Privacy Policy for the App “WDRflyer“

Date: April 2021

1. Controller

This Privacy Policy applies to the Processing of Personal Data by us as Controller in accordance with Art. 4 Para. 7 of the General Data Protection Regulation (GDPR). Our contact details are:
RailAppSolutions Roth und Heydenreich GbR
Wieckstrasse 44
22527 Hamburg
Germany

Partners: Marcus Roth and Thomas Heydenreich

Telephone: +49 40 238 069 70
Fax: +49 40 238 069 07
E-Mail: info@wdrflyer.com

2. Definitions of terms

Insofar as this Privacy Policy does not contain or imply a different definition, we refer to the definitions in Art. 4 GDPR with regarding the terms used.

3. Processing of your Personal Data

3.1. When downloading the App

When downloading the app, the required information will be transferred to the Google Play Store if you are using our app on an Android device or to the Apple App Store if you are using our app on an iOS device. In particular, it requires your username, email address and customer number of your account, time of download, payment information and the unique device identification number, as well as other information, if any. We have no control over and are not responsible for this Collection and Processing of Personal Data. We process the data only to the extent necessary for downloading the app to your end device.

Please also refer to the Privacy Policy of Google (https://www.google.de/intl/en/policies/privacy/) or Apple (https://www.apple.com/de/privacy/privacy-policy/).

3.2. When using the App

3.2.1. Technically required Processing of Personal Data

As part of your use of the app, we automatically collect certain data that is technically necessary for the use of the app. These data are automatically transferred to us, but are not stored. This includes

• IP Address
• Timestamp of access
• URL accessed

This data is necessary for us to make our app available to you. The legal basis for this Processing of Personal Data is Art. 6 Para. 1 S. 1 lit. f GDPR. The deletion takes place after one month.

In order to carry out the aforementioned Processing of Personal Data, we make use of the services of carefully selected service providers, who process your data on our behalf and according to our instructions and which we monitor regularly.

3.2.2. Processing of Personal Data for the fulfilment of our contractual obligations

In addition, we process personal data, which is necessary to provide you with the functions of the app. This includes

• Your account data and password
• Timestamp of taking damage pictures
• Timestamp of submitting a damage report
• Contact information of the person reporting a damage

We process use this information to provide you with the Service and related functions to fulfill our portion of the User Agreement. The legal basis for this is Art. 6 Para. 1 lit. b GDPR.

In order to carry out the aforementioned Processing of Personal Data, we make use of the services of carefully selected service providers, who process your data on our behalf and according to our instructions and which we monitor regularly.

3.2.3. Transfer of damage reports to third parties

We transfer the damage reports, including any personal data contained therein, to the office responsible for receiving the damage reports (GCU Broker). In this way, we fulfill the contract of use concluded between you and us. The legal basis for this is Art. 6 para. 1 p. 1 lit. b GDPR.

In addition, we may transfer the damage reports prepared by you, including any personal data contained therein, as well as information regarding the transfer referred to in the aforementioned paragraph (so-called transmission data) to the following companies:

1. the company you work for,
2. the company on whose assignment you are preparing the damage report.

In this way, we support you in fulfilling your obligation (e.g., under your employment or service contract) to transfer the damage reports to the respective receiver mentioned in 1. and 2. The legal basis for this is Art. 6 para. p. 1 lit. b GDPR.

3.2.4. Analysis of your Usage for product development and support

In order to improve the functions and features of the app as well as to prevent and eliminate malfunctions, we analyse your use of the app. For this purpose we collect and process the following data about your use of the App:

• Device ID
• Model information of your device
• Operating System of your device

We process this data, because we have a legitimate interest in ensuring the functionality and error-free operation of the app and to be able to offer a market- and interest-oriented service. We and the service providers commissioned by us use the knowledge gained from this for the continuous further development of the App and the associated technical platform. The legal basis for this Processing of Personal Data is Art. 6 para. 1 lit. f GDPR.

3.2.5. Further processing of non-personal data

We will further process the data on the wagons and the type of damage provided by you in the damage reports in order to be able to offer the owners and/or manufacturers of the wagons services in the field of maintenance optimisation. This does not include personal data.

4. Storage Period

We will delete or anonymise your personal data as soon as it is no longer required for the purposes for which we have collected or processed it in accordance with the preceding Clauses. As a rule, we retain your personal data for the duration of the usage or contractual relationship for the App plus a period of 2 years during which we store backup copies after the deletion, unless this data is longer necessary for criminal prosecution or to secure, assert or enforce legal claims.

If the data is not deleted because it is required for other, legally permitted purposes, the Processing of Personal Data will be restricted. This means that the data will be blocked and not used. This applies, for example, to data that must be stored for commercial or tax reasons.
In accordance with legal requirements in Germany, the storage of commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc. is carried out for six years according in accordance with § 257 (1) of the German Commercial Code (HGB). We also store books, records, management reports, accounting documents, commercial and business letters as well as documents relevant for taxation, etc. according in particular § 147 (1) of the German Tax Code (AO) for ten years.

5. Transfer to Third Countries

Your personal data is currently stored exclusively within the European Union (EU) or the European Economic Area (EEA).

Processing of your personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) only takes place if it is necessary for the fulfilment of our (pre)contractual obligations (in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR), on the basis of your consent (pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR), on the basis of a legal obligation (pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR) or on the basis of our legitimate interests (pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR). The same applies if third parties process your data on our behalf in a third country. Furthermore, your data will only be transferred to a third country if this is expressly permitted under Art. 44 ff. of the German Data Protection Act. GDPR is permitted.

6. Rights of Data Subjects

You have the right:

• to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if these have not been collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on their details;
• in accordance with Art. 16 GDPR, to demand the correction of incorrect or complete personal data stored by us without delay;
• to request the deletion of your personal data stored with us in accordance with Art. 17 DSGVO, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
• in accordance with Art. 18 GDPR, to restrict the processing of your personal data if you dispute the accuracy of the data, if the processing is unlawful but you refuse to delete the data and we no longer need the data, but if you need it to assert, exercise or defend legal claims or if you have filed an objection to the processing in accordance with Art. 21 GDPR;
• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, current and machine-readable format or to request its transfer to another controller;
• to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at our company headquarters.

7. Rights of Revocation and Objection

7.1. Revocation of Consent

If we process your personal data on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR, you have the right to revoke any consent granted to us pursuant to Art. 7 para. 3 GDPR with effect for the future.
If you would like to make use of your right of revocation, you can inform us by e-mail to privacy@wdrflyer.com. Alternatively, you can also use the contact data listed under 1. above.

7.2. Objection in case of processing on the basis of our legitimate interest

If we process your personal data on the basis of our legitimate interests pursuant to Art. 6 para. 1 sentence 1 f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for this which arise from your particular situation or the objection to direct advertising is directed. In the latter case, you have a general Right to object, which we will implement without specifying a particular situation.
If you would like to exercise your Right to object, you can inform us by e-mail to privacy@wdrflyer.com. Alternatively, you can also use the contact data listed under 1. above.

8. Security Measures

We take organizational, contractual and tech-nical security measures in accordance with the state of the art in order to ensure that the regulations of data protection laws are observed and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. The security measures include in particular the encrypted transmission of data between your browser and our server.

9. Concluding provisions

We reserve the right to change our Privacy Policy if this should be necessary due to new technologies or changes in our data processing processes or to adapt it to changes in the legal situation relevant to us. However, this only applies to this data protection declaration. If we process your personal data on the basis of a consent given by you, any changes will only be made with your consent. If the change includes mandate data, we will inform you at the time of each new processing that takes place for the first time after a change to the Privacy Policy takes effect.
You can find the current version of our Privacy Policy within the WDRflyer app at “Miscellaneous“.