Privacy policy of TecBakery GmbH - WavePointer for the use of the eJourney app and the survey campaigns provided there by partners.
This declaration was written in German (DE). If there are discrepancies between the translated versions of this declaration and the German version, the German version will always prevail.
Date: 01.09.2024
In this document, TecBakery GmbH - WavePointer (hereinafter referred to as "WP") as the processor informs you about the processing of your (personal) data in connection with the use of the eJourney App (hereinafter referred to as "App") and, in particular, the survey campaigns provided by WP partners (hereinafter referred to as "CP" or "KP") and the rights to which you are entitled under data protection laws.
The aim of the service is to collect data to determine the demand for public transport services (hereinafter referred to as "public transport"). The service is designed to be permanent. The end date of a survey - if any - is determined by the CP in a respective campaign for which you as a participant have received an invitation code from the CP. However, all participants have the option of cancelling their participation independently at any time.
By accepting the separate conditions of participation, you guarantee that you will only use the mobile phone registered to you - in connection with a survey campaign - yourself. The mobile phone may not be passed on to third parties in connection with a survey campaign. If your mobile phone, which you use for your participation in the offer of a KP, is accidentally used by other persons, we will also process their data. In this case, please also inform these persons about the content of this privacy policy.
1. Centre responsible for data processing
For the offer to participate in a survey campaign in the eJourney app, the respective CP who invited you to the campaign and sent you an invitation code for a respective campaign is responsible within the meaning of Art. 4 (7) GDPR.
The contact details of the data protection officer or data processing controller can be found in the information provided by the KP. You will find this information in the KP's invitation email for each campaign.
2. The data processor is
TecBakery GmbH - WavePointer
Data Protection Officer
6415 Arth am See, Switzerland
E-Mail: datenschutz@wavepointer.com
3. Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject").
4. Purpose and legal basis of data processing
WP itself does not process any personal survey data, as WP does not know the actual identity of a campaign participant. WP only knows the invitation code that the participant has received from the CP and does not itself have access to background systems at a CP.
Only a KP can derive personal data, produce it and process it exclusively within the framework of data protection regulations or pass it on for processing in compliance with regulations.
5.1 Collection of mobility data
Providers of transport and mobility services, particularly in the public transport sector, are creating new ticket offers to increase the use of public transport and make it even more attractive for passengers. The "eJourney" app is being used to gain a better understanding of the occasions and routes on which passengers use these new ticket offers. The app - and an associated campaign - are used to measure the transport services provided by the transport companies involved in each journey.
The app automatically records the mobility of campaign participants in the respective public transport environment. As a result, participants are increasingly no longer burdened with filling out questionnaires or other passenger survey methods, for example.
The data collected by WP is only collected on the basis of pseudonymised (quasi-anonymous) data, which does not allow any conclusions to be drawn about individual participants. Nevertheless, as a precaution, we would like to point out that, for example, recurring locations could allow conclusions to be drawn about your place of residence and work and thus about you personally. To prevent this, precautions have been taken, which can be found under order processing.
5.2 Legal basis for data processing
KP processes your personal data as part of a dedicated campaign invitation because you have given KP your consent to do so by joining a campaign. The legal basis is therefore Art. 6 para. 1 a) GDPR. Only with regard to customer service is the legal basis Art. 6 para. 1 f) GDPR.
6. Data processing in the context of your participation in a campaign
In the following, we will inform you about the individual data processing operations that are required as part of your participation in a KP campaign.
6.1 App
The first step in your participation is to install the app provided by WP, which you can use to track your movements and mobility behaviour in everyday life - in connection with public transport - in accordance with the terms and conditions of participation. By entering your e-mail address, a password and the invitation code, you consent to the processing of your personal data required for the purposes described here when using the app and the mobile phone, and you agree to the terms and conditions of participation.
6.1.1 Movement data
We use the app to collect your movement data (hereinafter referred to as "movement data"). We carry out traffic analyses on the basis of this movement data. This serves to derive mobility-related indicators. In addition, backgrounds can be determined on the basis of the cross-daily movement patterns and spatial analyses can be carried out.
As soon as you start recording in the app, data points are collected that contain spatial coordinates, points in time and movement states. We have developed algorithms that interpret these data points in terms of stages with different modes of transport and associated attributes such as duration and length. If you use the app over several days, multi-day movement profiles are created.
Even if the movement profiles are collected in pseudonymised form, recurring locations could theoretically be used to draw conclusions about the place of residence and place of work and thus possibly about individual persons. Even if the participants are not identified by WP, the movement profiles collected are conditionally personal data. Accordingly, they are treated just as sensitively as your personal login data (e-mail address).
The app for both the iOS and Android operating systems transmits the following information from your mobile device to WP:
the mobile phone model,
the version of the respective operating system,
the version of the app,
location data (GPS coordinates),
beacon signals from the vicinity of the public transport system,
movement activity pre-evaluated by the mobile phone.
WP also collects the following data in the app:
Primary identification data
E-mail address for making contact.
Login information for logging in via the app (e-mail address).
Smartphone application.
Time of localisation
Geo coordinates and accuracy (determined by the GPS chip)
Acceleration values (determined via sensors in the mobile phone).
Gyroscope sensor/gyroscope values (determined via sensors in the mobile phone).
Barometer/air pressure data (determined via sensors in the mobile phone).
Magnetometer (determined via sensors in the mobile phone).
Movement activity from operating system.
Recognition reliability (confidence) of movement activity.
Bluetooth signals from beacons attached to means of transport/stops.
Further Bluetooth signals from beacons used in the public transport environment.
Further information such as the means of transport used or lines and courses are calculated using algorithms based on input data and by correlation with geodata (so-called "geo-matching") and, if necessary, stored in addition to the movement profile. The geodata includes data from the OpenStreetMap project.
6.1.2 Processing of movement data
After the app has recorded the data shown in 6.1.1, this data is transferred to a data centre via a WLAN connection or, if switched on, via mobile data to the WP server and stored there in a database. WP's data centre is located exclusively in the EU/Switzerland and is certified in accordance with ISO/IEC 27001. ISO/IEC 27001 is the international standard for a documented information security management system. The data collected by the app is transmitted exclusively using secure encryption procedures. The raw data is processed on the WP server using the analyses described in section 6.1.1.
6.1.3 Additional surveys
In order to find out more about the use of ticket offers, e.g. how satisfied you are with the offer, we plan to carry out additional surveys at irregular intervals. For these surveys, we will contact you by email using the email address you provided when registering or within the app. Participation is voluntary and you will not suffer any disadvantages if you do not take part.
6.1.4 Storage of data in the app
In addition to the collected data points themselves, the app only stores the email for the login of the last use. This makes it easier to log in again, as the email does not have to be entered again. Passwords and other user-related data are not saved. Once the data points have been transferred to the server, they are deleted in the app.
6.1.5 Contact
If it is necessary to contact you, e.g. if we notice technical errors during data collection or if we need to inform you about important news, we will use the e-mail address you used when registering in the app.
6.2 Customer service
In the event of any faults, you have the option of contacting the customer service provided by the KP by sending an e-mail to the e-mail address communicated by the KP. You will usually receive this e-mail address with the invitation code for a campaign. Your personal data will then only be used to process your enquiry. Your enquiry(s) may be stored until the end of the app's collection period so that we can look back at your history in the event of several enquiries and use the questions resolved there to answer a new enquiry.
7. Processor
The collection and analysis of the data described in section 6 is carried out by WP as a processor:
WP processes the data on HostEurope GmbH servers with locations in the EU (Germany and France).
In addition, WP currently uses the following service providers:
7.1 Firebase Crashlytics
This is a software development kit (SDK) from Google LLC for crash reporting and application logging. The service is used to track errors in the app. Further information can be found at firebase.google.com.
7.2 Map visualisations
The app displays a map in the background. In order to be able to load the graphics required for the map display and to request these graphics, requests are sent to the map service provider OpenStreetMap. Within this request, the IP address of the participants is transmitted to the map service provider.
The map service is used equally for the iOS and Android mobile operating systems.
The privacy policy can be found at https://osmfoundation.org/wiki/Privacy_Policy
7.3 Data transfer to the USA:
Since products (software) from US service providers (such as Firebase - Google) are used, a transfer of your personal data (e.g. IP address) to the USA cannot be ruled out. Where possible, your data will only be processed within Europe; however, due to legal provisions in the USA, data transmission cannot be ruled out in certain cases - for example, if service providers of a US group are used and a US authority requests the respective customer data.
You are hereby informed that the European Court of Justice has certified the USA as a country with an inadequate level of data protection. In particular, there is a risk that US authorities and intelligence services may access personal data and use it for monitoring and surveillance purposes. The enforcement of data subjects' rights is not guaranteed by appropriate legal protection instruments in the USA. To protect your data from such access, it is pseudonymised and only transmitted in encrypted form (see 6.1.2).
8. Other recipients of personal data
On a contractual basis, companies that work for WP/KP as part of order processing also process your data to the extent necessary, in some cases selectively, for example data centres or specialists for market research, data analysis.
On a contractual basis, recipients outside our company who do not work for us as part of order processing also process your personal data to the extent necessary, for example lawyers in the event of legal disputes.
These - or other qualified - subcontractors or recipients are obliged to comply with data protection on the basis of legal or professional obligations or contractual agreements.
9. Deletion of personal data
We generally delete personal data when it is no longer required for the above-mentioned purposes. Your personal data stored for the purpose of efficiently answering your questions through customer service will also be deleted at the latest when you delete your profile/account. If you delete your app profile/account, we will delete all your data from WP, unless this is not possible for legal reasons.
10. Your rights
As a data subject within the meaning of the GDPR, you have the following rights in principle - or under certain legal conditions.
Please send an e-mail to the KP who sent you the invitation code for a campaign if
you would like to receive information about your processed data (Art. 15 GDPR).
you wish to rectify inaccurate personal data or complete incomplete data (Art. 16 GDPR).
you wish to have your personal data erased (Art. 17 GDPR).
you wish to restrict the processing of your data (Art. 18 GDPR).
you wish to receive or transfer the personal data concerning you (Art. 20 GDPR).
you wish to revoke your consent to the processing of your personal data at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected by the revocation. We will inform you of how you can declare your revocation when we obtain your consent.
Alternatively, you can also contact the KP in writing with your request.
You will find the contact details above under point 1.
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
You can contact the data protection authority in your country of residence.
11. Your right to object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(f) GDPR, including profiling based on those provisions. We will then no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. You can raise such objections via the data controller, see section 1 above.
12. Changes to the data protection information
As changes to the law or changes to our internal company processes may make it necessary to adapt this data protection notice, which we reserve the right to do accordingly, we ask you to access this data protection notice regularly at www.ejourney.app.