Privacy

Schwarz Mobility Solutions GmbH
Privacy policy for twogo website and service

We take the protection of your personal data very seriously and strive to provide you with comprehensive information about the processing of your personal data. The following privacy policy explains how and for what purposes we process your personal data when you visit our website, visit us on social media, contact us and/or use our twogo app.

As a rule, the personal data of yours that we collect is obtained directly from you. The statutory basis is, in particular, the EU General Data Protection Regulation (GDPR).

Version 4.0

Contents

A. Controller within the meaning of Article 4(7) GDPR

The controller within the meaning of Article 4(7) GDPR responsible for the processing of data described below is:

Schwarz Mobility Solutions GmbH
Stiftsbergstraße 1
74172 Neckarsulm, Germany

e-mail: info@twogo.com.

Where a licensed user is one of our corporate customers, we and their employer/customer are joint controllers within the meaning of Article 26 GDPR for data processing. We enter into agreements with the relevant corporate customer that govern joint responsibility and set out the respective division of duties. For further information, refer to (G) below.

B. Visiting our website and our social media sites

1. Communication by e-mail/telephone/mail/contact form

1.1. Purposes of the processing/legal basis

We treat all personal data that we receive from you by e-mail, telephone, mail or contact form confidentially. We use your data solely for the limited purpose of processing your inquiry. The legal basis for the processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the interest in responding to your inquiries so that customer satisfaction is ensured and promoted.

When you send us personal data by contacting us for purposes of initiating or performing an existing contractual relationship, Article 6(1)(b) GDPR is the legal basis for data processing.

Where you provide us with additional information in the required fields in our contact form, the legal basis is your consent pursuant to Article 6(1)(a) GDPR. You may withdraw this consent at any time with effect for the future.

1.2. Recipients/categories of recipient

We transfer your personal data on an ad hoc basis and to the extent necessary to Netlution GmbH, Landteilstr. 33, 68163 Mannheim, Germany, which processes any customer inquiries you make by telephone, mail and/or e-mail on our behalf.

1.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, if you do not provide us with the data required to process your request, we will not be able to process or respond to it.

1.4. Storage time/criteria for determining storage time

We delete or securely anonymize all information we receive from you when you make inquiries no later than 90 days after the final response is sent to you. The information is retained for 90 days in case you contact us again after a receiving a response from us on the same matter and we need to refer to our previous correspondence. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject, your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met.

Personal data that you send to us as part of initiating or performing a contract will be deleted after no more than 12 years.

Optional information is deleted if you withdraw your consent.

2. Data processed when you visit this website

2.1. Purposes and legal basis of data processing

When you visit this website, log files are generated containing the following information:

• the website from which you visit our site;
• the IP address;
• the date and time of access;
• the client request;
• the http response code;
• the data volume transmitted; 
• information about the type of browser and operating system you are using.

Access to our website is protected by a firewall. Your IP address and the client request are logged for this purpose (purpose for request).

The legal basis for the processing is Article 6(1)(f) GDPR. Our legitimate interest arises from our interest in protecting our systems and preventing improper and/or fraudulent activity each time that a user accesses this website.

Where processing of the aforementioned data is necessary for preparing or performing a contractual relationship, we process your data on the basis of Article 6(1)(b) GDPR.

2.2. Recipients/categories of recipient

In exceptional cases, your personal data may be accessible to Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, for support and maintenance purposes because the twogo app and its data are hosted and stored on our behalf on servers provided and operated by Schwarz IT KG.

The data logged in connection with the use of the firewall can be accessed by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland because we use Microsoft's services to operate our firewall.

2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. However, such data will be processed for technical reasons as soon as you access our site. The only way to prevent your data from being processed is to stop using our website.

2.4. Duration of storage

We store the aforementioned log files for a period of 32 days. The data logged by the firewall is stored for 30 days.

3. Cookies

We, Schwarz Mobility Solutions GmbH, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, are the controller with respect to data processing in connection with the use of "Cookies" and other similar technologies to process usage data on all (sub-)domains at www.twogo.com / www.twogo.de.

Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our websites. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie stores certain information that results in connection with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

You may also configure your browser to ensure that a warning appears every time a new cookie is placed. This makes the use of cookies more transparent for you. You may also configure your browser to refuse acceptance of all or some cookies from certain sources. Please be advised, however, that disabling cookies may limit the functionality of this website.

3.1. Purposes and legal basis of data processing

Cookies and the other technologies used to process usage data are deployed for the following purposes, depending on the categories of cookie/other technologies:

• Necessary: these cookies help to make a website usable by enabling basic functions such as site navigation and access to secure pages. The website cannot function properly without these cookies.
• Preferences: using these methods, we can take into account your actual or perceived preferences to enhance the user experience. For example, we can use your settings to display our website in a language relevant to you. They also mean we can avoid displaying products that may not be available in your region.
• Statistics: These methods enable us to tailor the design of our services by producing anonymized statistics about how they are used. For example, we can use them to determine how better to adapt our websites to user habits.
• Marketing: These enable us to display relevant advertising content based on an analysis of your usage behavior. Your usage behavior can also be tracked over various websites, browsers or devices via a user ID (unique identifier).

Depending on the purpose, the use of cookies and similar technologies to process usage data involves processing the following types of personal data in particular:

Necessary:

• Authentication data to identify a user after signing in, enabling you to access authorized content on subsequent visits (e.g., access to your customer account);
• security-related events (e.g., identifying repeat failed sign-in attempts);
• Data to play back multimedia content (e.g., playing (product) videos selected by you).

Preferences:

• Settings to customize the user interface that are not linked to a permanent identifier (e.g., selecting the displayed language).

Statistics:

• Pseudonymized usage profiles containing information on the use of our websites. These contain in particular:
  • browser type/browser version;
  • operating system used;
  • referrer URL (i.e., the previously visited page);
  • host name of the accessing computer (IP address);
  • time of the server request;
  • individual user ID; and
  • events triggered on the website (web browsing behavior).
• The IP address is routinely anonymized, which in principle means it is no longer possible to identify you.
• We only store the user ID together with other data you provide (e.g., name, e-mail address) if you give us separate express permission to do so. In itself, we cannot use the user ID to identify you.

Marketing

• Pseudonymized usage profiles containing information on the use of our websites. These contain in particular:
  • IP address;
  • individual user ID;
  • products potentially of interest;
  • events triggered on the website (web browsing behavior). 
•  IP addresses are routinely anonymized, which in principle means it is no longer possible to identify you. 
• We only store the user ID together with other data you provide (e.g., name, e-mail address) if you give us separate express permission to do so. In itself, we cannot use the user ID to identify you. We may potentially share the user ID and associated usage profiles with third parties via providers of advertising networks.

The legal basis for using preference, statistics and marketing cookies and similar technologies is your consent given pursuant to Article 6(1)(a) GDPR. The legal basis for using technically necessary cookies and similar technologies is your consent given pursuant to Article 6(1)(b) GDPR.

You may withdraw/modify your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. Click here to make your selection. For an overview of the cookies and other technologies we use, including the respective purposes of processing, storage periods and any third party providers involved, see our cookie policy.

3.2. Recipients/categories of recipient

When using cookies and similar technologies to process usage data, we may on occasion retain specialized service providers, particularly from the field of online marketing, to process data. These service providers process data on our behalf. If you have consented to processing for marketing purposes, we may potentially share your User ID and the associated user profiles with third parties via the providers of advertising networks. For information about other recipients in connection with using cookies to process data, see our cookie policy under the heading "Providers".

3.3. Transfer of data to third countries

To the extent that you have consented to the use of the relevant cookies, your data will be transferred to the servers of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, if it is processed using Google Analytics. Some of these servers are located in the USA. There is no EU adequacy decision in place for the USA, meaning that a level of data protection comparable to the EU standard cannot be guaranteed. This could mean that third parties could access your data and that this would be beyond our or your control. In addition, Google LLC can use the data for its own purposes and link it with other datasets of yours. We have agreed standard contractual clauses with Google LLC that require Google LLC to comply with legal data protection standards.

3.4. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. You may prevent cookies from being stored by adjusting the aforementioned settings, selecting the categories of cookies accordingly or by withdrawing or modifying any consent you may have given.

3.5. Duration of storage

For information on the storage time for cookies, see our cookie policy. If "persistent" is entered in the "expiration" column, the cookie will be stored permanently until the corresponding consent is withdrawn.If you withdraw your consent, the data will be deleted immediately.

4. Newsletter

4.1. Purposes and legal basis of data processing

We offer you the opportunity to subscribe to our newsletter. If you consent to receive our newsletter, we will use your e-mail address and name (if provided) to send you (where possible personalized) information about twogo and related promotions, prize draws and news.

The legal basis for such processing is your consent pursuant to Article 6(1)(a) GDPR.

With your consent, we record your usage behavior on our site. The analysis of usage behavior includes, in particular, which areas of the respective website or newsletter you visit and which links you click on there. In the process, personalized usage profiles are created under your name and/or e-mail address in order to send you more targeted interest-based marketing communications in the form of newsletters and optimize our online services.

The legal basis for such processing is your consent pursuant to Article 6(1)(a) GDPR. To ensure that no mistakes are made when entering the e-mail address, we use the "double opt-in" procedure: once you enter your e-mail address in the registration field, we will send you a confirmation link. Your e-mail address will not be added to our distribution list until you click on the confirmation link.

You may withdraw your consent to receiving the newsletter and to having a personalized usage profile at any time with effect for the future, e.g., by unsubscribing from the newsletter on our website. The link to the unsubscribe page is provided here or at the bottom of every newsletter. When you unsubscribe, we consider your consent to the creation of a personalized user profile and the receipt of newsletter based thereon as withdrawn. We will delete your usage data. The lawfulness of the processing carried out until such time as we receive your notice of withdrawal shall not be affected.

4.2. Recipients/categories of recipient

In exceptional cases, your personal data may be accessible to Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, for support and maintenance purposes because the twogo app and its data are hosted and stored on our behalf on servers provided and operated by Schwarz IT KG.

We also use the services of Clever Elements GmbH, Lohmühlenstr. 65, 12435 Berlin, Germany for our newsletter tools, which means that Clever Elements GmbH can access your data.

4.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide your personal data to us. Subscribing to our newsletter is voluntary and always subject to your consent.

4.4. Duration of storage

Your e-mail address and your name (if provided) will be deleted as soon as you unsubscribe from our newsletter.

5. Our social media sites

5.1. Responsibilities

The party responsible for the collection and processing of data described below (the controller) is in some cases us, Schwarz Mobility Solutions GmbH, and in some cases the operator of the relevant social media platform. For certain types of processing, we and the platform operator act as joint controllers as defined in Article 26 GDPR.

We use the following social media sites:

• LinkedIn: https://www.linkedin.com/showcase/twogo
• YouTube: https://www.youtube.com/channel/UC4esWVPfggo_oWbIIfIPJcA

5.1.1. The platform operator as controller

We have only limited control over the processing of data by the operators of social media platforms (e.g., the management of members and the information shared). In the situations in which we are able to have influence and can set parameters for the data processing, we endeavor to ensure within the confines of the options available to us that the social media platform operator deals with the data in accordance with data protection law requirements. In many cases, however, we are unable to influence the way in which social media platform operators process data and also do not know exactly which data they process.

Platform operators operate the entire IT infrastructure of the service, have their own privacy policies and maintain their own user agreements with you (where you are a registered user of the social media service). The operator is also solely responsible for all questions relating to the data that makes up your user profile, which we as a company have no access to. You will find further information about the data processing performed by social media platform operators and your rights to object in the privacy policies of the operators.

• LinkedIn: https://www.linkedin.com/legal/privacy-policy?trk=d_org_guest_company_overview_footer-privacy-policy
• YouTube: https://www.youtube.com/intl/de/about/policies/

5.1.2. Our responsibility as Schwarz Mobility Solutions GmbH

5.1.2.1. Purposes and legal basis of data processing

We process data on our social media sites for the purpose of providing information to customers about services, promotions, prize draws, specific topics and latest company news, to interact with visitors to our social media sites on these topics, and to respond to relevant inquiries and positive or negative feedback.

We merely reserve the right to delete content if it becomes necessary to do so. We may share your content on our site if this is one of the functions of the social media platform, and communicate with you through the social media platform. Article 6(1)(f) GDPR is the legal basis for this. The processing is carried out for the purpose of our public relations work and communications. Operators have no ability to influence our processing of your data in connection with customer communications or prize draws.

As already mentioned, where social media platform operators give us the option, we make sure we design our social media sites to be as compliant as possible with data protection laws.

5.1.2.2. Recipients/categories of recipient

The data entered by you on our social media sites, such as comments, videos, images, likes, public messages, etc., is published by the social media platforms and is not used or processed by us for other purposes at any time. We merely reserve the right to delete unlawful content if it becomes necessary to do so. This would be the case, for example, for posts that infringe rights or violate the law, comments that incite hatred, offensive comments (sexually explicit content) or attachments (e.g., images or videos), which may be in violation of copyright laws, moral rights/rights of publicity or criminal law.
We may share your content on our site if this is one of the functions of the social media platform, and communicate through the social media platform. If you post an inquiry on the social media platform, we may also, depending on the required response, refer you to other more secure modes of communication that guarantee confidentiality. You always have the option of sending confidential inquiries to us at our address listed under no. 1 above or in the "legal notice" section of our website.

5.1.2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us. When you use our social media sites for purely informational purposes, we do not collect any personal data. You can still visit our sites even if you do not wish to provide us with any personal data, but you will not be able to use any enhanced features such as the news function and the function allowing you to post images or comments etc.

5.1.2.4. Duration of storage

We delete or securely anonymize all information we receive from you when you make inquiries no later than 90 days after the final response is sent to you. The information is retained for 90 days in case you contact us again after a receiving a response from us on the same matter and we need to refer to our previous correspondence. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject, your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met.

All public posts that you put on our social media sites remain in the timeline for an indefinite period, unless we delete them as part of updating the information on the topic, they violate the law or breach our guidelines or policies, or you delete the post yourself. We have no control over the deletion of your data by the operator itself. The privacy policy of the relevant operator therefore also applies in relation to the storage period.

5.2. Processing as joint controllers

In some cases, we and the operator of the social media service act as joint controllers as defined in Article 26(1) GDPR:

We and the platform operator act as joint controllers with regard to the web tracking methods used by the social media platform operator. Web tracking can occur regardless of whether you are logged in or registered on the social media platform. As already explained, unfortunately we have almost no control over the web tracking methods used by social media platforms. We are unable, for example, to switch web tracking off.

The legal basis for the web tracking methods is Article 6(1)(f) GDPR. Optimizing social media platforms and the relevant fan pages is seen as a legitimate interest for the purpose of the above provision.

For further information about recipients and categories of recipients and the storage time/criteria for determining storage time, please refer to the privacy policies of the platform operators. We do not have any control over this.

You will find information on the rights available to you to prevent these web tracking methods in the privacy policies of the platform operators. You can also contact the platform operators about this using the contact details provided in the legal notice section of their respective websites.

We have only a very limited ability to influence and prevent the provision of statistics to us by social media platform operators. However, we do make sure that we do not receive any additional optional statistics.

Please be aware that it is possible that social media platforms will use your profile and user behavior data in order to analyze, for example, your habits, personal relationships and preferences etc. Schwarz Mobility Solutions GmbH has no control over the processing or disclosure of your data by social media platform operators.

C. Using twogo

1. Setting up a twogo user account and using twogo (web application and app)

1.1. Purposes and legal basis of data processing

1.1.1. Information required to use twogo

If you wish to set up a twogo user account and use twogo, you must register with the following data:

1.1.1.1. Corporate customers

As a corporate customer, we collect your master data and contact details to initiate and perform the contractual relationship on the basis of Article 6(1)(b) GDPR. We also collect a contact's master and contact data on the basis of Article 6(1)(f) in the legitimate interest of communicating effectively.

After we have set you up as a customer, you will receive a request form allowing you to define your preferred settings and a corporate admin. You can save an e-mail domain that enables us to assign your company users to your organization.

1.1.1.2. End users

As an end user, we process the following personal data: 

• First and last name (master data):
  • are displayed to all carpool members and their followers as well as to those users to whom you send a ride request.

• E-mail address (contact data)
  • is used by the users for registration.
  • We also use your e-mail address to communicate with you, confirm the activation of your account and send you information about how to use twogo.
  • If you are a licensed user, we will send you an e-mail at regular intervals to the e-mail address you provided asking you to click on a confirmation link. In this way we verify that you are still with the licensed company.
  • If you are a licensed customer, your employer/customer can send you an e-mail assigning a parking space to you.

• Password:
  • is used by the users for registration.

• Cellphone number (contact data):
  • We also use your cellphone number if you wish to receive notifications from twogo. (This twogo function is only available in selected countries, in which case your data will only be processed in those countries for the stated purposes.)
  • The telephone number is also used to verify the user account.

• Home address (contact data):
  • standard settings for departure point and destinations for regular rides.
  • Is used to quickly enter ride requests and receive ride recommendations from twogo.

• Ride request data:
  • includes role as driver, passenger or both, departure and destination address, earliest departure date and time, latest arrival date and time, maximum number of passengers, whether a round-trip is required (incl. departure and destination address and times for any return ride), maximum detour time and whether it is a rental or shared vehicle.
  • Is used by twogo to arrange the suitable carpool and also by your followers and the users to whom you sent a ride request.
  • Is displayed to the licensed company for purposes of statistical analyses when a pool vehicle of the licensed company, which is your employer or customer, is booked.

• Vehicle data:
  • if you use twogo as a driver, this information is required for using twogo.
  • Includes model, license plate number, fuel type, available seats and whether it is a standard vehicle.
  • If you offer rides as a driver, your vehicle data will be sent to all carpool members.
  • Followers and users to whom you send a ride request will be notified of the number of available seats and your desired role.
  • The profile shows the carbon emissions and traveled kilometers accrued by twogo users as divers or passengers.

• Information about your employer (for independent contractors, information about your customer):
  • using the e-mail address or any token you used to registered with twogo, we check whether you are an independent subcontractor or employee of a licensed company so that we can assign you to that company and offer you expanded functions in twogo.

We process your data on the basis of Article 6(1)(b) GDPR so that we can create and provide your user account and make twogo services available to you and you can link to the ride requests and carpools that you create or join while using our service. This information is also used for exchanging information with you and your followers and passengers for a ride request or ride referral.

1.1.2. Optional information

You may enter additional optional information into your twogo account. Depending on the data you enter and in addition to the aforementioned required data, we also process the following data in particular:

• Profile data:
  • nickname so that your real name is not visible when certain application functions are used
  • gender, if "only ride with women" is set for rides
  • profile picture to personalize the profile

• Vehicle data:
  • vehicle picture
  • interim destinations during rides
  • recurring rides

• work address or other favorite places (e. g., buildings on the company premises as the departure and destination address):
  • are used to provide the user with predefined (company-specific) locations for quick entry.

• If you use the twogo points account, the ride request or ride data (as driver, passenger or outstanding ride request) is used to manage your points account.

• If you are a licensed twogo user and wish to participate in a challenge initiated by your licensed company, we send your name, the points you earned for the challenge and e-mail address to the licensed company.

We process your data on the basis of your consent pursuant to Article 6(1)(a) GDPR, which you provided either expressly or by activating a particular function. You may withdraw your consent at any time with effect for the future, e.g., by deactivating the relevant services.

1.1.3. Experience scores and leaderboard

The leaderboard contains a ranking that displays users according to their experience scores. Experience scores are given for things like rides completed with others. If you would like to collect experience scores and participate in the ranking, you must activate the relevant pop-up. We then process your rating data on the basis of your consent given pursuant to Article 6(1)(a) GDPR, which you can withdraw at any time with effect for the future, e.g., by deactivating the function.

1.1.4. Processing location data

You can activate the location function in the app to enable your exact location to be determined using GPS data from your end device. In addition, you can select whether you would like to share your exact location with other passengers 10 minutes before a ride begins. If you would like to use the integrated map, you must first agree to share your location. Your location data is processed only for the specified purposes, in particular we do not generate any sort of tracking profile for you. Your location data is processed only with your consent pursuant to Article 6(1)(a) GDPR, which you can withdraw with effect for the future at any time.

1.1.5. "Follow user" and "block user"

As soon as someone has a match with a user, that person will see that user's profile and can follow the user by clicking on the "+ follow" button. This function allows that person's rides to be viewed more quickly. In particular, the user can share rides with followers. By clicking on the same button, the user can be unfollowed. Followers are listed in the profile under "Followers" and "Following" in the menu. Users can also be blocked, the opposite of following. Blocked individuals are listed under "Security". Blocked individuals are not taken into account for matching purposes. The user can unblock blocked individuals at any time. The legal basis for this processing is your consent pursuant to Article 6(1)(a) GDPR, which you can withdraw with effect for the future at any time.

1.1.6. Group chats and chat function

Users matched for a ride can use the group chat or chat function in the app. The ride passengers can message each other there. After the ride is over the chat is deleted. Use of the chat function is voluntary, the legal basis being your consent given pursuant to Article 6(1)(a) GDPR, which can be withdrawn.

1.1.7. Push notifications

With your consent, you will receive push notifications, especially about matches and rides, on your end device. The legal basis for the data processing is your consent pursuant to Article 6(1)(a) GDPR. You can deactivate push notifications at any time and withdraw your consent.

1.1.8. Calendar function

You can also book your desired ride directly through your e-mail calendar. To do so, create an invitation with the relevant location, time and role details and enter our e-mail address ride@twogo.com as a required attendee. Your ride will be transferred to the twogo app automatically. The rides will then be matched using the aforementioned matching process. By making the request, your calendar will be automatically blocked from the earliest possible departure time to the latest possible arrival time that you have given. Use of the calendar function is voluntary, the legal basis being your consent given pursuant to Article 6(1)(a) GDPR, which can be withdrawn.

1.2. Recipients/categories of recipient

Your personal data may to the extent necessary be sent to other twogo users so that we can make various twogo services available to you. If these users are licensed users, the data transferred may also be accessible to the licensed company with which they are affiliated as that company generally has access to the e-mail address used by the licensed users to which data of yours may be sent. See section 1.1 for information on the purposes of the data transfer and the categories of potential recipients.

If you are a licensed user, your licensed company may designate one or more person(s) as administrators for the licensed version of twogo. For support purposes, the administrators may have access to all of your personal data and carpools/ride requests and block/unblock your account. If you are a licensed user and book a pool vehicle of your licensed company, statistical analyses (see also, point 4) for your ride data may be transmitted to the licensed company.

If you carpool as a passenger in a pool vehicle of a licensed company, your ride data may be displayed to the licensed company for purposes of statistical analysis (see also point 4). This is the case even if you are not a licensed user and thus not an independent contractor/employee of the licensed company.

If you are a licensed user and your licensed company offers reserved parking, we will disclose your license plate number to authorized persons of that company upon request to verify that you have a parking permit if you are the driver of a booked or still unbooked carpool.

In exceptional cases, your personal data may be accessible to Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, for support and maintenance purposes because the twogo app and its data are hosted and stored on our behalf on servers provided and operated by Schwarz IT KG.

We transfer your personal data on an ad hoc basis and to the extent necessary to Netlution GmbH, Landteilstr. 33, 68163 Mannheim, Germany, which processes any customer inquiries you make by telephone, mail and/or e-mail on our behalf.

Other recipients may be given access to your personal data on an ad hoc basis, but only to the extent necessary and where the provision of the twogo service so requires. This includes CometChat Inc., Suite 200, 1002 Walnut St, Boulder, CO, 80302, USA as the operator of the chat service and Google LLC as the operator of Google Maps. It cannot be ruled out that service providers process the data in countries outside of the EU without an EU adequacy decision, which means the level of data protection is lower than that in the EU. This means that third parties could access your data and that your rights as a data subject are limited. We have no control in this respect. However, we have contractually obliged service providers to comply with legal data protection requirements through EU standard contract clauses. Where your data can be accessed by a service provider in a third country and you consent to voluntary data processing anyway (e.g. Google Maps), your consent will also apply to transmitting the data to a third country.

In addition, to generate invoices for corporate customers, data is transferred to Schwarz Dienstleistung KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany.

1.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide personal data to us if you are not interested in using twogo. However, if you do wish to use twogo and create a user account, our Terms of Use require that you provide the correct and complete mandatory information.

If you provide optional information or use additional functions, you do so on a voluntary basis. You are under no legal or contractual obligation to provide such data. Not providing the data will only mean that you will not be able to use the relevant functions.

1.4. Duration of storage

We store personal data only for as long as required to fulfill the purpose and until there are no (further) statutory retention periods. We delete your personal data from your customer account as follows:

name, e-mail address, password:

• deleted 7 days after registration if the registration is not confirmed. 
• deleted after 365 days of inactivity on the part of the registered user. 
• deleted when the contractual term of a license expires: if you are a licensed user and the license of your licensed company expires, your twogo user account will be permanently deleted at that time.
• permission to use deleted if you are an unauthorized license user.
• deleted promptly after you delete your user account or request deletion from an admin.

Other profile data:

• deleted after 365 days of inactivity on the part of the registered user.
• deleted when the contractual term of a license expires: if you are a licensed user and the license of your licensed company expires, your twogo user account will be permanently deleted at that time.
• permission to use deleted if you are an unauthorized license user.
• deleted promptly after you delete your user account.

Ride request data (departure and destination address, earliest departure date and time, latest arrival date and time)

• deleted promptly if the user cancels the ride request
• deleted 41 days after the ride date.

For data processed on the basis of your consent, we delete the data promptly after your consent has been withdrawn.

2. Special considerations when using twogo via the twogo app

2.1. Purposes and legal basis of data processing

2.1.1. Data from your end device

Apart from any processing of the data mentioned above, when you use twogo via the twogo app, we process the following personal data in particular:

• The date on which you accessed the service and the action you executed. We use this data for support purposes and to measure the frequency of use.
• We also log your IP address. This helps us to fend off attacks on the system and rectify errors in service.

We process the aforementioned data on the basis of Article 6(1)(f) GDPR. We have a legitimate interest in measuring how often twogo is used and ensuring the technical stability and security of the app.

2.1.2. Google Analytics for Firebase

For the purposes of the needs-based design and ongoing optimization of our websites, we use Google Analytics for Firebase, a web analytics service of Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA ("Google") on the basis of consent given pursuant to Article 6(1)(a) GDPR. Pseudonymized usage profiles are generated and cookies are used in this regard. The cookie generates the following information about your use of this website:

• browser type/browser version;
• operating system used;
• referrer URL (i.e., the previously visited page);
• host name of the accessing computer (IP address);
• the name and URL of the requested files;
• time of the server request.

The information is used to analyze users of our website to prepare reports about website activities and provide other services related to website and internet usage for market research purposes and to design these websites to meet requirements.

You can withdraw your consent at any time. To do so, please follow this link and select the relevant settings using our banner.

You can also prevent cookies from being installed by selecting the corresponding settings in your browser software. You can prevent the data generated by the cookie and the data related to your website use from being collected, and prevent Google from processing these data, by downloading and installing this browser add-on.

2.1.3. Firebase Crashlytics

If the twogo app crashes, we receive anonymous data indicating which twogo app functions the user had last used before it crashed. This data relates solely to the twogo app and its functions and cannot be associated with any individual user. It is used solely for purposes of error analysis.

2.2. Recipients/categories of recipient

In exceptional cases, your personal data may be accessible to Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, for support and maintenance purposes because the twogo app and its data are hosted and stored on our behalf on servers provided and operated by Schwarz IT KG.

We transfer your personal data on an ad hoc basis and to the extent necessary to Netlution GmbH, Landteilstr. 33, 68163 Mannheim, Germany, which processes any customer inquiries you make by telephone, mail and/or e-mail on our behalf.

To the extent that you have consented to the use of the relevant cookies, your data will be transferred to the servers of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, if it is processed using Google Analytics. Some of these servers are located in the USA. There is no EU adequacy decision in place for the USA, meaning that a level of data protection comparable to the EU standard cannot be guaranteed. This could mean that third parties could access your data and that this would be beyond our or your control. In addition, Google LLC can use the data for its own purposes and link it with other datasets of yours. We have agreed standard contractual clauses with Google LLC that require Google LLC to comply with legal data protection standards.

Other recipients may be given access to your personal data on an ad hoc basis, but only to the extent necessary and where the provision of the twogo service so requires. It cannot be ruled out that service providers process the data in countries outside of the EU without an EU adequacy decision, which means the level of data protection is lower than that in the EU. This means that third parties could access your data and that your rights as a data subject are limited. We have no control in this respect. However, we have contractually obliged service providers to comply with legal data protection requirements through EU standard contract clauses.

2.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide the specified personal data of yours to us. However, if you do not provide the data to us, you may not be able to use all the functions in the twogo app.

2.4. Duration of storage

We store the aforementioned log files for a period of 32 days. We delete your data when you withdraw your consent or delete your user account. For information on the storage time for cookies, see our cookie policy. If "persistent" is entered in the "expiration" column, the cookie will be stored permanently until the corresponding consent is withdrawn. If you withdraw your consent, the data will be deleted immediately.

3. Use of data for statistical purposes

3.1. Purposes and legal basis of data processing

If you use twogo as a licensed user, the following data in particular is collected and used for purposes of statistical analysis. We process the aforementioned data on the basis of Article 6(1)(f) GDPR. We have a legitimate interest in providing our licensed business customers with the aforementioned data in the aforementioned form, as this is part of the service we offer our business customers.

These statistics are not linked to any specific individual. It involves aggregated and therefore anonymized data comprising the information set out below:.

4.2. Recipients/categories of recipient

In exceptional cases, your personal data may be accessible to Schwarz IT KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, for support and maintenance purposes because the twogo app and its data are hosted and stored on our behalf on servers provided and operated by Schwarz IT KG.

Statistical data is transferred to your employer/customer provided that it is a licensed business customer of twogo and you use twogo in your capacity as a licensed user. 

Other recipients may be given access to your personal data on an ad hoc basis, but only to the extent necessary and where the provision of the twogo service so requires. It cannot be ruled out that service providers process the data in countries outside of the EU without an EU adequacy decision, which means the level of data protection is lower than that in the EU. This means that third parties could access your data and that your rights as a data subject are limited. We have no control in this respect. However, we have contractually obliged service providers to comply with legal data protection requirements through EU standard contract clauses.

3.3. Obligation to provide your data

You are under no statutory or contractual obligation to provide the specified data to us. However, as you use twogo, the data will be generated and processed by us for the specified purposes and in the specified form and manner.

3.4. Duration of storage

We store the specified statistical data for one year. Your employer/customer may store the data for a longer period, however we have no control over this.

4. Rating function for drivers and passengers

4.1. Purposes and legal basis of data processing

As a driver (or passenger), you have a period of six weeks after completing a ride to rate your passengers (or driver, respectively) based on your overall level of satisfaction and individual criteria, so-called "comments" (cleanliness, punctuality, communication, considerateness, navigation, driving) according to three levels ("Not so great", "OK" and "Top notch"). You can submit the rating by clicking on the notification icon in your trip history within the aforementioned period of time. 

A twogo user can rate the same driver or passenger a maximum of three times within 365 days to prevent abuse of the rating function.

The legal basis for the processing connected with the rating function is Article 6(1)(f) GDPR. Our legitimate interest is in enhancing users' trust in twogo and providing them with the opportunity to share their experiences about using twogo with other users and/or getting information about other users' experiences with matched drivers/passengers before a ride.

If you believe that the ratings you have been given are not appropriate, please contact us at: info@twogo.com

4.2. Recipients/categories of recipient

If you have been rated by a driver and/or passenger, the rating will only be displayed in your profile once you have received at least seven ratings. The rating that applies to you can then be viewed by other users only if they are suggested to you as a match for a potential shared ride because that is the only time when data that other users can access, including rating, can be seen in your profile.

Ratings are submitted without disclosing the name of the user providing the rating. However, it cannot be ruled out entirely that the rated user can piece together clues about the user providing the rating. If for example, a driver only completes three rides with the same three passengers who rate the driver each time, an overall rating will be displayed for the driver because nine ratings have been received and the minimum threshold of seven ratings has been met. Because the driver knows that they have only driven three passengers that month, they can conclude that the overall rating is from the ratings provided by these three passengers. Please therefore bear in mind that a rating is not always anonymous. 

Overall level of satisfaction represents the average of all the submitted ratings and can be viewed in your profile. When a match is made, a comment is displayed to other users in detail only if it is "Top notch", i.e., if your communication was given that rating. For any other comment, the only thing that is displayed is the note in your profile that there is "Room for improvement" (rating = "Not so great") or "Something went a bit off track" (rating = "OK"). Only you can see exactly what comments were made with which rating, even when it is not "Top notch". However, the twogo user is still anonymous.

4.3. Obligation to provide your data

Using the rating function is voluntary. Choosing not to use them does not result in any disadvantage and you can still use twogo as usual. After every ride, you can once again decide individually whether you would like to rate the relevant driver or passenger or not.

4.4. Duration of storage

Ratings are recognized permanently and not deleted as a general rule. If you believe that the ratings you have been given are not appropriate and would like them to be deleted, please contact us at: info@twogo.com

D. Processing of corporate customers' personal data 

Apart from the data processing described elsewhere herein, we process the personal data of corporate customers in connection with the associated contractual relationship and/or taking steps prior to entering into a contract.

As a rule, the personal data of yours that we collect is obtained directly from you. However, it may also be necessary to process personal data that we obtain from other companies, authorities or other third parties, such as credit agencies, tax offices and the like. This may include personal data that we obtain through our whistleblower channels about potential compliance violations or in the context of compliance investigations.

Relevant personal data may include: personal details (e.g., first name, last name, address and other contact details, date and place of birth and nationality), identification and authentication data (e.g., commercial register excerpts, I.D. data, specimen signature), data within the scope of our business relationship (e.g., payment data, data on orders), creditworthiness data, data on corporate and ownership structure, photos and videos, and other data comparable to the aforementioned categories.

You may elect to communicate with us by e-mail or mail. For technical reasons, e-mail communications may be unencrypted.

1. Purposes and legal basis of data processing

1.1. For the performance of contractual obligations (Article 6(1)(b) GDPR)

The purposes of processing follow from the need to take steps prior to entering into a contract, in advance of a contractual business relationship and to perform obligations under an existing contract.

1.2. For compliance with a legal obligation (Article 6(1)(c) GDPR)

The purposes of processing follow from statutory requirements in the individual case. Such legal obligations include, e.g., complying with retention and identification obligations, e.g., in the context of anti-money laundering requirements, tax monitoring and reporting requirements and data processing in the context of requests from authorities.

1.3. For the purposes of legitimate interests (Article 6(1)(f) GDPR)

It may be necessary to process the personal data you provide for purposes beyond the actual performance of the contract. Legitimate interests in this case include, in particular, selecting suitable customers, asserting legal claims, defending against liability claims, protecting our IT infrastructure, managing system access authorizations, data access controls, other internal administrative purposes (such as optimizing processes and workflows), sending the invitation to provide feedback you previously agreed to provide about your contact within the Schwarz Group, facilitating communication and contact via our Group-wide user directory, clarifying potential compliance violations, preventing crimes and settling claims arising out of the business relationship.

At the time of contracting, we occasionally obtain data on your credit history from credit agencies to serve the aforementioned legitimate interests. We use the credit history information from the credit agencies to assess your creditworthiness. Credit agencies store data that they receive from banks or companies, for example. Such data includes in particular last name, first name, date of birth, address and information on payment history. Information on the data stored about you can be obtained directly from the credit agencies.

If you accept our offer of contract by means of digital signature (e.g., Adobe Sign), we process your data, such as in particular e-mail address, IP address as well as the time and date of any modifications you make to the respective contract document, for instance when you approved, displayed or digitally signed it. We have a legitimate interest in ensuring that the process for signing contracts digitally is fast and efficient and that the signing process can be logged for verification purposes. Certain contracts may also be signed using a so-called qualified electronic signature. In this case we also process the certificate data associated with your signature in addition to the aforementioned data. We have a legitimate interest in being able to verify whether you are able to provide a valid qualified electronic signature serving to replace any written form prescribed by statute. To use a qualified electronic signature, you must independently register with a trust service provider (e.g., D-TRUST/Bundesdruckerei). When you register, the respective provider will process your data under its own responsibility and not on our behalf, however.

2. Recipients/categories of recipient

Within our company, access to the data provided by you will be granted to those departments that require such data for the purposes of performing contractual obligations, complying with legal obligations or serving legitimate interests. In the context of the contractual relationships, we also engage processors or service providers who may be given access to your personal data. Their compliance with data protection requirements is ensured by contractual agreement.

In addition, the data may be transferred to Schwarz Group companies for purposes of performing contractual obligations.

In the case of contracts executed by digital signature, your data is also accessible to all persons involved in the approval and signing of the contract, as they receive a log after the contract has been signed indicating all processing steps, including e-mail address, IP address, date and time. Your data may also be accessible to the respective service providers that we use for the relevant digital signature procedure. In the case of Adobe Sign, this would be Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West, Business Campus, Saggart D24, Dublin, Ireland. If a qualified electronic signature is used to execute digital contracts, your data will also be accessible to D-Trust GmbH, Kommandantenstraße 18, 10969 Berlin, Germany, which is the provider responsible for checking the validity of the signature.

3. Obligation to provide your data

Within the scope of our business relationship, you must provide us with the personal data needed to commence, execute and terminate a business relationship and to perform the obligations associated therewith, which we are legally obligated to collect or are entitled to collect on the basis of legitimate interests. Without such data, we would generally not be able to enter into a business relationship with you.

4. Duration of storage

The personal data will be stored for as long as necessary for fulfilling the above-mentioned purposes. Particularly relevant in this context are the statutory retention obligations under the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO), which provide for retention periods of up to 12 years.

E. Your data subject rights

Under Article 15(1) GDPR, you have the right to obtain information, free of charge, on the personal data stored about you.

If the statutory requirements are met, you also have a right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR) of your personal data.

If the basis of processing is Article 6(1)(e) or (f) GDPR, you have a right to object under Article 21 GDPR. If you object to processing, your data will no longer be processed thereafter, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests of the data subject in the objection.

If you have provided the processed data yourself, you have a right to data portability under Article 20 GDPR. If the data processing is carried out on the basis of consent granted under Article 6(1)(a) or Article 9(2)(a) GDPR, you may withdraw that consent at any time with effect for the future without this affecting the lawfulness of the previous processing.

In the above-mentioned cases, or if you have questions or complaints, please contact the data protection officer named below. You also have a right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority located in the state in which you live or where the controller is domiciled has jurisdiction.

When exercising your data subject rights in relation to the data processing referenced in this privacy policy for which we and your employer/customer are joint controllers, you may also contact your employer/customer.

F. Data protection officer contact information

For further questions concerning the processing of your data or the exercise of your rights, please contact our data protection officer:

datenschutz süd GmbH
– Schwarz Mobility Solutions –
Wörthstraße 15
97082 Würzburg, Germany

e-mail: office@datenschutz-sued.de

G. Further information on joint controllers

The duties connected with joint controllership have been divided as follows between us and your employer/customer:

The respective functions and obligations of each controller are marked with an "X".