DATA PROTECTION (PRIVACY POLICY)

(The German version is always the authoritative text.)

Data protection declaration

1 INFORMATION ON THE COLLECTION OF PERSONAL DATA

(1) We inform you below regarding the collection of personal data when using our services. In addition to our online offering over the website, we also provide a mobile app and an option to use SMS, e.g., via your mobile device. Controller pursuant to Section 4, Subpara. 7 EU General Data Protection Regulation (GDPR)

sunhill technologies GmbH
Allee am Röthelheimpark 15
91052 Erlangen
info@sunhill-technologies.com

Legal information

(2) You can reach our data protection officer at dpo@sunhill-technologies.com or at our postal address with the addition “the data protection officer”.

(3) As a service provider in many cities with respect to public parking spaces, we offer you the possibility to pay for parking passes by SMS (text message). If you do so, the respective city functions as the data controller for purposes of the GDPR, and we process the data based on the instructions of the respective city.

However if you use our additional services simultaneously (through our app or our websites), we function as responsible entity with respect to the collection of the additional data.

Irrespective of this, you may send all inquiries to us and we will forward them to the responsible entity.

In addition, the responsible entity exchanges your data with the companies of the Volkswagen Finanzdienstleistungsgruppe* (e.g. companies from the sectors: bank, leasing, insurance, mobility and fuel / service cards – in the following only: “VW Finanzdienstleistungsgruppe”).

2 YOUR RIGHTS

(1) You have the following rights with respect to your personal data:

– Right to information

– Right to rectification or erasure

– Right to restriction of processing

– Right to object to processing

– Right to data portability

(2) You also have the right to express your objections against the processing of your personal data to a data protection supervisory authority.

3 DUTY TO PROVIDE DATA

As part of our business relationship, you must provide us with personal data, which are necessary to establish, conduct and terminate a business relationship, or information which we are legally obliged to collect. Without these data we cannot conclude a contract or must terminate any existing contract.

4 OBJECTION AGAINST OR CANCELLATION OF PROCESSING OF YOUR DATA

(1) If you have given your consent to the processing of your data, you can revoke this consent at any time. Such revocation affects the legitimacy of the processing done to your personal data after you have shared these data with us.

(2) If we perform processing of your personal data based on a balancing of interests, you may object to such processing. This is the case, if the processing is, in particular, not required to perform a contract with you, the details thereof we will illustrate in the description of the functions below. If you raise such an objection, we ask that you explain the reasons why we should not process your personal data in the manner that we have processed it to date. If your objection is justified, we will examine the facts and situation and will either discontinue or modify the data processing or indicate to you our compelling and legitimate reasons for why we must continue to perform the processing as such.

(3) You may, of course, object to the processing of your personal data for advertising and data analysis purposes at any time. You may express your objection to such uses via the contact details above.

5 COLLECTION OF PERSONAL DATA WHEN VISITING OUR WEBSITES

(1) If you are using the website for mere informational purposes, i.e. if you do not register or otherwise provide us with information, we collect the personal data that your browser transmits to our server. We collect the following data, as these are technically necessary for us to display our website to you, ensure the stability and security of our system and improve our website and offering (legal basis: Section 6, Subpara. 1, sent. 1 (f) GDPR):

– IP address

– Date and time of the request

– Time zone difference to Greenwich Mean Time (GMT)

– Content of the request (specific page)

– Access status / HTTP status code

– Amount of data transferred per request

– Website from which the request originates

– Browser

– Operating system and interface

– Language and version of the browser

Our legitimate interest in the data collection results from the stated purpose.

(2) Further recipients of the data:

a) The data are forwarded to our IT service providers.

b) We use Google Analytics and Google Adwords on our websites. To enable us to do so, your data are forwarded to third parties who are located outside the EU. Detailed information can be found in the section “Google Analytics”, “Google Adwords” and “Remarketing with Google Adwords.” Cookies are also used as part of this function. Detailed information in this regard can be found in the section “Cookies”

c) We use Google Maps on our web pages. To enable us to do so, your data are forwarded to third parties who are located outside the EU. Detailed information can be found in the “Google Maps” section. Cookies are also used as part of this function. Detailed information can be found in the “Cookies” section.

d) The controller also uses contract processors and other contractors (for example from the following sectors: information and communication technology) located outside the European Economic Area (EEA) as part of this business relationship. The transmission of your data takes place in compliance with the special requirements of Sections 44–49 GDPR, whereby the adequate level of protection either by an adequacy decision of the European Commission according to Section 45 GDPR or concluded EU standard contractual clauses according to Section 46 Subpara. 2 lit. c and d GDPR. The EU standard contractual clauses can be downloaded and viewed on the European Commission’s website, or requested directly from the controller and copied.

(3) The data will be kept for a maximum of one year and then deleted.

6 … ADDITIONAL DATA COLLECTED WHEN USING THE SERVICE PORTAL

(1) An account may be created if you want to use our service portal or a form on our website to obtain support with problems or questions. Moreover, contact details are collected in order to process the request (legal prerequisites result from Section 6, Subpara. 1, sent. 1 (b), (c) and (f) GDPR) and differs depending on the type of problem for which the service portal is being used. If the legal prerequisites result from Article 6, Subpara. (1), sent. 1 (f) GDPR, the legitimate interest in collecting the data arises from the goal of processing all inquiries and using them to solve a related problem.

(2) Further recipients of the data:

– IT services

– Service and call centers

(3) In order to facilitate processing of your request and resolve any problems that may have arisen, the data will be saved until the end of the processing period of the problem and kept for a period of one year thereafter. Insofar as an ongoing contractual relationship exists, data processing will be restricted after termination of the contract and fulfillment of all contractual obligations of its parties, i.e. your data will be used to comply with legal obligations only.

7 … ADDITIONAL DATA COLLECTED WHEN USING THE SERVICE PORTAL

(1) In order to receive services via our websites, a corresponding contract must be concluded. In order to enable the contract to be concluded and to facilitate the upcoming exchange of services as part of this contract, the following data are also collected. Beyond that, we use the data to analyze and optimize our offering, for statistical analyzes and marketing measures (legal prerequisites: Section 6. Subpara. 1, sent. 1 (b), (c) , and (f) GDPR):

– Contact information

– Payment information

– Smartphone number (MSISDN)

– License plate number

– Position data

– Selected parking zone

– Start and end of the parking event

Our legitimate interest in the data collection results from the stated purpose.

(2) Further recipients of the data:

a) Recipients of the data are

– IT service providers

– Logistics service providers

– Telecommunication service providers

– Service and call centers

– Printing services

– Collection services

– Sales and marketing service providers

b) Data associated with payment transactions are forwarded to our bank for the purpose of payment processing (e.g. when using SEPA direct debits).

c) Data for external payment providers (e.g., for credit cards or PayPal) are not collected or stored by us, but rather transferred directly from you to the payment service provider. We will only receive a notification that the payment was made and, if necessary, additional data resulting from your agreement with the external payment provider.

d) If you use PayPal as payment for our service, you expressly acknowledge that Volkswagen Payments S.A. exchanges personal data (like email address, name, address and the amount of payment) with PayPal (Europe) S.à.r.l. et Cie, S.C.A. in their capacity as a payment service provider. Disclosure of personal information is in accordance with the Volkswagen Payments S.A privacy statement (http://www.vwfsag.com/de/home/datenschutz.html) and European and national data protection policies.

(3) Due to commercial and tax regulations, we are obligated to store your address, payment and order data for a period of ten years. We will make the data available to you for your own use (e.g., tax return, billing with the employer) at any time during an ongoing contractual relationship. Upon termination of the contract and fulfillment of all contractual obligations of its parties, the data become restricted in their processing, i.e. your data will only be used to comply with legal obligations.

8 USE OF OUR MOBILE APP WITHOUT REGISTRATION

(1) In order to use the mobile app, we collect the personal data described below to enable convenient use of its functions. If you wish to use our mobile app, we must collect the following data, as these data are technically necessary for us to provide the functions of our mobile app, in particular, provide the payment function and ensure stability and security. In addition, we use the data to check and optimize our offer, for statistical analyzes as well as marketing measures (legal prerequisites: Section 6, Subpara. 1, sent. 1 (b), (f) GDPR):

– IP address

– Date and time of the request

– Time zone difference to Greenwich Mean Time (GMT)

– Content of the request

– Access status / status code

– Amount of data transferred per request

– Website from which the request originates

– Browser

– Operating system and its interface

– Language and version of the browser software

– Device type

– Smartphone number (MSISDN)

– Mobile communication providers

– License plate number

– Position data

– Parking event data (start, end, parking zone, ticket price)

Our legitimate interest in the data collection results from the stated purpose.

(2) Further recipients of the data:

a) Recipients of the data are

– IT service providers

– Logistics service providers

– Telecommunication service providers

– Service and call centers

– Printing services

– Collection services

– Sales and marketing service providers

b) When the mobile app is downloaded, the required information is transferred to the app store of your choice, in particular, user name, e-mail address and customer account number, time of the download, payment information as well as the individual device code. We have no influence over the collection of these data and are not responsible for this. We only process the data insofar as necessary for downloading the mobile app to your mobile device.

c) We use “IDFA / android ID” in our app. Detailed information regarding this can be found in the section “IDFA / android ID.”

d) We use Google Maps in our app. To do so, your data are forwarded to third parties who are located outside the EU. Detailed information can be found in the “Google Maps” section. Cookies are also used as part of this function. Detailed information can be found in the “Cookies” section.

e) We also utilize our app Braze. To do so, your data are forwarded to third parties who are located outside the EU. Detailed information can be found in the section “Braze.“

(3) Due to commercial and tax regulations, we are obligated to store your address, payment and order data for a period of ten years. After all contractual obligations of the contract`s parties are fulfilled (i.e., normally after successful settlement of outstanding accounts), the data becomes restricted in processing after 36 months, i.e. your data will be used to comply with legal obligations only.

(4) At the beginning or during the use of our mobile app, we will ask for permission to use the following functions via e.g. pop-up window:

– GPS functionality to identify relevant offers, even when the app is closed

– Access to incoming SMS (text) messages to activate the smartphone number

– Your photos to photograph your parking space

– Your reminders to inform you about booked periods of use

If you do not provide consent, we will not use these data. In this case, however, you may not be able to use all the functions of our app. You can later grant or revoke consent via the settings of the operating system.

(5) If the app on one of our websites is accessed directly, you will find the applicable information in the sections about the use of the website.

9 … ADDITIONAL DATA COLLECTED WHEN YOU USE THE SUPPORT FUNCTION OR WHEN THE APP CRASHES

(1) If you would like to use our support function from the app to provide feedback or receive assistance with problems, or if the app shows an error and crashes, the following additional data will be collected to correct the error and improve our product (legal prerequisites differ depending on the type of problem for which the service portal is being used; it results from Section 6, Subpara. 1, sent. 1 (b), (c), and (f) GDPR):

– Smartphone model designation

– Operating system version

– Which version of our app have you installed

– Contact information

Our legitimate interest in the data collection results from the stated purpose.

(2) Other recipients of the data

– IT services

– Service and call centers

(3) In order to ease the processing of your request and resolve any issues raised, the data will be stored until the end of the processing period and will be kept for a further 12 months thereafter. If an ongoing contractual relationship exists, the data will be stored until the contractual relationship is terminated.

10 … ADDITIONAL DATA COLLECTED BY USING OUR MOBILE APP WITH HAVING REGISTERED

(1) In addition to the data that is collected as part of using the app without registration, information required to conclude contracts and for the subsequent exchange of services is collected if one is using the app having already registered. Beyond that, we use the data to analyze and optimize our offering, for statistical analyzes and marketing measures (legal prerequisites: Section 6. Subpara. 1, sent. 1 (b), (c) , and (f) GDPR):

– Contact information

– Payment information

– Date of birth

Our legitimate interest in the data collection results from the stated purpose.

(2) Further recipients of the data:

a) Recipients of the data are

– IT service providers

– Logistics service providers

– Telecommunication service providers

– Service and call centers

– Printing services

– Collection services

– Sales and marketing service providers

b) These payment transaction data are forwarded to our bank for purposes of payment processing (e.g., when using SEPA direct debits).

c) Data for external payment providers (e.g. for credit cards or PayPal) are not collected or stored by us, but rather transferred directly from you to the payment service provider. We will only receive a notification that the payment was made and, as necessary, additional data resulting from your agreement with the external payment provider.

(3) Due to commercial and tax regulations, we are obligated to store your address, payment and order data for a period of ten years. We will make the data available to you for your own use (e.g. tax return, billing with the employer) at any time during an ongoing contractual relationship. Upon termination of the contract and fulfillment of all contractual obligations of its parties, the data become restricted in their processing, i.e. your data will only be used to comply with legal obligations.

11 TECHNOLOGIES USED:

(1) IDFA / android ID

For advertising purposes we use the so-called “Advertising Identifier” (IDFA) and the android ID. This is a unique but non-personalized and non-permanent identification number for a particular device that is provided by the iOS or android operating systems. The data collected through the IDFA and the android ID are not linked to any other device-related information. We use the IDFA and the android ID to provide personalized advertising and to evaluate usage. We use it to collect the following data: Measure your interaction with banners by counting the number of advertisements on a banner that were not clicked on (“frequency capping”), click rate, unique user detection, security measures, anti-fraud, and troubleshooting. You may delete the IDFA or the android ID in the device settings at any time; a new one will then be created, which is not merged with the previously collected data. We indicate expressly that you may not be able to use all the functions of our app if you restrict the use of the IDFA or android ID.

(2) Use of Braze

Braze provides us with the functionality to send e-mails or other messages, for instance via push or in-app, to inform you of nearby parking zones, changes in the terms of data protection or to send advertising (as long as you have separately consented to that). The legal prerequisites for this are found in Section 6, Subpara. 1, sent. 1 (f) GDPR. Because your personal data are being processed in the United States, we have concluded an agreement containing standard data protection clauses. The contact details of the provider are: Braze Inc., 318 West 39th Street, 5th Floor, New York, NY 10018 Overview of data protection (Privacy Policy): https://www.braze.com/privacy/

The collected data will be deleted on termination of the contract.

Additionally, cumulated reports on usage are created, which are anonymized and will be used indefinitely.

(3) Use of Google Analytics

a) We use Google Analytics, a web analytics service provided of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are stored on your computer and that allow an analysis of your use of the website. The information about your use of this website generated by the cookie is usually transmitted to a Google server in the USA and stored there. However, in the event that IP anonymization is activated on this website, your IP address will be truncated in advance by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and truncated there. Google uses this information on behalf of this website’s operator to evaluate your use of the website, compile reports on website activity and provide other services related to website usage and Internet usage to the website operator.

b) The IP address transmitted by your browser as part of Google Analytics will not be merged with other data provided by Google.

c) You can prevent the storage of cookies by setting your browser software accordingly; however, we indicate expressly that if you do so, you may not be able to use the full functionality of this website. You may also prevent Google from collecting the data generated by the cookie that is related to your use of the website (incl. your IP address) and prevent Google’s processing of these data by means of the browser plug-in available under the following link. Download and install: http://tools.google.com/dlpage/gaoptout?hl=de.

d) This website uses Google Analytics with the extension “_anonymizeIp().“ As a result, IP addresses are processed in truncated form, thus excluding the possibility of personal references. If the data collected about you are related to a person, this is excluded immediately and the personal data are deleted immediately.

e) We use Google Analytics to be able to analyze and regularly improve the use of our website. With the statistics thereby obtained, we can improve our offering and make it more interesting for you as a user. Google has subjected itself to the EU-US Privacy Shield with respect to the exceptional cases in which personal data are transferred to the USA; https://www.privacyshield.gov/EU-US-Framework. The legal prerequisites for the use of Google Analytics are found in Section 6 Subpara. 1, sent. 1 (f) GDPR.

f) Third party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001.

Terms of use: http://www.google.com/analytics/terms/de.html

Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, and the privacy policy: http://www.google.com/intl/de/policies/privacy

(4) Integration of Google Maps

a) We use the product Google Maps. This allows us to show interactive maps directly in the website and lets you conveniently use the map function.

b) By visiting the website, Google receives information that you have accessed the specific subpage of our website. Additionally, the data mentioned under § 3 of this declaration are transmitted. This occurs regardless of whether Google makes a user account available with which you are logged in, or if there is no user account. When you are logged into Google, your data will be assigned directly to your account. If you do not want Google to make this assignment to your profile, you must log out before activating this button. Google stores your data as a usage profile and uses that data for purposes of advertising, market research and/or user need-based design of its website. This analysis is particularly done (even for users who are not logged in) in order to provide user need-based advertising and inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, where such objections must be directed to YouTube.

c) Further information on the purpose and scope of the data collection and its processing by the plug-in provider can be found in the data protection statement (privacy policy) of the provider. You can also find more information on your rights as to that and the possibility to adjust your settings to protect your privacy here: http://www.google.com/intl/de/policies/privacy. In addition, Google processes your personal data in the United States and has subjected itself to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(5) Use of Google Adwords Conversion

We use the product Google Adwords to draw attention to our attractive offerings with the assistance of advertising materials (so-called Google Adwords) on external websites. In relation to the data of the advertising campaigns, we are able determine the extent of success of individual advertising measures. In doing so, we are pursuing our interest in showing you advertisements that are of interest to you, making our website more interesting to you and achieving a fair calculation of advertising costs.

These advertising materials are supplied by Google via so-called “ad servers.” To enable this, we use ad server cookies, which measure certain performance metrics such as ad placement or user clicks. If you access our website via a Google advertisement, Google Adwords stores a cookie on your PC. These cookies usually lose their validity after 30 days and are not intended to identify you personally. Generally, unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant to post-view conversions), and opt-out information (noting that the user does not wish to be contacting any longer) will be saved to this cookie as analysis values.

These cookies allow Google to recognize your Internet browser. If a user visits certain pages of an Adwords customer’s website and the cookie stored on that user`s computer has not expired, Google and the customer will be able to detect that the user clicked on the ad and was redirected to that page. Each Adwords customer is assigned a different cookie. Cookies cannot be traced via the websites of Adwords customers. We ourselves do not collect and process any personal data as part of the aforementioned advertising measures. We receive only statistical analyses from Google. On the basis of these analyses, we are able to identify which of the advertising measures being used is particularly effective. We do not receive any further data from using the advertising material; in particular, we cannot identify the users on the basis of this information.

Due to the marketing tools used, your browser will automatically establish a direct connection to the Google server. We have no control over the extent and the further use of the data, which are collected by Google’s use of this tool and are informing you therefore based on our current level of knowledge: By incorporating AdWords conversion Google receives information that you have accessed the corresponding portion of our Internet appearance or clicked on an ad from us. If you are registered with a service provided by Google, Google may associate the visit with your account. Even if you are not registered with Google or have not logged in, there is a chance that the provider will determine and store your IP address.

You can prevent participation in this tracking process in several ways: a) by adjusting your browser software accordingly, in particular, the suppression of third-party cookies will prevent you from receiving third-party advertisements; b) by disabling the cookies for conversion tracking by setting your browser to block cookies from the domain “www.googleadservices.com”, https://www.google.de/settings/ads, whereby this setting is deleted when you delete your cookies; c) by deactivating the interest-based advertisements of the providers that are part of the “About Ads” self-regulation campaign via the link http://www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies; d) by permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin. We would like to point out that in this case you may not be able to use the full functions of this offer.

The legal basis for the processing of your data is Section 6, Subpara. 1, sent. 1 (f) GDPR. For more information on data protection at Google, see http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the Network Advertising Initiative (NAI) website at http://www.networkadvertising.org. Google has subjected itself to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(6) Remarketing with Google Adwords

In addition to Adwords Conversion, we use the Google Remarketing application. This is a procedure about which we would like to contact you again in the future. This application allows you to have our advertisements displayed as you continue to use the Internet after visiting our website. This is done by means of cookies stored in your browser, through which your usage behavior is recorded and analyzed by Google you’re your visiting various websites. This is how Google determines your previous visit to our website. According to its own statements, Google does not combine the data collected in the course of remarketing with your personal data, which may be stored by Google. In particular, pseudonymization is used in remarketing according to Google.

(7) YouTube

We have included YouTube videos in our online offering, which are stored on http://www.YouTube.com and are directly playable from our website. These are all integrated in the “Advanced data protection mode”, i.e. no data about you as a user will be transferred to YouTube if you do not play the videos. Only when you play the videos, will the data mentioned in § 5 (1) be transmitted. We have no influence on this data transfer.

By visiting the website, YouTube receives information indicating that you have accessed the specific subpage of our website. This occurs regardless of whether YouTube provides a user account with which you are logged in, or if there is no user account. When you are logged into Google, your data will be assigned directly to your account. If you do not want Google to make that assignment to your profile on YouTube, you must log out of Google. YouTube stores your data as usage profiles and uses that data for purposes of advertising, market research and/or user need-based design of its website. This analysis is particularly done (even for users who are not logged in) in order to provide user need-based advertising and inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby such objections must be addressed to YouTube.

For more information on the purpose and scope of data collection and processing by YouTube, please read the privacy policy. You can also get more information on your rights and your ability to alter privacy settings here: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has made itself subject to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.

12 COOKIES

Cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using and by which the party that places the cookie (in this case, us) receives certain information. They serve to make the Internet offering more user-friendly and effective as a whole.

a) This website uses the following types of cookies, the extent and function of which are explained below:

– Transient cookies (see b)

– Persistent cookies (see c)

b) Transient cookies are automatically deleted when you close the browser. These include in particular the so-called session cookies. These store a session ID, with which various requests from your browser can be assigned to a common session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.

c) Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie. You may delete the cookies in the security settings of your browser at any time.

d) You may configure your browser settings according to your wishes and e.g. decline to accept third-party cookies or all cookies. Please be aware that in such an instance you may not be able to use all functions of this website.

* Volkswagen Financial Services AG, Volkswagen Bank GmbH, Volkswagen Leasing GmbH, Volkswagen Versicherungsdienst GmbH, Volkswagen Versicherung AG, Volkswagen Autoversicherung AG, carmobility GmbH, MAN Financial Services GmbH, Mobility Trader GmbH, Euromobil Autovermietung GmbH, sunhill technologies GmbH, LogPay Transport Services GmbH