Content:

- General data protection regulations
- Additional information especially for the online shop
- Additional information especially for the app

General data protection regulations

We take the protection of the personal data of our users particularly seriously and adhere strictly to the rules of the data protection laws (DSGVO, TKG 2003). Your data will not be passed on to third parties. Exceptions to this only apply in the event of a legal or statutory obligation or if you have consented to or wish such a transfer.

This declaration is intended to give you an overview of how we guarantee this protection and what kind of data is collected for what purpose.

Data protection

We declare compliance with the legal provisions on data protection. In particular, data is used exclusively within the scope of the orders and measures are taken to ensure data security by ensuring that data is used properly and is not made accessible to unauthorised persons. Client, service providers and their employees are obliged to maintain secrecy and confidentiality of the data disclosed by users, unless there is a legally permissible reason for the transmission or disclosure of the entrusted or accessible data.

They are basically entitled to the rights of information, correction, deletion, restriction, data transferability, revocation and objection. If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way, you can contact the supervisory authority directly or contact us directly. In Austria this is the data protection authority - https://www.dsb.gv.at. You can find our contact details in the imprint.

Server-Log-Files

We automatically collect and store information in so-called server log files, which your browser sends to us. These are:

- the page called up (URL)
- the browser or the browser version
- the operating system used
- the referrer URL (the previously visited page)
- Host name and IP address of the accessing computer
- the time of the server request

These data cannot be assigned to specific persons. A consolidation of this data with other data sources is not carried out. The data will be deleted after 14 days. The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, with whom we have concluded a contract for data processing.

Personal data

Through our websites, we will not collect any personal data about you (e.g. your name, address, telephone number or e-mail address), unless you voluntarily choose to provide us with it (e.g. by contacting us via e-mail or contact form), respectively, provide your consent, or unless otherwise permitted by applicable laws and regulations for the protection of your personal data.

Blog

With your consent, you can subscribe to our blog, which we use to inform you about new and current blog posts.

Exchange of personal data

Carployee may disclose personal data to third parties if required to do so by law, upon a legal or court order, and as necessary to protect the rights, property, or safety of us or our affiliates, business relationships, customers, or others.

Security

Technical and organizational security measures are taken to protect your personal data against accidental or unlawful destruction, alteration or loss and against unauthorized disclosure or access.

Links to other websites

The website contains links to other websites. Carployee is not responsible for the data protection policies or the content of these other websites and has no influence on them.

Contact us

If you contact us by form on the website, by e-mail or by Drift Messenger extension, your data will be stored exclusively for the purpose of processing your request and in case of follow-up questions. We will not pass on this data without your consent.

Cookies

Our website uses so-called cookies. These are small text files that are stored on your end device with the help of the browser. They do not cause any damage.

A distinction is made between cookies that are absolutely necessary to ensure basic website functions, functional cookies to ensure the performance of the website and targeted cookies to improve the user experience

We use cookies to make our offer user-friendly. Some cookies remain stored on your end device until you delete them. The procedure for this varies according to browser, please refer to your browser instructions (under "Help" in the browser menu). Cookies enable us to recognize your browser the next time you visit us.

If you do not wish this, you can set up your browser so that it informs you about the setting of cookies and you only allow this in individual cases.

If you deactivate cookies, the functionality of our website may be limited.

Web analysis

Our website uses functions of the web analysis service Google Analytics. The provider is Google Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Google Analytics uses such target-oriented cookies.

More information on how Google Analytics handles user data can be found in the Google privacy policy: https://support.google.com/analytics/answer/6004245?hl=en

You can prevent the collection of data generated by the cookie and related to your use of the website to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Alternatively, you can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set to prevent the collection of your information on future visits to this site.

Sign out from Google Analytics here

We have concluded a contract with Google for data processing for commissioned data processing.

We use the function "Activation of IP anonymisation" on this website. This means that your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on the website activities and to provide further services to the website operator in connection with the use of the website and the Internet. The IP address transmitted by your browser within the scope of Google Analytics is not merged with other Google data.

The data processing is based on the legal provisions of § 96 para. 3 TKG and Art 6 para. 1 lit a (consent) and/or f (legitimate interest) of the DSGVO.

Our site also uses the so-called "Facebook pixel" of the social network Facebook, which is operated by Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA) or Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

With the help of the Facebook pixel, Facebook is able to identify Carployee visitors as a target group for the display of Facebook ads. This feature allows Carployee to target website visitors with advertisements by displaying personalized, interest-based Facebook ads for visitors to the website. When visiting this website, a direct connection to a Facebook server is established. In the process, the Facebook server is informed which of our websites you have visited. Facebook assigns this information to your personal Facebook user account. Further information on the collection and use of data by Facebook, on your rights in this regard and on ways to protect your privacy can be found in the Facebook data protection information.

Facebook has submitted to the privacy shield agreement concluded between the European Union and the USA and has certified itself accordingly. As a result, Facebook has committed itself to comply with the standards and regulations of European data protection law.

Sign out pixels here from Facebook

LinkedIn Analytics

We use LinkedIn's conversion tracking technology on our website. For this purpose the LinkedIn Insight tag is included.

You can disable the LinkedIn Insight conversion tool and interest-based advertising by using the following link to unsubscribe: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Please see LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy for more information about data collection and use, and the choices and rights you have to protect your privacy.

SSL Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If the SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

Objection to (further) data processing and use

You can revoke your consent to the storage of your personal data and its use for the provision of the respective services at any time.

Please note that even after your objection to the use and/or storage of your data, we may still process your data for billing purposes to the extent necessary.

In addition, your objection to any further use of your data will of course result in the fact that you may no longer be able to obtain the services you have obtained and the provision of the respective service will be discontinued immediately. In this context, your personal data will be deleted immediately and no longer held in our database.

Right of access to information

You have the right at any time to information about the type and extent of the data stored with regard to your person, its origin and its recipient as well as the purpose of the storage.

The necessary contact data can be found in the imprint (menu and footer).

Additional information especially for the online shop

Personal data

If you would like to place an order in our online shop, we process and require certain data, such as the details of the order you have selected or placed, your address (company address), contact address (contact details incl. e-mail address) and the selected method of payment.
In addition, the service providers we use (such as payment intermediaries) receive the necessary data about you or your order.

The following user data is stored by the online shop:

-Company name
-VAT
-Country
-Town/city
-Postcode
-Street
-First name, last name
-Email
-Phone number

In addition, the following details about the purchase process are stored:

-Time of purchase
-Date, time
-Paymentmethod
-Purchased products

Additional information especially for the app

Right to information

According to Art. 15 DSGVO, the data subject has the right to obtain confirmation from the persons responsible as to whether personal data relating to him/her is being processed by the person in charge. If this is the case, the data subject has the right to be informed of this personal data and, in addition, to receive the following information:

a) the purposes of the processing;
b) the categories of personal data processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
d) if possible, the envisaged duration for which the personal data will be stored or, if that is not possible, the criteria for determining that duration;
e) the existence of a right of rectification or erasure of personal data relating to him or her or of a restriction on processing by the controller or a right to object to such processing;
f) the existence of a right of appeal to a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision making, including profiling, and, in such cases, relevant information about the logic involved and the scope and intended impact of such processing on the data subject.

If personal data are transferred to a third country or to an international organisation, the data subject also has the right to be informed of the appropriate safeguards pursuant to Art. 46 DPA in connection with the transfer. Should the data subject so request, the controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For each additional copy requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. However, the controller shall have this right only on the basis of unjustified or excessive exercise of the right of access. The data subject has the right to make the request electronically. In this case, the information shall be provided in a standard electronic format, unless the data subject indicates otherwise.

In accordance with these obligations, the data controller will handle the data subject's right of access as follows:

As soon as the data subject submits a request for information to the controller, the controller's contact person will use all reasonable means to verify the identity of the data subject. The data subject's request does not require any special form and may also be made electronically. However, the request must enable the controller to find out the information he or she is supposed to obtain. If the data subject requests oral information, the person responsible will establish the identity of the data subject in a suitable manner and provide the information orally. The person responsible will search all data files for information concerning the data subject and compile this information. The Data Protection Officer shall compile all data files in which personal data concerning the data subject can be found and - if the content of such data is unclear - briefly explain it.

The information will include the following:

Processed data: The data controller will inform the data subject of the information he or she processes about the person concerned.

Information: In addition, the controller will provide the data subject with the following Information on the data processing: the purposes of the processing, categories of data, recipients and categories of recipients, duration of data retention, origin of the data, if automated decision making and profiling has been used, the methods and criteria used and the scope and effects of the data processing.

Rights concerned: The data controller will inform the data subject of the following: "The data subject has the right to obtain information on the data stored in accordance with Art. 15 DSGVO, to correct inaccurate data in accordance with Art. 16 DSGVO, to have data deleted in accordance with Art. 17 DSGVO, to restrict the processing of data in accordance with Art. 18 DSGVO, to object to unreasonable processing of data in accordance with Art. 21 DSGVO, and to transfer data in accordance with Art. 20 DSGVO. The data subject has the right to complain to the supervisory authority - in Austria, the competent authority is the data protection authority".

At the same time as the information is provided, the data controller will make available to the data subject the information obligations in accordance with Art. 13 and Art. 14 DSGVO. The controller will - if the data subject so wishes - make the personal data relating to the data subject available to the data subject in such a way that it is available in a structured, common and machine-readable format. The data subject shall thus have the opportunity to transfer the data to another responsible person without hindrance.

Deadline: the data controller will provide the information without delay, and in any event within one month of receipt by the data controller. In the event of extensive and complex information, the data controller may, in individual cases, extend the deadline for providing information once for a further two months; the data controller shall inform the data subject of this within one month, stating the reasons.

Negative information: If the responsible person does not provide the information, he will also inform the person concerned within one month, stating the reasons. If the data controller does not process any data relating to the data subject, the data controller will provide the data subject with negative information (a confirmation that he/she is not processing data relating to the data subject)

Right of rectification

Should the data subject inform the controller that the latter is processing incorrect or (for the purpose of the data processing) incomplete data, the data subject has the right to contact the contact person at the controller. The data controller will immediately check the content and complete or correct the data disclosed by the data subject. Should the correctness of the data be disputed, the data controller will restrict the processing. Furthermore, the data controller will inform any recipients of the (incorrect) data of the corrected data.

The right of cancellation

The data subject shall have the right to obtain from the controller the immediate erasure of personal data relating to him/her. The controller shall be obliged to delete personal data without delay if one of the following reasons applies:

- the personal data are no longer necessary for the purposes for which they were collected;
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no overriding legitimate reasons for processing;
- the personal data have been processed unlawfully;
- the deletion of the personal data is necessary to comply with a legal obligation;
- the personal data is the data of a child (or young person under 16 years of age) in relation to Internet services provided.

The person responsible will immediately examine each request for deletion and will make reasonable efforts to verify the conditions of the claim. In any event, the data controller will inform the person concerned of the measures taken or the reasons for the refusal within one month of receipt of the request. If necessary, the responsible person will inform the person concerned - if the request is complex - about the extension of the examination of the request for cancellation by two months, also within one month. If the data subject has raised an objection and the data subject has requested the controller to limit the processing, the controller will limit the processing.

Right to limitation

The controller will process the personal data of a data subject only to a limited extent, provided that:

- the data subject has disputed the accuracy of the personal data (for the duration of the controller's verification of the accuracy of the personal data)
- the processing is unlawful and the data subject refuses to delete the personal data and instead requests the restriction of the use of the personal data;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the purpose of asserting, exercising or defending legal claims;
- he data subject has lodged an objection to the processing as long as it is not established that the controller's legitimate reasons outweigh those of the data subject.

If the processing has been restricted, such personal data, apart from being stored, may be processed only with the consent of the data subjects or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural person or on grounds of substantial public interest. The data controller shall inform the data subject in writing of the measures taken. The controller shall notify all recipients to whom personal data have been disclosed of the restriction on processing, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the controller shall inform the data subject of the recipients of such notification.

Right of objection

The data subject shall have the right to object at any time, on the grounds relating to his particular situation, to the processing of personal data concerning him where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or where the processing is necessary to protect the legitimate interests of the controller or of a third party. The controller will verify the identity of the data subject and subsequently, if the identity has been properly established, the content of the objection. The controller will then inform the data subject of the decision.

Reporting to the authority

In the event of a violation of the protection of personal data, the controller shall notify the Austrian data protection authority without delay and, if possible, within 72 hours of becoming aware of the violation, unless the violation of the protection of personal data is not expected to lead to a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. The notification to the Authority shall contain at least the following information:

a) a description of the nature of the breach of the protection of personal data, indicating, as far as possible, the categories and approximate number of persons concerned, the categories and approximate number of personal data sets concerned;
b) the name and contact details of the Data Protection Officer or other contact point for further information;
c) a description of the likely consequences of the breach of the protection of personal data;
d) a description of the measures taken or proposed by the controller to remedy the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

Notification to the data subject

Where the breach of the protection of personal data is likely to lead to a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay.

Data storage of the Carployee App

Only those data are stored which are necessary for the smooth operation of the functions. The following data is stored:

User data during registration:
- Employer
- Email
- Phone number
- Password (encrypted)
- First name
- Last name
- Address
- Profile Picture
- Phone number

Additional user data when trips are searched:
- Search requests (time, origin address, destination address, user who triggered the search)

Additional user data when trips are created:
- Car (seats, brand, colour, license plate number)
- Departure time
- Waypoints along the route
- Arrival time
- Passenger names
- Telephone numbers of the participants
- Passengers' points of embarkation
- In-App messages from all passengers and comments on boarding points

Additional user data, if trips are carried out:

- Way to work in lat/long points Number of Leaves (points) earned for the trip
- driven KM
- Calculation of the saved CO2 values, leaves and Euro savings based on the number of KM

Depending on the reward model used by the employer, the following data on the reward (benefits) is generated:
- Validity period
- Description
- Required number of leaves
- Indication whether User Benefit has already received
- Time of purchase, quantity and user who has purchased a benefit

Stored company data:
- Name
- Addresses
- Registration code for employees
- Benefits of the company

App-internal data transfer of the users

The following data is stored and passed on to drivers and/or passengers:

From drivers to passengers:
Before carpooling is confirmed, passengers receive the following information from drivers:
- Name of the driver
- Car (seats, brand, colour, registration number)
- Arrival time in the company
- Departure time from the company
- Waypoints of the journey
- Passengers already booked
- Information whether only outward journey, return journey or both are planned

After confirmation of a carpool, passengers will receive the following information about the trip:
- Names of the passengers
- Driver's telephone number
- Passengers' points of embarkation
- In-App messages of all passengers and the driver

From passengers to drivers

Drivers receive the following data from passengers before a journey is confirmed:
- Name of the passenger
- Entry point (lat/long point along the driver's route)

After confirmation of a carpool, drivers receive the following data:

- In-App messages from all passengers
- Telephone numbers of passengers
- Pictures and names of the passengers

Data deletion

Upon request, personal data of individual persons can be deleted, as well as all personal user data that can be assigned to a company.

Storage location of the data
Hetzner Online GmbH - Datastorage in germany. More information at https://www.hetzner.com/de/rechtliches/datenschutz

Service Partner

By using the Carployee App, services of the Google Maps platform are used. The relevant data protection regulations can be viewed via the following link: https://policies.google.com/privacy

By using the Carployee App, personal data is stored by our service partner Sendgrid (https://sendgrid.com/) for the purpose of e-mail communication. The relevant regulations are available at https://www.twilio.com/legal/privacy.

By using the Carployee App, services from Firebase are used. Firebase is a processor of Carployee. The relevant provisions can be accessed at https://firebase.google.com/terms/crashlytics and https://firebase.google.com/terms/data-processing-terms. A general description can be found at: https://firebase.google.com/support/privacy.

Duty to inform according to Art 13 and Art 14 DSGVO

The name and contact details of the person responsible and, where applicable, his representative shall be:
- Name: Carployee GmbH
- Postal address: Peter-Behrens-Platz 9, 4020 Linz
- Phone number: +43 680 23 81 701
- E-mail address: team@carployee.com
- Website: https://www.carployee.com

We process personal data of customers as follows:

Within the scope of the business relationship, the following data provided by you will be processed:

Master data including contact information (such as address, phone, mail, fax, UID no.),
Bank details.

In addition, the following data, which are incurred due to the business relationship, are processed:
- Communication data, data on accounting and controlling, order and contract data, financing and payment conditions, creditworthiness information, object of delivery or service, data on terms and conditions of delivery and service, purchase history, purchasing behaviour, product and demand interests, data on customer satisfaction, survey data, organisational data (such as dates), object and reference, business case documents, product/service data, enquiries.

General data processing within the business relationship:

The processing of data is carried out for the fulfilment of a contractual relationship or is based on a legal basis within the framework of a business relationship (or for the processing of this). The processing of your data is carried out for the formal treatment of the business cases to be procured by us, for the examination and evaluation whether customer satisfaction is given and for the evaluation of the quality of the used services as well as for the completion of the sales of goods and services. In addition, the data is transmitted to the following categories of recipients:

- Banks
- Legal representative
- Chartered accountants, auditors and tax consultants
- Courts
- Competent administrative authorities
- Collection agency
- Debt financier
- Contract and business partner
- Insurance
- Statistics Austria
- Transport company
- Suppliers

Data processing for the purpose of direct marketing:
The processing of the data is based on your consent and on a legitimate interest in the initiation of business with regard to our own range of products or services. The legitimate interest results from the interest of the person responsible to send you messages in order to advertise his own range of services. The transmission of the relevant data in each individual case is based on your consent and on a legitimate interest. In addition, the data is transmitted to the following categories of recipients:
- Group Executive Board

Data processing for the handling of events:

The processing of the data is based on your consent and for the fulfilment of a contractual relationship if you participate in our events, for the organisation and implementation of the respective event.

The processing of data is based on our legitimate interest in optimizing customer-specific communication with our customers. We therefore operate a customer relationship management system and thus process your data in order to document and improve our customer relations with you (documentation of the content of the communication between our employees and you). The transmission of the data relevant in each individual case is based on a legitimate interest. In addition, the data is transmitted to the following categories of recipients:
- Legal representative
- Chartered accountants, auditors and tax consultants
- Group Management

We store the data for the duration of the (business) relationship or one year beyond that.

Image recordings are processed on the basis of an overriding legitimate interest in the sense of § 12 DSG (video surveillance) as a preventive measure and to ensure the traceability of criminal acts and to enable the clarification of criminal offences. Changes

Changes

Since technology and procedures on the Internet are developing very quickly, these data protection regulations are also changing. We therefore reserve the right to send you, as a registered user, notifications of the applicable provisions during certain periods. You should nevertheless visit our website regularly and take note of any changes. Unless otherwise regulated, the use of all information that we have about you and your user accounts is subject to this data protection regulation. We assure you that significant changes to this data protection regulation, which lead to a weaker protection of already received user data, will only be made with your consent.

Further Information:

The person concerned has the right to information about the stored data in accordance with Art 15 DSGVO, to correction of incorrect data in accordance with Art 16 DSGVO, to deletion of data in accordance with Art 17 DSGVO, to restriction of the processing of data in accordance with Art 18 DSGVO, to objection to unreasonable data processing in accordance with Art 21 DSGVO as well as to data transferability in accordance with Art 20 DSGVO. If the processing is based on a declaration of consent, the data subject has the possibility of revoking this at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. The data subject has the right to complain to the supervisory authority - in Austria the data protection authority is responsible. The address is

Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
Phone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

In the course of collecting the data, we will disclose if the provision of personal data to the data subject is required by law or contract or is necessary for the conclusion of a contract. At the same time, we will announce whether the data subject is obliged to provide the personal data and what the possible consequences would be if the data were not provided. No automated decision making, including profiling, takes place. If personal data are processed for a purpose other than that for which the personal data were collected, we have disclosed this information about this other purpose to the data subject.