Privacy Policy

§ 1 Controller

Unless otherwise stated, the controller in accordance with Article 4 No. 7 of the EU General Data Protection Regulation (GDPR) is HEAG mobilo GmbH, represented by its management, Klappacher Straße 172, 64285 Darmstadt, info@heagmobilo.de (HEAG mobilo). 

In Section B (Increased Transport Charge), HEAG mobiBus GmbH & Co.KG, represented by its management, Klappacher Straße 172, 64285 Darmstadt, info@heagmobibus.de (HEAG mobiBus) is also the controller for the bus sector, and in Section G (eTicket Rhein-Main) all transport companies mentioned there are controllers. 

§ 2 Company data protection officer, data protection coordinators 

HEAG mobilo and HEAG mobiBus have appointed a joint company data protection officer.This is CTM-COM GmbH, Marienburgstraße 27, 64297 Darmstadt, datenschutz@ctm-com.de or telephone 06151 3942-72. 

If you have any questions about data protection, please feel free to contact our internal data protection coordinators at datenschutz@heagmobilo.de. 

§ 3 Contacting us

When you contact us, the data you provide (depending on the contact method, your email address and your request, first and last name, callback number, time of the request etc.) will be stored to respond to your request. We will delete any data collected in this process as soon as storage is no longer necessary. If there are legal retention obligations, we will restrict processing until deletion. The processing of your personal data is based on your consent in accordance with Article 6(1)(a) GDPR. If you have questions about your existing subscription, Article 6(1)(b) GDPR also applies.

§ 4 Your rights as a data subject 

You always have the following rights regarding your personal data in relation to the data processing mentioned in the following sections: 

• Right to information free of charge 
• Right to correction or deletion 
• Right to restriction of processing
• Right to object to processing
• Right to data portability.

§ 5 Complaints to a supervisory authority 

You can also lodge a complaint with the competent supervisory authority (Article 77 GDPR). The supervisory authority responsible for us is 

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden
Telephone 0611 1408-0 
https://datenschutz.hessen.de/

Alternatively, you can contact your local supervisory authority.

§ 6 Revocation or objection to the processing of your data

(1) If you have given us your consent to process your personal data, you can revoke this consent at any time, in whole or in part, without giving reasons. The legality of the processing up to the point of your revocation remains unaffected.

(2) If we base the processing of your personal data on the protection of legitimate interests, you can object to this at any time. In doing so, we ask you to explain the reasons for your objection. These serve to review your objection and weigh up the interests involved. Depending on the result of the review, we will discontinue or adjust the data processing. Alternatively, we will inform you why we believe the further processing of your personal data is justified despite your objection. 

§ 7 No automated individual decision-making  

We refrain from any form of automated individual decision-making, including profiling (Article 22 GDPR). 

§ 8 No transfer of data to third countries 

Unless explicitly stated otherwise, your personal data will not be transferred to a third country (countries outside the European Economic Area – EEA). 

§ 1 Collection of personal data when visiting our website, cookies 

(1) You can use our website for informational purposes only (without registering or contacting us). In this case, we only collect the personal data that your browser transmits to our server. The following data is technically necessary to display our website to you and to ensure stability and security (the legal basis is Article 6(1)(f) GDPR): 

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Website from which the request originates
• Browser, language, and version
• Operating system and screen resolution

(2) In addition to the aforementioned data, cookies are stored on your computer when you visit our website. Cookies are small pieces of text information that are stored in the browser on the device you are using. The cookie provides us with certain information. Cookies serve to make our website more user-friendly and effective overall.

(3) Use of cookies: 

a) This website uses the following types of cookies, the scope and functionality of which are explained below: 

• Transient cookies (see b) 
• Persistent cookies (see c). 

b) Transient cookies are automatically deleted when you close your browser. These include, in particular, session cookies. These store a so-called session ID, which can be used to assign various requests from your browser to the shared session. This allows your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser.

c) Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can manually delete cookies at any time in your browser settings.

§ 2 Additional functions and offers on our website 

(1) In addition, you can use various services on our website if you are interested. To do so, you will usually need to provide additional personal data, which we will use to provide the respective service. The essential principles of data processing according to Article 5 of the GDPR apply.

(2) We sometimes use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions, and are regularly monitored.

(3) Furthermore, we may pass on your personal data to third parties if we offer participation in promotions, competitions, contract conclusions, or similar services. Details can be found in the respective offer.

(4) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of this in the respective offer. 

§ 3 Tracking – Use of Matomo 

(1) This website uses the web analysis service Matomo. The legal basis for the use of Matomo is Article 6(1)(f) GDPR. Our legitimate interest lies in being able to analyse the use of our website based on the statistics obtained and to regularly improve it for you as a user.

(2) In order to comply with the principle of data minimization, we do not use cookies. Instead, Matomo uses a so-called Config_ID. Details on the technical process can be found at https://matomo.org/faq/general/how-is-the-visitor-config_id-processed/. 

(3) This website uses Matomo with the “AnonymizeIP” extension. This means that the IP address is anonymized before it is stored. It is not merged with other data collected by us.

(4) The controller stores the collected information exclusively on servers in Germany. This includes the following data: 

• Number and time of visitors 
• Average length of stay
• Bounced visitors (leaving the website after one page) 
• Actions per visit (page views, downloads, outgoing links, internal searches) 
• (Unique) page views 
• Devices used and software installed by visitors 
• Actions per visit (page views, downloads, outgoing links, internal searches), (unique) page views, user behavior (entry pages, exit pages, origin of visitors, e.g., search engine, etc.) 
• Devices used and software installed by visitors

(5) The Matomo program is an open source project. Information on data protection from the third-party provider can be found at https://matomo.org/privacy-policy/. 

§ 4 Newsletter 

(1) You have the option of registering for our newsletter (press releases, traffic reports, etc.). To do so, you only need to provide your email address. You can provide additional data if you wish. When you click on “Subscribe to newsletter,” we will first send a notification to the email address you provided, asking you to confirm your subscription. Only then will you receive our newsletter (double opt-in). Your personal data will be processed based on your consent in accordance with Article 6(1)(a) of the GDPR. 

(2) For certain newsletters, we collect additional data from you to ensure qualified processing. For our press distribution list, this includes your first and last name and the organ you work for. In our contact form, this includes your first and last name. The processing of your additional personal data is based on our legitimate interest pursuant to Article 6(1)(f) GDPR. We want to ensure that our press distribution list only reaches members of the press to enable a personal and professionally qualified exchange.

(3) You can revoke your consent to receive our newsletters at any time without giving reasons. You will find an option to do so at the end of each newsletter. You can also revoke your consent by post (HEAG mobilo GmbH, Klappacher Straße 172, 64285 Darmstadt, Germany) or by email (kommunikation@heagmobilo.de).

(4) We use the Brevo newsletter tool from Sendinblue GmbH in Berlin to send certain newsletters (press distribution list, IGEL3 newsletter). We have concluded a contract with them for order processing. The data you provide when registering for the newsletter and additional technical data (time and date of registration, IP address) are processed by Brevo. Your personal data is processed based on your consent in accordance with Article 6(1)(a) GDPR. The technical data is required to be able to prove that you have actually subscribed to the newsletter in the event of a dispute (Article 6(1)(c) GDPR). It will be deleted as soon as you unsubscribe from the newsletter. We also collect information on whether you have opened the newsletter we sent you. This is done based on our legitimate interest pursuant to Article 6(1)(f) GDPR. This enables us to continuously improve our offering. No further tracking takes place.

(5) You have the option to object to the processing of your data based on our legitimate interest (see General Information on Data Protection, § 6).

§ 5 Google Maps 

(1) This site uses the Google Maps map service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. This service allows us to embed map material on our website.

(2) To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. We have no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform font display. When you access Google Maps, your browser loads the required web fonts into your browser cache to display text and fonts correctly.

(3) Due to the data transfer, the Google Maps service is deactivated by default. If you wish to use it, you must give us your consent. The processing of your personal data is then carried out based on Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. Your consent can be revoked at any time (see above).

(4) Google also processes your personal data in the US. Data transfer is based on certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when data is processed in the US.  

(5) Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/. You can find more information on the handling of user data in Google’s privacy policy: https://policies.google.com/privacy?hl=de. 

§ 6 Google reCAPTCHA 

(1) We use “Google reCAPTCHA” (“reCAPTCHA”) on this website. The provider is Google. reCAPTCHA is used to verify whether the data entered on this website (e.g., in a contact form) is entered by a human or by an automated program. To do this, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. 

(2) For analysis purposes, reCAPTCHA evaluates various information and forwards it to Google (e.g., page that integrates reCAPTCHA, page from which the user comes, user’s IP address, device settings such as language, browser, location, length of stay, mouse movements and keystrokes, screen and window resolution, time zone, and installation of browser plugins).  

(3) reCAPTCHA analyses run completely in the background, provided you have given us your consent to do so. Processing is then carried out based on Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. Your consent can be revoked at any time (see above).

(4) For more information about reCAPTCHA, please refer to Google’s privacy policy and Google’s terms of use at https://policies.google.com/terms?hl=de.  

(5) Google also processes your data in the USA. For details, please refer to Section A § 5 (4) and (5) (see above).

§ 7 Multilingualism – Polylang 

(1) We would like to offer you our website in multiple languages. To do this, we use the WordPress plugin Polylang. The provider is WP SYNTEX, 8, rue Joseph Cugnot 38307 Bourgoin Jallieu, France. Further information can be found at https://polylang.pro/documentation/support/faq/.  

(2) The Polylang cookie (‘pll_language’) only stores your language selection. It remains stored for one year and is then deleted. No data is sent to the provider.

(3) The legal basis for its use is Article 6(1)(f) GDPR. Our legitimate interest lies in being able to offer you our website in multiple languages. You have the option to object to its use (see General Information on Data Protection, § 6). 

§ 8 All In One WP Security 

(1) We use the plugin “All-In-One Security (AIOS) – Security and Firewall” to ensure the security of our website. The provider is Team Updraft or Updraft WP Software Ltd. Details can be found at https://de.wordpress.org/plugins/all-in-one-wp-security-and-firewall/.    

(2) This plugin may set cookies and thereby collect and store IP addresses. These are stored exclusively on our servers. The storage period is a maximum of three hours. The recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website.

(3) The legal basis for use is Article 6(1)(f) GDPR. Our legitimate interest lies in protecting our website against malicious software, brute force attacks, spam, and other malicious activities. You have the option to object to the use of cookies (see General Information on Data Protection, § 6).

§ 9 Use of social media platforms 

(1) We currently use the following social media platforms for information and marketing purposes: YouTube, Facebook, and Instagram. The legal basis for this is Article 6(1)(f) GDPR. Technically, our respective presences are integrated via a simple link. Personal data is only transferred to a platform operator when you click on the respective link. The links to the platforms can be found in the header of our website. Please note that the aforementioned platforms are based in the USA. When you visit their websites, your personal data may therefore be transferred there and stored. We have no influence on the data processing procedures, and we are not aware of the full scope of data collection, the purposes of processing, the storage periods, or details regarding deletion. Data collection takes place regardless of whether you have an account with the platform operator and are logged in there. If you are logged in to the platform, the data we collect will be directly assigned to your existing account. If you do not want this to happen, you should log out after using the respective platform. 

(2) The platforms store the personal data collected about you as usage profiles and use them for advertising, market research, and/or the needs-based design of their website. You have the right to object to the creation of usage profiles. For details, please refer to the respective privacy policy of the platform.

§ 10 Facebook fanpage 

(1) Links to the social network Facebook are integrated into our website. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries. An overview of Facebook social media elements can be found here: https://developers.facebook.com/docs/plugins/?locale=de_DE.

(2) When you click on the link, a direct connection is established between your device and the Facebook server. Facebook receives the information that you have visited our website with your IP address. If you click on the Facebook “Like” button while you are logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Facebook. Further information on this can be found in Facebook’s privacy policy at: https://de-de.facebook.com/privacy/explanation. 

(3) The use of this service is based on your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time.

(4) Insofar as personal data is collected on our website and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transfer to Facebook. The processing that takes place after the transfer is carried out solely by Facebook. The obligations incumbent upon us jointly have been set out in a joint processing agreement. The wording of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using Facebook and for ensuring that it is implemented on our website in a manner that complies with data protection laws. Facebook is responsible for the data security of Facebook products.

(5) You can assert your rights as a data subject (e.g., requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your rights as a data subject with us, we are obliged to forward them to Facebook.

(6) Facebook/Meta also processes your personal data in the US. Data transfer is based on certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when data is processed in the US. 

§ 11 Integration of YouTube videos 

(1) We have integrated the video service YouTube.com into our online offering. YouTube is a platform where users can post videos and make them publicly available. The platform is operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA. The contact for customers in Europe is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

(2) The videos can be played directly on our website and are all integrated in “extended data protection mode,” which means that no data about you as a user is transferred to YouTube if you do not play the videos. Only when you play the videos will the data mentioned in paragraph 3 be transferred. We have no influence on this data transfer.

(3) By playing a video, YouTube receives information that you have accessed the corresponding subpage of our website. This occurs regardless of whether YouTube provides a user account that you are logged into or whether no user account exists. If you are logged into Google, your data will be directly associated with your account. If you do not want this association with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for advertising, market research, and/or the needs-based design of its website. Such evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.

(4) Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy policy. There you will also find further information on your rights and settings options for protecting your privacy: https://policies.google.com/privacy?hl=de&gl=de.

(5) Google also processes your personal data in the US. Data transfer is based on certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when data is processed in the US.

§ 12 Instagram 

(1) This website incorporates features of the Instagram service. These features are provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. For more information, please refer to Instagram’s privacy policy: https://privacycenter.instagram.com/policy/.  

(2) When you click on the link, a direct connection is established between your device and the Instagram server. Instagram receives information about your visit to this website. If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to our website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Instagram.  

(3) The use of this service is based on your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time.  

(4) Insofar as personal data is collected on our website and forwarded to Meta or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Article 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transfer to Meta or Instagram. The processing that takes place after the transfer is carried out solely by Instagram. The obligations incumbent upon us jointly have been set out in a joint processing agreement. The wording of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using Instagram and for ensuring that it is implemented on our website in a manner that complies with data protection laws. Meta is solely responsible for the data security of Instagram products. 

(5) You can assert your rights as a data subject (e.g., requests for information) regarding the data processed by Instagram directly with Meta. If you assert your rights as a data subject with us, we are obliged to forward them to Meta.
 
(6) Facebook/Meta also processes your personal data in the US. Data transfer is based on certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that aims to ensure compliance with European data protection standards when data is processed in the US.