aforementioned personal data is based on Art. 6 Para. 1 lit. b GDPR.

As part of payment processing, it is also necessary to transfer data to payment service providers for the purpose of executing the transaction. The data processed in each case varies depending on the payment service provider used. Typically, this includes the name, address, stored payment method, invoice data, a pseudonymized transaction ID, and, if applicable, bank account details.

For payment processing, we particularly use the service provider Stripe Payments Europe, Ltd. as well as Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA. Stripe processes the transmitted data exclusively for the technical execution of payment transactions. Stripe is certified under the EU-U.S. Data Privacy Framework, thereby ensuring an adequate level of data protection in accordance with the Adequacy Decision of the European Commission pursuant to Art. 45 GDPR. In addition, we have concluded contractual guarantees with Stripe, in particular Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR, to ensure the protection of data in the event of any processing in the USA.

In order to offer and ensure efficient, secure, and convenient processing of payments, we rely not only on banks and credit institutions but also on specialized payment service providers such as Stripe. This processing is additionally carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

MILES Mobility GmbH is also informed by the payment service providers used about payments that have been made or not made. In this context, the same data that was transmitted for payment processing may be processed again. This processing is also based on the legitimate interest of MILES Mobility in secure payment processing and risk monitoring pursuant to Art. 6 para. 1 lit. f GDPR.

The aforementioned data will generally not be disclosed to other third parties unless it is necessary for the pursuit of our legitimate interests or for the fulfillment of legal obligations (Art. 6 para. 1 lit. f or lit. c GDPR). This particularly includes disclosure to debt collection service providers or legal representatives in the event of payment arrears.

The data will be deleted as soon as they are no longer required for the aforementioned purposes, subject to statutory retention periods in accordance with commercial and tax law. These remain unaffected by this.

In order to ensure the data protection-compliant processing and protection of your data, appropriate data processing agreements pursuant to Art. 28 GDPR have been concluded with all payment service providers used. These agreements obligate the service providers to process personal data only in accordance with our instructions and in compliance with data protection regulations.

Note: If you require further information in this regard, please contact us at data-protection@miles-mobility.com. For further information regarding the transfer of data to third countries and the associated risks, please refer to Section IV.2.1.6. of this Privacy Policy.

3.2.2.9 Outstanding Receivables & Debt Collection

MILES Mobility GmbH cooperates with debt collection service providers to enforce outstanding claims. The engagement of a debt collection service provider constitutes a legal service within the meaning of Section 10 (1) sentence 1 of the Legal Services Act (RDG). It is at the discretion of MILES Mobility GmbH to engage a lawyer or a debt collection company in the event of disputes regarding an – even allegedly – outstanding claim.​

In these cases, MILES Mobility GmbH is authorized and obligated to transfer the debtor's personal data to the commissioned collection agency, as the collection agency can only approach the debtor and assert the claim with this data.​

To enforce outstanding claims, MILES Mobility GmbH cooperates with the specialized debt collection service provider Debtist GmbH, Taunustor 1, 60310 Frankfurt am Main, Germany. The cooperation is based on a data processing agreement pursuant to Art. 28 GDPR, which ensures the data protection-compliant handling of personal data.

As part of the debt collection process, the personal data required for claim processing is transmitted to Debtist GmbH. This includes, in particular, names, addresses, contact details, contract information, as well as information regarding the amount of the claim, due date, and payment history. The processing of this data is carried out on the basis of Art. 6 para. 1 lit. b GDPR for the performance of a contract, as well as Art. 6 para. 1 lit. f GDPR due to our legitimate interest in asserting lawful claims.

Debtist acts as a processor bound by instructions and undertakes to comply with data protection regulations. Further information on data protection at Debtist can be found at:
https://www.debtist.de/privacy/

Note: If you require further information in this regard, please contact us at data-protection@miles-mobility.com

3.2.2.10 Data processing in the event of violations of our Terms and Conditions, in the context of fraud prevention, and during security checks

MILES Mobility GmbH also has a legitimate interest in protecting itself against attempted fraud and violations of its General Terms and Conditions. In addition to verification during registration (driver's license, identification document), further information is checked by MILES Mobility GmbH for this purpose. This may include the email address, telephone number, and bank account details provided during registration. There is also a regular comparison of newly provided data with existing data in order to prevent multiple registrations.

The processing of personal data in the context of fraud prevention is carried out on the basis of Art. 6 Para. 1 lit. f GDPR. We assume that these checks are generally also in the interest of customers. The type of security checks do not constitute a significant interference with the rights and freedoms of our users. Measures for fraud prevention are necessary for the enforcement of rights and claims.

Furthermore, MILES Mobility GmbH reserves the right, with reference to Section 32 (1) No. 4 of the BDSG, not to inform the data subject about the results of security checks carried out.

3.2.2.11. Data processing in the event of damage and claims settlement

In the event of a claim, it is necessary to process additional data.

The purposes and legal bases of the processing here are the 

  • Support of our customers in the event of a claim (Art. 6.1.b GDPR)
  • Reconstruction of the course of the accident (Art. 6.1.f GDPR, if applicable in conjunction with Art. 6.1.c GDPR and Section 24 BDSG)
  • Regulation/Liquidation of damages (Art. 6.1.b and c GDPR)  
  • Pursuit and enforcement of one’s own legal claims (Art. 6.1.f GDPR)

For one or more of these purposes, in the event of a claim, we process, where permissible and necessary, your master data, usage data, data from the vehicles, statements and information from third parties (police, opposing parties in an accident, witnesses, other Miles users), as well as payment data relating to you.

In certain circumstances, we may also receive health-related data in this context. Examples of this include injuries or indications of alcohol and narcotics consumption. In this case, the legal basis for our processing is Art. 9 para. 2 lit. f GDPR.

In the event of an incident for which you are responsible, and for which we receive a claim for damages or another claim from an injured party or another entitled third party (e.g., costs due to a private towing operation in the event of disturbance of the property owner), we will transmit your stored contact details to the claimant and/or to our insurance broker (SHL Versicherungsmakler GmbH), so that liability issues can be clarified directly between you as the responsible party and the claimant, or so that you can indemnify us from the claim in accordance with the provisions of the General Terms and Conditions. The transmission is necessary for the fulfillment of your contract with us (Art. 6 para. 1 lit. b GDPR) and for the protection of our legitimate interest in pursuing and enforcing the legal claims that the claimant and we have against you (Art. 6 para. 1 lit. f GDPR).

In the event of damage, we are also legally obligated to participate in the documentation of the accident process, Art. 6 Para. 1 lit. c GDPR. Furthermore, there are contractual obligations, among others, towards claims adjusters, the fulfillment of which represents a legitimate interest (Art. 6 Para. 1 lit. f GDPR) to process the data of those who caused the damage. Since the defense of legal claims is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR.

3.3. Privacy Policy for Business Customers, Partners and Service Providers

3.3.1. Business Customers

For business customers, essentially all points that also apply to users of the website and the subscription offer apply. However, additional company-related contact data and billing data may be processed.

For the administration and support of business customers, we use an additional CRM service provider in addition to our general customer management. The legal basis for the use of the provider's CRM system is our legitimate interest in efficient and prompt processing of inquiries, efficient existing customer management, and effective and efficient new customer business, Art. 6 Para. 1 lit. f GDPR.

In order to ensure the data protection-compliant processing and protection of your data, we have concluded a data processing agreement with our CRM service provider in accordance with Art. 28 GDPR. In this agreement, our CRM service provider in particular undertakes to process personal data only if and to the extent that this is necessary for the fulfillment of its service obligations.

According to the assurance of our data processor, the processing is to take place within the EU. In individual cases (such as support cases), however, access to personal data from the United States of America cannot be ruled out. We have therefore also concluded standard contractual clauses with our service provider in order to ensure an adequate level of data protection even in cases of access from the USA.

Note: If you require further information about the tools used, please feel free to contact us at any time at data-protection@miles-mobility.com.

4. General Administration, Accounting and Business Development

We process personal data in the context of administrative tasks, the organization of our operations, our financial accounting, and to comply with legal obligations, such as archiving. In this context, we process the same data that we process in the course of providing our contractual services. The legal bases for processing are Art. 6 para. 1 lit. c GDPR, as well as, for all processing not subject to a legal obligation, our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The data subjects affected by the processing are customers, interested parties, business partners, and website visitors. The purpose and our interest in the processing lie in administration, financial accounting, office organization, data archiving, i.e., tasks that serve to maintain our business operations, fulfill our duties, and provide our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided for these processing activities (see above).

In this context, we disclose or transmit data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, on the basis of our business interests, we store information about suppliers, organizers, and other business partners, e.g., for the purpose of future contact.

5. Business Management Analyses

In order to operate our business economically, to identify market trends, and to recognize the wishes of our contracting parties and users, we analyze the data available to us regarding business transactions, contracts, inquiries, etc. In this context, we process inventory data, communication data, contract data, payment data, usage data, and metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the data subjects include contracting parties, interested parties, customers, visitors, and users of our online offering.

The analyses are carried out for the purposes of business management evaluations, marketing, and market research. In this context, we may take into account the profiles of registered users, including information such as the services they have used. The analyses serve to increase user-friendliness, optimize our offering, and improve business efficiency. The analyses are for our internal use only and are not disclosed externally, unless they are anonymous analyses with aggregated values.

If these analyses or profiles are related to personal data, they will be deleted or anonymized upon termination of the user, otherwise after two years from the end of the contract. Furthermore, overall business analyses and general trend determinations will, where possible, be created anonymously.

6. Status of this Privacy Policy & Amendments

We reserve the right to amend this Privacy Policy at any time in compliance with applicable laws and regulations.

The version available online at the time of your visit applies to the use of our website. The current version of this Privacy Policy is always available at https://abo.miles-mobility.com/de/data-privacy-and-cookie-policy.

Last updated: 14.05.2025