DB Navigator: Privacy Policy

It is possible to use our app without providing personal information. However, using the app to access certain DB services or book a journey can require personal data for our processes. If we need to process personal information and the relevant procedures are not based on existing legal provisions (i.e. a contractual agreement), we will request your consent.

The request for consent will contain information about what data we collect, how we use it and how you can object to your data's usage.

Who is responsible for collecting and processing data?

DB Vertrieb GmbH (Stephensonstr. 1, 60326 Frankfurt am Main, Germany) is the company responsible for collecting and processing your data.

Chief Privacy Officer is Ms Chris Newiger.

If you have any questions or comments regarding our app's privacy policy, please contact us at the following e-mail address: ecommerce-datenschutz@deutschebahn.com

What data do we collect, and why do we process your data?

We collect and process your data only for certain purposes. These can be related to technological requirements, contractual requirements or requests explicitly stated by users.
When you use our app, we have to collect and store certain data (e.g. IP address) for technical reasons.
We require personal information from you when entering into a contract. This data is for DB processes: ticket bookings, payment processing, creditworthiness checks and, if necessary, cancellation and refund management. Your user name and password are collected only when you log in. This happens in connection with the following.

Customer account
You can use your bahn.de customer account to log in.
You must provide the following information when creating an account:

  • Mr/Ms
  • First and last name
  • E-mail address

Our system cannot create a personal account for you without this information. All other personal and travel information is voluntary.
We store your booking data, which also includes information about whether you have a BahnCard, your login data and, if you subscribe to a newsletter as a registered customer, the information in your customer account about your interests. We use this information for internal analysis and market research purposes. Our general goal is to gain insights from this in order to continuously improve our offering. Storing and analysing pseudonymised usage data from online activities serves this purpose as well, and we do not link it to your personal data. Whenever you want, you can object to the pseudonymised processing of data generated by your usage of DB's online services.

Payment details
We store payment details such as information about bank accounts, credit cards, addresses and user IDs to process payments made in connection with ticket and BahnCard bookings.
As our system does not store CVV numbers, it requests this number as authorisation every time someone pays by credit card.
The data is not stored in the app on your phone but in your customer account. Every time you use the app, it accesses this data anew.

Booking tickets
When you book a ticket, our system records contact and identification data for the later inspection of online and mobile phone tickets during travel. The inspector's mobile terminal displays the information on your ticket when it is scanned. The mobile phone ticket is stored on the app.

Buying BahnCards
When you buy a BahnCard, our system records your contact and identification data (e.g. date of birth).

Access authorisation

Certain types of access authorisation are necessary to ensure that the app can function.

Access authorisation for technical reasons: Android (up to and including version 5)
Accessing memory: Changing or deleting USB storage contents to cache card details that are required for displaying card information in the DB Navigator app.
Accessing user accounts: Reading Google service configuration data to search for accounts on the device and activate push notifications (e.g. delay notification)
Accessing networks: Accessing internet data, calling up network connections, complete network access, calling up wifi connections to enable the app to access information
Accessing specific devices: Deactivating sleep mode, managing vibration signals to alert customer to arrival of push notifications (e.g. delay notification)

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: Android (version 6 and higher)
Contacts: Searching for accounts on the device (to activate push notifications, e.g. delay notification)
Other: Accessing all networks, deactivating sleep mode, reading Google service configuration data, performing actions at start, accessing internet data, managing vibration signals, calling up network connections, calling up wifi connections

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: iOS
Mobile data: Accessing internet data outside of a wifi area so that customers can use the app to call up information when travelling

Contacts: Searching for accounts on the device to activate push notifications (e.g. delay notification)

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: Windows Mobile
Mobile data: Accessing internet data outside of a wifi area so that customers can use the app to call up information when travelling

Contacts: Our app gives you the option of sending/receiving information about connections to/from the contacts stored on your end device. It simply uses the contact details you have stored, doing away with the need to input this information manually. Our system does not transfer any other personal details. It accesses your contacts' details only if you have authorised this in your device's settings. If you want, you can use your device's settings to completely prevent the app from accessing your contacts' details.
Other app functions: Using your device's network services, using phone functions, accessing your browser

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

Identifying your location
The app offers services and information regarding your current surroundings, in order to use your current position for a journey's start/end or identify stops in your vicinity. Your current location must be sent to the system so that you can use these functions.

The app identifies your location only if you have authorised this in your device's settings. If you are using an Android phone, authorisation takes place when you confirm that you want to download the app, or you can use your device's settings to provide authorisation. If you are using a Windows Mobile phone or iPhone, you provide authorisation either via a dialogue window when you first use the app or via your device's settings.

The legal basis for processing your location is your approval pursuant to Article 6(1)(a) GDPR.

Our system uses this data only to manage the information that you request. By deactivating the relevant settings, you can prevent your device from accessing your location and so revoke your consent whenever you wish.

Push notifications
We believe it is beneficial to provide you with information about important events and updates (e.g. delay notification) as part of our customer service, even if you are not using the app. This information is sent via push notifications.

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

The app sends you alerts only if you have provided your explicit consent. When you first open the app, we ask if you want us to send alerts to your mobile end device. If you are using an Android phone, authorisation takes place when you confirm and download the app. If you are using an iPhone, you provide authorisation via a dialogue window when you first use the app.

You can deactivate push notifications in the app's settings or your device's settings and so revoke your consent whenever you wish.

Push notifications are currently not available for Windows Mobile devices.

Calendar
Our app provides you with the option of adding your connection's details to your device's calendar. The app needs access authorisation for this, and our system requests this authorisation when you start using it. Access is necessary so you can use the app to select the right calendar for storing your connection's details. The app does not store any other personal or usage-related data.

The legal basis for these data processing activities is your consent pursuant to Article 6(1)(a) GDPR.

You can revoke your consent whenever you wish via your device's settings.

Maps
Our app can show you a map to provide you with directions or information about your surroundings.
If you are using an Android phone, the app uses the Google Maps service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). This service receives your IP address in order to display the map.

The legal basis for this is Article 6(1)(b) GDPR.

The relevant privacy policy is available at https://www.google.com/intl/en_en/policies/privacy/.
You can use https://www.google.com/intl/en_en/policies/technologies/product-privacy/ to select the privacy policy settings you want.

If you are using an iPhone, the app uses the map service from Apple Inc. (1 Infinite Loop, Cupertino, CA 95014, USA). Apple receives your IP address only after you have authorised the use of the map service.

The legal basis for this is Article 6(1)(b) GDPR.

You can use your device's settings to select the privacy settings you want.

Komfort Check-In
Komfort Check-In gives you an option for automatically validating your mobile phone ticket on certain DB Long-Distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:

  • Ticket ID / order number
  • Passenger's first and last names
  • BahnCard number
  • Name of BahnCard holder

Offers related to your booking
We reserve the right to contact you after you have made a booking and send you offers of similar products and services to the e-mail address you used in the booking. You can revoke your consent at any time by clicking the unsubscribe link in the e-mail.

Newsletter
When you subscribe to one of our newsletters, we store the following information:

  • E-mail address

In this situation, we may use your e-mail for commercial purposes.
During the subscription process, we save the IP address of the end device you are using at the time of registration, and we also save the date and time of registration. This information plays a part in our legal protection activities: we need it so that we can react to the (possible) misuse of someone's e-mail address at a later point in time.
You can unsubscribe from a newsletter whenever you want by clicking the unsubscribe link at the bottom of your newsletter.
If you revoke your consent to the commercial usage of your data, it is only used for statistical purposes and is anonymised for this.

Legal basis of data processing
If you provide consent for your data to be processed, this serves as the legal basis pursuant to Article 6(1)(a) GDPR.

When processing personal data that is necessary to meet contractual obligations with you, the contract pursuant to Article 6(1)(b) GDPR serves as the legal basis. Article 6(1)(b) GDPR also applies to processing activities necessary for meeting pre-contractual measures, such as questions regarding our products and services.

If a legal obligation requires our company to process personal data, such as meeting tax-related obligations, such processing is based on Article 6(1)(c) GDPR.

To continuously improve our offering, we use cookies to store a pseudonymised ad ID/pseudonymised ad ID usage. The legal basis for this is Article 6(1)(f) GDPR.

We believe it is beneficial to maintain a relationship with you as a customer and provide you with information and offers which we think may match your travel needs and personal interests. We therefore process your data to send you information and offers. This processing is based on Article 6(1)(f) GDPR and may involve support from service providers. We use your contact details (name and e-mail address you provide us within the context of our business relationship) for advertising and market research activities if you do not explicitly revoke your consent to such usage.
You can revoke your consent to the future commercial processing of your data whenever you wish. Please send this revocation to ecommerce-datenschutz@deutschebahn.com

Does DB AG forward data to other parties?

The work of processing contracts generally requires the involvement of processing parties issued with instructions. Such parties include computer centre operators, printing and delivery services, and other service providers tasked with roles relating to contract fulfilment. We also involve external service providers in market research activities.
External service providers that process data on our behalf are carefully selected by us and subject to strict contractual obligations. These service providers follow our instructions, something which is guaranteed by means of strictly regulated contracts, technical and organisational measures, and supplementary checks.
We forward your data only if you have provided your explicit consent or if this is absolutely required due to legal obligations.
Your information will not be forwarded to third party states outside the EU/EEA or to international organisations in the absence of suitable guarantees. These include EU standard contract clauses and a suitability resolution from the EU Commission.
When buying a BahnCard, you conclude a contract with DB Fernverkehr AG. We forward your submitted data to this company to this end. Details are available in the relevant General Terms and Conditions (GTC). We merely process the payment and save your submitted data to this end.
It may be necessary to forward information for contract processing purposes if there are irregularities in the payment procedure or if payment fails to take place. In such a situation, we forward payment-related data to a debt collection company.
The legal basis for this is Article 6(1)(b) GDPR.

How long is your data stored?

We retain your data only as long as is necessary to meet the purpose for which it was collected (e.g. as part of a contractual relationship) or as long as retention is required by law. For example, as part of a contractual relationship, we retain your data at least until the complete fulfilment of the contract. Afterwards, we store your data for the duration of the legal retention period.

Are cookies used?

We use cookies on our app for analytical purposes. Cookies are small text files that can store data on your end device. It is also possible to use the app without cookies.

Improving the user experience

We produce statistics about our app's usage in order to continuously improve the experience for our users. As part of this, we use the analysis tools Adobe Analytics, Optimizely and Qualtrics.
The tracking measures which we use and which are named below are based on Article 6(1)(f) GDPR. By using the relevant tracking measures, we hope to ensure that the app's design is fit for purpose and that the app can be optimised on an ongoing basis. Similarly, we use tracking measures to compile statistics regarding our app's usage and evaluate these figures in order to optimise our offering for you. These interests are legitimate in line with the above-named regulation.

We make use of the tag management service Tealium IQ (Mindspace, Viktualienmarkt 8, 80331 Munich, Germany) for the purpose of dynamically adapting the Navigator and managing dynamic contents.
We evaluate your data without linking it to your person. This entails anonymising your IP address.
Our service providers are contractually obliged to handle your data in line with privacy requirements.
Your right to object: You can revoke your consent to the storage of your data for analytical purposes by deactivating the option for using app data in statistics in the section "Right to object". This deactivates the following analytic tools.

Adobe Analytics
Our app uses the analysis service Adobe Analytics (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). This service uses cookies stored on your mobile end device that permit the generation of statistics regarding the app's usage, enabling us to see how often which app sections and texts are read and used, and whether our app's design has an impact on how much it is used.

The information generated by the cookie is transferred to an Adobe server in the USA, where it is stored. Your IP address is anonymised before this takes place. Adobe's cookie lasts for 24 months.

Optimizely
Our app uses Optimizely, a web analysis service from Optimizely Inc. (631 Howard Street, Suite 100, San Francisco, CA 94105, USA), to simplify the handling of A/B tests and personalisation campaigns for the app's further development. The information stored by the cookie about your usage of our app is generally transferred to an Optimizely server in the USA, where it is stored.

Optimizely's cookies last for 24 months.
Optimizely's abbreviates the IP address beforehand within EU member states or other member states party to the European Economic Area treaty. Only in exceptional circumstances, such as a server outage, can the full IP address be transferred to an Optimizely server in the USA and abbreviated there. Optimizely does not merge the IP address forwarded by your browser with other data it stores.

Qualtrics
We invite our app's users to take part in surveys in order to continuously improve our offering and services. To this end, we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA).

Qualtrics's cookies prevent users from participating in a survey multiple times within a specific period. Qualtrics's cookies last for 12 months. Participating in surveys is voluntary.

Use of m-pathy
Technology from m-pathy GmbH (Königsbrücker Str. 34, 01099 Dresden, Germany) in the form of the product m-pathy is deployed in our app to collect and save session- and interaction-related data in connection with the app's usage. This information is used to improve the content and user-friendliness of the app. To this end, cookies are also deployed and remain active for a period of 24 months.

Use of Firebase Crashlytics (only DB Navigator Beta for Android)
Firebase Crashlytics, a technology from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), is deployed in our app. In the event of an app crash information is transmitted to us anonymously via Firebase Crashlytics, in order to find the cause of the respective crash and fix it faster. The transmitted data is purely technical and does not relate data to individuals.

Interest-related online advertising

Exactag
We use the analytics service of Exactag GmbH (Philosophenweg 17, 47051 Duisburg, Germany) in our app. Cookies store information about how you use the app, and this information includes your IP address. It is anonymised beforehand. Exactag's cookie lasts for 12 months.
The legal basis for this is Article 6(1)(f) GDPR.

Your right to object: You can change the app's settings via the usage data option in the "Right to object" section.

Adform
To facilitate interest-related ads, we use technology from Adform A/S (Wildersgade 10B, 1, 1408 Copenhagen K, Denmark). Our app uses cookies and/or ad identifiers (IDFA for IOS devices, Google Advertising ID for Android devices, Windows Advertising ID for Microsoft) to this end. Pseudonymised usage profiles are used for storing information such as operating system, browser version, anonymised IP addresses, geographical location, GPS, wifi access points and the number of clicks or views. The cookie lasts for 12 months. The data is used for the following:

  • Recording the number of people visiting our app
  • Recording the sequence of pages people click on when visiting our app
  • Optimising the app

The legal basis for this is Article 6(1)(f) GDPR.

Your right to object: You can change the app's settings via the usage data option in the "Permissions" section.

Personal offers and special-offer campaigns

In order to make our offering more interesting to you as a user, we would like to provide you with customised contents based on your previous and current usage behaviour. The legal basis for these data processing activities is Article 6(1)(f) GDPR.
If you have a bahn.de customer account, you can see personal offers and special-offer campaigns when using the app if you are logged in on your account at the same time. To structure and output these contents, our system adds a cookie that lasts for 12 months when the app is used. We forward the data generated by the cookie as anonymised information to our analysis service provider CrossEngage GmbH (Gontardstr. 11, 10178 Berlin, Germany).
We have concluded a processing contract with CrossEngage to this end.

You can revoke your consent to seeing personal offers and special-offer campaigns in the app by deactivating the relevant option in the "Right to object" section. This prevents a cookie being added, which means our system does not collect data.

What rights do DB Navigator users have?

  • You can submit a request to see what personal details of yours are stored in our system.
  • You can ask us to correct and delete your personal data or restrict its processing (block) provided this is legally permissible and is possible within the context of the current contractual relationship.
  • You have the right to submit a complaint to a supervisory body. The supervisor responsible for DB Vertrieb GmbH: Data Protection Officer for the State of Hesse (Der Hessische Datenschutzbeauftragte), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany. E-mail: poststelle@datenschutz.hessen.de
  • You have to right to the transferability of the data you have supplied us within the context of consent or a contract (data portability).
  • If you have provided us with consent to data processing, you can revoke it in the same manner as you supplied it. Revoking consent does not affect the legal standing of any processing which took place prior to the withdrawal of consent.
  • You can revoke your consent to data processing due to reasons relating to your specific situation if such processing is performed on grounds relating to our justified interests.
  • You can revoke your consent to receiving advertising whenever you wish and with future effect (right to object to advertising).

To make use of this right, you can send notification of your objection in writing to the following address:

DB Vertrieb GmbH
Stephensonstr. 1
60326 Frankfurt am Main
Germany

Or you can contact us via e-mail: ecommerce-datenschutz@deutschebahn.com

How up-to-date is this privacy policy?

We update our privacy policy to suit changes to technical functions or legal conditions. As a result, we recommend that you read the privacy policy at regular intervals. If your consent is necessary or elements of the privacy policy contain regulations concerning the contractual relationship with you, the changes are made only with your consent.

Status: November 2019

Changes to the version dated November 2018:

  • Removal of Appsee

Changes to the version dated July 2018:

  • Addition of Firebase Crashlytics
  • Addition of Appsee

Changes to the version dated June 2018:

  • Addition of m-pathy

Changes to the version dated December 2017:

  • Addition of section "Personal offers and special-offer campaigns"
  • Addition of information about slider buttons in DB Navigator and about modifications to the texts concerning Adobe Analytics, Optimizely, Tealium and Adform
  • Modification of regulations in the EU GDPR

Changes to the version dated July 2017:

  • Modifications regarding analysis with Adobe Analytics
  • Addition of information about interest-related online advertising from Adform
  • Inclusion of Exactag and Optimizely in web analysis activities
  • Description of Tealium tag management

Changes to the version dated April 2017:

  • Inclusion of Komfort Check-In service
  • Addition of information about interest-related online advertising from Adform