Data Privacy Subscription

This Privacy Policy applies to the website https://abo.miles-mobility.com/, which is offered and operated by MILES Mobility GmbH, and all data processing carried out in this context.

Handling your data in accordance with data protection regulations is more than just a legal requirement for MILES Mobility GmbH. It is our calling! Regardless of whether you use our mobility services, obtain information about our services or our company, are in contact with us as a service provider or partner, work for us as an employee or apply to us as an applicant - you can rely on the correct handling of your data at all times.

With this Privacy Policy, we would like to inform you in accordance with Art. 13 and 14 of the General Data Protection Regulation (DSGVO) and §§ 32 and 33 of the Federal Data Protection Act (BDSG) about how our company and third parties process personal data in the context of our website, and inform you about your rights in this regard.

This Privacy Policy uses the terminology of the DSGVO. Other terms used, such as "visitor", "user" or "recipient", are chosen for the sake of clarity and are to be understood as gender-neutral.

I. Name und Contact Details of the Controller and its Data Protection Officer

I.1. Contact Details of the Controller

MILES Mobility GmbH

represented by the managing directors: Oliver Mackprang, Eyvindur Kristjansson

Leibnizstraße 49

10629 Berlin, Germany

Email: hello@miles-mobility.com

Phone: +49 (0) 30 2016 4975

Website: https://abo.miles-mobility.com/

Email address for all data protection related concerns: data-protection@miles-mobility.com

I.2. Contact Details of the Data Protection Officer

Pridatect S.L.
Carrer de Tarragona 161, Planta 11ª

08014 Barcelona, Spain

Website: www.pridatect.de

II. General Overview of our Data Processing

II.1. Extent of Data Processing

As a matter of principle, we only process personal data of our users insofar as this is necessary for the provision of a functional website as well as our contents and services. The processing of personal data of our users is regularly only carried out with the consent of the user. An exception applies in those cases in which obtaining prior consent is not possible for actual reasons and/or the processing of the data is permitted by legal regulations.

II.2. Purposes of Data Processing

We process personal data of visitors and users of our website (visitors and users hereinafter collectively referred to as "users") if this data is technically necessary for the functionality, display or security of our website or our consent request or if this data is made available to us by our users or third parties. The extent to which the following explanations apply to you depends on how you interact with us.

We process personal data for one or more of the following purposes:

for the provision, functionality, security and presentation of our website,
to comply with legal requirements, e.g. in relation to your consent,
for the creation and provision of customer accounts,
for contacting you and processing your enquiry,
to initiate or perform contracts between you and us or between you and cooperation partners,
to protect the vital interests of your person or another natural person,
for statistical evaluation, analysis and further development of our services, and/or
for advertising and optimisation purposes.

II.3. Legal Basis for the Processing of Personal Data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (“GDPR”) serves as the legal basis.

When processing personal data that is necessary for the initiation or performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

II.3. Retention period and Data Deletion

Retention period

We will only store your personal data for as long as is necessary to achieve the relevant processing purpose. We store your data (i) if you have consented to the processing, at most until you revoke your consent to us by simply sending an email to data-protection@miles-mobility.com or using the „Your cookie settings“ function; (ii) if we need the data to perform a contract, at most for as long as the contractual relationship with you exists (including the defence and enforcement of claims within the limitation periods); (iii) if we process the data to protect vital interests, for no longer than is necessary to protect the vital interests of the data subject or another natural person; (iv) if we use the data on the basis of a legitimate interest, for no longer than is necessary to protect your interest in having the data deleted or anonymised.

In addition, data may be stored if this has been provided for by the European or national legislator in regulations, laws or other provisions to which the responsible party is subject or if this is necessary to secure, assert or enforce legal claims (Art. 6 (1) (f) GDPR). In order not to violate legal regulations or to lose the possibility to enforce or defend ourselves against a claim, we reserve the right to delete the data only upon expiry of the last expiring retention period that legitimises the data storage.

Deletion upon request

In the case of processing based on consent, the revocation of consent is usually implemented immediately and automatically by the systems of MILES Mobility GmbH and service providers used. In rare cases, synchronisation may take a few hours.

If customers successfully request their right to erasure for data processed on a legal basis other than consent, the customer account will be deleted in accordance with the following information: The personal data to be deleted will be blocked in the system, partially obscured or blackened and access to the data strictly limited. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data which must be kept for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

The recipients of the data will be informed of the erasure request by MILES Mobility GmbH.

If overriding interests stand in the way of deletion, the customer will be informed of the reasons for the restriction of the erasure request. This is particularly the case if MILES Mobility GmbH needs the data to enforce or defend legal claims.

Deletion after the purpose has ceased to exist

If data is processed for the initiation or performance of a contract, the data is generally stored for the duration of the (pre-)contractual relationship. This does not apply in particular to usage data, which is only stored for a period of 1 year.

After the termination of the contractual relationship (cessation of the purpose), the personal data of the data subject to be deleted are blocked in the system, partially made unreadable or blackened and access to the data is strictly limited. After one year, the data listed above will be automatically deleted from the system, with the exception of personal data which must be kept for a period of ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Tax Code (AO). After ten years, this data is also automatically and irrevocably deleted.

If data is processed to comply with legal requirements, the deletion claims of the persons concerned shall cease to apply until the expiry of the respective periods with regard to the data to be stored. MILES Mobility GmbH does not use this data for any further purposes. This expressly includes storage for the purpose of proving proper accounting. For violations of the German Road Transport Law (StVG), the retention periods are based on the limitation periods. These are up to 30 years.

MILES Mobility GmbH reserves the right to permanently store data of blocked users in order to prevent re-registration. This is a legitimate interest in accordance with Art. 6 (1) (f) DSGVO.

II.4. Data Transfer and Commissioning of Processors

If, in the course of our processing, we disclose data to other persons, companies or public bodies, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if a transfer of the data to third parties, such as payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) (b) GDPR), if you have consented, if a legal obligation provides for this or on the basis of a legitimate interest.

Unless we are dealing with public bodies, our data transfer to third parties is regularly the subject of contracts under data protection law, which we conclude with our service providers bound by instructions (data processing agreement according to Art. 28 DSGVO) and cooperation partners (joint responsibility agreement according to Art. 26 DSGVO, agreement between independent data controllers).

If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) and process it there, or if this is done in the context of using third-party services, this will only be done if and insofar as this is legally permitted, the special requirements of Art. 44 et seq. GDPR are fulfilled and, in particular, an adequate level of protection is ensured. In this regard, we rely on the provisions set out in Article 49 of the GDPR or, where applicable, on guarantees pursuant to Article 46 of the GDPR.

Please note: For more information, please contact us at any time at data-protection@miles-mobility.com.

II.5. Data Sources

Unless otherwise stated in this Privacy Policy, we obtain the data from you (including data about the devices you use). If we do not collect the personal data directly from you, we will also tell you the source of the personal data and, if applicable, whether it comes from publicly available sources.

II.6. Necessity of Providing Personal Data

Unless expressly stated at the time of collection or otherwise specified in this Privacy Policy, the provision of data is not required or obligatory. Such an obligation may result from legal requirements or contractual regulations. Failure to provide required personal data generally results in a contract not being able to be concluded and/or in us not being able to provide a requested service. Our employees will clarify on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for the conclusion of a contract, whether there is an obligation to provide the personal data and what the consequences of not providing the personal data would be.

Please note: For more information, please contact us at any time at data-protection@miles-mobility.com.

II.7. Automated Decision-Making

Unless otherwise stated in this Privacy Policy, we do not use any automated decision-making mechanisms - including profiling - that have legal effect vis-à-vis the data subject or similarly significantly affect him or her.

XV. Data Security

We make every effort to ensure the security of your data within the framework of the applicable data protection laws and technical and financial possibilities. To secure your data, we maintain technical and organisational security measures in accordance with Art. 25 and 32 DSGVO, which protect your data, for example, against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. We constantly adapt our security measures to the latest state of the art.

If we also use the services of third parties for the processing of your data, they are selected carefully and in accordance with the legal provisions.

Please note: For more information, please contact us at any time at data-protection@miles-mobility.com.

III. Your Rights as a Data Subject

When your personal data is processed, the GDPR grants you the following rights. To assert and exercise the rights described in sections III.1.-III.3., you can contact us at any time, preferably by e-mail to data-protection@miles-mobility.com. The right to lodge a complaint described in section III.4. must be exercised vis-à-vis the respective competent supervisory authority.

Please note: When exercising your rights under Articles 15 to 22 of the GDPR, the personal data you provide will be processed in order to process your request and to be able to provide evidence thereof. This processing is carried out for the fulfilment of a legal obligation according to Art. 6 (1) (c) GDPR in conjunction with Section 34 (2) BDSG or Article 12 GDPR and/or for the purpose of pursuing the controller's legitimate interest in an evidence-based defence against (official) assumptions and legal claims in accordance with Article 6 (1) (f) or, if applicable, Article 9 (2) (f) GDPR.

III.1. Your Rights

As a data subject, you may have the right under applicable data protection law to:

Access/Information, pursuant to Article 15 GDPR,
Rectification, pursuant to Art. 16 GDPR,
Erasure ("right to be forgotten"), pursuant to Art. 17 GDPR,
Restriction of processing, pursuant to Art. 18 GDPR,
Data portability, pursuant to Art. 20 GDPR and/or
Objection to processing, pursuant to Article 21 GDPR.

III.2. Information on the Right to Object pursuant to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If your personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

III.3. Revocation of Consent

You also have the right to revoke your consent to the processing of personal data at any time with effect for the future. To do this, you can send us an informal message by e-mail at the above-mentioned e-mail address or use the „Your cookie settings“ function provided. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

III.4. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Pursuant to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR or other data protection provisions. This right of appeal is without prejudice to any other administrative or judicial remedy.

The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Berlin Commissioner for Data Protection and Freedom of Information

Address: Alt-Moabit 59-61

10555 Berlin

Phone: +49 (0) 30 13889-0

Fax: +49 (0) 30 2155050

Email: mailbox@datenschutz-berlin.de

IV. Our Data Processing in Detail

In the following, we will inform you in detail about the specific processing operations, the data processed in each case, the scope and purpose of the respective data processing as well as the relevant legal basis. For ease of reference, we have divided the presentation into the following four chapters:

IV.1. Privacy Policy for Users of our Website and Social Media Presences

In the following, we explain (first in general, then in detail) how third parties and we handle the data of the users of our website and social media presences. The focus here is on the data processing on our website (https://abo.miles-mobility.com/) and its subpages (e.g. https://support.miles-mobility.com) as well as the data processing carried out within the scope of our social media presences on Twitter, Facebook, Instagram, LinkedIn, Xing and YouTube.

IV.1.1. General Information on our Data Processing

IV.1.1.1. Data Subjects

Data subjects of the data processing are users of our website or our aforementioned social media channels.

IV.1.1.2. Purposes of the Processing

The purposes of the processing are (i.) the provision of information about our company and our services, (ii.) the provision of our website and ensuring the security of our appearances, (iii.) the offer of communication channels to our company, (iv.) the statistical evaluation, analysis and further development of our appearances and economic activity, (iv.) the promotional approach of interested parties, (v.) the analysis of the effectiveness of our advertising measures, as well as (vi.) anonymised market research.

IV.1.1.3. Categories of Processed Data

The following data types can be processed:

Meta/communication data (e.g.: IP address; access data).
Device information (e.g.: Device identification number and type; browser and operating system and version information; location).
Contact and contract data (e.g. address, e-mail address, telephone number, bank and account data)
Information on interest in content and user behaviour
Your details in our contact forms
Demographic characteristics (via our advertising partners)

The data is usually collected when our services are used.

IV.1.1.4. Legal Basis

The processing of the aforementioned personal data is carried out in accordance with and on the basis of the following legal grounds: your consent in accordance with Art. 6 (1) (a) GDPR or, if applicable, Art. 9 (2) (a) GDPR; for the initiation and/or performance of a contract with you in accordance with Art. 6 (1) (b) GDPR; for the fulfilment of legal obligations in accordance with Art. 6 (1) (c) GDPR; or for a legitimate interest in accordance with Art. 6 (1) (f) GDPR.

IV.1.1.5. Cookies and Personalised Tracking

Our website uses so-called cookies and similar technologies (collectively referred to below as "cookies"). Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Technically necessary cookies are those without which our website cannot function and be used. This category only includes cookies and technologies that provide basic website functionality and security features. Technically necessary cookies and technologies can be set without the user's consent. Non-essential cookies are all cookies that are not directly necessary for the function and security of a website and are used, for example, specifically to collect personal data from the user via analytics tools, ads and other embedded content. Non-essential cookies and technologies (for example, cookies for marketing, advertising or analytics purposes) require the prior consent of the user. To find out which cookies we use and for what purpose, please refer to our cookie banner via the following link: „Your cookie settings“.

Most of the cookies we use are so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your terminal device until you delete them. These cookies enable us to recognise your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested are stored on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. Insofar as other cookies (e.g. cookies for analysing surfing behaviour) are stored, these are dealt with below in this data protection declaration and used with the corresponding consent.

Once you have given your consent, you can revoke it at any time with future effect via the following link: Your cookie settings. Please note that the legality of any processing carried out on the basis of your consent up to the time of revocation remains unaffected.

IV.1.1.6. Recipient Categories

When processing your data, we work together with service providers who have access to your data. In addition, data may also be transferred to public authorities if this is permitted and necessary or required by law. Possible recipients of your personal data are: (i) software companies that enable us to provide our services, help us to improve them and/or serve us for statistical and marketing purposes (for example, to send emails, manage customer contacts or applications); (ii) public bodies and administrations to the extent that we are legally obliged to do so; (iii) payment service providers; (iv) hosting providers; (v) service companies, such as tax advisors or lawyers.

For the purpose of fulfilling the contract, we may also transfer your personal data to anyone to whom we assign rights resulting from the contractual relationship with you.

IV.1.1.7. Risk Notice on Possible Third Country Transfers

Please note that our company works with partners in third countries, in particular the United States. Personal information that we collect from you may therefore be transferred to and processed in the United States or other third countries. Some of these third countries, such as the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.

Until new decisions are made regarding data transfers to the United States or other third countries, we rely on exemptions for specific situations as set out in Article 49 of the GDPR and, where applicable, the safeguards set out in Article 46 of the GDPR. In particular, we only collect and transfer personal data to the United States or third countries with your explicit consent, or to perform a contract with you. We and our processors will endeavour to apply appropriate measures to protect the privacy and security of your personal data and to use it only in accordance with your relationship with us and the practices described in this Privacy Policy.

IV.1.2. The Data Processing Operations in Detail

IV.1.2.1. Hosting of our Website

Our website is hosted by an external service provider. The personal data collected on our website is stored on the hoster's servers in Europe. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contractual data, contact details, names, website accesses and other data generated via a website.

The use of the hoster is in the interest of a secure, fast and efficient provision of our website by a professional provider (Art. 6 (1) (f) DSGVO).

In order to ensure data protection-compliant processing and protection of your data, we have concluded a data processing agreement with our hoster in the sense of Art. 28 DSGVO. In this contract, our hoster guarantees in particular that it will only process personal data if and to the extent that this is necessary for the fulfilment of its service obligations.

According to our processor's assurance, the processing is to take place within the EU. In individual cases (e.g. in support cases), however, access to personal data from the United States of America cannot be ruled out. We have therefore concluded standard contractual clauses with our hoster in order to ensure an appropriate level of data protection even in cases of access from and transfer to the USA.

IV.1.2.2. Functionality, Security and Display of the Website and Consent Request

When you visit our website, it is technically necessary for your internet browser to transmit data to our web server. The following data is recorded in a server log file during an ongoing connection for communication between your internet browser and our web server:

IP address of the requesting end device (if applicable, also internet provider)
Date and time of the server request
End device information (device identification number, host name, type)
Web browser and browser version used
Operating system and version used
Referrer URL
Access status (file transferred, file not found, etc.)
Amount of data transferred

In addition, the following data may be stored by us as part of the required consent request (“cookie banner”):

IP address
Consent status
Time and date of consent given

The log file data records are stored for 7 days and evaluated if necessary in order to protect our website against attacks, to find and correct errors and to control the utilisation of servers. This is also based on our legitimate interest (Art. 6 (1) (f) GDPR) in the secure provision of our website and in confidential, available and intact data processing. Conflicting interests are not apparent. We reserve the right to check the log data if there is a justified suspicion of unlawful use on the basis of concrete indications. If the suspicion of unlawful use is confirmed in an individual case, we will retain the log file data records concerned for as long as is necessary for the purpose of criminal prosecution or the enforcement of legal claims (Art. 6 (1) (f) GDPR).

Technically necessary cookies may also be required for the complete and correct display of our website and for obtaining and storing your consent. Unless otherwise specified, the complete and correct display of our website is a legitimate interest according to Art. 6 (1) (f) GDPR. Due to the legal obligation resulting from § 25 TTDSG to ensure that technically unnecessary cookies and technologies are not deployed and used without your prior consent, we also request your consent to the use of these technologies via our cookie banner, Art. 6 (1) (c) and (f) GDPR. Your consent preferences are stored on the one hand to ensure that technically unnecessary cookies and technologies are not used without your prior consent. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. On the other hand, your consent preferences are stored in order to comply with legal documentation and verification requirements, Art. 6 (1) (c) in conjunction with 7 (1) GDPR. You can revoke your consent for certain cookie categories at any time via the „Your cookie settings“ function provided by us with effect for the future. The lawfulness of any processing carried out on the basis of your consent up to the revocation remains unaffected by this. You can also delete the aforementioned cookies simply by deleting your history from your browser. If you delete the cookies from your browser, your consent will be requested again when you reopen our website.

The aforementioned data/records will not be merged with other data/records.

IV.1.2.3. Management of Analysis Tools by means of Google Tag Manager

We use the Google Tag Manager in order to be able to integrate and manage website evaluations centrally and via a user interface. Tags are different tracking codes (JavaScript code lines) with which we can record or track your activities on our website.

The advantage of the Tag Manager is that we can use it not only to manage Google services, but also to centrally manage other analytics services. This way we can better identify which tracking technology provides us with the information we need and avoid unnecessary data collection. The Tag Manager itself does not process any data, but helps us organise the data from Google Analytics, Facebook or Instagram.

We use the Tag Manager to make our website as useful, comfortable and usable as possible for you and other visitors. To do this, we need the analytics data. We use the Tag Manager on the basis of Art. (1) (f) GDPR, which allows processing on the basis of a balancing of interests. We have a legitimate interest in seeing which content appeals to our prospective customers. This allows us to realign our marketing to attract more people to our offers. Please see section IV.1.1.7. for more information on the transfer of data to third countries and the risks involved.

IV.1.2.4. Registration for Customer Account and Verification

You can register for certain services on our website and create a customer account. We process the personal data you provide in order to make our online services available to you.

For the new registration, we collect master data (e.g. first and last name, date of birth), contact data (e.g. e-mail address, address), bank and payment data, verification of driving licence and a valid identity document as well as access data (e.g. user name, password).

The processing of your customer account data is based on the contractual relationship (initiation, performance) that you enter into with us, insofar as the data is required for the conclusion and/or performance of the contract. The basis for this data processing is Art. 6 (1) (b) GDPR. The legal basis for the verification of the driving licence results from Art. 6 (1) (c) GDPR in connection with Section 21 (1) no. 2 StVG. According to this, MILES Mobility GmbH, as the vehicle owner, is obliged to verify a user's driving licence. In addition, the photocopy of another identification document is requested in order to make identity theft more difficult and to be able to prove the identity of the customer beyond doubt in the event of accidents for the purpose of claims settlement, but also in the event of criminal offences and misdemeanours as well as older and international driving licences. The legal basis for this verification also results from Art. 6. (1) (c) GDPR in conjunction with Section 21 (1) no. 2 StVG. This requirement remains in principle for the duration of a customer relationship. Even at a later point in time (in particular in the event of damage), MILES Mobility GmbH is obliged to be able to prove that the legal obligations have been fulfilled. In the event of damage, this proof may also be required vis-à-vis insurance companies and state authorities. Therefore, the data from the driver's licence and ID verification are stored at least for the duration of the customer relationship.

IV.1.2.5. Contact Request

If you contact us (e.g. by email, contact form or telephone), we process your information to process your enquiry and in the event that follow-up questions arise. The data processed in this way includes at least the contact details you have provided (e.g. in the case of an email enquiry, your email address) as well as the other details you have provided in the course of contacting us or in the course of follow-up communication. In order to comply with the data minimisation principle as best as possible, we therefore kindly ask you to limit your information to what is necessary as far as possible.

If and insofar as you wish to contact us, for example because you send us an e-mail message or write to us via a contact form, the legal basis for the processing is Art. 6 (1) (f) GDPR. We have a legitimate interest in processing your request quickly, efficiently and completely. Since you are contacting us, we assume that there are no interests on your part that conflict with our processing of your request. If the contact request is aimed at the initiation or performance of a contract with us, the legal basis for the processing is Art. 6 (1) (b) GDPR. If we have your consent, the legal basis for the processing is your consent, Art. 6 (1) (a) GDPR or, if applicable, Art. 9 (2) (a) GDPR.

In order to ensure data protection-compliant processing and the protection of your data within the scope of our support and our contact forms at all times, we have concluded a data processing agreement with our service provider within the meaning of Art. 28 GDPR. In this contract, our service provider guarantees in particular that it will only process personal data if and to the extent that this is necessary for the fulfilment of its service obligations. Since processing may take place in America, we have also concluded standard contractual clauses with our service provider in order to ensure an appropriate level of data protection even in cases of access from the United States and transfer to the USA.

Please note: For more information on tools used, please contact us at any time at data-protection@miles-mobility.com. For more information on the possible transfer of data to third countries and the associated risks, please see section IV.1.1.7. of this Privacy Policy.

IV.1.2.6. Statistical Evaluation, Analysis and further Development of our Online Presences

Based on your prior consent, we process your personal data for the statistical evaluation and analysis of our website services, social media interactions and our economic activity, as well as for the purpose of further developing our website and social media presences. To collect relevant data, we use cookies from integrated service providers, which you can find in our cookie banner. The data collected in this way is:

a) converted into a neutral user ID, which prevents tracing it back, but which, for the purpose of evaluation, allows us to recognise in a non-attributable manner, for example, the date and time of the visit as well as usage data,

b) subsequently used for the purpose of statistical evaluation, analysis and further development of our online presences, and

c) finally used in aggregated form for statistical evaluation of the key figures of our economic activity.

The personal data processed in the context of the use of these tools include:

IP address (pseudonymised or partially anonymised)
Time of the visit
Date and time of access
Usage data (incl. scroll depth, conversions and conversion funnels)
Click path
App updates
Browser information (browser and version)
Device information (device ID and operating system)
JavaScript support
Visited pages and sub-pages
Referring URL
Downloaded files
Flash version
Location information
Screen size and resolution.
Approximate location (IP location)
Language

The legal basis for the processing of the aforementioned personal data is your consent in accordance with Art. 6 (1) (a) GDPR and § 25 TTDSG, which we request via our cookie banner. Once you have given your consent, you can revoke it at any time with future effect using the „Your cookie settings" function on our website or by sending an email to data-protection@miles-mobility.com. Any processing that has already taken place up to the time of the revocation remains unaffected by this.

In order to ensure data protection-compliant processing and the protection of your data, we have concluded order processing agreements within the meaning of Art. 28 GDPR with our service providers. In these contracts, our service providers guarantee in particular that they will only process personal data if and insofar as this is necessary for the fulfilment of their service obligations.

According to the assurance of our processors, the processing shall take place within the EU. In individual cases (e.g. in support cases), however, access to personal data from the United States of America could not be ruled out for one of our service providers. We have therefore concluded standard contractual clauses with the service provider in question in order to ensure an appropriate level of data protection even in cases of access from and transfer to the USA.

IV.1.2.7. Performance, Advertising and Marketing Measures

We also process personal data within the scope of performance, advertising and marketing measures, for analysis, advertising and/or optimisation purposes. The following data is processed in the context of the respective measures:

IV.1.2.7.1. Tracking tracking Pixel

This website uses the visitor action pixel from Facebook for conversion measurement. The provider of this service is Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland; "Facebook"). Via this Pixel, the behavior of website visitors can be tracked after they have been redirected to the operator's website by clicking on a Facebook ad. This allows the effectiveness of the Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous for us as the operator of this website. We cannot draw any conclusions about the identity of the users. However, the personal data is processed by Facebook. This allows Facebook to enable the placement of advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

Specifically, the following data is processed by Facebook and us:

● IP address

● User agent

● Facebook user ID

● Browser type

● HTTP header

● Device information (device ID, device operating system).

● Geographic location

● Browser information

● Usage/click behavior, including content viewed and items clicked on

● Facebook cookie information

● Pixel ID

● Pages visited

● Referrer URL

● Marketing information, including ads viewed and interactions with ads, services, and products

The use of the Facebook Tracking Pixel takes place exclusively with and on the basis of your prior consent, Art. 6 para. 1 lit. a GDPR. Your consent can be revoked at any time via the "Your cookie settings" function provided on our website, effective from this point forward. The legality of processing based on your consent prior to the revocation remains unaffected.

As long as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Facebook Ireland Limited, (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the forwarding is not part of the joint responsibility and is the sole responsibility of Facebook. Our joint obligations have been set forth in a Joint Processing Agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for implementing the tool on our website in a privacy-secure manner. Facebook is responsible for the data security of the Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert the data subject rights against us, we are obliged to forward your request to Facebook.

According to Facebook, the collected data is also transferred to the US and other third countries, and processed there. Facebook bases the data transfer to the US on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum.

Please note: Despite the fact that Facebook Ireland Ltd. is based in Ireland, your personal data, including the IP address of the internet connection you are using, may be transferred to Facebook servers in the United States or other third countries if you consent to our performance cookies. The United States of America is currently classified as an unsafe third country, i.e. as a third country where neither an adequacy decision pursuant to Article 45 of the GDPR exists, nor a comparable level of protection can be assumed. The same applies to other third countries. With the transmission of your data, both Facebook and, if applicable, US or other third country authorities have access to the transmitted data. Facebook may combine your data with other data, such as your personal accounts, usage data from other devices, and any other data Facebook holds about you, and may also share your personal data with third parties. In addition, US or other third country authorities may access and process your data without notice or notification to you (during and after the processing is completed) or without providing you with similar remedies and data subject rights. Unfortunately, we have no influence on the processing by Facebook and US or other third country authorities in these cases.

If you wish, you can deactivate the "Custom Audiences" remarketing feature in the ad settings section at : https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen if you are registered with Facebook. If you do not have a Facebook account, you can also deactivate Facebook's usage-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

For more information about Facebook's privacy practices, please see Facebook's privacy policy at the following link: https://de-de.facebook.com/about/privacy/.

IV.1.2.7.2. Newsletter

When you subscribe to our newsletter, during subscription and when you unsubscribe from our newsletter, we process personal data if you provide us with the relevant data and subscribe to our newsletter using our double opt-in procedure.

When you register for our newsletter, we need and process your e-mail address. No further data is collected or only on a voluntary basis. The legal basis for the processing of your personal data during registration is our legitimate interest in carrying out the verification procedure in accordance with Art. 6 (1) (f) GDPR. Since you initiate this procedure by registering, we assume that our processing is not opposed by any weighty interests on your part.

To verify your email address, you will then receive a registration email, which you must confirm via a link (double opt-in). When you register for the newsletter, we store your IP address as well as the date and time of your registration. The processing of this data is necessary in order to be able to prove that you have given your consent. The legal basis for the processing is the legal obligation to prove your consent (Art. 6 (1) (c) in conjunction with Art. 7 (1) GDPR).

The aforementioned personal data is also stored by our mailing service provider and used for the purpose of mailings. In addition, the success of the newsletter is evaluated and measured (e.g. number of accesses, duration of stay, click paths and conversion rates). The legal basis for the processing of your personal data during subscription is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time with effect for the future via the link provided for this purpose in the newsletter. The legal basis for the processing of your data in the context of evaluating and measuring the success of the newsletter is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. A conflicting interest on your part is not apparent.

In a few cases, the processing of your personal data may also take place on the basis of our legitimate interest in advertising our products (Art. 6 (1) (f) GDPR), for example if you are an existing customer of our company (see also recital 47 GDPR and § 7 UWG).

If you unsubscribe from our newsletter via the "unsubscribe" link, your aforementioned personal data will be deleted from the distribution list, but your email address will be stored in a blacklist at our company or at our service provider in order to prevent future mailings. Data stored by us for other purposes will not be affected by this. The data from the blacklist will only be used to prevent future mailings and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending our newsletter (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). The storage in the blacklist is not limited in time. If you object to the storage, we will delete your personal data if your interests outweigh our legitimate interest.

IV.1.2.7.3. Youtube

Our website integrates videos from YouTube LLC (901 Cherry Avenue, San Bruno, CA 94066, USA; "YouTube"), which is a subsidiary of Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; "Google"). The European operator of the YouTube video portal is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).

We use YouTube in extended data protection mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch a video. However, the disclosure of data to YouTube partners is not necessarily excluded by the extended data protection mode. For example, YouTube connects to the Google DoubleClick network regardless of whether you watch a video.

As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your usage behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account. Furthermore, after starting a video, YouTube can save various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience and prevent fraud attempts. If necessary, further data processing operations may be triggered after the start of a YouTube video. We have no influence on the respective data processing by YouTube or Google.

The integration of YouTube is done in the interest of an appealing presentation of our website. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. You can revoke your consent at any time with effect for the future via our „Your cookie settings" function. The lawfulness of any processing carried out on the basis of your consent until revocation remains unaffected.

You can find further information on data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de

IV.1.2.7.4. Promotion of our Social Media Presences via External Graphic Link

We also advertise our presence on the following social networks on our website:

Facebook – Social network of Meta Platforms Inc. (1601 Willow Road, Menlo Park, CA 94025, USA „Facebook“)“), which is operated in Europa by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland).
Instagram – Social network of Meta Platforms Inc. (1601 Willow Road, Menlo Park, CA 94025, USA „Facebook“)“), which is operated in Europa by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland).
LinkedIn – Social network of LinkedIn Corporation Inc. (1000 West Maude Avenue, Sunnyvale, CA 94085, USA; „LinkedIn“), which is operated in Europa by LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland).
Twitter – Social network of Twitter Inc. (1355 Market Street, Suite 900, San Francisco, CA 94103, USA; „Twitter“).
XING – Social network of New Work SE (Am Strandkai 1, 20457 Hamburg, Deutschland „XING“).
Youtube – Social video platform of YouTube LLC (901 Cherry Avenue, San Bruno, CA 94066, USA; "YouTube"), which is a subsidiary of Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; "Google") and operated in Europe by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).

The integration takes place via a linked graphic of the network. The use of this linked graphic prevents a connection from being automatically established to the respective server of the social network when a website with a social media application is called up. The user is only redirected to the service of the social network by clicking on the corresponding graphic.

After the user has been forwarded, information about the user is collected by the social network. It cannot be ruled out that the data collected in this way will be processed in the USA. The responsible party has no influence whatsoever on the processing that takes place under the responsibility of the respective social network.

The data processed here is initially personal data such as IP address, date, time and page visited. If the user is also logged into his or her user account of the respective network during this time, the network operator may be able to assign the collected information of the user's specific visit to the user's personal account. If the user interacts via a "share" button of the respective network, this information can be stored in the user's personal user account and possibly published. If the user wants to prevent the collected information from being directly assigned to his/her user account, he/she must log out of his/her account before clicking on the graphic. In addition, it is possible to configure the respective user account accordingly.

The legal basis for the integration of the graphic links on our website is our legitimate interest in the promotion and visibility of our social media presences, Art. 6 (1) (f) GDPR. A conflicting interest is not apparent.

Please note: If you click on the respective graphic link, you will be redirected to the website of the relevant social network. As a result of a redirect, your personal data may be transferred to servers in the USA. The United States of America is currently classified as an unsafe third country, meaning as a third country with regard to which neither an adequacy decision pursuant to Article 45 of the GDPR exists nor a comparable level of protection can be assumed. With the transmission of your data, both the network operator and, if applicable, US authorities have access to the transmitted data. The network operator may link your data with other data, such as your personal accounts, the usage data of other devices and all other data that the network operator has about you, and may also pass on your personal data to third parties. In addition, U.S. authorities may access and process your data without notice or notification to you (during and after the processing is completed) or without providing you with similar remedies and data subject rights. Unfortunately, we have no influence on the processing by the network operator and US authorities.

You can find more information on the respective data protection regulations of the social networks under the following links:

IV.2. Privacy Policy for Users of our Webshop

Below we explain (first in general, then in detail) how we process personal data of the users of our webshop.

IV.2.1. General Information on our Data Processing

IV.2.1.1. Data Subjects

Data subjects concerned are users of our webshop.

IV.2.1.2. Purposes of Processing

In the context of our webshop, personal data is processed for one or more of the following purposes:

Customer management, customer approach and customer support
Registration with identification and verification of driving licence
Delivery and return of vehicles
Billing and payment tracking
Processing of violations of the law, in particular against the StVG
Receivables management and collection
Security checks and fraud control
Claims settlement

IV.2.1.3. Categories and Sources of Processed Data / Types of Data

The following categories of data are collected directly from the data subject during registration and use of the account and subsequently processed:

Master data (e.g. first name, last name, date of birth)
Contact data (e.g. address, e-mail address, telephone (mobile))
ID data (e.g. on identity card, passport, driving licence)
Payment information (e.g.: information on the desired means of payment, bank and account data)
Contract data
(E-mail) correspondence / contact history
If applicable, information on language preferences
Black box in the vehicle (no personal data collection, but can be related to individuals)

The following data is collected via third parties and subsequently processed by MILES Mobility GmbH:

Schufa score as part of the credit report (Schufa)
Payment data

IV.2.1.4. Legal Basis

The processing of the aforementioned personal data is carried out in accordance with and on the basis of the following legal grounds: your consent in accordance with Art. 6 (1) (a) GDPR or, if applicable, Art. 9 (2) (a) GDPR; for the initiation or performance of a contract with you in accordance with Art. 6 (1) (b) GDPR; for the fulfilment of legal obligations in accordance with Art. 6 (1) (c) GDPR; or for a legitimate interest in accordance with Art. 6 (1) (f) GDPR.

IV.2.1.5. Recipient Categories

For the purpose of fulfilling the contract, we may also transfer your personal data to anyone to whom we assign rights resulting from the contractual relationship with you.

IV.2.1.6. Risk Notice on Possible Third Country Transfers

We would like to point out that our company works with partners in third countries, in particular the United States. Personal information that we collect from you may therefore be transferred to and processed in the United States or other third countries. Some of these third countries, such as the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.

IV.2.1.7. Automated Decision-Making

In deviation from section II.7. of this data protection declaration, automated decision-making takes place within the framework of our security checks and within the framework of the credit report obtained by MILES Mobility from SCHUFA (note: responsibility for the latter does not lie with MILES Mobility GmbH, but with SCHUFA). The respective decision may also significantly affect the person concerned to the extent that MILES Mobility GmbH refrains from concluding a contract or providing services.

In this context, MILES Mobility GmbH points out that the data subject has the right to present his or her point of view and to contest these decisions. In this case, we will be happy to carry out a manual review of the automated decision.

IV.2.2. Our Data Processing in Detail

IV.2.2.1. Registration for user account and verification

The use of our webshop is only possible via a user account with MILES Mobility GmbH. As the creation of the user account, including the verification required in this respect, takes place as part of the registration via the website, reference is made at this point to the information in section IV.1.2.4. of this Privacy Policy.

IV.2.2.2. Credit Check

As a company, we have a legitimate interest in protecting ourselves against payment defaults. For this reason, our General Terms and Conditions allow us to check the creditworthiness of our customers with credit agencies or Schufa. We process personal data within the scope of the enquiry of the creditworthiness of our customers as well as in the context of the processing of their results.

The creditworthiness check is necessary to secure and enforce the rights and claims of MILES Mobility GmbH. The credit checks serve to protect MILES Mobility GmbH from payment defaults and are intended to ensure that MILES Mobility GmbH has recourse to the originator in the event of a claim.

The processing of personal data as part of the credit check is based on Art. 6 (1) (f) GDPR. We assume that the check and confirmation of solvency is generally also in the interest of our customers, as this form of creditworthiness assessment does not pose any significant risks to rights and freedoms. In this way the transmission of additional data on creditworthiness can be avoided and a simple and convenient process can be provided.

When determining your creditworthiness, your data is transmitted to Schufa. This can be e.g. name, address, date of birth and bank details, insofar as these are necessary for establishing your identity. We receive a scoring value from Schufa or other credit agencies involved, as well as other information from which the risk of non-payment can be deduced. These are, for example, unpaid debts, deferments due to insolvency, current insolvency proceedings, participation in debt counselling. If we receive a too low scoring value in the course of the credit assessment, we can temporarily deactivate the user account. You have the right to explain your point of view to us and to challenge the decision. In this case, we will gladly carry out a manual review of the automated decision.

As a rule, we do not report any payment defaults to Schufa. However, we reserve the right to do so if and to the extent that the legal requirements for a report are met. In this case, customers will be sent repeated reminders in compliance with formal requirements and the possibility of transmission will be pointed out in the reminder.

SCHUFA processes your data and also uses them for the purpose of profiling (scoring). Schufa is responsible for forwarding your data to companies in the EEA and Switzerland and, if applicable, to third countries outside the EEA. Further information on the activities of SCHUFA can be obtained at www.schufa.de/datenschutz. Data processing and profiling is carried out by Schufa; Schufa is the body responsible for this processing within the meaning of data protection law. Therefore, Schufa is also responsible for the lawfulness of the processing.

General information about the data used by Schufa can be found here: https://www.schufa.de/de/faq/privatpersonen/daten/. To find out exactly what data Schufa processes about you, please contact Schufa.

IV.2.2.3. Customer Management, Customer Approach and Customer Support

IV.2.2.3.1. Customer Management

To manage our customer data, we use a customer relationship management system of a US service provider bound by instructions, which is connected to our website. All registration, usage and billing data as well as customer history are stored in this customer database. We use the customer relationship management system to be able to organise customer care quickly and effectively and to respond to enquiries.

We process the data of our customers in accordance with Art. 6 (1) (b) GDPR, for the initiation and performance of contracts. The data processed in this context, the type, scope, purpose and necessity of its processing are determined by the underlying contractual relationship. Furthermore, we use the contact data to inform our customers about relevant changes regarding our services, Art. 6 (1) (b) and (f) GDPR. In the context of the use of our services, we also process master data, communication data, contract data, location data and payment data of our customers. The processing is carried out for the purpose of providing contractual services, billing, providing customer service, customer communication, determining the course of accidents and settling claims. The processing is carried out on the basis of Art. 6 (1) (b) (data processing for the initiation or performance of a contract) and Art. 6 (1) (c) GDPR (fulfilment of legal obligations). Legally prescribed processing results, for example, in archiving or from the owner obligations of the StVG.

As a rule, this data is not passed on to third parties unless it is necessary to enforce our legal claims or there is a legal obligation to do so pursuant to Art. 6 (1) (c) GDPR.

In order to ensure that your data is processed and protected in accordance with data protection regulations, we have concluded a data processing agreement with our CRM service provider in accordance with Art. 28 GDPR. In particular, our service provider guarantees that it will only process personal data if and to the extent that this is necessary for the fulfilment of any service obligations. Since data processing may take place in the USA, we have also concluded standard contractual clauses with our CRM service provider to ensure an appropriate level of data protection even if your data is transferred to the USA and processed there.

Please note: For more information, please contact us at data-protection@miles-mobility.com. For more information on the transfer of data to third countries and the risks involved, please see section IV.2.1.6. of this Privacy Policy.

IV.2.2.3.2. Customer Support and Approach

Customer Support

As part of our customer support, we use the customer relationship management system of a US service provider bound by instructions in order to be able to process our customers' enquiries more quickly and efficiently. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

In order to ensure data protection-compliant processing and the protection of your data, we have concluded a data processing agreement with our CRM service provider within the meaning of Art. 28 GDPR. In particular, our service provider guarantees that it will only process personal data if and to the extent that this is necessary for the fulfilment of any service obligations. Since data processing may take place in the USA, we have also concluded standard contractual clauses with our CRM service provider to ensure an appropriate level of data protection even if your data is transferred to the USA and processed there.

If customers or users do not agree to data collection via and data storage in the external system of our service provider, we offer them alternative contact options for submitting service requests by e-mail, telephone or post.

Customer Approach

The customer approach for private customers is carried out via Customer Care using the services of our CRM service provider and processing personal data from the customer database. In particular, we use the master data, contact data and the language stored for a customer to contact the customer. For customer support, we also use an EU-based telephone service provider with whom we have concluded a data processing agreement within the meaning of Article 28 GDPR to protect your data.

The legal basis for this processing is Art. 6 (1) (b) GDPR.

IV.2.2.4. Vehicle Delivery and Return

We also process personal data within the scope of and for the purpose of the delivery and return of our vehicles. Processed personal data may include, for example, your first and last name, the delivery address, the return location and other contact details (e.g. telephone number). In the context of the return, an expert handover and damage report will also be drawn up by our cooperation partner - in your presence - whereby the necessary personal data will again be processed. The legal basis for the aforementioned data processing is the contractual relationship to be fulfilled or settled between you and us, Art. 6 (1) (b) GDPR.

Please note: For more information, please contact us at data-protection@miles-mobility.com.

IV.2.2.5. Billing, Payment Processing and Payment Tracking

We further process our customers' data in the context of billing, payment processing and payment tracking.

The data processed in the context of billing includes the master data of our contractual partners and customers (e.g. names and addresses) as well as their contact data (e.g. e-mail addresses and telephone numbers), contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history). The processing of the aforementioned personal data is based on Art. 6 (1) (b) GDPR.

In the context of payment processing, it is also necessary to pass on data to the payment service providers for the purpose of carrying out the transaction. The data processed in each case varies according to the payment service provider used. However, payment service providers regularly receive the name and address, the deposited payment method and, if applicable, bank data, a pseudonymous ID and the billing data. The basis for processing in this regard is Art. 6 (1) (b) GDPR. In order to be able to offer and ensure efficient, secure and convenient processing of payments, we also use other payment service providers in addition to banks and credit institutions, Art. 6 (1) (f) GDPR.

MILES Mobility GmbH is also informed by the payment service providers used about payments made or missed for the purpose of payment tracking. In this context, the data transmitted to the payment service providers may be processed. The processing in this respect is based on the legitimate interest of MILES Mobility in efficient payment processing, Art. 6 (1) (f) GDPR.

As a matter of principle, the aforementioned data will not be passed on to other third parties unless it is necessary for the pursuit of our claims pursuant to Art. 6 (1) (f) GDPR or there is a legal obligation to do so pursuant to Art. 6 (1) (c) GDPR. However, we expressly reserve the right to use the services of legal service providers (debt collection, lawyers, etc.) to assert our claims and to transmit personal data of our contractual partners and customers to them to the extent necessary, provided this is permissible and necessary.

The deletion of the data takes place when the data is no longer required for the fulfilment of contractual or legal obligations as well as for dealing with any warranty and comparable obligations. Legal storage obligations remain unaffected.

In order to ensure data protection-compliant processing and the protection of your data, we have concluded a data processing agreement with our service providers in accordance with Art. 28 GDPR. In this contract, our service providers guarantee in particular that they will only process personal data if and insofar as this is necessary for the fulfilment of any service obligations. Since data processing may take place in the USA, we have also concluded standard contractual clauses with the relevant service providers in order to ensure an appropriate level of data protection even if your data is transferred to the USA and processed there.

IV.2.2.6. Outstanding Receivables & Debt Collection

MILES Mobility GmbH works together with debt collection service providers. The involvement of a debt collection service provider is a legal service within the meaning of the German Legal Services Act Section 10 (1) (1). It is the free decision of MILES Mobility GmbH to use the services of a lawyer or a debt collection agency in disputes regarding an - even if only alleged - outstanding debt. In such cases, MILES Mobility GmbH may and must pass on personal data of the debtor to the collection agency, as it is only with this data that the collection agency is able to approach the debtor and assert the claim.

In this context, MILES Mobility GmbH will pass on the following data in particular:

First name, surname (title, if recorded and e.g. name component).
Name of the company (for commercial customers)
Address (business) (for commercial customers)
Address (private)
Billing address (if different and recorded)
E-mail address
Telephone number
Date of birth
Customer number
Contact history (where relevant)
Payment details
Contract data (reason for claim, amount and due date of the claim)
Data on the ability to pay

The legal basis for the disclosure and processing is Art. 6 (1) (b) and (f) GDPR (data processing for the performance of the contract, data processing based on the legitimate interest of the creditor). The user's/client's consent to the transfer of data and the processing of data by the legal service provider is not required.

Please note: For more information, please contact us at data-protection@miles-mobility.com.

IV.2.2.7. Data processing in the Event of Violations of the Law and in particular in the Event of Violations of the StVG

Unfortunately, user accounts are blocked time and again due to reports of unusual driving behaviour. MILES Mobility GmbH may become aware of this in various ways (e.g. reports by other road users, police or public order offices).

In the case of a report by other road users (third party), the driving behaviour described is recorded together with the telephone number and e-mail address of the reporting person and assigned to the relevant user account. No automated decision is made. Rather, the support staff check the information for plausibility.

In order to protect the legal interests of third parties and to comply with the owner's obligations under Section 21 of the German Road Transport Act (StVG), MILES Mobility GmbH blocks the accounts of reported users as a precautionary measure if there is any suspicion of driver misconduct. This measure results not least from the special situation that MILES Mobility GmbH only checks the existence of a driving licence and fitness to drive at the beginning of the contractual relationship by means of a verifying query and thus grants its users a high degree of trust.

A verification of reported misconduct by MILES Mobility only takes place in the event of an objection by the person concerned or in the event of enquiries by government agencies. The data from the black box, which is installed in all vehicles, is evaluated.

The black box determines the G-forces as well as activities of the driver (e.g.: acceleration and deceleration, steering movements, indicators, jolts). This data is not personalised, but can be personalised, and is only analysed by MILES Mobility staff in cases of suspicion.

Data will only be passed on to legal counsel or public authorities if MILES Mobility GmbH is legally obliged to do so or if this is necessary to enforce legal claims against the user. The data is processed in the European legal area.

The legal basis for the recording of facts, the plausibility check, the blocking of the user account in the event of suspected misconduct and the collection of data via the BlackBox is Art. 6 (1) (f) GDPR. MILES Mobility GmbH has a legitimate interest in protecting the legal interests of third parties and complying with its owner obligations under Section 21 StVG. The legal basis for the examination of the matter in the event of an objection and in particular the evaluation of the black box is Art. 6 (1) (f) GDPR. MILES Mobility GmbH has an interest in fully clarifying the facts or contributing to clarification. Conflicting interests are not apparent as a result of your objection.

IV.2.2.8. Data Processing in the Event of Breaches of our GTC, in the context of Fraud Prevention and Security Checks

MILES Mobility GmbH also has a legitimate interest in protecting itself against attempted fraud and breaches of its General Terms & Conditions. In addition to verification as part of the registration process (driving licence, identity document), MILES Mobility GmbH also checks other details for this purpose. This may include the e-mail address, telephone number and bank account details provided during registration. Newly provided data is also regularly compared with the existing data in order to prevent multiple registrations.

The processing of personal data in the context of fraud prevention is based on Art. 6 (1) (f) GDPR. We assume that these checks are generally also in the interest of the customers. The type of security checks do not represent a significant interference with the rights and freedoms of our users. Fraud prevention measures are necessary to enforce rights and claims.

Furthermore, MILES Mobility GmbH reserves the right, with reference to Section 32 (1) no. 4 of the German Federal Data Protection Act (BDSG), not to inform the data subject about the results of security checks carried out.

IV.2.2.9. Data Processing in the Event of Damage Claims and Claims Settlement

In the event of damage, it is necessary to process further data.

The purposes and legal bases of the processing are:

Support for our customers in the event of damage (Art. 6 (1) (b) GDPR)
Reconstruction of the course of events of the accident (Art. 6 (1) (f) GDPR, if applicable in conjunction with Art. 6 (1) (c) GDPR and Section 24 BDSG)
Settlement/liquidation of damages (Art. 6 (1) (b) and (c) GDPR)
Pursuit and enforcement of own legal claims (Art. 6 (1) (f) GDPR)

In the event of a claim, we will process your master data, usage data, data from the vehicles, statements and information from third parties (police, other parties involved in the accident, witnesses, other Miles users) and payment data relating to you for one or more of these purposes, if permitted and necessary.

Under certain circumstances, we may also receive health-related data in this context. Examples of this are injuries or indications of alcohol and narcotics consumption. In this case, the legal basis for our processing is Art. 9 (2) (f) GDPR.

In the event of an incident for which you are responsible and for which we receive a claim for damages or another claim from an injured or otherwise entitled third party (e.g. costs due to a private towing operation in the event of disturbance of the property owner), we transmit your stored contact data to the claimant and/or to our insurance broker (SHL Versicherungsmakler GmbH) so that the liability issues can be clarified directly in the relationship between you as the party responsible and the claimant or you can release us from the claim in accordance with the provisions of the General Terms & Conditions. The transmission is necessary for the fulfilment of your contract with us (Art. 6 (1) (b) GDPR) and to protect our legitimate interest in pursuing and enforcing the legal claims that the claimant and we have against you (Art. 6 (1) (f) GDPR).

In the event of damage, we are also legally obliged to cooperate in documenting the course of the accident, (Art. 6 (1) (c) GDPR). Furthermore, there are contractual obligations to, among others, claims adjusters, the fulfilment of which constitutes a legitimate interest (Art. 6 (1) (f) GDPR) to process the data of those who caused the damage. As the defence of legal claims is decisive here, the right to object is subject to the restrictions of Art. 21 GDPR.

IV.3. Privacy Policy on Video Recordings by Tesla Model Y Vehicles

Tesla Model Y vehicles are equipped at the factory with certain features that record video of the area around the vehicle. The processing of personal data associated with the video recording may affect anyone who is in the vicinity of the vehicle.

You can recognise the corresponding vehicles by the following pictogram, which is attached to the outside of the vehicles and whose QR code may have led you to this data protection notice:

We have put in place a number of measures to protect your personal data in relation to the outdoor video recordings made by the vehicles. These strictly define the scenarios in which stored recordings are viewed at all, as well as the extent to which they may be used to investigate specific offences.

IV.3.1. The Data Processing in Detail

Tesla Model Y vehicles have the following recording systems:

Dashcam: While the vehicle is ready to drive, four camera systems continuously record the outside area around the vehicle and temporarily store it locally. The stored recordings are always overwritten every 60 minutes. If a safety-relevant behaviour is registered by the vehicle (e.g. triggering of the airbags), a local storage takes place and the overwriting is suspended for this recording, so that e.g. an accident can be reconstructed. The stored records are specially protected and can only be read out by our service team on site at the vehicle. We cannot access them via the internet. In the vehicle, tenants are shown by corresponding symbols that the dashcam function is active.

Sentry mode: When the vehicle is parked, the four cameras remain in "stand-by" mode and record the outside area around the vehicle to detect threats to the vehicle (the Sentry mode is also called "guard mode"), whereby the recordings are basically permanently overwritten again. If a potential threat to the vehicle is detected (e.g. if the vehicle is touched), a temporary local storage of the last ten minutes of the video recording before the event and the subsequent 30 seconds takes place. The stored recordings are specially protected and can only be read out by our service team on site at the vehicle. We cannot access them via the internet. Depending on the severity of the impact on the vehicle, persons in the vicinity of the vehicle will be notified of the storage of a recording by flickering of the headlights (warning mode), message on the large and externally visible screen in the vehicle and triggering of an alarm (alarm mode).

Review and utilisation of the records: We only read out the locally stored records for evaluation if there are liability issues due to involvement in an accident, if there is suspicion of a criminal offence due to vandalism of the vehicle or if there are indications that the vehicle was moved in a grossly irregular and reckless manner and thus a criminal offence could have been committed. The evaluation of the recordings is then carried out in accordance with a strict internal guideline, only by specially authorised employees and only for the specific purposes of providing evidence exclusively to the absolutely necessary extent. In particular, it is ruled out that the recordings are utilised without cause or in relation to bystanders.

IV.3.2. Legal Basis and Purposes of Data Processing

Video recordings of the exterior of the respective vehicle are processed exclusively for the purpose of clarifying and proving involvement in accidents or criminal offences in the form of vandalism of the vehicle or grossly irregular and reckless movement of the vehicle. With regard to the investigation of such incidents, the information on breaches of the law pursuant to section IV.2.2.7. of this Privacy Policy also applies.

The collection, storage, viewing and, if applicable, utilisation for the aforementioned purposes is necessary and thus justified pursuant to Art. 6 (1) (f) GDPR for the protection of our property and for the assertion, exercise or defence of legal claims. In addition to pursuing our own legal claims, we also support our customers (tenants of a Tesla Model Y) in reconstructing an accident and providing evidence if they were involved in an accident. In this case, the processing is based on Art. 6 (1) (b) and Art. 6 (1) (f) GDPR, as we also pursue legitimate third-party interests and fulfil our obligations under the rental agreement.

In the course of processing claims, further personal data may be processed in addition to the video recording. The processing of this personal data is governed by the principles of claims settlement, which are explained in section IV.2.2.9. of this Privacy Policy.

IV.3.3. Data Types and Sources

The types of data processed include image recordings of the environment of a Tesla Model Y, and thus, if applicable, video recordings of your person in image. The data is generated by the underlying recording system of our Tesla Model Y vehicles and therefore by us.

IV.3.4. Recipients of the Video Recordings

Video recordings are only disclosed by us to other persons after viewing by specially authorised and trained employees if this is necessary for the clarification or enforcement of claims or criminal offences. In these individual cases, the disclosure only concerns the time period of the video recording relevant for the clarification or enforcement and the disclosure is only made to third parties who have a legitimate interest or claim for disclosure (claimants, insurance companies, lawyers, involved public bodies and courts). We intentionally do not disclose video recordings to Tesla Inc. or its affiliates.

IV.3.5. Retention

Dashcam: Recordings are overwritten every 60 minutes. Safety-relevant recordings (e.g. after the airbags have been deployed) are stored locally and usually for a maximum of one week before being overwritten due to the limited storage space. The local storage period is shorter if we read out and view the recording beforehand on the basis of a specific tip. Immediately after viewing, the record is manually deleted, unless further storage of the record is necessary to achieve the purposes described above.

Sentry mode: Only safety-relevant recordings (e.g. when the vehicle is touched) are stored locally and usually for a maximum of one week before being overwritten due to the limited storage space. The local storage period is shorter if we read out and view the recording beforehand on the basis of a specific tip. Immediately after viewing, the record is manually deleted, unless further storage of the record is necessary to achieve the purposes described above.

IV.3.6. Rights as a Data Subject, Identification & Decision-making Notice

As described in more detail in section III of this Privacy Policy, you have data subject rights under the GDPR in connection with the processing of your personal data.

We would like to point out at this point that we do not process any other personal data together with the video recordings in order to identify you, for example, on the video recordings. Such an allocation would only take place in the context of concrete measures to clarify or enforce claims or criminal offences. This also means that if you exercise your rights, we will not normally be able to identify you without further specifying information, nor will we be able to determine whether you are part of a video recording.

Automated decision-making does not take place. In the limited cases described, a member of our claims department always views and checks the video recordings and the necessity of further use.

IV.4. Privacy Policy for Business Customers, Partners and Service Providers

IV.4.1. Business Customers

For business customers, essentially all the points that apply to users of the website and webshop apply. However, company-related contact data and billing data may also be processed.

For the administration and support of business customers, we use another CRM service provider in addition to our general customer administration. The legal basis for the use of the CRM system of the provider is our legitimate interest in an efficient and fast processing of enquiries, an efficient existing customer management and an effective and efficient new customer business, Art. 6 (1) (f) GDPR.

In order to ensure data protection-compliant processing and the protection of your data, we have concluded a data processing agreement with our CRM service provider in accordance with Art. 28 GDPR. In this contract, our CRM service provider guarantees in particular that it will only process personal data if and to the extent that this is necessary for the fulfilment of its service obligations.

According to our processor's assurance, the processing is to take place within the EU. In individual cases (e.g. in support cases), however, access to personal data from the United States of America cannot be ruled out. We have therefore also concluded standard contractual clauses with our service provider to ensure an appropriate level of data protection even in cases of access from the USA.

Please note: For more information, please contact us at data-protection@miles-mobility.com.

IV.4.2. General Administration, Accounting and Business Development

We process personal data as part of administrative tasks, the organisation of our operations, our financial accounting and to comply with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The legal processing bases are Art. 6 (1) (c) GDPR, as well as for all processing not affected by a legal obligation our legitimate interest according to Art. 6 (1) (f) GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities (see above).

In this context, we disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date.

IV.4.2. Business Analyses

In order to run our business economically and to be able to recognise market trends and wishes of contractual partners and users, we analyse the data we have on business transactions, contracts, enquiries, etc.. We process master data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 (1) (f) GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with information, e.g. on the services they have used. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.

If these analyses or profiles are personal, they are deleted or anonymised when the user terminates the contract, otherwise after two years from the end of the contract. In all other respects, the overall business analyses and general trend analyses are prepared anonymously wherever possible.

V. State of this Privacy Policy & Changes

We reserve the right to change this Privacy Policy at any time in compliance with applicable laws and regulations.

The version available online at the time of your visit applies to the use of our website. The current version of this Privacy Policy is always available at https://abo.miles-mobility.com/en/data-privacy-and-cookie-policy.

State: 27.10.2022