Privacy policy

I. Person responsible for data processing 
‍The controller pursuant to Art. 4 (7) GDPR is:
‍
‍Shiftmove GmbH
‍Warschauer Straße 57#
10243 Berlin
E-Mail: contact@shiftmove.com
‍Phone: +49 30 555 79 852

If you have any questions or concerns regarding the processing of your personal data or the exercise of your rights, you can contact us using the contact information provided here.

‍II. Data Protection Officer
‍You can contact our data protection officer at privacy@shiftmove.com or by post at the above address with the addition "Data Protection Officer".

‍III. Access to our website 
‍When you visit our website, we process personal data in order to guarantee the smooth, functional and secure operation of our website. The following data may be processed (so-called log files):  
- Operating system and current IP address (last octet shortened) of the end device with which you visit our website 
- Browser (type, version and language setting)
- the amount of data retrieved 
- Date and time of access the URL of the previously visited website (referrer) 
- the URL of the (sub)page that you call up on the website 
- the Internet service provider of the accessing system 

The collection of log files is technically necessary in order to display our website to you and to ensure the stability and security of the website. This is also our legitimate interest in data processing. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. This website is hosted by the service provider AMAZON WEB SERVICES, EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, with whom we have concluded a data processing agreement. Your data is processed in a European data centre and anonymised 24 hours after collection. 

‍IV. Contact 
‍You can use the form provided or the available contact information to send us sales and support enquiries and to contact us on other topics. When contacting us via one of our web forms, the data marked as mandatory fields must be provided. When you contact us, we may process your first and last name, email address, company, telephone number and other information relating to your enquiry. The mandatory information, without which it is not possible to contact you, is marked with an asterisk. The data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in the context of the initiation or implementation of pre-contractual measures or the contract with you or on the basis of our legitimate interest in processing and responding to your other request in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Further information is not mandatory for establishing contact and is therefore provided voluntarily on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Your personal data will be deleted - subject to statutory retention periods - as soon as the purpose of storage no longer applies, i.e. your request has been fully processed and no further communication with you is required or requested by you. 

‍Sales enquiries are managed via our internal customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Support requests are managed and processed via our internal customer support tool Zendesk. We work with Zendesk Inc ("Zendesk"), 181 S. Fremont St., San Francisco, CA 94105, USA. We have concluded an order processing contract with Zendesk using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Zendesk is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍V. Advertising and analysis software

1. Usercentrics
‍We use the Usercentrics Consent Management Platform as a consent management tool as part of the integration of marketing and analysis activities on our website. The Consent Management Platform collects log file and consent data using JavaScript. This JavaScript makes it possible to inform users about their consent to certain tags on our website and to obtain, manage and document this consent. We process the following data: Data on the consents you have given, device data such as your abbreviated IP address and user agent data (browser type, device type, operating system, software version data).The legal basis for the processing is our legitimate interest in the proper and legally compliant obtaining of consent on our website in accordance with Art. 6 para. 1 lit. c GDPR, § 25 TDDDG. The purpose of data processing is to analyse and manage the consents granted in order to comply with our obligation to manage consents in accordance with the GDPR. The use of Usercentrics serves the purpose of providing evidence of granted and non-granted consents and their management. Your data will generally be stored for one year and deleted subject to statutory retention periods. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. Your data is processed exclusively on European servers. We have concluded an order processing agreement with Usercentrics.

‍2. Plausible
‍We use the web analysis service Plausible Analytics ("Plausible") to continuously optimise our website, both technically and in terms of content. Plausible takes a particularly data protection-friendly approach to analysing your visit. For this purpose, Plausible only records the information that is transmitted to our web server by your browser when you access the website: Date and time of your visit, title and URL of the pages visited, incoming links, the country you are in and the user agent of your browser software. Plausible does not use or store "cookies" on your end device. All personal data (e.g. your IP address) is stored completely anonymised in the form of a so-called hash. Furthermore, Plausible only allows the aggregated analysis of visitor statistics. We cannot track your specific behaviour on our website individually. In this way, we can analyse your visit without storing personal data in a form that could be read by us, Plausible or third parties.The legal basis for the processing is our legitimate interest in the improvement and further development of our website in accordance with Art. 6 para. 1 lit. f) GDPR. Your personal data will be deleted or anonymised immediately after collection. Further information on data protection at Plausible can be found at https://plausible.io/data-policy.Plausible is a product of Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia. We have concluded an order processing agreement with Plausible. 

‍3. Google Tag Manager
‍We use the Google Tag Manager service provided by Google of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager enables us to integrate scripts and plug-ins into our website faster and more user-friendly. We have concluded an order processing contract with Google. Google Tag Manager is an auxiliary service and processes personal data itself only for technically necessary purposes. The Google Tag Manager ensures the loading of other components, which in turn may collect data. The Google Tag Manager does not access this data. The legal basis is your voluntary consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time via our consent management with effect for the future. The data is generally processed in the EU. However, since a data transfer to Google in the USA (third country) cannot be completely ruled out, we have concluded an order processing contract with Google using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Google is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data.

‍4. Google Analytics
‍Our website uses Google Analytics, a web analytics service provided by Google, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The cookie used for this purpose enables us to analyse the use of our website. Google uses this information on our behalf to analyse the use of our website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The information generated by the cookie may also be transmitted to a Google LLC server in the USA and stored there. On our website, Google Analytics has therefore been extended by the code "anonymizeIp" to ensure anonymised collection of IP addresses (so-called IP masking). This means that the IP address of the user is first truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA (third country) and truncated there. The IP address transmitted by the browser used as part of Google Analytics is not merged with other Google data. We have concluded an order processing contract with Google using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Google is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data.The legal basis for the use of Google Analytics is your consent in accordance with Section 25 (1) sentence 1 TDDDG, Art. 6 (1) sentence 1 lit. a GDPR, which you can give via the cookie banner and also revoke at any time without giving reasons with effect for the future in cookie management. The personal data processed by Google Analytics is stored for 14 months and then automatically deleted.

‍5 Microsoft Clarity
‍We use the Microsoft Clarity service on our website to statistically analyse the use of our website. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Clarity offers functions such as heat maps, session replays and reports on website usage to help us better understand user behaviour and optimise our website.Microsoft Clarity uses cookies, which enable us to analyse the use of our website, as well as a so-called tracking code, which is executed when this service is called up. The information collected, such as IP address, location, time or frequency of visits to our website, is transmitted to Microsoft and stored there. The data is used to create anonymous usage statistics.  We use Microsoft Clarity with the so-called anonymisation function. This function allows Microsoft to truncate the IP address within the EU or EEA.The legal basis for the use of Microsoft Clarity is your consent in accordance with § 25 para. 1 sentence 1 TDDDG, Art. 6 para. 1 sentence 1 lit. a GDPR, which you can give via the cookie banner and also revoke at any time without giving reasons with effect for the future in cookie management.The data is generally processed in the EU. However, since a data transfer to Microsoft Inc. in the USA (third country) cannot be completely ruled out, we have concluded an order processing contract with Microsoft using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Microsoft is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data.

‍VI. Storage period
‍Unless otherwise stated in the descriptions of the individual processing activities, we generally process your data for as long as is necessary to fulfil the purpose of the processing. We delete your data in compliance with the statutory retention periods (retention for up to 10 years where applicable) as soon as the purpose of the processing no longer applies or this is required by law, such as when you withdraw your consent.

‍VII. International data transfers
‍Your data will only be transferred to recipients in countries outside the European Union or the European Economic Area as long as the legal requirements for guaranteeing an adequate level of data protection in accordance with Art. 45 et seq. GDPR are met. A transfer will only take place if either an adequacy decision of the European Commission exists for the third country in question, an adequate level of data protection can be guaranteed between the data importer and exporter through standard contractual clauses of the European Commission and corresponding additional security measures, or other legally recognised requirements for the international transfer of data to third countries exist. If a processing activity involves a transfer, access or even a potential possibility of disclosure, the recipients and relevant safeguards for the transfer are specifically named. 

‍VIII. Your rights
‍You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  To exercise your rights as a data subject, please contact privacy@shiftmove.com .You also have the right to lodge a complaint with a competent supervisory authority at any time if you believe that the processing of your personal data violates data protection regulations (Art. 77 GDPR).

I. Person responsible for data processing 
The controller pursuant to Art. 4 (7) GDPR for the processing operations described here:

‍Shiftmove GmbH
‍Warschauer Straße 57
10243 Berlin
e-mail: contact@shiftmove.com
‍Phone: +49 30 555 79 852

In addition, Shiftmove regularly acts as a processor within the meaning of Art. 28 GDPR when providing its products to companies. Information on the data processed in this context is shown separately in this section.If you have any questions or concerns about the processing of your personal data to the extent described here and to exercise your rights, you can contact us using the contact information provided here.

‍II. Data Protection Officer
‍You can contact our data protection officer atprivacy@shiftmove.com or by post at the above address with the addition "Data Protection Officer".

‍III. Avrios
‍The Avrios fleet management software is only sold to business customers as a processor. You will find information on the processing of data on behalf of the Avrios SaaS application below under 2. processing as a processor. However, Shiftmove also processes data on its own responsibility. Information on this can be found under 1. processing as controller.
‍
‍1. Processing operations as controller

1.1 Connection data
‍When you use our products, we process personal data in order to guarantee the smooth, functional and secure operation of our website. The following data may be processed (so-called log files):  Operating system and current IP address (last octet shortened) of the end device with which you visit our websiteBrowser (type, version and language setting)the amount of data retrievedDate and time of accessURL of the previously visited website (referrer)URL of the (sub)page that you call up on the websiteInternet service provider of the accessing system The purpose of the processing is to ensure the stable and secure operation of our products. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. This website is hosted by the service provider AMAZON WEB SERVICES, EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, with whom we have concluded a data processing agreement. Your data is processed in a European data centre and anonymised 24 hours after collection.

‍1.2 Usercentrics consent management
‍We use the Usercentrics Consent Management Platform as a consent management tool as part of the integration of marketing and analysis activities within our products. The Consent Management Platform collects log file and consent data using JavaScript. This JavaScript enables users to use their consent to determine which services and data processing take place within our products, to inform them and to obtain, manage and document the corresponding consents. We process the following data: Data on the consents you have givenDevice data such as your truncated IP address and user agent data (browser type, device type, operating system, software version data).The purpose of data processing is to analyse and manage the consents granted in order to comply with our obligation to manage consents in accordance with the GDPR. The use of Usercentrics serves the purpose of providing evidence of granted and non-granted consents and their management.The legal basis for the processing is our legitimate interest in the proper and legally compliant obtaining of consent on our website in accordance with Art. 6 para. 1 lit. c GDPR, § 25 TDDDG.Your data will generally be stored for one year and deleted subject to statutory retention periods. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. Your data is processed exclusively on European servers. We have concluded an order processing agreement with Usercentrics.

‍1.3 Planhat
‍We use the customer relationship management system Planhat to process data to analyse user interactions with our application and user satisfaction with our platform. Planhat uses cookies to collect data for this purpose and stores it on your end device. We process the following data: User identification data (e.g. e-mail addresses, user IDs)Device and browser information (e.g. IP addresses, browser type, operating system),Behavioural and interaction data (e.g. pages visited, clicks, navigation paths)Session data (e.g. session duration, data traffic sources) In addition, pseudonymised and aggregated results on user-friendliness and satisfaction with our application are processed as part of so-called Net Promoter Score ("NPS") surveys.The purpose of the processing is to create aggregated metrics and analyses on the use of our platform and engagement with our application. The data collected is assigned to the customer listed with us within Planthats. The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. The raw data collected is processed for as long as the consent for processing the data exists. The raw personal data will be deleted after 36 months at the latest. However, aggregated analyses and anonymised reports may continue to be stored.For the provision of Planhat we work with Planthat A/B ("Planhat") Malmskillnadsgatan 13, 111 57 Stockholm, Sweden. Your data is processed exclusively on European servers. We have concluded an order processing agreement with Planhat
‍
‍1.4 Datadog
‍With the help of the Datadog tool, our developers can collect additional data on the use of our platform for faster troubleshooting and identification of bugs. Datadog uses cookies to collect data for this purpose and stores it on your end device. The following data is processed:  User identification data (pseudonymised session ID) Device and browser information (e.g. IP addresses, browser type and version, device type, operating system details)Behavioural and interaction data (e.g. mouse movements, clicks, keystrokes, scrolling behaviour, page visits)Session and performance data (e.g. session duration, timestamps, page load times, network requests and responses)Error and diagnostic data (e.g. JavaScript errors, crash reports, console logs, details on loading resources)Pseudonymised session recordingsThe purpose of the processing is to monitor the performance and stability of our web applications and to analyse user interactions. The aim is to identify errors, improve user-friendliness and diagnose technical problems by collecting session and behavioural data and performance metrics. When using the Session Recording Feeder, no data about your entries within the application is transmitted to Shiftmove. The data is pseudonymised directly on your end device.The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Session recordings are stored for up to 30 days and then automatically deleted. The raw data collected is processed for as long as the consent for processing the data exists. The raw personal data is deleted after 36 months at the latest. However, aggregated analyses and anonymised reports may continue to be stored.For the provision of Datadog, we work with Datadog, Inc. 620 8th Ave Fl 45New York, NY 10018, USA. Data processing generally takes place on servers within the European Union. In the event that a transfer or access to the data, for example in the case of a support enquiry, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Datadog is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing agreement with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures. 

‍1.4 Segment
‍We use the Segment service to verify and monitor usage licences. We collect the following data for this purpose:Identification data such as e-mail address, User ID, Customer numberPseudonyms, such as session IDs or other device-specific identifiersTechnical data such as IP address, browser type and version, device type (e.g. smartphone, desktop), operating system and version, Interaction and usage data such as page views, interactions with functions such as adding vehicles or drivers with respective time stampsThe purpose of the processing is to ensure that customers comply with the agreement of the corresponding service contract and to start automated processes for contract adjustment in the event of under- or over-utilisation of our platform.The legal basis for processing is our legitimate interest in the contractual provision of our services and monitoring the use of our software in accordance with our terms and conditions.We work together with Twilio, 101 Spear St FL 5 San Francisco, CA 94105, USA, to provide Segment. Data processing generally takes place on servers within the European Union. In the event that transmission or access to the data, for example in the case of a support enquiry, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Twilio is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing contract with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures.

‍1.5 Bugsnag
‍Bugsnag is an error monitoring tool that identifies and analyses software errors (so-called bugs) in applications in order to improve stability and performance. It is used by developers to fix problems faster and ensure higher software quality.The following technical data is processed:IP addresses Device informationOperating systemBrowser typeSession details (website accessed, date and time of page views)Log files and information on user interactions that led to an error The purpose of processing is to detect software errors, analyse their causes and improve the stability of the application. In addition, performance problems are identified and usage patterns are analysed to ensure the user-friendliness of the software. Bugsnag thus contributes to the continuous improvement of the software and customer satisfaction.The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR (legitimate interest), as error monitoring represents a legitimate interest of the controller in order to ensure a stable and functional application. If Bugsnag is used in connection with contractual obligations, the processing is also based on Art. 6 para. 1 lit. b GDPR.The data is stored for as long as is necessary to analyse and rectify errors and then deleted or anonymised, depending on the contractual agreement with Smartbear Software, Inc.

‍1.6 Contact 
‍You can use the form provided or the available contact information to send us sales and support enquiries and to contact us on other topics. When contacting us via one of our web forms, the data marked as mandatory fields must be provided. We regularly process the following data when you contact us:First names and surnamesE-mail addressThe companyTelephone numberMessage content and further information about your requestConnection and device dataprocess. The mandatory information, without which contact is not possible, is marked with an asterisk. The data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in the context of the initiation or implementation of pre-contractual measures or the contract with you or on the basis of our legitimate interest in processing and responding to your other concerns in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Further information is not mandatory for establishing contact and is therefore provided voluntarily on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Your personal data will be deleted - subject to statutory retention periods - as soon as the purpose of storage no longer applies, i.e. your request has been fully processed and no further communication with you is required or requested by you. 

‍Sales enquiries are managed via our internal customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Support requests are managed and processed via our internal customer support tool Zendesk. We work with Zendesk Inc ("Zendesk"), 181 S. Fremont St., San Francisco, CA 94105, USA. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Zendesk to the USA (third country). We have concluded an order processing contract with Zendesk using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Zendesk is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Live chat within the application allows you to contact our employees directly via the chat window provided for questions. We work with Intercom Inc ("Intercom") 55 2nd Street, Suite 400, San Francisco, CA 94105, USA, to provide the chat function. The legal basis for the use of the live chat feature is your voluntarily given consent. The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Art. 25 para. 1 TDDD. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Intercom to the USA (third country). We have therefore concluded an order processing contract with Intercom using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Intercom is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍1.7 Market research and surveys
‍As part of the use of our applications, we conduct quantitative and qualitative surveys and interviews from time to time. Your personal data is processed as part of these interviews. This includes Name, e-mail address, IP address, communication data and content, survey responses, video and audio recordingsThe processing serves the purpose of measuring the satisfaction of our customers and further developing our products. The legal basis for the processing of the data is your voluntarily granted consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future. As part of the surveys, you can also voluntarily consent to the recording of interviews. The data will be stored for as long as is necessary for the processing purpose or until you withdraw your consent. Recordings of interviews are stored for up to 3 years and then deleted if you do not withdraw your consent beforehand.To optimise appointment bookings, we use the Calendly tool provided by Calendly LLC, 115 E Main St., Ste A1B, Buford, GA 30518, USA. We have concluded an order processing contract with Calendly using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Calendly is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍2. Processing within the scope as a Processor
‍Shifftmove provides the Avrios product as a processor. A processor is anyone who processes data for external purposes in accordance with the instructions of the controller. The data controllers responsible for the use of the Avrios application under data protection law are our customers. They determine the purposes and legal bases of processing and are also responsible for fulfilling requests from data subjects. In the following, we would like to provide you with the information that can be determined with certainty about the processing from the position as processor.

‍2.1 Categories of data processed:
‍The following categories of personal data are processed as part of the provision and use of our software:
- Tasks and comments
- Fine notice information (addressee, amount, photos)
- Vehicle information (CO2 emissions, damage reports, licence plate number, chassis number, mileage)
- Photos (driving licence photos and portrait photos)
- Driving licence informationContact information (telephone number, fax number, mobile phone number, e-mail address)
- Communication histories (notifications, e-mail histories with suppliers, service providers, insurance companies, etc.)
- Personal master data (first name, surname, password, address, gender, date and place of birth, language, nationality, residence authorisation, marital status, information on relatives, date of entry and date of departure of employees, information collected in self-administered fields by customers)
- Company management data (internal ID, cost centre, organisation, department, location, sector and sub-sector, reporting structure)
- Information on salary planning (fringe benefits relating to company cars),
- service specifications and associated information (entitlement to company car and class of company car)
- Fuel card information (provider, costs, date, product)
- Accident prevention regulation test results
- Device data and IT usage data.
‍
‍2.2 Purposes of data processing:
‍Below you will find a list of the purposes of processing, insofar as they are determined by Shiftmove. Please note that the ultimate purposes of use are determined by the controller under data protection law:
‍
‍Provision of the Application: Shiftmove will regularly process the following data as part of the provision of the Application: Personal master data, communication data, device data and IT usage data.

‍Driving licence check: Shiftmove processes the following data to carry out the driving licence check: Personnel master data, communication data, photos (driving licence photos and portrait photos), driving licence information, device data and IT usage data. Drivers can be informed by email or text message when their driving licence is due to be checked. Driving licences are checked by digital visual inspection. All transmitted photos of the driving licence are deleted by the checking user immediately after the driving licence check has been completed. Only the information required for proof of the check is retained. For further information, please contact your responsible colleague at Shiftmove.

‍Fine management: Shiftmove processes the following data for the management of fines by the Avrios product: Personnel master data, communication data, fine notice information, device data and IT usage data. Customers can upload, document and delete fines themselves in the product. 

‍UVV checks: Shiftmove processes the following data in order to provide training on accident prevention regulations ("UVV"): Personnel master data, communication data, UVV test results, device data and IT usage data. Drivers can be informed of upcoming driving licence checks by email or text message. Fleet managers and authorised users can only see whether a test has been completed and whether it has been passed or failed. Individual results for questions can only be viewed by the drivers.

‍Task management: Shiftmove regularly processes the following data as part of mapping internal task management: Tasks and comments, personnel master data, communication data, device data and IT usage data. Please note that the task management forms are free text fields. It is therefore up to the user to control which data is processed within this function.

‍Fuel card management: Shiftmove processes the following data to provide the function for managing fuel cards and their costs: Personnel master data, communication data, fuel card information, device data and IT usage data. The information is loaded into the application with a delay and, due to the lack of information on the place of payment and use, does not allow the behaviour of drivers to be monitored.

‍Automated collection of vehicle data (High Mobility): Via Avrios, you can use the automated integration of vehicle data via our provider High Mobility. In this case, the mileage and other vehicle information is automatically synchronised in the Avrios system. 

‍Support: As part of the provision of the service, we regularly process support requests from our users. The following data is processed in this context: Personal master data, communication data, communication histories. 

‍2.3 Recipients of the data processing:
‍Shiftmove selects its processors with the utmost care and only uses processors that offer sufficient security guarantees.The recipients of the data processing in the context of the provision of the Avrios application as a processor are listed conclusively on the following page: https://www.avrios.com/legal/sub-processors.
‍
2.4 Use of cookies
‍In the following, we will inform you about the type and purpose of information that we store on your device to provide our software application:
‍
‍Cookies: Name (storage period): Description
Fusionauth.sso (12 months): Stores the information necessary to process single sign-on opti
Cache for correct display of the language in the login process.
Fusionauth.locale (session duration): Cache for correct display of the language in the login process.
Cache for correct display and storage of the session time in the login process.
‍Fusionauth.timezone (session duration): Cache for correct display and storage of the session time in the login process.
‍Fusionauth.remember-device (12 months): Stores the check of the device as a trusted device for login.
Federated.csrf (session duration): This cookie is used to protect against cross-site request forgery (CSRF) attacks during federated logins. CSRF attacks aim to trick users into performing unintended actions on a website they are currently logged in to.
app.at (Access Token) (12 months): Stores the user's access credentials for authentication to the server. Required for the correct assignment of rights within the Avrios system.
‍app.idt (ID Token) (12 months): ID token containing the necessary user information to display and identify the user on the client side.
app.at_exp (Access Token Expiration) (1 hour): Stores the duration until the automated expiration of the user session.
‍app.rt (Refresh Token) (12 months): This is a refresh token. It is used to obtain new access tokens without the user having to log in again.

Local Storage:
pagingLimits: Saves the selected display limits within the application.
‍Session.active: Saves the verification status of the session.
‍Account.secure: Stores user and company information to optimize loading times.
‍ucData: Saves the settings from the cookie banner.
‍ucString: Saves a unique ID to recognize the settings in the cookie banner.
upgradeBanner: Saves the display of a notice banner in the event of a license violation.

‍2.5 Storage period
‍Shiftmove will store the data that is processed as part of order processing for as long as our customers instruct it to do so. This instruction exists for the duration of the contractual relationship between Shiftmove and its customers. Shiftmove shall delete the processed data no later than 30 days after termination of the contract or at the instruction of the controller. 

‍2.6 Security of processing
‍Shiftmove attaches great importance to the security of the personal data entrusted to it. In accordance with data protection regulations, Shiftmove undertakes to take all necessary precautions to ensure the security of personal data and in particular to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access and against any other form of unlawful processing or disclosure to unauthorised persons. A comprehensive list of all technical and organisational measures taken can be found in Appendix 2 of our Data Processing Agreement. On request, our team will also provide you with our IT security white paper, which describes in detail all the IT security measures taken. 

‍2.7 Exercising rights as a data subject
‍The fulfilment and protection of data subject rights in accordance with Section 3 of the GDPR is generally the duty of the controller, i.e. the customers of Shiftmove. If you are a user or driver within the Avrios application, please contact the company that purchased your Avrios instance to exercise your data subject rights. You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  Shift Move supports its customers in the fulfilment of requests to exercise data subject rights in accordance with the agreements in our Data Processing Agreement. Please get in touch with your responsible contact person at Shiftmove.

‍IV. Vimcar (Fleet) logbook
‍The Vimcar logbook is available as an app and web software and, in conjunction with the Vimcar hardware (OBD connector or box), enables journeys to be recorded and subsequently categorised and the trip data to be filed and stored in accordance with tax law. The Vimcar logbook is generally only sold to business customers as a processor. In some cases, however, customers may be directly affected by the Vimcar logbook. In these cases, Shiftmove is considered the controller and you will find the information relevant to you below under 1. Under 2. information, on the other hand, you will find information on processing in the context of order processing for the Vimcar logbook. 

‍1. Processing operations as controller

1.1 Connection data
‍When you use our products, we process personal data in order to guarantee the smooth, functional and secure operation of our website and app. The following data may be processed (so-called log files):  Operating system and current IP address (last octet shortened) of the end device with which you visit our website, browser (type, version and language setting), the amount of data retrieved, date and time of access, the URL of the previously visited website (referrer), the URL of the (sub)page that you access on the website, the Internet service provider of the accessing system The purpose of the processing is to ensure the stable and secure operation of our products. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. This website is hosted by the service provider AMAZON WEB SERVICES, EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, with whom we have concluded a data processing agreement. Your data is processed in a European data centre and anonymised 24 hours after collection.

‍1.2 Provision of the application
‍If Shiftmove is not the processor for the provision of the logbook, we also process your personal data for the provision of our product. We process the following data for this purpose - please note that not all data is relevant for the version or product variant you are using: First name, surnameE-mail address, telephone number, mobile phone numberLogbook dataPosition data during the tourStart and end point of toursKilometres drivenCategorisation of private and business tripsContact and address dataVIN (Vehicle Identification Number)Technical vehicle data (e.g. repair status), photos of vehicles (optional when using claims management)Device data and IT usage dataThe vehicle data is transmitted to Shiftmove in encrypted form via the OBD connector (or similar) provided, processed on our systems and prepared for display in the application. The legal basis for the processing is the fulfilment of the contract for the provision of our product in accordance with your order pursuant to Art. 6 para. 1 lit. b GDPR. We process your data for as long as the contractual relationship with you exists and delete it immediately after the end of the contract, subject to statutory retention periods. We transfer your personal data to various recipients for the provision of the Vimcar logbook. You can find a list of all recipients and the corresponding processing activities here. 

‍1.3 Usercentrics consent management
‍We use the Usercentrics Consent Management Platform as a consent management tool as part of the integration of marketing and analysis activities within our products. The Consent Management Platform collects log file and consent data using JavaScript. This JavaScript enables users to use their consent to determine which services and data processing take place within our products, to inform them and to obtain, manage and document the corresponding consents. We process the following data: Data relating to your consent, device data such as your abbreviated IP address and user agent data (browser type, device type, operating system, software version data).The purpose of data processing is to analyse and manage the consents granted in order to comply with our obligation to manage consents in accordance with the GDPR. The use of Usercentrics serves the purpose of providing evidence of granted and non-granted consents and their management.The legal basis for the processing is our legitimate interest in the proper and legally compliant obtaining of consent on our website in accordance with Art. 6 para. 1 lit. c GDPR, § 25 TDDDG.Your data will generally be stored for one year and deleted subject to statutory retention periods. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. Your data is processed exclusively on European servers. We have concluded an order processing agreement with Usercentrics.

‍1.4 Datadog
‍With the help of the Datadog tool, our developers can collect additional data on the use of our platform for faster troubleshooting and identification of bugs. Datadog uses cookies to collect data for this purpose and stores it on your end device. The following data is processed:  User identification data (pseudonymised session ID), device and browser information (e.g. IP addresses, browser type and version, device type, operating system details), behavioural and interaction data (e.g. mouse movements, clicks, keystrokes, scrolling behaviour, page visits), session and performance data (e.g. session duration, timestamps, page load times, network requests and responses), error and diagnostic data (e.g. JavaScript errors, crash reports, console logs, details of page load times, network requests and responses). session duration, timestamps, page load times, network requests and responses), error and diagnostic data (e.g. JavaScript errors, crash reports, console logs, resource loading details), geolocation data (e.g. approximate location derived from IP address)The purpose of the processing is to monitor the performance and stability of our web applications and to analyse user interactions. The aim is to identify errors, improve user-friendliness and diagnose technical problems by collecting session and behavioural data and performance metrics. When using the Session Recording Feeder, no data about your entries within the application is transmitted to Shiftmove. The data is pseudonymised directly on your end device.The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Session recordings are stored for up to 30 days and then automatically deleted. The raw data collected is processed for as long as the consent for processing the data exists. The raw personal data is deleted after 36 months at the latest. However, aggregated analyses and anonymised reports may continue to be stored.For the provision of Datadog, we work with Datadog, Inc. 620 8th Ave Fl 45New York, NY 10018, USA. Data processing generally takes place on servers within the European Union. In the event that a transfer or access to the data, for example in the case of a support enquiry, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Datadog is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing contract with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures. 

‍1.5 Segment
‍We use the Segment service to verify and monitor usage licences. We collect the following data for this purpose:Identification data such as email address, user ID, customer number, pseudonyms such as session IDs or other device-specific identifiers, technical data such as IP address, browser type and version, device type (e.g. smartphone, desktop), operating system and version, interaction and behavioural data such as page views, interactions with functions such as adding vehicles or drivers with respective time stampsThe purpose of the processing is to ensure that customers comply with the agreement of the corresponding service contract and to start automated processes for contract adjustment in the event of under- or over-utilisation of our platform.The legal basis for processing is our legitimate interest in the contractual provision of our services and monitoring the use of our software in accordance with our terms and conditions.We work together with Twilio, 101 Spear St FL 5 San Francisco, CA 94105, USA, to provide Segment. Data processing generally takes place on servers within the European Union. In the event that transmission or access to the data, for example in the case of a support enquiry, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Twilio is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing contract with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures.

‍1.6 Contact You can use the form provided or the available contact information to send us sales and support enquiries and to contact us on other topics. When contacting us via one of our web forms, the data marked as mandatory fields must be provided. When you contact us, we may process your first and last name, email address, company, telephone number and other information relating to your enquiry. The mandatory information, without which it is not possible to contact you, is marked with an asterisk. The data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in the context of the initiation or implementation of pre-contractual measures or the contract with you or on the basis of our legitimate interest in processing and responding to your other request in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Further information is not mandatory for establishing contact and is therefore provided voluntarily on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Your personal data will be deleted - subject to statutory retention periods - as soon as the purpose of storage no longer applies, i.e. your request has been fully processed and no further communication with you is required or requested by you. 

‍Sales enquiries are managed via our internal customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Support requests are managed and processed via our internal customer support tool Zendesk. We work with Zendesk Inc ("Zendesk"), 181 S. Fremont St., San Francisco, CA 94105, USA. We have concluded an order processing contract with Zendesk using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Zendesk is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Live chat within the application allows you to contact our employees directly via the chat window provided for questions. We work with Intercom Inc ("Intercom") 55 2nd Street, Suite 400, San Francisco, CA 94105, USA, to provide the chat function. The legal basis for the use of the live chat feature is your voluntarily given consent. The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Art. 25 para. 1 TDDD. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Intercom to the USA (third country). We have therefore concluded an order processing contract with Intercom using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Intercom is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍1.7 Market research and surveys
‍As part of the use of our applications, we conduct quantitative and qualitative surveys and interviews from time to time. Your personal data is processed as part of these interviews. This includes Name, e-mail address, IP address, communication data and content, survey responses, video and audio recordingsThe processing serves the purpose of measuring the satisfaction of our customers and further developing our products. In the context of contacting you for this purpose, we process your data based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR for the application of existing customers or based on your voluntarily given consent. You can object to being contacted for this purpose at any time and via any communication channel. The legal basis for conducting the surveys is your voluntarily granted consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future. As part of the surveys, you can also voluntarily consent to the recording of interviews. The data will be stored for as long as is necessary for the purpose of processing or until you withdraw your consent. Recordings of interviews are stored for up to 3 years and then deleted if you do not withdraw your consent beforehand.To optimise appointment bookings, we use the Calendly tool provided by Calendly LLC, 115 E Main St., Ste A1B, Buford, GA 30518, USA. We have concluded an order processing contract with Calendly using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Calendly is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍2. Processing within the scope as a Processor
‍‍‍In principle, Shifftmove provides the Vimcar (Fleet) logbook as a processor. A processor is anyone who processes data for external purposes in accordance with the instructions of the controller. The data controllers responsible for the use of the Vimcar (Fleet) logbook under data protection law are our customers. They determine the purposes and legal bases of processing and are also responsible for fulfilling requests from data subjects. In the following, we would like to provide you with the information that can be determined with certainty about the processing from the position as processor.
‍
‍2.1 Categories of data processed:
‍The following categories of personal data are processed as part of the provision and use of our software:
- First name, surname
- E-mail address,
- telephone number,
- mobile phone number
- Logbook data
- Tour data during the tour
- Start and end point of tours
Kilometres driven
- Categorisation of private and business trips
- Contact and address data
- VIN (Vehicle Identification Number)
- Test parameters for carrying out the automated driving licence check (optional when using the driving licence check)
- Technical vehicle data (e.g. repair status), photos of vehicles (optional when using claims management)
- Device data and IT usage data

‍2.2 Purposes of data processing:
‍Below you will find a list of the purposes of processing insofar as they are determined by Shiftmove. Please note that the ultimate purposes of use are determined by the data controller:

‍Provision of the Application: Shiftmove will regularly process the following data as part of the provision of the Application: Personal master data, communication data, device data and IT usage data. The information is stored for as long as Shiftmove provides the product to the customer and the user accounts are not deleted or their deletion is not requested by the customer.

‍Route documentation logbook for vehicles: Various vehicle-related data is processed to create the logbook: GPS location data (approx. 20 second interval) with time and date information, voltage data to the OBD connector (or box), vehicle identification number (VIN), classification as business or private journey.

‍Contact and address management: You can create and manage contacts and addresses within the Vimcar (Fleet) logbook to enable faster allocation within the logbook. The contact's name, address and company are processed for this purpose.

‍Driving licence check: Shiftmove processes the following data to carry out the driving licence check: Personnel master data, communication data, driving licence information, device data and IT usage data. Drivers can be informed by email about the upcoming driving licence check. Driving licences are checked by our service provider LapID. Only the information required to verify the check is stored. 

‍Support: As part of the provision of the service, we regularly process support requests from our users. The following data is processed in this context: Personal master data, communication data, communication histories. 

‍2.3 Recipients of the data processing:
‍Shiftmove selects its processors with the utmost care and only uses processors that offer sufficient security guarantees.The recipients of the data processing in the context of the provision of the Vimcar (Fleet) logbook as a processor are listed conclusively on the following page: https://www.vimcar.de/legal/datenschutz/subunternehmer.

‍2.4 Storage period
‍Shiftmove will store the data processed as part of the order processing for as long as our customer instructs us to do so. aThis instruction exists for the duration of the contractual relationship between Shiftmove and its customers. Shiftmove deletes the processed data no later than 30 days after termination of the contract or on the instruction of the controller. Please note that logbook data and all the raw data required for this are stored for up to 15 years in accordance with currently applicable statutory retention requirements.

‍2.5 Security of processing
‍Shiftmove attaches great importance to the security of the personal data entrusted to it. In accordance with data protection regulations, Shiftmove undertakes to take all necessary precautions to ensure the security of personal data and in particular to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access and against any other form of unlawful processing or disclosure to unauthorised persons. A comprehensive list of all technical and organisational measures taken can be found in Appendix 2 of our Data Processing Agreement. On request, our team will also provide you with our IT security white paper, which describes in detail all the IT security measures taken. 

‍2.6 Exercising your rights as a data subject
‍The fulfilment and protection of data subject rights in accordance with Section 3 of the GDPR is fundamentally the duty of the controller, i.e. the customers of Shiftmove. If you are a user or driver within the Avrios application, please contact the company that purchased your Avrios instance to exercise your data subject rights. You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  Shiftnove supports its customers in the fulfilment of requests to exercise data subject rights in accordance with the agreements in our Data Processing Agreement. Please get in touch with your responsible contact person at Shiftmove.

‍V. Vimcar Fleet Geo
Vimcar Fleet and Fleet Geo is an application for managing vehicle fleets and live GPS tracking of vehicles via a provided box that is connected to the vehicle. When providing Vimcar Fleet Geo, Shiftmove processes data as an independent controller to improve our products. You will find the relevant information on this under 1. Vimcar Fleet Geo is only sold to business customers as a processor. Under 2. information you will therefore find information on the processing of personal data in the context of order processing for the provision of Vimcar Fleet Geo

‍1. Processing operations as controller

1.1 Connection data
‍When you use our products, we process personal data in order to guarantee the smooth, functional and secure operation of our website and app. The following data may be processed (so-called log files):  Operating system and current IP address (last octet shortened) of the end device with which you visit our website, browser (type, version and language setting), the amount of data retrieved, date and time of access, the URL of the previously visited website (referrer), the URL of the (sub)page that you access on the website, the Internet service provider of the accessing system The purpose of the processing is to ensure the stable and secure operation of our products. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. This website is hosted by the service provider AMAZON WEB SERVICES, EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, with whom we have concluded a data processing agreement. Your data is processed in a European data centre and anonymised 24 hours after collection.

‍1.2 Usercentrics consent management
‍We use the Usercentrics Consent Management Platform as a consent management tool as part of the integration of marketing and analysis activities within our products. The Consent Management Platform collects log file and consent data using JavaScript. This JavaScript enables users to use their consent to determine which services and data processing take place within our products, to inform them and to obtain, manage and document corresponding consents. We process the following data: Data relating to your consent, device data such as your abbreviated IP address and user agent data (browser type, device type, operating system, software version data).The purpose of data processing is to analyse and manage the consents granted in order to comply with our obligation to manage consents in accordance with the GDPR. The use of Usercentrics serves the purpose of providing evidence of granted and non-granted consents and their management.The legal basis for the processing is our legitimate interest in the proper and legally compliant obtaining of consent on our website in accordance with Art. 6 para. 1 lit. c GDPR, § 25 TDDDG.Your data will generally be stored for one year and deleted subject to statutory retention periods. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. Your data is processed exclusively on European servers. We have concluded an order processing agreement with Usercentrics.

‍1.3 Datadog
‍With the help of the Datadog tool, our developers can collect additional data on the use of our platform for faster troubleshooting and identification of bugs. Datadog uses cookies to collect data for this purpose and stores it on your end device. The following data is processed:  User identification data (pseudonymised session ID), device and browser information (e.g. IP addresses, browser type and version, device type, operating system details), behavioural and interaction data (e.g. mouse movements, clicks, keystrokes, scrolling behaviour, page visits), session and performance data (e.g. session duration, timestamps, page load times, network requests and responses), error and diagnostic data (e.g. JavaScript errors, crash reports, console logs, details of page load times, network requests and responses). session duration, timestamps, page load times, network requests and responses), error and diagnostic data (e.g. JavaScript errors, crash reports, console logs, resource loading details), geolocation data (e.g. approximate location derived from IP address)The purpose of the processing is to monitor the performance and stability of our web applications and to analyse user interactions. The aim is to identify errors, improve user-friendliness and diagnose technical problems by collecting session and behavioural data and performance metrics. When using the Session Recording Feeder, no data about your entries within the application is transmitted to Shiftmove. The data is pseudonymised directly on your end device.The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Session recordings are stored for up to 30 days and then automatically deleted. The raw data collected is processed for as long as the consent for processing the data exists. The raw personal data is deleted after 36 months at the latest. However, aggregated analyses and anonymised reports may continue to be stored.For the provision of Datadog, we work with Datadog, Inc. 620 8th Ave Fl 45New York, NY 10018, USA. Data processing generally takes place on servers within the European Union. In the event that a transfer or access to the data, for example in the case of a support enquiry, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Datadog is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing contract with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures. 

‍1.4 Segment
‍We use the Segment service to verify and monitor usage licences. We collect the following data for this purpose:Identification data such as email address, user ID, customer number, pseudonyms such as session IDs or other device-specific identifiers, technical data such as IP address, browser type and version, device type (e.g. smartphone, desktop), operating system and version, interaction and behavioural data such as page views, interactions with functions such as adding vehicles or drivers with respective time stampsThe purpose of the processing is to ensure that customers comply with the agreement of the corresponding service contract and to start automated processes for contract adjustment in the event of under- or over-utilisation of our platform.The legal basis for processing is our legitimate interest in the contractual provision of our services and monitoring the use of our software in accordance with our terms and conditions.We work together with Twilio, 101 Spear St FL 5 San Francisco, CA 94105, USA, to provide Segment. Data processing generally takes place on servers within the European Union. In the event that transmission or access to the data, for example in the case of a support request, cannot be ruled out, the following guarantees ensure an appropriate level of data protection in accordance with legal requirements. Twilio is certified under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission therefore applies to transfers of personal data. We have concluded an order processing contract with Datadog using the necessary standard data protection clauses and have established an appropriate level of data protection through additional security measures.

‍1.5 Contact 
‍You can use the form provided or the available contact information to send us sales and support enquiries and to contact us on other topics. When contacting us via one of our web forms, the data marked as mandatory fields must be provided. When you contact us, we may process your first and last name, email address, company, telephone number and other information relating to your enquiry. The mandatory information, without which it is not possible to contact you, is marked with an asterisk. The data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in the context of the initiation or implementation of pre-contractual measures or the contract with you or on the basis of our legitimate interest in processing and responding to your other request in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Further information is not mandatory for establishing contact and is therefore provided voluntarily on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Your personal data will be deleted - subject to statutory retention periods - as soon as the purpose of storage no longer applies, i.e. your request has been fully processed and no further communication with you is required or requested by you. 

‍Sales enquiries are managed via our internal customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Support requests are managed and processed via our internal customer support tool Zendesk. We work with Zendesk Inc ("Zendesk"), 181 S. Fremont St., San Francisco, CA 94105, USA. We have concluded an order processing contract with Zendesk using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Zendesk is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Live chat within the application allows you to contact our employees directly via the chat window provided for questions. We work with Intercom Inc ("Intercom") 55 2nd Street, Suite 400, San Francisco, CA 94105, USA, to provide the chat function. The legal basis for the use of the live chat feature is your voluntarily given consent. The legal basis for the processing is your voluntarily granted consent via our consent management in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Art. 25 para. 1 TDDD. § 25 para. 1 TDDDG. You can revoke your consent to this at any time and with effect for the future via the consent management within the application. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Intercom to the USA (third country). We have therefore concluded an order processing contract with Intercom using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Intercom is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍1.6 Market research and surveys
‍As part of the use of our applications, we conduct quantitative and qualitative surveys and interviews from time to time. Your personal data is processed as part of these interviews. This includes Name, e-mail address, IP address, communication data and content, survey responses, video and audio recordingsThe processing serves the purpose of measuring the satisfaction of our customers and further developing our products. In the context of contacting you for this purpose, we process your data based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR for the application of existing customers or based on your voluntarily given consent. You can object to being contacted for this purpose at any time and via any communication channel. The legal basis for conducting the surveys is your voluntarily granted consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future. As part of the surveys, you can also voluntarily consent to the recording of interviews. The data will be stored for as long as is necessary for the processing purpose or until you withdraw your consent. Recordings of interviews are stored for up to 3 years and then deleted if you do not withdraw your consent beforehand.To optimise appointment bookings, we use the Calendly tool provided by Calendly LLC, 115 E Main St., Ste A1B, Buford, GA 30518, USA. We have concluded an order processing contract with Calendly using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Calendly is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍2. Processing within the scope as a Processor
‍Shifftmove provides Vimcar Fleet Geo as a processor. A processor is anyone who processes data for external purposes in accordance with the instructions of the controller. The data controllers responsible for the use of Vimcar Fleet Geo under data protection law are our customers. They determine the purposes and legal bases of processing and are also responsible for fulfilling requests from data subjects. In the following, we would like to provide you with the information that can be determined with certainty about the processing from the position as processor.

‍2.1 Categories of data processed:
‍The following categories of personal data are processed as part of the provision and use of our software:
- First name, surname
- E-mail address,
- telephone number,
- mobile phone number
- Logbook data 
- Tour data during the tour
- Live localisation and tour documentation
- Vehicle information (VIN (Vehicle Identification Number), licence plate number, model, year of manufacture)
- Test parameters for carrying out the automated driving licence check (optional when using the driving licence check)
- Technical vehicle data (e.g. repair status), photos of vehicles (optional when using claims management)
- Fuel card information (provider, costs, date, product)
- Vehicle bookings (date, vehicle, duration, driver)
- Device data and IT usage data

‍2.2 Purposes of data processing:
‍Below you will find a list of the purposes of processing insofar as they are determined by Shiftmove. Please note that the ultimate purposes of use are determined by the controller under data protection law:

‍Provision of the Application: Shiftmove will regularly process the following data as part of the provision of the Application: Personal master data, communication data, device data and IT usage data. The information is stored for as long as Shiftmove provides the product to the customer and the user accounts are not deleted or their deletion is not requested by the customer.

‍Live GPS route documentation of vehicles: Various vehicle-related data is processed for the live GPS route documentation: GPS location data (approx. 20 second interval) with time and date, voltage data to the OBD connector (or box), vehicle identification number (VIN). Depending on the settings within the system, customers can automatically delete the recorded route documentation and GPS data at regular intervals.

‍Task management: Shiftmove regularly processes the following data as part of mapping internal task management: Tasks and comments, personnel master data, communication data, device data and IT usage data. Please note that the task management forms are free text fields. It is therefore up to the user to control which data is processed within this function.

‍Warning messages: You can set up alerts for vehicles within the applications. Alerts notify the fleet manager if a vehicle leaves or stays in a previously defined area. The alerts can also be defined for specific periods and days. GPS location data, vehicle data, areas and warning periods are processed for this purpose.

‍Fuel card management: Shiftmove processes the following data to provide the function for managing fuel cards and their costs: Personnel master data, communication data, fuel card information, device data and IT usage data. The information is loaded into the application with a delay and, due to the lack of information on the place of payment and use, does not allow the behaviour of drivers to be monitored.

‍Driving licence check: Shiftmove processes the following data to carry out the driving licence check: Personnel master data, communication data, driving licence information, device data and IT usage data. Drivers can be informed by email about the upcoming driving licence check. Driving licences are checked by our service provider LapID. Only the information required to verify the check is stored. 

‍Support: As part of the provision of the service, we regularly process support requests from our users. The following data is processed in this context: Personal master data, communication data, communication histories. 

‍2.3 Recipients of the data processing:
‍Shiftmove selects its processors with the utmost care and only uses processors that offer sufficient security guarantees.The recipients of the data processing in the context of the provision of Vimcar Fleet Geo as a processor are listed conclusively on the following page: https://www.vimcar.de/legal/datenschutz/subunternehmer.

‍2.4 Storage period
‍Shiftmove will store the data that is processed as part of order processing for as long as our customers instruct it to do so. This instruction exists for the duration of the contractual relationship between Shiftmove and its customers. Shiftmove shall delete the processed data no later than 30 days after termination of the contract or at the instruction of the controller. During the introduction of Fleet Geo, customers can specify the storage duration of the route documentation. This specifies after how many months the route documentation should be automatically deleted. The setting can be changed at any time by your contact person at Vimcar.

‍2.5 Security of processing
Shiftmove attaches great importance to the security of the personal data entrusted to it. In accordance with data protection regulations, Shiftmove undertakes to take all necessary precautions to ensure the security of personal data and in particular to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access and against any other form of unlawful processing or disclosure to unauthorised persons. A comprehensive list of all technical and organisational measures taken can be found in Appendix 2 of our Data Processing Agreement. On request, our team will also provide you with our IT security white paper, which describes in detail all the IT security measures taken. 

‍2.6 Exercising rights as a data subject
‍The fulfilment and protection of data subject rights in accordance with Section 3 of the GDPR is fundamentally the duty of the controller, i.e. the customers of Shiftmove. If you are a user or driver within the Avrios application, please contact the company that purchased your Avrios instance to exercise your data subject rights. You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  Shift Move supports its customers in the fulfilment of requests to exercise data subject rights in accordance with the agreements in our Data Processing Agreement. Please get in touch with your responsible contact person at Shiftmove.

‍VI. AI Usage in our Products
‍Shiftmove holds itself accountable and is dedicated to a reasonable and secure usage of AI empowered tools and providers. Shiftmove has established a dedicated AI usage policy and with that only allows a restricted usage of AI reliant tools for the development and provisioning of our products. AI related tools used for the development of the product have no access to any customer personal data. No AI related functionality provided by Shiftmove to customers will establish an automated decision in the sense of Art. 22 GDPR.

Avrios Fines and Invoices Readout Automation
‍The Avrios fleet management system provides the option to manage fines and invoices within the product and automatically generate necessary document templates for further correspondence from the original invoice and fine files.We deploy an optic character recognition system (OCR) based on machine learning and provided by AWS to extract written text from the provided invoices and fines .pdf files. The files are locally processed on our AWS infrastructure where the OCR system is hosted. The OCR output is then reorganized via a locally trained LLM to extract relevant information, such as licence plate, invoice and billing related information, issuing authority, case number, violation and contact information. Users can then generate response templates using the extracted information from pdf. files, e.g. to forward a violation payment to a specific driver. The live customer data processed by this process is never used to train the AI and is not accessible  or in any form retrievable by other Avrios customers. Crucially, it is our strict policy that any user-uploaded PDF documents are not used as training data for the LLM and are retained for a limited time to provide the requested service. Also no data is shared outside of our AWS infrastructure or with other third parties.Our automations around invoices and fines are provided under the relevant package of Avrios and with that are subject to the data processing agreement between Shiftmove and clients.

VII. Storage period
‍Unless otherwise stated in the descriptions of the individual processing activities, we generally process your data for as long as is necessary to fulfil the purpose of the processing. We delete your data in compliance with the statutory retention periods (retention for up to 10 years where applicable) as soon as the purpose of the processing no longer applies or this is required by law, such as when you withdraw your consent.

‍VIII. International data transfers
‍Shiftmove only processes your data on servers within the European Union or the European Economic Area. If Shiftmove processes data outside the European Union, this is explicitly stated in this privacy policy. When transferring your personal data outside the European Union or the European Economic Area, Shiftmove has taken all necessary measures to ensure compliance with legal and regulatory requirements in connection with your personal data. This includes ensuring that there is a lawful basis for the data transfer and that appropriate safeguards are in place to ensure a high level of protection for your data. In addition, we implement measures to ensure the protection of your personal data in accordance with the applicable data protection regulations.Where we transfer your personal data outside the UK, EEA or Switzerland, we will ensure, to the extent required by relevant data protection laws, that at least one of the following safeguards is applied: (1) the transfer is to countries or organisations deemed adequate under data protection law by the European Commission, the UK Government or the Swiss authorities; or (2) we use contractual arrangements approved by those bodies, such as "Standard Contractual Clauses" (SCCs). For more information about the specific mechanisms we use to transfer your personal data, please contact us.

‍IX. Your rightsYou have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  To exercise your rights as a data subject, please contactprivacy@shiftmove.com .You also have the right to lodge a complaint with a competent supervisory authority at any time if you believe that the processing of your personal data violates data protection regulations (Art. 77 GDPR).

The following information shows how we process your personal data when you contact us for the sale of our products or when we work with external service providers.

‍I. Person responsible for data processing 

‍The controller pursuant to Art. 4 (7) GDPR is:

‍Shiftmove GmbH
‍Warschauer Straße 57
10243 Berlin
E-Mail: contact@shiftmove.com
‍Phone: +49 30 555 79 852

If you have any questions or concerns regarding the processing of your personal data or the exercise of your rights, you can contact us using the contact information provided here.

‍II. Data Protection Officer
‍You can contact our data protection officer atprivacy@shiftmove.com or by post at the above address with the addition "Data Protection Officer".

‍III. Contact 
‍You can use the form provided or the available contact information to send us sales and support enquiries and to contact us on other topics. When contacting us via one of our web forms, the data marked as mandatory fields must be provided. When you contact us, we may process your first and last name, email address, company, telephone number and other information relating to your enquiry. The mandatory information, without which it is not possible to contact you, is marked with an asterisk. The data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in the context of the initiation or implementation of pre-contractual measures or the contract with you or on the basis of our legitimate interest in processing and responding to your other request in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Further information is not mandatory for establishing contact and is therefore provided voluntarily on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Your personal data will be deleted - subject to statutory retention periods - as soon as the purpose of storage no longer applies, i.e. your request has been fully processed and no further communication with you is required or requested by you. 

‍Sales enquiries are managed via our internal customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍Support requests are managed and processed via our internal customer support tool Zendesk. We work with Zendesk Inc ("Zendesk"), 181 S. Fremont St., San Francisco, CA 94105, USA. We have concluded an order processing contract with Zendesk using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Zendesk is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. 

‍IV. Advertising contact
‍We process the data of interested parties for the purpose of advertising contact (e-mail, telephone, post). We process the following information for this purpose:NameBusiness contact information (e-mail, telephone)Position and companyInformation on fleet sizeOther company-related data (address, size, field of activity)As part of the approach for this purpose, we process your data based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR for the application of existing customers or customers with presumed consent. You can object to being contacted for this purpose at any time and via any communication channel. You also have the option of consenting to advertising contact based on your voluntary consent. The legal basis is then your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by using the unsubscribe link in the email communication you received or by contacting us using the information provided above.The data will be stored for as long as is necessary for the purpose of processing, or until you withdraw your consent or object to the processing. If you request to no longer be contacted by Shiftmove for advertising purposes, we will store your data in a so-called blacklist for all advertising contacts for up to 3 years and then delete your information.We manage prospect and customer data via our customer relations management system. We work together with the service provider salesforce.com Germany GmbH ("Salesfroce"), Erika-Mann-Straße 31-37, 80636 Munich, Germany. Your data is processed exclusively in European data centres. However, in the case of support requests, data may also be transferred by Salesforce to the USA (third country). We have therefore concluded an order processing contract with Salesforce using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Salesforce is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. For advertising contact by e-mail, we work with the providers Braze, Inc. ("Braze")63 Madison Building 28 East 28th Street, Floor 12, New York, NY 10016, USA and Planhat A/B ("Planhat") Malmskillnadsgatan 13, 111 57 Stockholm, Sweden. We have concluded an order processing agreement with Braze using the EU standard contractual clauses. The EU standard contractual clauses are available on the European Commission's website. In addition, Braze is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data. Planhat processes data exclusively on European servers. We have concluded an order processing contract with Planhat

‍V. Webinars 
‍When you participate in webinars and online events or access on-demand webinars, we also process your name, email address, company, telephone number, IP address and other technically required data, as well as any audio, video and text content you send, your telephone number and your profile picture. The provision of this information is necessary for participation in the webinars. The legal basis for the processing is your voluntary consent pursuant to Art. 6 para. 1 lit. a GDPR. We store your data for as long as it is necessary for the realisation of the corresponding event and delete it, subject to relevant statutory retention obligations, as soon as processing is no longer necessary.We work with the video conferencing software Google Meet, provided by Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland, for the organisation of webinars and online events. The data is generally processed in the EU. However, as a data transfer to Microsoft Inc. in the USA (third country) cannot be completely ruled out, an order processing contract has been concluded with Google using the EU standard contractual clauses. The EU standard contractual clauses are available on the website of the European Commission. In addition, Microsoft Inc. is certified in accordance with the EU-US Data Privacy Framework. The adequacy decision of the European Commission therefore applies to transfers of personal data.

‍VI Storage period
‍Unless otherwise stated in the descriptions of the individual processing activities, we generally process your data for as long as is necessary to fulfil the purpose of the processing. We delete your data in compliance with the statutory retention periods (retention for up to 10 years where applicable) as soon as the purpose of the processing no longer applies or this is required by law, such as when you withdraw your consent.

‍VII. International data transfers
‍Shiftmove only processes your data on servers within the European Union or the European Economic Area. If Shiftmove processes data outside the European Union, this is explicitly stated in this privacy policy. When transferring your personal data outside the European Union or the European Economic Area, Shiftmove has taken all necessary measures to ensure compliance with legal and regulatory requirements in connection with your personal data. This includes ensuring that there is a lawful basis for the data transfer and that appropriate safeguards are in place to ensure a high level of protection for your data. In addition, we implement measures to ensure the protection of your personal data in accordance with the applicable data protection regulations.Where we transfer your personal data outside the UK, EEA or Switzerland, we will ensure, to the extent required by relevant data protection laws, that at least one of the following safeguards is applied: (1) the transfer is to countries or organisations deemed adequate under data protection law by the European Commission, the UK Government or the Swiss authorities; or (2) we use contractual arrangements approved by those bodies, such as "Standard Contractual Clauses" (SCCs). For more information about the specific mechanisms we use to transfer your personal data, please contact us.

‍VIII. Your rights
‍You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will be happy to provide you with information about this personal data and the information listed in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR) under the respective legal requirements. If the processing is based on your consent, you have the right to revoke this consent at any time (Art. 7 para. 3 GDPR); the legality of the processing carried out on the basis of the consent until revocation remains unaffected.  To exercise your rights as a data subject, please contact privacy@shiftmove.com .You also have the right to lodge a complaint with a competent supervisory authority at any time if you believe that the processing of your personal data violates data protection regulations (Art. 77 GDPR).

We are pleased that you are interested in us and that you are applying or have applied for a position at Shiftmove or its affiliated companies. We would like to provide you with the following information on the processing of your personal data in connection with your application.I. Controller and data protection officer:Responsible for the processing of your data is
Shiftmove GmbH 
Warschauer Str. 57 
10243 Berlin

e-mail: kontakt@shiftmove.com
‍Telephone number: +49 30 555 79 852

Shiftmove has also appointed a data protection officer. You can reach him at: .privacy@shiftmove.com

‍II. Application process

‍1. purpose of processing and data categories

‍To process your application, we process the data that you have sent us in connection with your application in order to check your suitability for the position (or any other open positions in our companies) and to carry out the application process. This data regularly includes 

‍Contact details: Name, address, telephone number, e-mail address.
‍Application documents: CV, cover letter, certificates, references.
‍Date and place of birth
Application photo (optional)
Education and qualification data: school-leaving qualifications, studies, training, further education
‍Professional experience: details of previous employers, positions, areas of activity
‍Language skills: Foreign language skills and their level
‍Special knowledge and skills: IT skills, certifications, specialised knowledge.
‍Social profiles: Links to professional profiles such as LinkedIn or Xing.
‍Other information: Interests, hobbies, voluntary work, memberships.

‍2. Legal basis of the processing
‍The legal basis for the processing of your data is the initiation of an employment contract with you in accordance with Art. 6 para. 1 lit. b GDPR. Should the data be required for legal prosecution after completion of the application process, data processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. Our interest then lies in the assertion or defence of legal claims, for example under the General Equal Treatment Act (AGG).If you have consented to further storage of your data in our applicant pool, the legal basis for the storage of your data is your voluntary consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future. To do so, simply contact us using the contact options listed above.

‍3. Recipients

3.1 Service provider
‍To manage our applications, we work with the software Lever, provided by Lever, Inc. 1125 Mission Street, San Franciscio, CA 94103, USA. We have concluded an order processing agreement with the service provider. When using Lever, your data may be transferred to the USA. We have therefore concluded standard contractual clauses with Lever. Lever is also subject to the adequacy decision of the European Commission under the  EU-US Data Privacy Framework.To conduct online interviews, we also work with the video conferencing software Google Meet, provided by Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland. We have concluded an order processing agreement with the service provider. 

‍3.2 Group companies
‍Your application data will be reviewed by the HR department after receipt of your application. Suitable applications will then be forwarded internally to the department managers responsible for the respective open position. The next steps are then agreed. Within the company, only those persons have access to your data who require it for the proper conduct of our application process. In this context, your applicant data may be transferred to employees of our group companies.Vimcar GmbH, Warschauer Str. 57, 10243 Berlin, GermanyAvrios International AG, Weststrasse 50, 8003 Zurich, SwitzerlandAVRIOS POLAND Sp. z o.o., QUICKWORK - 5th floor, UL. FABRYCZNA 6, 53-609 WROCŁAW, PolandAvrios Germany GmbH, Warschauer Straße 57, 10243 Berlin, GermanyAvrios Italy S.r.l., Via Bernardino Telesio 2, CAP 20145, Milan, ItalyTransmission takes place insofar as it is necessary for the implementation of the application procedure. 

‍4. Storage duration
‍Applicant data will be deleted after 6 months in the event of rejection.Following the application process, you may receive an invitation to join our applicant pool. This allows us to consider you for suitable vacancies in our applicant selection process in the future. If we have your consent to do so, we will store your application data for two years.If you have been accepted for a position as part of the application process, the data from the applicant data system will be transferred to our personnel information system.

III. Applicant surveys
‍
‍1. Purpose of processing and data categories
‍To improve our application process, we send out feedback surveys at the beginning, during and after your application. The survey results are always aggregated and pseudonymised. However, if the feedback relates to specific issues, we may be able to establish a link to your person. We process the following categories of data as part of the applicant surveys: 
‍Contact details: Name, e-mail address.
‍Feedback: Comments and feedback texts
‍Technical data: IP address

‍2. Legal basis of the processing
‍The legal basis for the processing of your data is our legitimate interest in improving our application process in accordance with Art. 6 para. 1 lit. f GDPR.

‍3. Recipients 
‍We work together with Starred B.V., Singel 542, 1017 AZ, Amsterdam, Netherlands, to conduct our application surveys. We have concluded an order processing agreement with the service provider.

‍4. storage duration
‍The survey data is pseudonymised and aggregated immediately after collection. Individual responses to feedback questions are deleted after 6 months.

IV. Your rights
You have the following rights regarding your personal data and under the legal requirements: the right to information in accordance with Art. 15 GDPRthe right to rectification in accordance with Art. 16 GDPRthe right to erasure in accordance with Art. 17 GDPRthe right to restriction of processing in accordance with Art. 18 GDPRthe right to notification in accordance with Art. 19 GDPR the right to data portability in accordance with Art. 20 GDPRthe right to object in accordance with Art. 21 GDPR.In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. If the processing of data is based on your consent, you are entitled under Art. 7 GDPR to withdraw your consent to the use of your personal data at any time. Please note that the revocation only takes effect for the future. This does not affect processing that took place before consent was withdrawn. If you wish to withdraw your consent, please use the contact information provided above.