Privacy Statement for the IONITY App

Effective as of: August 2024

1. Subject of this privacy statement

The protection of your personal data (hereinafter referred to as "data") is a major and very important concern for us. In the following, we would therefore like to inform you in detail about which data is collected during your usage of our App and how these are processed or used by us in the following. Furthermore, we would like to inform you about the rights you are entitled to and the technical and organisational protective measures we have taken with regard to the processing of your data.

2. Name and address of the data controller and service provider

Responsible in terms of the basic data protection regulation (DSGVO) and at the same time service provider in terms of the German Digital Services Act (“Digitale-Dienste-Gesetz” -DDG) is IONITY GmbH, Moosacher Straße 84, 80809 Munich, Germany, see our imprint.

Please address any questions or comments about this privacy policy or about data protection in general to the above address or by e-mail to dataprotection@ionity.eu.

You can contact our data protection officer as follows:

IONITY GmbH
Data Protection Officer
Moosacher Strasse 84
D-80809 Munich, Germany

dataprotection@ionity.eu

3. General information about data processing

a. Legal basis for the processing of personal data

It is necessary to process personal data in line with the usage of our charging services through the IONITY App. We will only process your personal data in the context of:

  • the execution of the contract is subject to Article 6(1)(b) European General Data Protection Regulation (hereafter “GDPR”), in order to offer you our charging services and to provide invoices and payment processes.
  • the legal commitment is subject to Article 6(1)(c) GDPR, which for example includes the retention of invoices and contracts.
  • the legitimate interest of our company is subject to Article 6(1)(f) GDPR, in order to provide and where necessary improve or adjust the security, availability and capabilities of our charging infrastructure and the corresponding processes as well as creating anonymised statistical analyses.
  • your freely given consent is subject to Article 6(1)(a) GDPR covering activities and offers, which exceed the legal basis of data processing (e.g. direct marketing, customer satisfaction surveys).

b. Categories of personal data which will be processed whilst using the IONITY App

Generally, we will process the following personal data whilst using the IONITY App (Download, installation, login/registration, charging, invoicing). Details and process related data will be covered in section B: Details of individual data processing steps.

General data / personal contact information

  • Names
  • E-mail address
  • Personal address data / invoicing address
  • Date of birth / age
  • Phone number (optional)

Contractual data

  • Contractual data/ subscription
  • Invoicing and payment data
  • Bank account data / credit card data
  • If applicable, tax number / VAT ID or other tax information
  • Contractual history / Usage history

Services and IT (Usage) Data

  • Device Code
  • Access Data
  • Identification Data / IDs
  • Telecommunications data / Message content
  • Usage and access data / Meta data

c. Special categories of personal data and personal data of children

We will not collect or process any data which falls under the special category for personal data. This includes according to Article 9 GDPR data that specifies racial or ethnical origin, political opinion, religious or ideological beliefs or trade union membership, as well as genetical data, biometric data to clearly identify a natural person, health data or data relating to sexual life or sexual orientation.

Children should not transfer any personal data to us or use the IONITY App without parental or legal guardian consent. The obligatory supervision lies with the legal guardian. We do not knowingly ask for nor process personal data of children.

d. Service providers and data transfers to third parties

We utilise processors to help implement our services. Those processors have been carefully chosen and are embedded via contractual obligations for data processing according to Article 28 GDPR.

We will transfer your data to our payment providers (e.g. terminal provider) in order to process your payment. Payment service providers are also obligated to provide a certified PCI DSS Compliance (Payment Card Industry Data Security Standard), which we check on a yearly basis for data processing compliance.

Categories of recipients:

  • Payment Service Provider
  • Technical Backend Provider
  • Invoice service provider
  • Customer support
  • IT service provider
  • Publicity firm
  • Consulting firms
  • Software developer

Your data will otherwise only be passed on to other third parties if this data protection declaration expressly refers to this or if we are legally obliged to do so.

e. Data processing in third party countries outside of the European Union

We will transfer data for data processing to service providers and vicarious agents who are situated in third party countries. By closing Standard Data Protection clauses we are ensuring that all data protection levels are met. All our service providers in third party countries are processing the data as instructed by us and are bound by contract. We are transferring data to the following third party countries:

  • USA: Article 46(2)(c) GDPR covers the adequate data protection levels through Standard Data Protection Clauses (SDPC) for data transfers between EU and non-EU countries
  • USA: Article 45 (1) GDPR if the service provider is certified under th.

f. Security level for data processing

We as well as our contractually bound processors are utilising the most up to date technical and organisational security measures to protect your data from accidental or deliberate manipulation, loss, deletion or unauthorised access. Those security measures will be continuously improved upon in line with technological developments.

4. Details of individual data processing steps

a. Data processing when downloading the IONITY App

We only offer the IONITY App via Apple App Store (iOS) and Google Play Store (Android).

If you download the IONITY App using an app store the following data will be transferred to the app store: user name, email address, your account number, time of download, payment information and individual device ID. We cannot influence this, and this process is not part of the data processing for the IONITY App but remains with the usage requirements of the relevant app store. For further information please contact the information centre or data protection information of the app store providers:

b. Data processing whilst installing and using the IONITY App – technically necessary data and logfiles

The following data will be transferred to us when you install and use the IONITY App on your device:

  • Device ID (ID of App (iOS Vendor ID or Android Add-ID [GAID])
  • App version (clientApplicationVersion)
  • App operating system version (clientOsVersion)
  • IP Address
  • Date and time of request
  • Timezone difference from Greenwich Mean Time (GMT)
  • Contents of account (precise page)
  • Access status/HTTP status code
  • Respectively transferred data volume
  • Device type and manufacturer
  • UDID

We collect and process this data in order to ensure the functionality, stability, improvement and security of the IONITY App. The legal basis for the data processing is Article 6(1)(b) or (f) GDPR. We will delete the data as soon as it is not needed anymore for the afore mentioned process. Should we save an IP address, we will delete or anonymise this no later than 7 days. The collection of this data as well as the storage of this data in logfiles is essential for the usage of the IONITY App.  

c. Data processing when creating and using a customer account in the IONITY App

In order to use the IONITY App you require a customer account, which can be created in the IONITY App free of charge. The personal data which is required as part of the registration process are:

  • First Name
  • Last Name
  • Address
  • Email Address
  • Charging data
  • Birth date
  • Password (encrypted and not readable)
  • Optional credit cards or other payment information and, if applicable, tax informations; Those are needed for the charging process.

We require this data in order to execute the contract, to offer you the services of our charging service and to issue invoices (Article 6(1)(b) GDPR). You will be able to change the above information within the IONITY App at any time.

In order to meet the needs of customers and the emobility infrastructure we create statistics based on anonymized customer data. This data processing is based on Art. 6 (1) (f) GDPR.

If you want to delete your IONITY user account, you can request this by email to our customer support (support@ionity.eu) or delete the account in the app. We will delete your account without delay. If you have already charged at one of our chargers or if the charging process failed, this will cause documents which are relevant for billing. We are legally obliged to retain those documents for up to 10 years due to retention periods in commercial and tax law). In general, IONITY keeps personal data no longer than necessary for the purpose of how they were collected and processed.

It is also generally possible to access our services without registration and without the IONITY App. You can do so by visiting our mobile website on https://payment.ionity.eu .

d. Storage location of customer data

Your customer data will be stored within a cloud environment, which is provided through Amazon Web Services EMEA SARL (‘AWS’) within the European Union (region Frankfurt -Germany).

e. Data processing during a payment process

In order to settle the services (charges) through our IONITY App we require, in addition to your customer account information, your credit card or other payment information. The personal data required depends on the payment method chosen. You can provide this data when setting up your customer account or when you charge your vehicle. This information is mandatory for the payment and invoicing process. There cannot be a charge with the IONITY App with missing payment information.

  • Payments: We will securely pass on your credit card or other payment details of your charge to our payment service provider immediately after the conclusion of your charge together with the to be charged amount. We will solely send your payment details for one charge.
  • Invoicing: Additionally, we will pass your first name, last name, address, telephone number, email address and, if applicable, tax informations to our invoicing service provider in order to send you an invoice with the relevant legal requirements. The data processing is handled securely and only for one charge.

5. Details of technical data processing

a. Permissions for your device

In order to fully utilise the functionality of the IONITY App, we recommend that you enable the location function of the IONITY App. Through the usage of GPS data and location details from WIFI hotspots and telephone poles we can identify your approximate location to check if you are in the proximity of an IONITY charging station. IONITY can use this information to store and process locations and to improve our services. Should you wish to scan one of our QR-Codes available on our charging stations, we will ask you for permission to utilise your camera. We will ask you for specific permission to access your location or your camera, which you are able to reject. You will be able to utilise the IONITY App without the usage of the location or camera functionality.

b. Cookies and similar technologies

Whilst using the IONITY App and Website, we are using cookies which your device browser and/or the IONITY App have saved short-term (‘Session’-Cookies) or long-term (‘permanent’-Cookies). Cookies are small data sets with information which our server and/or third party servers send to your browser to send them again to our server and/or the third party server during your next visit.

We utilise Google Analytics Firebase (subsequently Google Firebase) to analyse the usage of the IONITY App. The provider is Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland.

We are using the following Google Firebase products for the IONITY App: Crashlytics, Google Analytics for Firebase and Cloud Messaging (described in detail under paragraph 5c. “Notifications and push services”). These products process different data categories for different intended purposes:

  • Google Analytics for Firebase: We process the following data for analytics: device information, information about the utilised IONITY App, data for the usage of the app, locations, user ID and information relating to individual enquiries within the app (events). We utilise the data in order to analyse the interaction of the IONITY App as well as the reactions and execution of the IONITY App and, based on the results, to improve the usability and functionality. The legal basis for processing the data is as per Article 6(1)(a) GDPR.
  • Firebase Crashlytics: For Firebase Crashlytics we are using data for the undertaking of the IONITY App, inclusive of the type of used operating system, information about disruption during operations (type of disruption, time of disruption, duration of disruption, utilisation of the IONITY App at the time of the disruption) and device information. On the basis of this data, we are able to efficiently correct errors and promote IONITY App stability when noting disruptions or problems with the operations of the IONITY App. The processing of the data is subject to Article 6(1)(f) GDPR. We have a legal basis to identify and rectify stability problems which impact the quality of the IONITY App. This results in increased usability for our customers. Data will be deleted after 90 days.

Information collected by Google Firebase may be transferred to and retained in the US. The adequate level of protection is safeguarded by and adequacy decision according to Art. 45 (1) GDPR and Standard Data Protection Clauses according to Art. 46 (2)(c) GDPR. Collected information is pseudonymised and transferred to Google Firebase. You can find more information regarding Privacy in Google Firebase here: https://firebase.google.com/support/privacy.

c. Email and SMS-Notifications as well as push services

We can provide you with different notifications types and content. We distinguish between mandatory and optional notifications.

Mandatory notifications are notifications, which are utilised for verification, security and transparency of service fulfilment.

Email

  • to verify your account during the registration process
  • to communicate with you during support and clarification cases.
  • to provide digital invoices and receipts.

Push notifications in the IONITY App

  • Account, tariff, availability and security information as well as IONITY App related information about new or changed functions as well as updates.

Optional notifications are notifications which improve the usage of our services or inform you about general offers and publications. In order to be notified about the progress of the charging process, you will have the option to receive push notifications through the IONITY App. We will ask for your consent as part of the installation / initialisation of the IONITY App, which you can refuse at any time. You will also be able to deactivate those settings within the notification settings of your device.

  • News, updates, marketing campaigns

Furthermore, we are offering as part of the registration and usage of our IONITY App optional notifications which will inform you outside of the usage of the IONITY App about relevant developments with IONITY (e.g. the opening of new stations) or special offers, marketing campaigns and news. We will only send you those optional notifications if you have given us your consent (marketing consent). This information can be sent via email, SMS and push notifications.

We are using Amazon Simple Notification Service and Amazon Simple Email Service for email services provided by Amazon Web Services (subsequently AWS). We will use this service to send automated emails to you. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg.

  • Firebase Cloud Messaging

App internal messages and push notifications are provided by Google Firebase Cloud Messaging. The provider is Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland.

Firebase Cloud Messaging allows us to send you targeted and context relevant message in order to keep you up to date and to encourage you to utilise the IONITY App. We process information for subject, type of message, time of sending the message and if and when the message was received and read. We partially use this data in the context of analysis.

The legal basis for our push notification depends on the content of the notifications:

  • Art. 6(1)(f) GDPR - We have a legitimate  interest to verify your account email address and deliver system and service-relevant information such as information regarding availability, maintenance, failures and changes as well as relevant functional changes or new releases of the IONITY app as fast and efficient as possible.
  • Art. 6 (1)(a) GDPR - We want to send you marketing information and other offers regarding our services. We will only send you these notifications if you have given consent to receiving such information. You can always withdraw consent in the app settings (Data protection - status of your consent - move the slider to deactivate).

d. Map services

Apple Maps (iOS)

For the purpose of displaying maps within our IONITY App as well as being able to show nearby IONITY charging stations (it is required to access your location data through the GPS function on your mobile device) we are using Apple Maps, a service of the Apple Inc. (Infinite Loop, Cupertino, CA 95014, USA, ‘Apple’). For the usage of our IONITY App we will send Apple information that you are using the IONITY App as well as information about the usage of the map functionality. Should you be logged in with Apple, this information will be allocated to your Apple user account. Should you not wish to utilise this functionality, you will need to log out of your Apple account before using the IONITY App. The legal basis for the processing of data is Article 6(1)(f) GDPR. We are not able to influence the data collection and processing of Apple.

You can find additional information about the data processing through Apple on their data privacy notice, which can be found here: https://www.apple.com/de/privacy. .

Google Maps (Android)

For the purpose of displaying maps within our IONITY App as well as being able to show nearby IONITY charging stations (it is required to access your location data through the GPS function on your mobile device) we are using Google Maps, a service of the Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ‘Google’). For the usage of our IONITY App we will send Google information that you are using the IONITY App as well as information about the usage of the map functionality. Should you be logged in with Google, this information will be allocated to your Google user account. Should you not wish to utilise this functionality, you will need to log out of your Google account before using the IONITY App. The legal basis for the processing of data is Article 6(1)(f) GDPR. We are not able to influence the data collection and processing of Google.

You can find additional information about the data processing through Google on their data privacy notice, which can be found here: https://policies.google.com/privacy .

e. Feedback and ratings

App Feedback

Users can voluntarily provide feedback on the app by selecting the appropriate button within the IONITY app. The feedback can be requested in various forms, such as star ratings, multiple choice questions or free text forms. The app feedback is submitted and evaluated anonymously. No personal data is collected or analyzed.

Evaluation dialog after a charging process

After completing a charging process, you may be asked to submit a rating. The rating can take the form of a star rating, multiple choice questions or free text forms and is voluntary. If you submit a rating, it will be saved together with the location of the charging station and a time stamp. The time stamp is shortened by the time of day. This means that only the day of a rating can be traced, not the exact time. This prevents a rating from being assigned to a specific charging process.

Technical data collection in connection with feedback and ratings

As feedback and ratings are transmitted via the Internet and collected centrally, it is technically unavoidable that data such as IP addresses, time stamps and possibly individual device information, such as the operating system, are processed temporarily. However, this data is discarded after transmission and is neither stored nor analyzed.

f. Recording user behavior for advertising purposes

Based on your explicit consent, we evaluate certain details of your usage behavior of the app and interaction with advertising messages. The processing is therefore carried out on the legal basis of Art. 6 Section 1 a) GDPR and you can revoke your consent at any time in the app's data protection settings. Data points that we collect are, for example, whether you start and then cancel a purchase or which advertising measures you are most likely to respond to, depending on the time and the messaging channel, such as push notification or email. For this purpose, we use the CRM tool from Braze. Inc based in the USA. We use Braze to derive the ideal marketing strategy from your previous behavior.

6. Rights of the data subject

6.1. Your rights

As per Article 15 GDPR you have the right to be informed with clear and concise information about what we do with your personal data and you have the right to ask us to access your personal data we process about you. As per Article 16 GDPR you have the right to ask us to rectify inaccurate personal data or complete them if they are incomplete. As per Article 17 GDPR you have the right in certain circumstances to ask us to erase your personal data (“Right to be forgotten”). As per Article 18 GDPR you have the right to ask us to restrict the processing of your data. As per Article 20 GDPR you have the right to ask to ask us to receive the personal data which you have provided to us in a structured, commonly used, and machine-readable format and you have the right to ask us to transmit those data to another controller without hindrance. With regards to the right of information the restrictions of § 34 of the German Federal Data Protection Act applies and for rights of data deletion § 35 of the German Federal Data Protection Act applies.

If we process your data because of legitimate interests according to Article 6(1)(f) GDPR or for the performance of a public task according to Article 6(1)(e) GDPR and there are legitimate reasons against this processing due to your particular situation, you have the right to object to this processing as per Article 21(1) GDPR. In the event of an objection, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

You have a right to object without restrictions to any form of processing your data for the purpose of direct marketing, according to Article 21(2) and (3) GDPR .

Provided we process your data on the basis of having received your consent, you have the right to revoke your consent at any time. Your data will then no longer be processed for the purpose of your consent. Please note, that the legal basis of data processing, which happens before the revocation, is not affected by the revocation. On how to explain the individual revocations, please refer to the aforementioned information or information of the individual consent.

To exercise your rights, please contact: support@ionity.eu.

6.2. Complaint with the data protection authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you is in breach of the GDPR (Art. 77 DPA).

In Bavaria the competent supervisory authority is Bavarian State Office for Data Protection Supervision, Postfach 606, 91511 Ansbach, www.lda.bayern.de.

7. Version and updates of this privacy statement

We will update our data privacy policy from time to time as our data processing is subject to changes. You will find the most up to date data privacy policy in our privacy information page www.ionity.eu/policies. You can also contact our data protection officer on dataprotection@ionity.eu to ask for the latest version.