Privacy Policy for users of the "MyAutoData" platform

The most important at a glance

MAUD (MyAutoData) is a neutral, independent online platform for the private storage and management of your car-related data.

If you intend to derive an economic benefit from your data, you must give us a data protection consent which can be revoked at any time and which allows us to activate the data explicitly released by you for access by the companies registered on the platform. On request, they can then submit to you interest-related offers or use the released data anonymously for statistical purposes.

In return for the data you release, you will receive a fee from the respective company for each access.

We take precautions to ensure that your personal data remains on our platform even if it is accessed by participating companies. However, you give your consent for your released data to be downloaded anonymously and displayed individually as part of statistical analysis. If you accept the offer of a company, it may be that this company also stores or processes the data required for the creation of the invoice or delivery of the product or service outside the platform in its own system. In this respect, the companies are then responsible for this data.

You have a statutory right to information, correction, deletion, restriction of processing, data transmission, complaint to a supervisory authority, revocation of consent and objection. In addition, you can also delete your data on the MAUD platform yourself at any time.

You can reach our data protection officer at dsb@myautodata.com

Content

1. Contents of this information

With these data protection notes we explain how we handle your personal data when you use the platform "MAUD (MyAutoData)", which can be accessed at www.myautodata.com. In addition, we inform you about your rights under the General Data Protection Regulation (GDPR).

2. About MAUD (MyAutoData)

MAUD (MyAutoData) is a website (platform) on which registered users may store, manage and evaluate (e.g. vehicle costs) various data related to the ownership and driving of their vehicle (e.g. data about the vehicle, insurance, memberships or routes driven).

In addition, users have the option of releasing their data in whole or in part to participating automotive companies. However, the data will always remain within the MAUD (MyAutoData) platform.

In return for the released data, users receive a fee from the respective company for each access. Of course, users always have full transparency about which companies have accessed their data and what compensation they receive for doing so.

3. Responsible and Data Protection Officer

The party responsible within the meaning of the GDPR for the processing of your data is:

MyAutoData GmbH

Forstenrieder Allee 61, 81476 Munich

Phone: +49 89 74 51 56 - 0

Email: info@myautodata.com

The contact details of our data protection officer are:

LITC – Jasmin Lieffering

Bärenmarsch 3

31623 Drakenburg

Email: dsb@myautodata.com

The participating companies are responsible for the processing of your data that may arise within the framework of a purchase contract with one of the participating companies (invoice, delivery) (see section 6).

4. Registration

To be able to use MyAutoData, you must create a user account and enter your:

  • email address
  • password
  • name
  • first name
  • country

We will send you an e-mail with an individual activation link to your e-mail address. We use your e-mail address to communicate about contractual and technical matters related to our platform.

5. Data storage

In the "My Details" area of MAUD (MyAutoData) you can store a variety of information on the following categories:

  • contact data, master data, legitimation data
  • offences
  • relatives
  • household data
  • memberships
  • health data
  • vehicle data
  • interests

All information given there is voluntary. If you do not wish to release data to the participating companies (see section 6), only you can see it.

We process your data in order to make it available to you online and, in some cases, in order to create certain calculations for you (e.g. vehicle costs). When you release data to participating companies, we will a) verify the accuracy of your personal information and the vehicle(s) you have captured, and b) verify the plausibility of the data provided to prevent misuse through false entries.

6. Release of data for the participating companies

While entering the individual data, you can determine whether you allow the participating companies access to it or not. These settings may also be done at a later time and can be revoked immediately and at any time by you. By default, no data is released.

If you release individual data, you grant MAUD (MyAutoData) and the participating companies the following data protection consent:

We encourage participating companies to process the released data only within the MAUD platform. However, for the preparation of quotations and the possible preparation and execution of orders, it may be necessary for the companies to transfer their data to their own systems (e.g. invoice, delivery). For the data processing of the participating companies in the context of the initiation, preparation and execution of contracts between you and the companies, the respective companies are responsible within the meaning of the GDPR.

If you release data for the participating companies, you will receive compensation for it. In this case we need the following information from you:

Amounts are paid out via the payment service provider "Stripe", which records the information required for the payment (e.g. bank details). The data protection provisions of Stripe apply: https://stripe.com/en-de/guides/general-data-protection-regulation

In order to check the plausibility of your details and to prevent misuse (e.g. false user profiles, false car details), we require an electronic copy of your vehicle registration certificate. This is deleted immediately after the check.

The release of data and the withdrawal of releases are logged by us with date and time.

In addition, we record whether, when and to what extent the data fields released by you were accessed by a participating company. We use this information to settle accounts with these companies and with you. We also make this data available to you for reasons of transparency in your user account.

7. Log data of the web server

Each time you call up a page, our web servers record the following in a log file: the address (URL) of the page called up, the date and time of the call, possible error messages and, if necessary, the operating system and the browser software of your terminal device, as well as the web page from which you visit us and the incoming IP address.

The log file data is used by us exclusively to ensure the functionality of our services (e.g. error analysis, guarantee of system security and protection against misuse) and deleted or anonymized after 7 days.

Insofar as log file data can be qualified as personal data in individual cases, the legal basis for the processing of log file data is our legitimate interest (error analysis, guarantee of system security and protection against misuse).

8. Supplementary information

8.1. Mandatory information

All mandatory fields on our website are marked with an asterisk ("*").

8.2. Data recipients and third party service providers

If you have released data, it will be made available to all participating companies. You can see which companies have retrieved your data under "Participation in the Marketplace" > "My earnings" (function may not yet be available).

In addition to the data recipients already listed above, we can use other service providers for the technical operation or the provision of individual functionalities:

We can use contract processors for the technical operation of the website. We currently use Amazon Web Services, Inc., USA (AWS) for web hosting and the technical provision of the website. The processing takes place primarily in a data center of AWS in Frankfurt am Main, Germany. AWS participates in the Privacy Shield program.

We use the "Authy" service of Twilio, Inc. in the USA for two-factor authentication. Twilio participates in the Privacy Shield program.

8.3. Storage period

We measure the storage period for your data on the basis of the specific purposes for which you use the data.

We will always delete your data if you delete your user account, unless we are required by law to store it for a longer period. You can delete your user account under "My Account".

We delete data relevant to invoicing after the expiry of the statutory retention periods, which result in particular from the German Commercial Code (HGB) and the German Tax Code (AO) and often amount to six or ten years.

Finally, in individual cases (e.g. in the event of specific disputes), the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB) generally amount to three years (from the end of the calendar year).

8.4. Legal and technical terms

In the following, we explain some legal and technical terms used in this privacy statement.

Personal Data: Personal data is any information relating to an identified or identifiable natural person, such as information associated with your e-mail address.

Processing: A processing of personal data is any process in connection with personal data, e.g. collection via an online form, storage on our servers or use to contact.

Cookie: A cookie is a small text file that is stored on your computer. The content of this file is transferred to our server or the server that has set the cookie each time a website is accessed.

A list of cookies used on our website:

| Name | Type | Duration | Purpose |
| --- | --- | --- | --- |
| PHPSESSID | Internal | Session | User authentication |
| cookiebanner-accepted | Internal | Forever | Cookie acceptance pop-up |
| _gid | Third party | 24 hours | Google Analytics |
| _ga | Third party | 2 years | Google Analytics |

IP address: The IP address is a number that your Internet service provider temporarily or permanently assigns to your terminal device. With a complete IP address, it is possible in individual cases to identify the subscriber, e.g. on the basis of additional information from your Internet service provider.

Privacy Shield: Privacy Shield certification is a measure taken by US companies to legitimize the transfer of personal data from the EU to the US, as the US does not have adequate data protection legislation comparable to EU law. The underlying EU-U.S. Privacy Shield Agreement is a data protection agreement that ensures an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has determined the adequacy of the guaranteed data protection level according to the EU-U.S. Privacy Shield Agreement by decision of 12.07.2016 (Ref. C(2016) 4176) (retrieve decision of the EU Commission). You can view the current status of certification of companies according to the EU-U.S. Privacy Shield Agreement online here.

Contract processors: These are technical service providers who process personal data for our purposes and according to our specifications. In accordance with the requirements of the GDPR, we have entered into contractual agreements with contract processors to ensure data protection.

8.5. Legal basis

GDPR permits the processing of personal data only if a legal basis permits this. We are legally obliged to inform you of the legal basis for the processing of your data.

Unless otherwise stated in these data protection notices, we process your data to provide the MAUD (MyAutoData) platform (fulfillment of contract). Insofar as we store and use data to combat misuse, this is done on the basis of our legitimate interest in preventing misuse. The provision of data to partner companies takes place on the basis of your consent. If we store data for the fulfilment of legal storage obligations, the legal basis is the fulfilment of legal obligations.

In the following, we will explain the terms used when naming the legal bases.

| Legal basis | Designation | Explanation |
| --- | --- | --- |
| Art. 6 para. 1 lit. a) GDPR | Consent | This legal basis permits processing if and insofar as you have given us your consent. |
| Art. 6 para. 1 lit. b) GDPR | Contract fulfilment | This legal basis permits processing to the extent necessary to fulfil a contract with you, including pre-contractual measures (e.g. preparation of the conclusion of a contract). |
| Art. 6 para. 1 lit. c) GDPR | Fulfilment of legal obligations | On the basis of this legal basis, we may process your data insofar as this is necessary to fulfil a legal obligation to which we are subject. |
| Art. 6 para. 1 lit. f) GDPR | Legitimate interests | In accordance with this legal basis, we are permitted to process data insofar as this is necessary to safeguard our legitimate interests (or those of third parties) and your conflicting interests do not prevail. |

9. Your rights

By law, we are obliged to inform you of your rights under the GDPR. In the following we explain these rights, i.e. your right to information, correction, deletion, restriction of processing, data transmission, complaint to a supervisory authority, revocation of consent and objection.

You are entitled to these rights under the conditions of the respective data protection regulations. No further rights are granted to you by the following representation.

9.1. Information

You have the right to request confirmation from us as to whether we are processing personal data concerning you; if this is the case, you have the right to be informed of this personal data and of the information specified in Art. 15 GDPR.

9.2. Correction

You have the right to demand from us immediately the correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data, Art. 16 GDPR.

9.3. Deletion

You have the right to demand that we delete personal data relating to you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued.

9.4. Restriction of processing

You have the right to demand that we restrict the processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection against the processing for the duration of the examination by us.

9.5. Data transferability

You have the right, under certain conditions, to receive, transmit and - as far as technically feasible - have transmitted data concerning you which you have provided to us in a structured, common and machine-readable format, Art. 20 GDPR.

9.6. Complaint

Irrespective of any other administrative or judicial remedies, you have the right to complain to a supervisory authority if you are of the opinion that the processing of your personal data by us violates the GDPR, Art. 77 GDPR. You may exercise this right with a supervisory authority in the Member State where you are staying, at your place of work or at the place where the alleged infringement occurred. The contact details of the supervisory authorities in Germany can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

9.7. Revocation (of consents)

If you have given us your data protection consent, you have the right to revoke it at any time with effect for the future. This also applies to data protection consents which you have given us before the GDPR became effective.

9.8. Objection

You also have the right to object to the processing of your personal data at any time for reasons arising from your particular situation, provided that we base the processing on Art. 6 para. 1 lit. e) or f) GDPR. We will then no longer process this data unless we can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims (Art. 21 GDPR).

If we use your personal data for direct advertising (e.g. by e-mail), you have the right to object to the use of your data for these purposes at any time. This also applies to profiling in so far as it is related to direct mail. Profiling means the use of personal data to analyze or predict certain personal aspects (e.g. interests).