Privacy Policy for users of the "MyAutoData" platform

The most important at a glance

MAUD (MyAutoData) is a neutral, independent online platform for the private storage and management of your car-related data.

If you intend to derive an economic benefit from your data, you must give us a data protection consent which can be revoked at any time and which allows us to activate the data explicitly released by you for access by the companies registered on the platform. On request, they can then submit to you interest-related offers or use the released data anonymously for statistical purposes.

In return for the data you release, you will receive a fee from the respective company for each access.

We take precautions to ensure that your personal data remains on our platform even if it is accessed by participating companies. However, you give your consent for your released data to be downloaded anonymously and displayed individually as part of statistical analysis. If you accept the offer of a company, it may be that this company also stores or processes the data required for the creation of the invoice or delivery of the product or service outside the platform in its own system. In this respect, the companies are then responsible for this data.

You have a statutory right to information, correction, deletion, restriction of processing, data transmission, complaint to a supervisory authority, revocation of consent and objection. In addition, you can also delete your data on the MAUD platform yourself at any time.

You can reach our data protection officer at dsb@myautodata.com

Content

1. Contents of this information
2. About MAUD (MyAutoData)
3. Responsible and Data Protection Office r
4. Registration
5. Data storage
6. Release of data for participating companies
7. Google analytics
8. Log data of the web server
9. Supplementary information
10. Your rights

1. Contents of this information

This data protection notice explains how we handle your personal data when you as a user use the "MAUD (MyAutoData)"platform, available at www.myautodata.com. We also inform you about your rights under the General Data Protection Regulation (GDPR). If you use the MAUD-Premium service, the "Special Data Protection Notice for MAUD-Premium" also applies.

2. About MAUD (MyAutoData)

MAUD (MyAutoData) is a website (platform) on which registered users can store various data in connection with the ownership and movement of their vehicle (e.g. vehicle data, insurance, memberships or distances travelled) and evaluate them (e.g. vehicle costs).

In addition, users have the option of releasing their data in whole or in part to the participating companies from the automotive sector. However, the data always remains within the MAUD (MyAutoData) platform.

In return for the released data, users receive remuneration from the respective company for each access. Of course, users have full transparency at all times as to which companies have accessed their data and what compensation they receive for doing so.

3. Responsible and Data Protection Officer

The person responsible in the sense of the GDPR for the processing of your data is us, the:

MyAutoData GmbH

Forstenrieder Allee 61, 81476 Munich

Phone: +49 89 74 51 56 - 0

Email: info@myautodata.com

The contact details of our data protection officer are:

LITC – Jasmin Lieffering

Bärenmarsch 3

31623 Drakenburg

Email: dsb@myautodata.com

The participating companies are responsible for the processing of your data that may arise within the framework of a purchase contract with one of the participating companies (invoice, delivery) (see section 6).

4. Registration

To be able to use MyAutoData, you must create a user account and enter your:

Email Address
Password
Name
First name
Country

We will send you an e-mail with an individual activation link to your e-mail address. We use your e-mail address to communicate about contractual and technical matters related to our platform.

5. Data storage

In the "My Details" area of MAUD (MyAutoData) you can store a variety of information on the following categories:

Contact data, master data, legitimation data
Offences
Relatives
Household data
Memberships
Health data
Vehicle data
Interests

All information provided there is voluntary. If you do not wish to release the data to the participating companies (see item 6), only you yourself can access it.

We process your data in order to provide you with these online and partly to create certain evaluations for you (e.g. on vehicle costs). If you release data for participating companies, we check a) the accuracy of your personal details and the vehicle(s) you have registered, and b) the plausibility of the data provided, in order to prevent misuse through false statements.

6. Release of data for participating companies

While entering the individual data, you can determine whether you allow the participating companies access to it or not. These settings may also be done at a later time and can be revoked immediately and at any time by you. By default, no data is released.

If you release individual data, you grant MAUD (MyAutoData) and the participating companies the following data protection consent:

Data protection consent

Passing on data to participating companies for bidding purposes

I hereby agree that MyAutoData GmbH, headquartered at Forstenrieder Allee 61, 81476 Munich, Germany, provides the data released by me on www.myautotdata.com in the "My Details" and "My Vehicle Data" sections together with the information provided in the "My Interests" section to participating companies in the automotive sector (e.g. manufacturers, insurance companies, garages).

Participating Companies may also be located in countries outside the European Economic Area (EEA) that do not provide a level of data protection equivalent to that in the EEA. I hereby consent to my data also being transferred to companies in such countries.

The participating companies may use my data to make me offers on the topics I have requested in the "I am interested in:" section. The offers are made primarily via the function "Show offers", as well as the chat function of myautodata.com. If I have released my address and telephone number, the participating companies may also contact me by post or telephone.

MyAutoData may also make my data available to the participating companies for anonymous (non-personal) evaluations.

Note: Your consent is voluntary. You can revoke your consent at any time with effect for the future. You can give the revocation via the platform by cancelling your data release. Alternatively, you can contact MyAutoData GmbH (for contact details, see section 3 of the data protection information). Without your consent, we will no longer make your data available to the participating companies. A list of the participating companies will be available at a later stage.

We encourage participating companies to process the released data only within the MAUD platform. However, for the preparation of quotations and the possible preparation and execution of orders, it may be necessary for the companies to transfer their data to their own systems (e.g. invoice, delivery). For the data processing of the participating companies in the context of the initiation, preparation and execution of contracts between you and the companies, the respective companies are responsible within the meaning of the GDPR.

If you release data for the participating companies, you will receive compensation for this.

Amounts are paid out via the payment service provider "Stripe", which records the information required for the payment (e.g. bank details). The data protection regulations of Stripe apply: https://stripe.com/en-de/privacy

In order to check the plausibility of your details and to prevent misuse (e.g. false user profiles, false car details), we require an electronic copy of your vehicle registration certificate. This is deleted immediately after the check.

The release of data and the withdrawal of releases are logged by us with date and time.

We also log whether, when and to what extent the data fields you have released were accessed by a participating company. We use this information to settle accounts with these companies and with you. We also make this data available to you in your user account for reasons of transparency.

7. Google analytics (analysis of website usage)

If you give us your Consent to data processing for statistical purposes, we use the Google Analytics service to record, in pseudonymised form, how users use our website in order to create anonymous analysis and to design our website accordingly.

You can view the status of your consent here and change it at any time.

Google Analytics is an analytical tool provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This may also involve a transfer to Google's parent company, Google LLC in the USA. Google LLC has a Privacy Shield certification to ensure a level of data protection appropriate to the EU.

Google acts as our processor when providing Google Analytics.

Additional information on data protection at Google can be found in the Google data protection information.

By means of Google Analytics we record when you call up which pages of our website, your rough location as well as data on the end device used by you (e.g. device type, operating system or screen resolution). This data is processed pseudonymously, i.e. it is used in such a way that the data is not linked to information that directly identifies you (e.g. name, e-mail address).

Google Analytics uses cookies for this purpose (details in section 9.4). These data is stored on your device and enables an analysis of your use of the website. The information generated by the cookie about your use of our website is usually transferred to a Google server in the USA and stored there. The cookie has a lifetime of 3 months. Details on the use of cookies can be found in section D).

IP anonymization has been activated on our website so that your IP address will be truncated by Google within member states of the European Union or in other states which are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.

On our behalf, Google will use this information to evaluate your use of the website in order to compile reports on website activity.

Your data collected within the scope of Google Analytics will be deleted after 14 months.

The processing of your data is based on your consent.

8. Log data of the web server

If you call up a single page, our web servers record the address (URL) of the called up page, date and time of the call, possible error messages and if necessary the operating system and the browser software of your terminal device as well as the web page from which you visit us and the incoming IP address in a protocol file.

The log file data is used by us exclusively to ensure the functionality of our services (e.g. error analysis, guarantee of system security and protection against misuse) and deleted or anonymized after 7 days.

Insofar as log file data can be qualified as personal data in individual cases, the legal basis for the processing of log file data is our legitimate interest (error analysis, guarantee of system security and protection against misuse).

9. Supplementary information

9.1. Mandatory information

All mandatory fields on our website are marked with an asterisk ("*").

9.2. Data recipients and third party service providers

If you have released data, it will be made available to all participating companies. You can see which companies have retrieved their data under "Participation in the Marketplace > "My income".

In addition to the data recipients already listed above, we can use other service providers for the technical operation or the provision of individual functionalities:

For the technical operation of the website we can use contract processors. We currently use Amazon Web Services, Inc., USA (AWS) for web hosting and technical provision of the website. The processing takes place primarily in a computer center of AWS in Frankfurt am Main. AWS participates in the Privacy Shield Program.

For two-factor authentication we use the "Authy" service from Twilio, Inc. in the USA. Twilio participates in the Privacy Shield program.

9.3. Storage period

We measure the storage period for your data on the basis of the specific purposes for which you use the data.

As a matter of principle, we delete your data when you delete your user account, unless we are legally obliged to store it for a longer period. You can delete your user account under "My account".

We delete invoice-relevant data after expiry of the statutory retention periods, which result in particular from the German Commercial Code (HGB) and the German Fiscal Code (AO) and often amount to six or ten years.

Finally, the storage period is also assessed in individual cases (e.g. in the event of specific disputes) according to the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB) are usually three years (from the end of the calendar year).

9.4. Legal and technical terms

In the following, we explain some legal and technical terms used in this privacy statement.

Personal Data: Personal data is any information relating to an identified or identifiable natural person, such as information associated with your e-mail address.

Processing: A processing of personal data is any process in connection with personal data, e.g. collection via an online form, storage on our servers or use to contact.

Cookie: A cookie is a small text file that is stored on your computer. The content of this file is transferred to our server or the server that has set the cookie each time a website is accessed.

A list of cookies used on our website:

Name	Type	Duration	Purpose
Name PHPSESSID	Type Internal	Duration Session	Purpose User authentication
Name cookiebanner-accepted	Type Internal	Duration Forever	Purpose Cookie acceptance pop-up
Name _gid	Type Third party	Duration 24 hours	Purpose Google Analytics
Name _ga	Type Third party	Duration 2 years	Purpose Google Analytics
Name _gat_gtag_UA_	Type Third party	Duration 1 minute	Purpose Google Analytics
Name _fbp	Type Third party	Duration 90 days	Purpose Facebook Pixel
Name sb	Type Third party	Duration 419 days	Purpose Facebook Pixel
Name datr	Type Third party	Duration 443 days	Purpose Facebook Pixel
Name fr	Type Third party	Duration 449 days	Purpose Facebook Pixel
Name _fbp	Type Third party	Duration 455 days	Purpose Facebook Pixel
Name wd	Type Third party	Duration 7 days	Purpose Facebook Pixel

IP address: The IP address is a number that your Internet service provider temporarily or permanently assigns to your terminal device. With a complete IP address, it is possible in individual cases to identify the subscriber, e.g. on the basis of additional information from your Internet service provider.

Privacy Shield: Privacy Shield certification is a measure taken by US companies to legitimize the transfer of personal data from the EU to the US, as the US does not have adequate data protection legislation comparable to EU law. The underlying EU-U.S. Privacy Shield Agreement is a data protection agreement that ensures an adequate level of data protection for data transfers to certified U.S. companies. The EU Commission has determined the adequacy of the guaranteed data protection level according to the EU-U.S. Privacy Shield Agreement by decision of 12.07.2016 (Ref. C(2016) 4176) (retrieve decision of the EU Commission). You can view the current status of certification of companies according to the EU-U.S. Privacy Shield Agreement online here.

Contract processors: These are technical service providers who process personal data for our purposes and according to our specifications. In accordance with the requirements of the GDPR, we have entered into contractual agreements with contract processors to ensure data protection.

9.5. Legal basis

GDPR permits the processing of personal data only if a legal basis permits this. We are legally obliged to inform you of the legal basis for the processing of your data.

Unless otherwise stated in these data protection notices, we process your data to provide the MAUD (MyAutoData) platform (fulfillment of contract). Insofar as we store and use data to combat misuse, this is done on the basis of our legitimate interest in preventing misuse. The provision of data to partner companies takes place on the basis of your consent. If we store data for the fulfilment of legal storage obligations, the legal basis is the fulfilment of legal obligations.

In the following, we will explain the terms used when naming the legal bases.

Legal basis	Designation	Explanation
Legal basis Art. 6 para. 1 lit. a) GDPR	Designation Consent	Explanation This legal basis permits processing if and insofar as you have given us your consent.
Legal basis Art. 6 para. 1 lit. b) GDPR	Designation Contract fulfilment	Explanation This legal basis permits processing to the extent necessary to fulfil a contract with you, including pre-contractual measures (e.g. preparation of the conclusion of a contract
Legal basis Art. 6 para. 1 lit. c) GDPR	Designation Fulfilment of legal obligations	Explanation On the basis of this legal basis, we may process your data insofar as this is necessary to fulfil a legal obligation to which we are subject.
Legal basis Art. 6 para. 1 lit. f) GDPR	Designation Legitimate interests	Explanation In accordance with this legal basis, we are permitted to process data insofar as this is necessary to safeguard our legitimate interests (or those of third parties) and your conflicting interests do not prevail.

10. Your rights

By law, we are obliged to inform you of your rights under the GDPR. In the following we explain these rights, i.e. your right to information, correction, deletion, restriction of processing, data transmission, complaint to a supervisory authority, revocation of consent and objection.

You are entitled to these rights under the conditions of the respective data protection regulations. No further rights are granted to you by the following representation.

10.1. Information

You have the right to request confirmation from us as to whether we are processing personal data concerning you; if this is the case, you have the right to be informed of this personal data and of the information specified in Art. 15 GDPR.

10.2. Corrigendum

You have the right to demand from us immediately the correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data, Art. 16 GDPR.

10.3. Deletion

You have the right to demand that we delete personal data relating to you immediately if one of the reasons listed in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued.

10.4. Restriction of processing

You have the right to demand that we restrict the processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection against the processing for the duration of the examination by us.

10.5. Data transferability

You have the right, under certain conditions, to receive, transmit and - as far as technically feasible - have transmitted data concerning you which you have provided to us in a structured, common and machine-readable format, Art. 20 GDPR.

10.6. Grievance

Irrespective of any other administrative or judicial remedies, you have the right to complain to a supervisory authority if you are of the opinion that the processing of your personal data by us violates the GDPR, Art. 77 GDPR. You may exercise this right with a supervisory authority in the Member State where you are staying, at your place of work or at the place where the alleged infringement occurred. The contact details of the supervisory authorities in Germany can be found at https://www.bfdi.bund.de/DE/Infothek/ Anschriften_Links/anschriften_links-node.html

10.7. Revocation (of consents)

If you have given us your data protection consent, you have the right to revoke it at any time with effect for the future. This also applies to data protection consents which you have given us before the GDPR became effective.

10.8. Dissension

You also have the right to object to the processing of your personal data at any time for reasons arising from your particular situation, provided that we base the processing on Art. 6 para. 1 lit e. or f GDPR. We will then no longer process this data unless we can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims (Art. 21 GDPR).

If we use your personal data for direct advertising (e.g. by e-mail), you have the right to object to the use of your data for these purposes at any time. This also applies to profiling in so far as it is related to direct mail. Profiling means the use of personal data to analyze or predict certain personal aspects (e.g. interests).

Supplemental Privacy Policy for Users of MAUD Premium (including MAUD App

The most important facts at a glance

With this document we explain the data processing within MAUD-Premium, a service for the collection, analysis and provision of trip data by means of a device to be attached to the vehicle and an app to be installed on your mobile phone.

This data protection information supplements the "General data protection information for users of the MyAutoData platform".

The data collected by MAUD-Premium include in particular information about the trip (e.g. mileage, driver), continuous location data of the vehicle and the VIN number. The raw data collected in this way is transferred to our server at the end of the trip and processed there into event data (e.g. heavy braking).

The result data is only visible to you, unless you release it for participating companies. You can restrict the scope of the released event data individually. The regulations of the General Data Protection Notice apply to the use of the released data (see in particular section 6).

1. Contents of these notes
2. Functionality of MAUD-Premium
3. Subscription and payment of MAUD-Premium
4. Recorded trip data (raw data)
5. Purposes of use and legal basis
6. Receiver (data release)
7. Storage duration
8. Authorizations of the MAUD app

1. Contents of these notes

This special privacy policy explains our handling of your personal data when you use the "MAUD-Premium" service, including the associated MAUD-App.

This data protection information supplements our general data protection information for users of the "MyAutoData" platform.

2. Functionality of MAUD-Premium

MAUD-Premium allows the collection, analysis and provision of trip data by means of a device to be attached to the vehicle ("MAUD-Dongle") and an app to be installed on your mobile phone ("MAUD Connect-App").

You must login to the MAUD app with the access data of the corresponding MAUD user account. At the beginning of each trip, you or the respective driver enter data for the upcoming trip in the MAUD app, in particular the vehicle's mileage, reason for the journey (private/business) and driver (vehicle owner, partner, child) ("trip data"). The MAUD dongle also reads certain data of the vehicle, in particular the VIN number and CO2 values ("vehicle data") and connects to your mobile phone via a radio connection (Bluetooth) and sends the vehicle data to it. The MAUD dongle itself does not store any data. During the trip, the MAUD app continuously records your location, the data of the acceleration sensor as well as environmental data (e.g. weather data via an external service) ("trip data") and temporarily stores all that data. At the end of the trip, the MAUD app transmits the trip, driving and vehicle data (together "raw data") via an internet connection to the MAUD server of the MAUD platform.

On the MAUD server, events are determined from the raw data ("event data"). The raw data itself is not stored permanently. Only the event data is provided in the MAUD platform. Events in this sense are in particular: Start and end of a trip, change of road type (e.g. local road, highway), heavy braking or acceleration, fast cornering, change of weather situation or exceeding the posted speed limit. The location, as well as date and time are stored for all events.

The MAUD platform allows you to view the event data and provides you with analyses of this data (e.g. on trip costs, trip statistics, potential insurance premiums). In addition, you can make the event data available in whole or in part to participating companies and thereby generate income or receive customized offers. The provisions of the General Data Protection Notice apply in this respect. Important note: Some data are calculated by us using mathematical algorithms and may deviate from the real values depending on the driving style. We therefore assume no liability for the accuracy of the determined data and the results provided.

3. Subscription and payment of MAUD-Premium

To use MAUD-Premium, you must have a MAUD user account (MAUD Basic) and subscribe to the service MAUD-Premium there. In the course of the purchase we need the following data, which we will - as far as possible - use from your MAUD-Basic user account:

Name (required)
E-mail address (required)
Postal address, if necessary different delivery address

We also record the date and duration of the MAUD premium. We use this data for contract initiation and execution (e.g. dispatch of MAUD dongle) as well as for the fulfilment of legal storage obligations.

Payment of the subscription fee for MAUD-Premium is processed by the service provider Stripe, Inc. 510 Townsend Street, San Francisco, CA 94103, USA ("Stripe"). Your credit card details are recorded by Stripe. We do not have access to your credit card details, but only receive information as to whether the subscription fee has been successfully paid. Stripe is responsible for the processing of your payment data in accordance with data protection law. The data protection information of Stripe applies, available at: https://stripe.com/en-de/privacy.

4. Recorded trip data (raw data)

At the beginning of each trip, you or the respective driver must enter the following trip data via the MAUD app

If there is a deviation from the display in the MAUD app, the real mileage of the vehicle
Reason for the trip: private or business
Driver: vehicle owner, partner, child (not: name)

All information on the trip data is required. If the information is not provided, MAUD-Premium cannot record data for the trip.

The MAUD dongle reads out the following vehicle data via the ODB2 interface of the vehicle during the trip

VIN number (for allocation to your vehicle stored in MAUD-Basic)
CO2 levels (if available, otherwise calculated)
Speed (if available, otherwise calculated)
Outdoor temperature
Fuel or energy consumption (if available, otherwise calculated)

The MAUD app collects these trip data during the trip:

Location (every two seconds)
Accelerometer data
Weather data (via external service)
Direction of travel
Street type (via external service)
Speed limit (via external service)

5. Purposes of use and legal basis

We use the raw data to determine relevant events ("event data"). Event data are in particular:

Start and end of the journey
Change of road type (e.g. local road, highway)
Strong braking or acceleration
Fast cornering
Exceeding the posted speed limit.

The location as well as date and time are stored for all events.

We provide the result data on the MAUD platform for your own purposes. We also provide you with evaluations of the event data (e.g. statistics, cost calculations, options for telematics insurance, logbook).

If you release results data, you give us and participating companies your consent in accordance with Section 6 of the General Data Protection Notice. You can determine which events are released and restrict the events to be released according to date, driver and reason for the trip.

6. Receiver (data release)

If you have released data, it will be made available to all participating companies.

7. Storage duration

The raw data will be deleted on your mobile device as soon as the trip is finished and the raw data has been transferred to the MAUD server via internet connection. On the MAUD server, the raw data is deleted as soon as the event data has been calculated from it.

The event data is deleted on a rolling basis after 365 days.

8. Authorizations of the MAUD app

The MAUD app requires the following system authorizations:

Access to location: Required during the trip to determine the location of the vehicle and thus the trip data.
Access to Bluetooth: To receive vehicle data from the MAUD dongle
Internet access: To transmit the raw data to the MAUD server