Privacy policy
VIMpay App - as of 31 October 2024
Table of contents
- General notes and mandatory information
- Data protection officer
- Data processing in the app
- Order processing
- Analysis tools
- Data collection when contact is made
- HBCI error reports in the app
- Chat function
- Wallet services and other services
- Prepaid cell phone top-up
- Social media
- Push notifications
- Payment services
- Special information for parents
- Changes to the privacy policy
General notes and mandatory information
General information
This privacy policy is available both in a detailed version (black font) and (if necessary) in a simpler version (green font) that is easier to understand for children and young people.
Children and young people are welcome to contact us or their legal guardians if they have any questions about this privacy policy.
The following information provides a simple overview of what happens to your personal data when you use our app. Personal data is all data that can be used to identify you personally. Detailed information on the subject of data protection can be found in our data protection declaration listed below this text.
In this section, you will learn what happens to your personal information (name, email address, etc.) when you use our app.
Who is responsible for data collection in the app?
The controller is the legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.). Data processing in the app is carried out by:
PayCenter GmbH
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
eMail: info@PayCenter.de
The responsibility for the processing of your data (name, email address, etc.) is assumed by the company petaFuel GmbH together with PayCenter GmbH.
The responsibilities of the two companies:
The
PayCenter GmbH is the card-issuing e-money institution and offers registered users a prepaid Mastercard for use at all electronically connected Mastercard acceptance points.
The use of the VIMpay card is based on a contractual relationship between the user and PayCenter..
The Mastercard that you receive from VIMpay is provided by PayCenter.
The petaFuel GmbH is the publisher of the VIMpay app and is responsible for the technology, app development and account management. A contractual relationship regarding the use of the VIMpay card is established exclusively between the cardholder and PayCenter.
petaFuel is not an issuing office directly commissioned by Mastercard, but merely forwards the customer's data to the authorized offices and acts as an intermediary between the user and the licensed issuing office (card-issuing e-money institution).
The company petaFuel is responsible for the technical side of the card.
How we collect your data
On the one hand, your data is collected when you provide it to us. This may be data that you enter during the registration process. Other data is collected automatically by our IT systems when you use the app. This is primarily technical data (e.g. app version, operating system or timestamp of the app call). This data is collected automatically as soon as you start the app.
There is information that you give us yourself, e.g. through your registration. We collect some technical data (e.g. app version, time of app call) automatically as soon as you start the app.What do we process your data for?- If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed in accordance with Art. 9 para. 1 GDPR. In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information in your end device (e.g. via device fingerprinting), the data processing is also carried out on the basis of Art. 25 para. 1 TDDDG. Consent can be revoked at any time.
If your data is required to fulfill a contract or to carry out pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR.
This applies in particular to the use of the VIMpay card and its functions, such as paying with your smartphone, paying with wearables, flash charging of the card, P2P chat, sending money in chat.
All functions of the VIMpay card can be found at www.vimpay.de/features.- We also process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 para. 1 lit. c GDPR.
As an e-money institution, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act, tax laws) and banking supervisory requirements (e.g. German Federal Financial Supervisory Authority). The purposes of processing include identity and age verification, fraud and money laundering prevention, compliance with tax control and reporting obligations and the assessment and management of risks within the company. - Data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
Examples:- protection of lightning charges (transmission of your IP address to the account-holding bank)
- error-free provision of the app
- Advertising, provided you have previously consented to the use of your data
- Enforcement of legal claims and defense in legal disputes
- ensuring IT security and IT operations
- Prevention of criminal offenses
The relevant legal bases in each individual case are set out in the following paragraphs of this privacy policy.
We use the information that we process from you for the following purposes:
- For contract performance (use of the VIMpay card)
- To improve our app
- For identity and age verification, fraud and money laundering prevention
- To analyze your user behavior
Who receives your data
Within the company, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes if they comply with banking secrecy and our written instructions under data protection law. These are essentially companies from the categories listed below.
With regard to the transfer of data to recipients outside the e-money institution, it should first be noted that, as an e-money institution, we are obliged to maintain confidentiality about all customer-related facts and assessments of which we become aware.
We may only pass on information about you if this is required by law, if you have given your consent, if we are authorized to provide banking information and/or if processors commissioned by us guarantee compliance with banking secrecy and the provisions of the EU General Data Protection Regulation/Federal Data Protection Act. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. Deutsche Bundesbank, Bundesanstalt für Finanzdienstleistungsaufsicht, Europäische Bankenaufsichtsbehörde, Europäische Zentralbank, Finanzbehörde, Bundeszentralamt für Steuern) if there is a legal or regulatory obligation.
- Other credit and financial services institutions, comparable institutions and processors (see point 5. Order processing) to whom we transmit personal data in order to conduct the business relationship with you.
In detail: Processing of bank statements, support/maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, recovery, payment card processing, customer administration, telephony, video legitimation, website management, payment transactions.
Other data recipients may be those entities for which you have given your consent to data transfer or for which you have exempted us from banking secrecy in accordance with an agreement or consent.
We only pass on the data to those bodies or persons who absolutely need it or are authorized to do so
Will data be transferred to a third country or an international organization?
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders (e.g. payment orders), is required by law (e.g. tax reporting obligations), if you have given us your consent or as part of commissioned data processing. If service providers are used in a third country, they are obliged to provide suitable guarantees in accordance with Art. 46 GDPR.
This also includes the automatic exchange of data as part of the Mastercard Automatic Billing Updater (ABU) database to minimize the rejection of card payments in the event of expiry or change of credit card data. The data is transmitted to:
- Mastercard Inc, 2000 Purchase Street, Purchase, NY 10577, USA.
Your data will be partially transferred to Mastercard in the USA
.
Note on data transfer to third countries that are not secure under data protection law and transfer to US companies that are not DPF-certified
We use tools from companies based in third countries that are not secure under data protection law and US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). If these tools are active, your personal data may be transferred to these countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in third countries that are unsafe under data protection law.
We would like to point out that the USA, as a safe third country, generally has a level of data protection comparable to that in the EU. Data transfer to the USA is therefore permitted if the recipient is certified under the EU-US Data Privacy Framework (DPF) or has suitable additional guarantees. Information on transfers to third countries, including the data recipients, can be found in this privacy policy.
Recipients of personal data
We work with various external bodies as part of our business activities. In some cases, it is also necessary to transfer personal data to these external bodies. We only pass on personal data to external bodies if this is necessary in the context of fulfilling a contract, if we are legally obliged to do so (e.g. passing on data to tax authorities), if we have a legitimate interest in passing on the data in accordance with Art. 6 Para. 1 lit. f GDPR or if another legal basis allows the data to be passed on. When using processors, we only pass on our customers' personal data on the basis of a valid contract for order processing. In the case of joint processing, a joint processing agreement is concluded.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke any consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)
If DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE LEGAL BASIS ON WHICH ANY PROCESSING IS BASED CAN BE DETECTED FROM THIS PRIVACY STATEMENT. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA, UNLESS WE CAN PROVE COMPULSORY PROTECTIVE REASONS FOR PROCESSING; R PROVING PROCESSING THAT CONFLICTS YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING IS FOR THE PURPOSE OF ENFORCEMENT, EXPLOITATION OR DEFENSE OF LEGAL CLAIMS (OBJECTION IN ACCORDANCE WITH ART. 21 PARA. 1 GDPR).
if your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; THIS ALSO APPLIES TO PROFILING IN AS FAR AS IT IS RELATED TO SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL CONCLUSIVELY NO LONGER BE USED FOR THE PURPOSE OF DIRECT ADVERTISING (OBJECTION PURSUANT TO ART. 21(2) GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work or place of the alleged violation. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
The competent supervisory authority for data protection issues is:
Bayerisches Landesamt für Datenschutzaufsicht
Postfach 1349
91504 Ansbach
Tel.: 0981/180093-0
Fax: 0981/180093-800
poststelle@lda.bayern.de
https://www.lda.bayern.de
If you feel that your data is not being properly protected, you have the right to contact this authority.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
If you would like us to transfer your data to you or another company, please let us know.
Information, correction and deletion
You have the right to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, a right to correction or deletion of this data at any time within the framework of the applicable legal provisions. You can contact us at any time regarding this and other questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21 (1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be used with your consent or for the establishment, exercise or defense of legal claims; or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
- If you wish, we will provide you with information at any time about where we have obtained your data and what we do with it.
- If you no longer want us to use your data, all you have to do is let us know.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from „http://“ to „https://“ and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
Analysis tools and tools from third-party providers
When you use our app, your usage behavior may be statistically evaluated. This is done primarily with so-called analysis programs. The analysis of your usage behavior is anonymous; the usage behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. Details on this can be found in our privacy policy under the heading "Analysis tools".
Data protection officer
Data protection officer required by law
We have appointed a data protection officer for each of our companies. The following contact options are available to you for all questions on the subject of data protection:
petaFuel GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-400
eMail: datenschutz@petaFuel.de
PayCenter GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
eMail: datenschutz@PayCenter.de
Data processing in the app
Data processing during registration and subsequent card use
Users can register and create a user account. The data entered during registration will be used for the purposes of using the service.
We collect, process and use personal data only insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures, as well as on the basis of Art. 6 para. 1 lit. c GDPR, which makes processing necessary for compliance with a legal obligation to which the controller is subject. We collect, process and use personal data about the use of our website (usage data) only to the extent necessary to enable or charge the user for the use of the service.
The customer data collected will be deleted after completion of the order or termination of the business relationship. It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract if this does not contradict the statutory retention periods. These include the retention obligations under commercial and tax law: German Commercial Code (HGB), German Banking Act (KWG) and the German Money Laundering Act (GwG). The periods specified there are two to ten years. If data is retained as evidence, it is subject to the limitation periods of the German Civil Code (BGB) §§195ff. and can be up to 30 years, whereby the regular limitation period is three years.
IP addresses are deleted after 90 days at the latest.
In principle, this data is not passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.
It is also possible that your IP address will be transmitted to the account-holding bank for security and fraud prevention purposes when a payment is made (flash top-up). This is done on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.
If legitimization is required for registration in accordance with Art. 11 GWG, the personal data collected during identification will only be stored by the identifying company (Deutsche Post AG or IDnow GmbH) to the extent that this is necessary for the proper determination, billing and evaluation as well as proof of the correctness of service charges (charge data). Furthermore, we use the data provided as part of the Postident procedure to compare the personal master data stored with us in our database for the purposes of the legally required legitimation.
The data collected in your user account always belongs to you. We only use your data for the intended purpose and in confidence and only pass it on to third parties as part of the services you have requested.
If you have terminated your user account, your data will be completely deleted.
If you wish to terminate your contract, please save your data beforehand.
All data that we are not required to retain by law will otherwise be automatically deleted.
In order to be able to use the service, we may collect the following data from you:
- Company name
- First and last name
- Address
- Date of birth
- ID card data
- eMail address
- Account details
- Mobile phone number
- PEP status
- Direct debit mandates
- IP address at the time of registration
- IP address of the login
- HBCI access data
- Account numbers of addresses
- Account numbers
- Tax ID
- Communication data for managing your VIMpay card via the petaFuel GmbH interface
- Message texts when using the chat function
- Status of the user when using the chat function
Server log files
petaFuel GmbH automatically collects and stores information about the app in so-called server log files. The following information is transmitted to us by the app:
- App name and version
- Operating system used
- device model
- Referrer URL
- Host name of the mobile device
- Time of the server request
- IP address
- Language and region
This data is not merged with other data sources.
The basis for data processing is Art. 6 para. 1 lit. f GDPR, which permits the processing of data to safeguard legitimate interests. We use this data both to operate and improve the app and to prevent fraud.
The data is automatically deleted after 90 days at the latest.
We automatically store information from the app. This data is not merged with other data sources.
Access rights of the app
The app can request the following access rights, which are classified as critical. These access rights can be defined individually and separately by the customer.
iOS
- Network connections
Required so that the app is fully functional and can send and receive data .- Background update
Required by Apple Services, here in particular for push notifications. - Messages
Required to receive messages, in this case push notifications - Access to photos and camera
Required to set a profile picture for the app, to create card pictures (picture card and card variants), to use the QR scanner and for identification verification using Videoident. - Contacts
Is used to check whether a contact is also a VIMpay user in the chat and to top up credit for prepaid mobile phone contracts - Microphone
Used for communication for identification verification with Videoident
Android
- Read, edit or delete memory contents
Required to export PDFs (this is the case, for example, when exporting your sales as a PDF) - Access to all networks
Required for the app to be fully functional and to be able to send and receive data .- Disable sleep mode
Required to be able to receive push notifications. - Contacts
Required to check whether a contact is also a VIMpay user in the chat and to top up credit for prepaid mobile phone contracts - Notifications
Required to receive messages, in this case push notifications - Access to photos and camera
Required to set a profile picture for the app, create card pictures (picturecard and card avatars), use the QR scanner and for identification verification through Videoident. - Microphone
Used for communication for identification verification with Videoident
In order to enable the use of the app, the app can request additional, non-critical authorizations in addition to those listed here.
The app can request these access rights. You can set these access rights individually and separately.
Order processing
We occasionally commission other companies to provide limited services on our behalf and within the scope of the business purpose. These companies may only process the personal data that is necessary for the provision of the respective service. These companies undertake to treat the data confidentially. The companies are expressly prohibited from using the information for any other purpose. We have concluded an order processing contract with the following companies and pass on personal data where necessary:
Between petaFuel and Deutsche Post AG (PostIdent, Videoident, address verification): Deutsche Post AG, Charles-de-Gaules-Str. 20, 53113 BonnBetween PayCenter and Deutsche Post Direkt GmbH (address verification): Deutsche Post Direkt GmbH, Junkersring 57, 53844 TroisdorfBetween petaFuel and Melissa Data GmbH (address verification): Melissa Data GmbH, Cäcilienstr. 42-44, 50667 KölnBetween PayCenter and Infoscore Consumer Data GmbH (address verification): Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-BadenBetween petaFuel and IDnow (Videoident): IDnow GmbH, Auenstr. 100, 80469 MunichBetween petaFuel and Authada GmbH (legitimization via eID): Authada GmbH, Julius-Reiber-Str. 15a, 64293 DarmstadtWe may need to share your data with third-party providers to provide our services. However, they are obliged to protect your data.
Analysis tools
Matomo
This app uses the open source web analysis service Matomo.
With the help of Matomo, we are able to collect and analyze data about the use of our app by app visitors. This allows us to find out, among other things, when which page views were made and from which region they came. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our app visitors perform certain actions (e.g. clicks, purchases, etc.).
The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in analyzing user behavior in order to optimize both its app and its advertising. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Art. 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
IP anonymization
We use IP anonymization for the analysis with Matomo. This means that your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.
Cookieless analysis
We have configured Matomo so that Matomo does not store cookies.
Matomo processes the following data:
- Anonymized IP addresses by removing the last 2 bytes (i.e. 192.68.0.0 instead of 192.68.100.54)
- Pseudo-anonymized location (based on the anonymized IP address)
Date and time- Title of the page accessed
- URL of the page accessed
- URL of the previous page (if this is permitted)
- Screen resolution
- Local time
- Files that were clicked and downloaded
- External links
- Duration of the page load
- Country, region, city (with low accuracy due to IP address)
- Main language of the device
- User agent of the device
You can object to the storage and analysis of this data by Matomo at any time (via Security --> Improve app).
Data collection when making contact
If you contact us by email, contact form, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
Reasonable automatic deletion periods:
- Tickets from non-customers: 6 months
- Tickets from customers: 1 year
- Tickets with data protection reference: 3 years
When you contact us (e.g. via contact form, email, chat, telephone or social media), your contact details will be stored for the purpose of responding to your inquiry. However, this data is also regularly deleted by us.
HBCI error reports in the app
If you agree to the storage and transmission of the error report in the app, you agree that your HBCI data (e.g. account number and turnover) will be transmitted to petaFuel in encrypted form in order to be able to analyze and correct errors that occur in the app. To protect your login from unauthorized access, the banking password is removed before transmission. There is no automated transmission of error reports with corresponding HBCI data. The HBCI transactions are only stored locally in the app. When the app is deleted, the locally stored HBCI transactions are also deleted.
The transmission and storage takes place on the basis of Art. 6 para. 1 lit. a GDPR (consent of the data subject).
If you consent to the storage and transmission of the error report in the app, you agree that your data (e.g. account number and turnover) will be transmitted to petaFuel in encrypted form in order to determine the error.
Your sales data is stored locally in your app. If you decide to delete the app, your locally stored data will also be deleted.
Chat function
The VIMpay app offers a chat function that allows the user to get in touch with customer service as well as with other VIMpay users.
In addition, VIMpay card functions can be used via the chat (e.g. sending money).
A list of all VIMpay card and chat functions can be found at www.vimpay.de/features (see also Data protection at a glance - What we use your data for).
The chat function for communication with customer service is permanently activated. Deactivation is not possible.
The chat function for communicating with other VIMpay users is deactivated by default. It must first be activated in order to use it.
By activating and using this chat function, the user agrees that
- the other users will be shown their current online status
the name (first name and surname) stored with VIMpay will be displayed to other users- his profile picture is displayed to other users
- the messages sent and received are stored on the server for a limited period of time (this storage ensures that the messages can be restored after reinstalling the app).
Messages are automatically deleted by the server after a certain period of time:
- Messages from single or group chats after 30 days
- Messages from the support chat:
- Unauthenticated users: after 90 days
- Authenticated users: after 10 years
If a user wishes to deactivate the chat function again after activation, an opt-out option is available in the app (not possible for the chat function with customer service!).
By opting out, the user agrees that all messages will be deleted by the server after the above-mentioned periods:
A deletion of the messages on the user's smartphone does not take place, but must be carried out by the user themselves.
The chat messages are stored on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
Use of chatbots
We use chatbots to communicate with you. Chatbots are able to respond to your questions and other input without human assistance. For this purpose, the chatbots analyze further data in addition to your input in order to provide suitable answers (e.g. names, e-mail addresses and other contact data, customer numbers and other identifiers, orders and chat history). Your IP address, log files, location information and other metadata may also be collected via the chatbot. This data is stored on the chatbot provider's servers.
User profiles can be created on the basis of the data collected. In addition, the data can be used to display interest-based advertising, provided that the other legal requirements (in particular consent) are met. For this purpose, the chatbots can be linked to analysis and advertising tools.The data collected may also be used to improve our chatbots and their response behavior (machine learning).
The data entered by you in the course of communication will remain with us or the chatbot operator until you request us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.
The legal basis for the use of chatbots is Art. 6 para. 1 lit. b GDPR, insofar as the chatbot is used to initiate a contract or in the context of contract fulfillment. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Art. 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time. In all other cases, the use is based on our legitimate interest in the most effective customer communication possible (Art. 6 para. 1 lit. f GDPR).
Google Dialogflow
For our chat, we use Dialogflow, a service provided by Google LLC (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Dialogflow is a dialog-oriented interface for websites, mobile applications, common communication platforms and IoT devices that enables interactions between users and companies. Google Dialogflow is part of the Google Cloud Platform offered by Google. Your input is processed by Google in accordance with Google's privacy policy before being forwarded to our servers.
„Dialogflow” uses machine learning to understand and respond to your input. Dialog questions or information entered are stored and used for learning and training purposes without personal reference and serve to improve the chat system.
We only use our own IP address to communicate with Google Dialogflow.
Accordingly, personal data is only transmitted to Google if you disclose personal data as part of the chat (= chat messages).
Data processing is carried out on the basis of both Art. 6 para. 1 lit. f GDPR (“legitimate interest”) and Art. 6 para. 1 lit. a GDPR (“consent”). Before starting the chat, you consent to the transfer of your data to Google.
Google relies on standard contractual clauses in accordance with Art. 28 GDPR for the transfer of data outside the EEA.
The Google terms of use for Dialogflow data logging can be found here: Terms of Use
You can find the Google privacy policy here: Privacy Policy
When you use the chat, other users will see your name, your profile picture, your online status and all messages will be stored by us. If you no longer want to use the chat, you can deactivate it, but all messages will then be deleted after a certain period of time.
ChatGPT
We use ChatGPT for our customer communication. The provider is OpenAI, 3180 18th St, San Francisco, CA 94110, USA, https://openai.com. We use ChatGPT for the following tools:
When you start a conversation with us via our app and ChatGPT is activated, your input, including metadata, is transmitted to ChatGPT's servers and processed there to generate a suitable response.
We have configured ChatGPT in such a way that the personal data entered is not used to train ChatGPT's algorithm.
The use of ChatGPT is based on Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in the most efficient customer communication possible using modern technical solutions. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.
Further information can be found here: https://openai.com/policies/privacy-policy.
Wallet services and other services
Use of Apple Pay
If you activate and use Apple Pay, you agree that we authorize Mastercard to transmit data to Apple for payment processing.
The following data will be transmitted:
- Username
- PAN
- Expiration date
This data is transmitted to Apple in encrypted form. Apple decrypts the data, determines the payment network of the card (Mastercard) and re-encrypts the data with a key that can only be decrypted by the payment network.
Apple retains anonymized transaction data, including the approximate purchase amount, the name of the app developer and the app, the approximate date and time, and whether the transaction was completed successfully.
The transmission of your data to Apple is based on Art. 6 para. 1 lit.b GDPR (processing for the performance of a contract).
If you decide to use Apple Pay, your data will be sent to Apple for payment processing.
Use of Google Pay
If you activate and use the widget for Google Pay, you agree that we authorize Mastercard to transmit data to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Google takes place on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you decide to use Google Pay, your data will be sent to Google for payment processing.
Use of Samsung Pay
If you activate and use the widget for Samsung Pay, you agree that we authorize Mastercard to transmit data to Samsung (Samsung Electronics Co., Ltd., 416, Maetan 3-dong, Yeongtong-gu, Suwon-si, Gyeonggi-do 443-772, Korea) for payment processing.
The following data will be transmitted:
- Name
- card number
- CVC
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Samsung takes place on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you decide to use Samsung Pay, your data will be sent to Samsung for payment processing.
Use of Swatch Pay
If you activate and use the widget for Swatch Pay, you agree that we authorize Mastercard to transmit data to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to G&D is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Swatch Pay, your data will be sent to Fidesmo AB for payment processing.
Use of Fidesmo Pay
If you activate and use the widget for Fidesmo Pay, you agree that we authorize Mastercard to transmit data to Fidesmo AB (Regeringsgatan 111, 111 39 Stockholm, Sweden) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Fidesmo AB is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Fidesmo Pay, your data will be sent to Fidesmo AB for payment processing.
Use of Digiseq
If you activate and use the Digiseq widget, you agree that we authorize Mastercard to transmit data to Digiseq Ltd (International House, 64 Nile Street, London, N1 7SR, United Kingdom) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Sales data (e.g. merchant name, location, amount)
The transmission of your data to Digiseq is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
If you choose Digiseq, your data will be sent to Digiseq for payment processing.
Use of Click to Pay
If you activate and use the Click to Pay widget, you agree to transmit data to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA.) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Card number (encrypted)
The transmission of your data to Mastercard is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
For more information on data protection, please refer to Mastercard's privacy policy at https://www.mastercard.com/global/click-to-pay/de-de/privacy-notice.html#dataTransfer.
If you choose Click to Pay, your data will be sent to Mastercard for payment processing.
Use of Garmin Pay
If you activate and use the widget for Garmin Pay, you agree to transmit data to Garmin (Garmin Deutschland GmbH, Parkring 35, 85748 Garching, Germany) for payment processing.
The following data will be transmitted:
- Name
- Address
- Telephone number
- Card number (encrypted)
The transmission of your data to Garmin is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
For more information on data protection, please refer to Garmin's privacy policy at https://www.garmin.com/de-DE/privacy/garminpay/.
If you choose Garmin Pay, your data will be sent to Garmin for payment processing.
Use of digital receipts (ReceiptHero)
If you activate and use digital receipts (ReceiptHero), we will transmit data to Mastercard (Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA) for the provision of digital receipts.
The following data is transmitted:
- Name
- Card number (encrypted)
- Expiry date
- CVC
The transmission of your data to Mastercard takes place on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
For more information on data protection, please refer to Mastercard's privacy policy at https://mea.mastercard.com/en-region-mea/vision/privacy.html.
If you opt for digital receipts (ReceiptHero), your data will be sent to Mastercard for payment processing.
Prepaid mobile top-up
We use the service of our contractual partner transact Elektronische Zahlungssysteme GmbH, Fraunhoferstr. 10, 82152 Martinsried for prepaid cell phone top-ups. If you wish to use this service, we will transmit your mobile phone number to transact Elektronische Zahlungssysteme GmbH. The legal basis for this is Article 6(1)(b) GDPR (processing for the purpose of contract performance).
Social media
We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.
Social networks such as Facebook, X etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). When you visit our social media presences, numerous data protection-relevant processing operations are triggered. In detail:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.
Legal basis
Our social media presences are intended to ensure as comprehensive a presence as possible on the internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).
Controller and assertion of rights
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. Facebook).
Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options depend to a large extent on the company policy of the respective provider.
Storage duration
The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected.
We have no influence on the storage period of your data that is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).
Your rights
You have the right to receive information free of charge at any time about the origin, recipient and purpose of your stored personal data. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. You can also request the rectification, blocking, erasure and, under certain circumstances, restriction of the processing of your personal data.
Social networks in detail
Facebook
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta, the data collected is also transferred to the USA and other third countries.
We have concluded an agreement with Meta on joint processing (Controller Addendum). This agreement specifies the data processing operations for which we or Meta are responsible when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings yourself in your user account. To do this, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
For details, please refer to the Facebook privacy policy: https://www.facebook.com/about/privacy/.
The company is certified according to the „EU-US Data Privacy Framework“ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
X (formerly Twitter)
We use the short message service X (formerly Twitter). The provider is the parent company X Corp, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for the data processing of persons living outside the USA.
You can adjust your X privacy settings yourself in your user account. To do this, click on the following link and log in: https://x.com/settings/account/personalization.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://gdpr.x.com/en/controller-to-controller-transfers.html.
Details can be found in the privacy policy of X (formerly Twitter): https://x.com/de/privacy.
Instagram
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
The transfer of data to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Details on how they handle your personal data can be found in Instagram's privacy policy: https://privacycenter.instagram.com/policy/.
The company is certified according to the „EU-US Data Privacy Framework“ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
YouTube
We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in YouTube's privacy policy: https://policies.google.com/privacy?hl=de.
The company is certified in accordance with the „EU-US Data Privacy Framework“ (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780
TikTok
We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how they handle your personal data can be found in TikTok's privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=de.
The transfer of data to non-secure third countries is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.tiktok.com/legal/privacy-policy?lang=de.
Push notification
When you use our app, we may contact you with push notifications about new promotions, vouchers and personal offers from VIMpay. For the further development of our offer and for statistical purposes, we record when and how often a push notification is opened. We collect this information in pseudonymized form. Of course, you can unsubscribe from push notifications at any time in the app settings. Push notifications are sent on the basis of our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f) GDPR.
Payment services
PayCenter
The card-issuing e-money institution PayCenter GmbH, Clemensänger Ring 24, 85356 Freising
takes care of payment processing for VIMpay.If you use the credit card function, the payment data you enter will be transmitted to PayCenter for payment processing.
The transmission of your data to PayCenter is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You have the option of withdrawing your consent to data processing at any time. A revocation does not affect the effectiveness of data processing operations carried out in the past.
Payment processing for VIMpay is carried out by the card-issuing electronic money institution PayCenter GmbH.
Styx Customer Frontend
PayCenter provides the Styx Customer Frontend in the VIMpay app so that customers whose bank does not offer a web interface can log in (with two-factor authentication if necessary) and enter/retrieve transactions or account information.
The customer enters the login details of their bank. PayCenter processes this data and forwards it to the customer's bank. The data is not stored by PayCenter at any time.
The transfer of your data to the bank takes place on the basis of Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
Special information for parents
While our app is not generally directed at children under the age of 16, we strictly adhere to applicable laws for obtaining parental or guardian consent before collecting, using or disclosing information from children. We strongly recommend that parents take an active role in monitoring their children's online activities. If you believe that we have collected personal information from a person under the age of 16, please let us know via datenschutz@petafuel.de.
Changes to the privacy policy
We reserve the right to amend this privacy policy at any time to the extent permitted by law. The current version can be found on the website under the link „Privacy Policy“.
We are constantly working on improvements that may also have an impact on the privacy policy. However, we will never change it without informing you of this.