Privacy Notice MICycle App

General information about the processing of your data

We are required by law to inform you about the processing of your personal data (hereinafter "data") when using our app. We take the protection of your personal data very seriously. This data protection notice informs you about the details of the processing of your data and about your legal rights in this regard. For terms such as "personal data" or "processing", the legal definitions from Art. 4 GDPR are authoritative. We reserve the right to adapt the data protection declaration with effect for the future, in particular in the event of further development of the apps, the use of new technologies or changes to the legal basis or the corresponding case law. We recommend that you read the privacy policy from time to time and take a printout or copy for your records.

1. Controller

   The controller responsible for processing personal data within the scope of application of this Privacy Policyis:

   
   

   CULT d.o.o. Tržaška cesta 77

   1370 Logatec Slovenia

   
   

   Contact: info@cult.si

   
   

2. Data Protection Officer

   You can reach our data protection officer at info@cult.si or at the above postal address ("Attn: Data Protection Officer"). We expressly point out that when using the email address, the contents are not exclusively noted by our data protection officer. If you wish to exchange confidential information, please therefore first contact us directly via this email address.

   
   

3. Security

   We have taken comprehensive technical and organizational measures to protect your personal data from unauthorized access, misuse, loss, and other external interference. To this end, we regularly review our security measures and adapt them to the state of the Art.

   
   

4. Your rights

   You have the following rights with respect to personal information concerning you which you may en- force against us:

   • Right to information: According to Art. 15 GDPR, you can demand information on the personal data which we process.

   • Right to rectification: Should the information in question not (no longer) be correct, you can demand rectification according to Art. 16 GDPR. Should your data be incomplete, you can de- mand that your data be completed.

   • Right to erasure: According to Art. 17 GDPR, you can demand erasure of your personal data.

     
     

   • Right to restriction of processing: According to Art. 18 GDPR, you have the right to demand restriction of your personal data.

   • Right to object: According to Art. 21(1) GDPR, you have the right at all times to object to the processing of your personal data as performed on the basis Art. 6(1)(1) point e) or point f) for reasons relating to your particular situation. In this instance, we will not continue processing your data unless we can demonstrate mandatory grounds for processing that require protection and which are superior to your interests, rights, and freedoms, including if such processing is being undertaken to establish, exercise or defend legal claims (Art. 21(1) GDPR). According to Art. 21(2) GDPR, you are furthermore entitled to the right to object to the processing of personal data relating to your person for the purposes of direct marketing at any time; this also applies in the event of any profiling insofar as such is directly connected to such direct marketing. We refer you to the right to object in this Data Protection Policy with regards to the respective pro- cessing.

   • Right to withdraw your consent: Insofar as you have given your consent to processing, you have the right to withdraw such according to Art. 7(3) GDPR.

   • Right to data portability: You have the right to receive such personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format (“data portability”), and the right to have these data transmitted to a further controller, provided the prerequisite under Art. 20(1) point a), b) GDPR has been fulfilled (Art. 20 GDPR).

     You may enforce your rights by sending communication using the contact details named under “Con- troller” , or the Data Protection Officer we have named.

     If you are of the opinion that the processing of your personal data breaches data protection law, you also have the right to lodge a complaint with a data supervisory authority of your choice according to Art. 77 GDPR.

     
     

5. Use of our apps

   Installing our apps

   Our MICycle apps are made available on platforms provided by third party providers (iOS and Android) for downloading onto your end device. In order to be able to download the respective apps, these platforms may require registration. MICycle has no influence whatsoever on the processing of the data collected, which may possibly arise in the course of registration on the respective platform.

   
   

   Location-based service in our apps

   If you have registered in our app and use our service, we collect location data to offer you MICycle bikes in your area. In addition, we collect the return location of your MICycle bike so that the MICycle bike you returned can be found by other users. To use these services, you must also actively confirm access to your location via the operating system of the mobile device you are using. We do not record any movement profiles and only record the location when the app is actively used.

   
   

   System permissions of our apps

   In order to provide you with all the functions of our apps, our apps must access various interfaces on the mobile device you are using. In order to ensure these interfaces, you must allow them actively in some cases, depending on the operating system of your end device. You can adjust or withdraw these settings at any time in the system settings of your end device.

   
   

   • Location services: In order for our apps to be able to determine your location, you must allow our app to access the location services on the mobile device you are using. You can activate or deactivate this setting at any time via the system settings of your end device.

   • Mobile data or network access: In order to use our apps, an internet connection of your mobile device is necessary. To do this, you must activate the mobile data or network access of your end device. You can activate or deactivate this setting at any time via the system settings of your end device.

     
     

6. Registration and tariff options

   During or after registration, we offer you options to decide on the collection and use of your data in certain areas. You can exercise your choices and options via your user account.

   Registration/login area of the websites and apps

   If you want to use the password-protected area on our websites and in our apps, you generally have to register using the following information:

   • Address

   • E-mail address

   • First/last name

   • Phone Number

   • Location / City / Postcode

   • Means of payment

     When registering for the use of MICycle in different cities and countries, different data is requested that is required for the registration in the respective cities/countries. Furthermore, at the time of registration, your IP address and the date and time of registration are processed. After you have submitted the data required for registration, you will receive an SMS with a personalized PIN code to activate your customer account. Only after successful activation by entering the PIN code is access to the customer account created and registration successfully completed. For subsequent registrations (logins), the access data (user ID, password) selected by you during the first registration must be entered. If confirmation by entering the transmitted PIN code is not received within 24 hours, we will block the information transmitted to us and automatically delete it after one month at the latest. Otherwise, your data will be deleted as soon as they are no longer required to achieve the purpose of their processing. This is the case for the data collected during the registration process when the registration on the website or in the apps is cancelled or modified and your customer account is balanced.

     The following functions are available in the login area of the websites and the apps: You can…

   • Check your MICycle account balance

   • Edit your profile data (enter and change name, contact details)

   • Change payment methods

   • Cancel your customer account

   • View and manage tariff options

     If you use the password-protected area of the websites or apps, e.g. to edit your profile data, we also process the personal data required to initiate or fulfill the contract, in particular address data and infor- mation on the method of payment. The legal basis for the processing is Art. 6 para. 1 (1) point b) GDPR. The provision of your data is necessary and mandatory for the conclusion or performance of the con- tract. If you do not provide your data, you can neither register nor use the login area, i.e. a contract conclusion and / or execution is not possible. The data will be deleted as soon as they are no longer required to achieve the purpose of their processing, or processing will be restricted if legal retention periods exist. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of ten years. 6 months after termination of the contract, we re- strict the processing and reduce the processing to compliance with existing legal obligations.

     
     

7. Collection and processing of location data

   Collecting in the course of the rental process

   For the purpose of faster traceability and billing, we locate the location (coordinate-based) of the respec- tive bicycles within our business areas when renting and returning each bicycle. We do not track the distance traveled during the time the bicycle is borrowed. Insofar as we use the location data (GPS data) for billing purposes, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. Otherwise, we base the processing of location data on the legal basis of Art. 6 (1) (f) GDPR, as we pursue the purpose of improving the service for our customers by being able to distribute the bicycles evenly in the city area. In addition, the GPS tracking serves the prevention and detectability of criminal offenses in connection

   
   

   with the use of the bicycles. After the purpose has been achieved (e. g. after the bicycle has been re- turned), the GPS data is blocked for further processing or deleted, unless we are entitled to further stor- age and processing required in the respective context on the basis of a consent granted by you, a con- tractual agreement, a legal authorization or on the basis of legitimate interests (e. g. storage for the enforcement of claims). Due to mandatory commercial and tax regulations, we are obliged to store GPS data that serve as a basis for accounting in accordance with §§ 257 HGB, 147 para. 1 No. 4, para. 3 AO for a period of ten years.

   
   

   You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details mentioned in the section "Controller".

   
   

8. Payment / Payment provider

   
   

   Credit card payments

   For the purpose of payment processing, the customer provides the payment data required for the credit card payment to the credit institution commissioned with the payment. MICycče subsequently only stores an ID created by the payment service provider as well as a token in order to process future pay- ments.

   Payment service providers used by us are:

   • Stripe (Stripe Payments Europe, Limited, www.stripe.com)

The processing is carried out on the basis of Art. 6 para. 1 s. 1 point b) GDPR. The provision of your payment data is necessary and mandatory for the conclusion or execution of the contract. If the payment data is not provided, a conclusion of the contract and / or the execution by means of a credit card pay- ment is impossible. The data required for payment processing are transmitted securely via the "SSL" procedure and processed exclusively for payment processing. We delete the data accruing in this context after the storage is no longer necessary, or restrict the processing if there are legal obligations to retain data. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment

and order data for a period of up to ten years. Two years after termination of the contract, we restrict processing and reduce processing to compliance with existing legal obligations.

Purposes of enforcement or rights/address enquiry

In the event of failure to pay, we reserve the right to forward the data disclosed upon ordering/booking to a solicitor for the purposes of address enquiry and/or enforcement of rights. The legal basis for this processing is Art. 6(1)(1) point f) GDPR. We have a legitimate interest in preventing fraud and avoiding default risks. Furthermore, we will forward your data, where necessary, in order to protect our rights and the rights of our affiliated companies, our cooperation partners, our employees, and/or those of the users of our websites or our apps, and to the extent that processing is necessary. We will never sell or lease your data to third parties. The legal basis for processing is Art. 6(1)(1) point f) GDPR. We have a legitimate interest in this processing for the purposes of enforcing rights. We erase the data collected as soon as storage is no longer necessary, or alternatively we restrict processing in the event that there exist legal retention periods.

You may object to this processing. You have a right to object where there exists grounds related to your particular situation. You can communicate your objection to us using the contact details provided under the section “ Controller” .