Privacy Policy

Ver. 2.0
Status: 07.12.2022

With the following data protection notice, we would like to inform you (the user) about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to the processing of personal data carried out by us in connection with the MOTIONTAG app operated by us, the white label apps developed from it and the RECORD SDK, which is integrated into other apps by our customers and partners.

Data Controller (GDPR)

MOTIONTAG GmbH
Rudolf-Breitscheid-Str. 162
14482 Potsdam

Data Protection Officer

MOTIONTAG GmbH has appointed a data protection officer. He can be reached via datenschutz@motion-tag.com.

Depending on the use case of this app, other independent data controllers within the meaning of the GDPR may be involved in the processing of your personal data. These are regularly cooperation partners that work together with MOTIONTAG GmbH, for example universities, research institutes, market research companies, mobility service providers, transport companies or associations, cities and municipalities and similar organizations. The legal basis for processing is explained in the respective privacy policies or contract texts of the cooperation partners involved.

Before using the app or the SDK, it is necessary to accept the applicable contractual regulations of MOTIONTAG GmbH and the cooperation partners or to grant the requested consents. If the current contracts are terminated or consents granted are revoked, the app cannot be used any further. The procedures with already collected or processed data are governed by the contractual regulations and the privacy policies of possible cooperation partners.

Relevant Legal Bases

Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these at the appropriate point in the privacy policy.

Security Measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, safeguarding of availability and its separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data compromise. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through privacy-friendly default settings.

SSL encryption (https): To protect your data transmitted via our apps or our SDK, we use state-of-the-art TLS encryption.

Data Processing in Third Countries

If we process data in a third country (i. e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only be done in accordance with the legal requirements.

Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, a contractual obligation through so-called standard contractual clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de.

Note on processing of your collected data in the USA: For technical and organizational reasons, we sometimes use service providers who process personal data in the USA. Unfortunately, this cannot be avoided in all cases - however, we endeavor to obtain appropriate guarantees pursuant to Art. 46 GDPR via current standard contractual clauses as well as additional security measures in accordance with the case law of the European Court of Justice (ECJ).

If we ask for your consent before you use our offers, you consent to the processing of your data in the USA pursuant to Art. 49 (1) sentence 1 lit. a) GDPR. Alternatively, this type of processing can also be the subject of a contractual arrangement pursuant to Art. 49 (1) sentence 1 lit. b) GDPR, provided you conclude such an arrangement in advance of using the app. The USA is considered by the European Court of Justice to be a country with an insufficient level of data protection according to EU standards. In particular, there is a risk that your data may be processed by U.S. authorities for control and monitoring purposes, possibly without any legal remedy.

Against the background of all measures taken, we consider the risk to the rights and freedoms of the users concerned to be low, but we would also like to provide transparent information about potential risks.

Contact and Request Management

When contacting us (e. g. by e-mail or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

We use software services accessible via the internet and running on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e. g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).

In this context, personal data may be processed and stored on the servers of the providers to the extent that these are part of communication processes with us or are otherwise processed by us as set out in the context of this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their contents. The cloud service providers also process usage data and metadata used by them for security purposes and service optimization.

The answering of contact inquiries as well as the administration of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise on the basis of legitimate interests in answering inquiries and maintaining user or business relationships.

Services used:

Registration, Login and User Account

(Does not apply to: RECORD SDK)

Users of the apps must first create a personalized user account. As part of the registration process, users are informed of the required mandatory information and this data is processed for the purpose of providing the user account on the basis of the contractual fulfillment of obligations. The processed data includes in particular the login information (e-mail address and password). This allows the user account to be set up on another mobile device and used for mobility data collection. The registration information is stored separately from the mobility data.

Within the scope of the registration and login functions as well as the use of the user account, the IP address is processed and the time of the respective user action is stored. This is done on the basis of our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. In principle, this data is not passed on to third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.

Users can be informed by email about events relevant to their user account, such as technical changes.

Further notes on procedures and services:

Mobility Data Acquisition, Data Analysis and Visualization

When using the app, the distances traveled are recorded together with the means of transport used and the resulting CO2 emissions are calculated. The determination of the tracks and means of transport as well as the calculation of the CO2 emissions is subsequently carried out after data collection in the course of a data analysis on the servers of the named service provider (see section "Provision of the offer"). The data can be used, for example, to provide data-based insights into the following areas:

In the app, user mobility data is used to create pseudonymized and aggregated analyses and their graphical visualization - among other things with the help of online map services. Conclusions about the identity of individual users are neither necessary nor desirable. The data collected is only stored temporarily on the cell phone. Once the data has been transferred to the server, it is deleted from the cell phone. Based on the analysis of the mobility data, recommendations can ultimately be derived and empirically validated decisions can be made with regard to the design of mobility.

Third-Party Utilization of Anonymized Mobility Data

In order to be able to develop good solutions for people's mobility needs and to counteract negative traffic consequences, reliable data on everyday mobility is required. In the apps or the SDK, mobility data is collected and used for anonymized and aggregated evaluations. Based on these evaluations, recommendations can be derived and empirically validated decisions can be made.

The aforementioned anonymized and aggregated evaluations may also be passed on to third parties and used for further analyses (e. g. by means of procedures to be developed in the future) outside the app designated here. Conclusions about the identity of individual users are neither necessary nor desirable and are consistently prevented by means of technical and organizational measures.

If the user has concluded a separate usage agreement with a third party or has given the third party corresponding consent (e. g., as part of participation in a study that this third party is conducting with the aid of the app), raw personal data may also be passed on to this third party in accordance with the terms of the agreement or consent.

Push Messages and Crash Reports

(Does not apply to: RECORD SDK)

Push messages: With the consent of users, we may send users so-called "push messages". These are messages that are displayed on users' devices even if they are not actively using our app. In order to sign up for the push messages, users must confirm the request of their end device to receive the push messages. Users can change the receipt of push messages at any time using the notification settings of their respective end devices. Push messages may be necessary for the fulfillment of contractual obligations (e. g., for relevant technical and organizational information of a transactional nature) and are otherwise sent on the basis of user consent, unless specifically stated below.

Disabling push notifications: As part of the app onboarding process, users are asked if they want to grant permission to send notifications. Users are free to accept or decline the offer. If users decline, no notifications are sent. The setting can be revoked at any time in the device settings or restricted to certain categories of notifications (e. g. error messages).

Contents

Crash Reports: As part of the app onboarding process, users are asked if they would like to participate in the submission to collect crash reports using Firebase Crashlytics. Users have the free choice to accept or decline the offer. If users decline, no crash reports will be sent. In the app settings, the decision can be reviewed at any time and settings for crash reports can be (de)activated at any time. The application uses only the default Firebase Crashlytics configuration and shares as little data as possible. The application does not make use of the options Firebase Crashlytics provides to add additional parameters and user identities to a crash report.

Services used:

Surveys and Polls

(Does not apply to: RECORD SDK)

We strive for a high degree of representativeness for aggregated and anonymized mobility analyses that we create, which describe the mobility behavior of a population. For this purpose, we conduct surveys and interviews in the app - exclusively to be able to describe the collected mobility data sociodemographically and socioeconomically, to optimize their quality, and to further develop our services. Conclusions about the identity of individual users are neither necessary nor desirable. The answers entered by users are stored pseudonymously and separately from the mobility data and are only evaluated on an aggregated level.

Service providers used:

Service Provision

In order to provide our services securely and efficiently, we use the services of one or more hosting providers, from whose servers (or servers managed by them) the offer can be accessed via app, among other things. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed within the scope of the provision of the hosting services may include all information relating to the users of our offer, which accrues within the scope of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of offers to apps, and all entries made within our offer.

Service provider used:

Embedded Functions and Content

(Does not apply to: RECORD SDK)

We integrate functional and content elements into our app offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the user, since without the IP address they cannot send the content to their browser. The IP address is thus required for the display of this content or function. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content.

Services used:

Rights of the Data Subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Data Deletion

Users of the MOTIONTAG app and the white label apps developed from it can request the deletion of their personal data and their user account from the app at any time. Users of the RECORD SDK or users who do not have access to the app (e. g. in the case of a defective mobile device) can request the deletion of the data and the user account from the provider.

Furthermore, the processed data will be deleted in accordance with the legal requirements as soon as the consents granted for processing are revoked or other permissions cease to apply (e. g. if the purpose of processing this data has ceased to apply or it is not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to these purposes, i.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.

This privacy policy may also contain further information on the retention and deletion of data, which shall apply with priority to the respective processing operations.

Amendment and Update of the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e. g. consent) or other individual notification.

Where we provide addresses and contact information of companies and organizations in this privacy statement, please note that the addresses may change over time and please check the information before contacting us.