PRIVACY POLICY

PayWithCharlie – Status 20 May 2020

A mobile app of ZIIB Zahlungssysteme GmbH, Otto-Suhr-Allee 144, 10585 Berlin, Germany.

 

General information

ZIIB Zahlungssysteme GmbH (hereinafter referred to as ZIIB) takes users’ right to privacy very seriously. This privacy policy explains how ZIIB collects, stores, shares and uses personal data and how the user of the app can exercise their privacy rights. This Privacy Policy applies only to personal data that ZIIB processes in connection with the PayWithCharlie App and Wallet Services. ZIIB operates the PayWithCharlie App and Wallet Services in accordance with the provisions of the European Data Protection Regulation 2016/679 (“GDPR”) and all other relevant data protection regulations.

ZIIB provides a mobile app – PayWithCharlie, which can be downloaded to a smartphone via the Apple App Store or the Google Play Store.

ZIIB is the publisher of the PayWithCharlie app and it is responsible for the technology and app development. A contractual relationship when purchasing a good/service is established exclusively between the cardholder and the seller of the good/service.

Data are collected when the user provides them, for example data entered during the registration process. In addition, other data are automatically collected by ZIIB’s IT systems during the purchase process via the app. These are mainly technical data (e.g. payment type, vending machine or timestamp of the app call). These data are collected automatically as soon as the user initiates the purchase process. The data are collected and processed for the performance of the contract.

This privacy policy describes how ZIIB ensures data protection and what this means for the user’s use of PayWithCharlie and for ZIIB’s handling of personal data.

Personal data is any data with which you can be personally identified, such as name, title, address, email address, IP address, etc.

Personal data are collected and used only after you have given your consent or where the processing of the data is permitted by legal regulations.

The following regulations provide information on the type, scope and purpose of the collection and processing of personal data.

Relevant personal data (collectively referred to as “Data”) may include: full name, date of birth, residential address, telephone and/or mobile phone number, email address; encrypted account data, in particular password and security question with security response; and technical data of the mobile device with which the PayWithCharlie App is used and which identifies this mobile device as uniquely as possible (“Device Data”). The device data include, in particular, device manufacturer, device type, device properties such as storage space or display resolution, IP address, mobile network operator, network information, operating system and version information and other information on the settings of the mobile device.

This privacy policy applies exclusively to the PayWithCharlie app.

 

1. Collection of personal data

ZIIB collects, processes and uses personal data only to the extent that is necessary for the purchase process. This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures, as well as on the basis of Art. 6 para. 1 lit. c GDPR, which permits processing that is necessary for the fulfilment of a legal obligation to which the controller is subject. We collect, process and use personal data about the use of our website (usage data) only to the extent that is necessary to enable the user to use the service or to charge for it.

 

2. Person responsible for data collection (data protection officer) and contact

 

2.1 Data protection officer

The entity responsible for the user’s personal data is ZIIB Zahlungssysteme GmbH.

The data protection officer on site is:

The data protection officer can be contacted at the above address or by email at: nicole@paywithcharlie.com

 

2.2 Contact

When the user contacts ZIIB by e-mail, the user’s details are processed for the purpose of handling and completing the contact request (Art. 6 para. 1 lit. a GDPR (consent of the data subject) and Art. 6 para. 1 lit. b GDPR).

The user’s details may be stored in a ticket system or comparable request organization. The user has the right to receive information about the origin, recipient and purpose of his/her stored personal data free of charge at any time. The user also has the right to object, to data portability and the right to complain to the competent supervisory authority. Furthermore, the user may request the correction, deletion and, under certain circumstances, the restriction of the processing of his/her personal data. Personal data remains with ZIIB until the user requests deletion, revokes consent to storage or the purpose for storing the data no longer applies (e.g. after the request has been processed).

Mandatory legal regulations – in particular, retention periods under tax and commercial law – remain unaffected.

ZIIB reviews this necessity every two years.

 

3. Data storage and explanation of the legal basis and storage period

If ZIIB has no legal basis for processing the personal data, it will be deleted. ZIIB only stores the collected personal data if there is a continuing business interest in doing so, in order to provide a service ordered by the user or to be able to fulfil statutory retention obligations, e.g. tax law or accounting obligations.

 

3.1. Legal basis for the processing of personal data

According to Art. 6 (1) a) GDPR, the consent of the user is required in order to process personal data. Any consent can be revoked by the user with effect for the future.

When processing personal data that is required to fulfil a contract with the user, Art. 6 (1) b) GDPR is the corresponding legal basis. This also applies to processing operations that are already relevant pre-contractually.

Insofar as processing of personal data is necessary for compliance with a legal obligation of ZIIB, Art. 6 (1) c) GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of ZIIB or a third party, Art. 6 (1) f) GDPR serves as the legal basis for the processing, unless the legitimate interests of the user prevail.

 

3.2. Duration of storage and deletion of data

The personal data collected, processed and stored by ZIIB are generally only stored for as long as the specific purpose of the storage requires. If the purpose of storage no longer applies, the data will be deleted or its processing restricted.

In addition, however, it may be that European regulations, applicable national laws or other regulations require longer storage of the data processed by ZIIB. If these storage periods expire, ZIIB will delete the data or restrict the processing thereof.

If the user deletes the PayWithCharlie app, the data will also be deleted completely.

Legal retention periods remain unaffected. These include the retention obligations under commercial and tax law: German Commercial Code (HGB), German Banking Act (KWG) and the Money Laundering Act (GwG). The periods specified there are two to ten years. If data are withheld as evidence, they are subject to the limitation periods of the German Civil Code (BGB) §§ 195 ff., which can last up to 30 years, with the regular limitation period being three years.

IP addresses are deleted after 90 days at the latest.

 

4. User rights

If the user wishes to view, correct, update or delete their personal data, he/she may do so at any time by contacting the data protection officer named in section 2.

 

4.1 Right of objection

The user may object to the processing of personal data, request ZIIB to restrict the processing of his/her personal data or request the portability of his/her personal data. Here, too, the user can use his/her rights by contacting the data protection officer named in section 2.

 

4.2 Right of revocation

In addition, the user may revoke his consent at any time if we have collected and processed his personal data with his consent. The revocation of consent does not affect the legality of any processing carried out by ZIIB prior to the revocation, nor does it affect the legality of the processing of his personal data carried out on the basis of other lawful legal grounds.

 

4.3 Right of appeal

The user also has the right to lodge a complaint with a supervisory authority regarding the collection and use of his/her personal data. The supervisory authority responsible for this is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin.

5. What data is collected when downloading the PayWithCharlie app

When downloading the PayWithCharlie app, the necessary information is first transferred to the “Apple App Store” or “Google Play Store”. This includes in particular the user name, the e-mail address and the time of downloading the PayWithCharlie app, the payment information and the individual device identification number.

At this point, ZIIB does not collect any data. ZIIB has no influence on the processing of this data by the respective app store. Further information on this at:

https://www.apple.com/legal/privacy

https://policies.google.com/privacy

6. What data is collected when using the PayWithCharlie app

After the app has been downloaded and the purchase/payment process to acquire the goods/service has been initiated, details of the machine, time stamp, means of payment and purchase price are collected anonymously. Since the process is anonymized, this data cannot be assigned to the respective user of the PayWithCharlie app. In case of a malfunction, cancellation or other error during the payment process/purchase, the data is stored in the log file at ZIIB. The data will be deleted immediately after the malfunction or error has been rectified, at the latest after one month from the malfunction/error report.

 

7. Passing personal data to third parties

 

7.1. General information

The personal data are only used for the purposes mentioned and to the extent necessary to achieve these purposes. Passing to third parties takes place – if it takes place at all – only within the framework of the legal requirements.

ZIIB will generally pass personal information to service providers, business partners and other third parties only as necessary to provide its services and in accordance with applicable data protection laws.

ZIIB can disclose personal data to service providers commissioned by it and oblige them to carry out data processing on your behalf (order processing). In doing so, ZIIB observes the strict applicable national and European data protection regulations.

ZIIB can also disclose personal data to other third parties if this is necessary due to a law or legal process or in order to be able to offer and manage PayWithCharlie App if ZIIB has a corresponding legal basis for this. Furthermore, ZIIB is obliged to provide information to a law enforcement agency or another authority. If it is necessary to pass on information for the provision of PayWithCharlie App services to the user or if the user gives his consent, ZIIB is also authorized to disclose data.

 

7.2. Data transferred to third parties

ZIIB transmits personal data to:

a) Computop Wirtschaftsinformatik GmbH, Schwarzenbergstraße 4, 96050 Bamberg in order to offer the PayWithCharlie services. The transmitted data are the data entered by the user during the purchase / payment process and these are stored by Computop Wirtschaftsinformatik GmbH. A token issued by Computop Wirtschaftsinformatik GmbH is stored in the Secure Store on the user’s device. When the PayWithCharlie app is deleted, the token is also deleted, and with it the data.

Further information on Computop’s data protection at: https://www.computop.com/de/datenschutz.

b) E-wallet providers, such as Apple Pay, Google Pay. When the user adds the card to a third-party wallet, the card data and name are transferred to the third-party provider manually or automatically, at the user’s choice. When adding the card to the third-party provider, the user must accept the provider’s terms and conditions, which explain to what extent the user data will be shared and processed.

7.3 Wallet services

When using Apple/Google Pay, data is transmitted to Apple/Google for payment processing.

The following data is transmitted:

– Username

– PAN

– Expiry date

This data is transmitted to Apple/Google in encrypted form. Apple/Google decrypts the data, identifies the card’s payment network (American, Visa, MasterCard) and re-encrypts the data with a key that can only be decrypted by the payment network.

Apple/Google retains anonymized transaction data, including the approximate amount of the purchase, the name of the app developer and the app, the approximate date and time, and whether the transaction was completed successfully.

The transfer of your data to Apple/Google is based on Art. 6 (1) a GDPR (consent) and Art. 6 (1) b GDPR (processing for the performance of a contract). The user has the option to revoke his/her consent to data processing at any time. A revocation does not affect the validity of past data processing operations.

If the user opts for Apple/Google Pay, his/her data will be sent to Apple/Google for payment processing.

 

8. Required app permissions

In order for PayWithCharlie to function properly, it is necessary to grant access to certain smartphone functions and personal data stored on the device. The user is requested once at the beginning or only when using the respective function to grant the appropriate access authorization.

Network Access & Network Connections: Network access (via mobile data connection or WLAN network) is required as the PayWithCharlie app can only be used in online mode. This access is necessary for the functionality of the PayWithCharlie app and cannot be deactivated.

Receive data from the Internet (“receive data from Internet”): This authorization is necessary because the PayWithCharlie app is only functional when there is an existing connection to the internet. Offline operation of the PayWithCharlie app is not possible.

Show network connections (“view network connections”): This access is necessary so that the PayWithCharlie app can determine whether there is an active internet connection. This access is necessary for the functionality of the app and cannot be deactivated.

 

9. Analysis of usage behavior/tools

PayWithCharlie App does not use any analytics tools or any other tools.

 

10. Security standards

In order to protect personal data in particular against accidental or intentional manipulation, destruction, access by unauthorized persons or loss, we maintain up-to-date technical measures. These security measures are adapted to the current state of the art in each case.

The connection established between the user’s mobile device and the ZIIB server is based on the SSL process (Secure Sockets Layer), which means that data are exchanged between the devices in encrypted form.

In addition, PayWithCharlie App uses TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the app operator. For security purposes, this page uses encryption.

Within the framework of the applicable legal provisions, the user has the right at any time to free information about his/her stored personal data, its origin and recipient and the purpose of the data processing and, if applicable, a right to correction, restriction or deletion of this data. The user can contact ZIIB at any time for this purpose and for further questions on the subject of personal data.

In addition, PayWithCharlie App is subjected to an annual audit that checks it for errors, vulnerabilities and also the security standards used. This audit is conducted by an independent, external service provider.

11. Miscellaneous

This privacy policy is updated regularly. Therefore, it is recommended that you review this privacy statement regularly to stay informed about ZIIB’s privacy practices.

This Privacy Policy was last updated on 20 May 2020.