Privacy statement ioki-Vehicle-App

1 Provider and data protection officer

The provider of this ioki vehicle app (hereinafter: "App") and the responsible party in terms of data protection law is ioki GmbH, An der Welle 3, 60322 Frankfurt am Main.

Our Group Data Protection Officer, Dr Marein Müller, can be reached at privacy@ioki.com. The privacy representatives (VPDS) in the group company ioki GmbH are Mr Stephan Klöckner, ioki GmbH, stephan.kloeckner@ioki.com and Ms Majura Ganeshamoorthy, ioki GmbH, majura.ganeshamoorthy@ioki.com.

2 Data processing and purpose

Depending on the specific use of the app, personal data is processed for the purposes specified below. Unless otherwise stated, the legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

2.1 Microsoft AppCenter

Our app uses the AppCenter service from Microsoft, Inc. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

You can find Microsoft's privacy statement at: https://privacy.microsoft.com/en-us/privacystatement

You can find the terms of use here: https://www.microsoft.com/en-us/legal/terms-of-use

We use the AppCenter platform to enable customers to access the app on Android end user devices. For external users, a user account is set up at AppCenter with an email address provided to us by the customer. After the account has been set up, the email address entered will receive an email with an access link which can be used to complete the registration of the account. The AppCenter user account is a basic requirement for accessing the app on Android end user devices. After registering on the AppCenter platform, the driver can install and use the app on his end user device.

The registered email address may receive notifications from AppCenter when new app versions are available.

2.2 App Store Connect

We use the App Store Connect platform to distribute our app for Apple end user devices and to enable customers to access it. External users who receive access to the app through us are registered in the App Store Connect test environment "TestFlight" with an email address and a user name provided to us by the customer. After registration by us, the registered email address will receive an email with an access code. This code is the basic requirement for accessing the app on an Apple end user device. The code must be redeemed in the Apple app "TestFlight", which must be downloaded by the driver from the Apple App Store. After redeeming the code, the driver can install and use the vehicle app on his end user device.

Registered drivers may receive notifications from Apple Connect via "TestFlight" to their stored email address when a new version of the app is available.

In order to display push messages on Apple end user devices, the services Firebase Cloud Messaging (see 2.3) and Apple Push Notifications (iOS) are used. Firebase and Apple generate a calculated key that is composed of the app's identifier and its device identifier. This key is stored on our push platform with the settings you have selected in order to provide you with the content according to your wishes. The servers of the service providers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve solely as intermediaries.

2.3 Google Play Store

We use the Google Play Store to provide customers with access to our app. A valid user account is a prerequisite for accessing the app on Android end user devices. After logging in, the user can install and use the app on his end user device.

You can find the privacy statement from the Google Play Store at: https://policies.google.com/privacy

2.4 Apple App Store

We use the Apple App Store to provide customers with access to our app. A valid user account is a basic requirement for accessing the app on iOS end user devices. After logging in, the user can install and use the app on his end user device.

The privacy statement from the App Store can be found at: https://www.apple.com/de/legal/privacy/data/de/app-store/

2.5 Firebase

Our app uses Firebase, a service provided by Google Inc (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

The app uses the following Firebase tools: Authentication, In-App Messaging (see also in 2.2) and Realtime Database.

The transmitted data is of a purely technical nature and has no personal data context.

If you wish to receive push notifications, you must explicitly consent to receiving them. You can revoke your consent at any time. During installation or when using the app for the first time, you will be asked for your consent to receive push notifications.

We use the services Firebase Cloud Messaging from Google (Android) and Apple Push Notifications (iOS) for push notifications. In the process, Firebase and Apple generate a calculated key that is made up of the app's identifier and its device identifier. This key is stored on our push platform with the settings you have selected in order to make the content available to you according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve solely as transmitters.

Further details can be found in Google's privacy statement: https://firebase.google.com/support/privacy#data_protection

https://policies.google.com/privacy

2.6 Sentry

The App uses Sentry, a registered trademark of Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

For more details, please see Sentry's privacy statement: https://sentry.io/privacy/

With the help of this tool, information is transferred to us anonymously in the event of an app crash, so that the cause of the respective crash can be traced and remedied more quickly. In this way, existing errors are analysed and identified, and the quality of the app is ensured.

2.7 Map display by HERE

Our app uses the mapping service operated by HERE Global B.V., Kennedyplein 222-226, 5611 ZT Eindhoven, The Netherlands.

This allows us to enable you to view and use maps in our app. Without the Vector Tiles API application, the app will not work.

The terms of use for HERE can be found at: https://legal.here.com/en-gb/terms

The privacy statement can be found at the following address: https://legal.here.com/en-gb/privacy

We use HERE to show you a map for navigation (map tiles). Your location data is not passed on to HERE. The identification of your person is excluded.

2.8 Mapbox

Our app uses Mapbox, 50 Beale St floor 9, San Francisco, CA 94105, USA.

You can find the privacy statement at: https://www.mapbox.com/legal/privacy

With the help of this application we enable navigation via our app (map rendering).

The transmitted data is of a purely technical nature and has no personal data context.

3 Disclosure of your data to third parties

In some cases, we use external service providers to process your data (e.g. troubleshooting). For this purpose, it is necessary that we transfer your personal data to our external service providers for a specific purpose (limited to the respective purpose). Our service providers have been carefully selected by us and commissioned in writing. They are - insofar as they act as processors for us - bound by our instructions and we have informed ourselves about their technical and organisational measures for the security of processing of personal data. Furthermore, we require our service providers to comply with the applicable data protection regulations. We work predominantly with service providers from the EU. To this end, we have concluded order processing contracts with our external service providers within the EU or the European Economic Area in accordance with Article 28(3) of the GDPR, insofar as this is necessary due to the purpose of the contract.

Your data will only be transferred if you have given us your express consent to do so or on the basis of a statutory regulation.

As far as necessary for our purposes, we may also transfer your data to recipients outside the EU in individual cases. If we transfer data to third countries, we ensure that the recipient has implemented an adequate level of data protection within the meaning of Article 45 of the GDPR or appropriate safeguards within the meaning of Article 46 (2) and (3) of the GDPR and that no other interests worthy of protection speak against the transfer of data.

4 Storage period/deletion periods

Your personal data will be stored by us for as long as is necessary for the aforementioned purposes of the processing, in the event of an objection there are no compelling reasons worthy of protection on the part of ioki GmbH or in the event of a revocation there is no other legal basis for the data processing. However, in certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately but will first be blocked.

5 Security measures to protect your personal data

We protect your data against unauthorised access, loss or destruction through technical and organisational measures. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to handle personal data confidentially. Our employees are trained accordingly.

The transmission of your personal data to us is encrypted.

6 Your rights

You have the right to receive information free of charge at any time about the origin, recipient and purpose of your stored personal data. Furthermore, you have the right to correction, deletion and restriction of your personal data, insofar as this is legally permissible and possible within the framework of an existing contractual relationship.

The right of the data subject to restriction of processing exists in the following cases:

Whether and to what extent these rights exist in the individual case and which conditions apply to them can be seen from the GDPR. The GDPR also grants you a right to data portability under certain circumstances (Art. 20 GDPR). If you have given your consent under data protection law, you can revoke this at any time with effect for the future. You also have the right to lodge a complaint with the competent data protection supervisory authority.

The supervisory authority responsible for ioki GmbH is:
Hessian Data Protection Commissioner
Gustav-Stresemann-Ring 1
65189 Wiesbaden

To exercise your rights, simply send a letter by post or e-mail to:
ioki GmbH
An der Welle 3
60322 Frankfurt am Main
E-mail: hello@ioki.com

7 Right of objection

In the case of processing of personal data for the performance of tasks in the public interest (Art. 6 (1) sentence 1 lit. e) GDPR) or for the performance of legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR), you may object to the processing of personal data relating to you at any time with effect for the future. In the event of an objection, we must refrain from any further processing of your data for the aforementioned purposes unless,

8 No automated individual case decision

We do not use your personal data for automated individual decisions.

9 Amendment of the privacy statement

We adapt the privacy statement to changed functionalities or changed legal situations. We therefore recommend that you read the privacy statement at regular intervals. If your consent is required or components of the privacy statement contain provisions of the contractual relationship with you, the changes will only be made with your consent.

Status: October 2023