1. Subject of this data protection notice
In the following, we would like to inform you in detail about which personal data (hereinafter referred to as "data") is processed when you download and use our app and the services we offer there. In addition, we would like to inform you about the rights to which you are entitled and the technical and organisational protective measures we have taken with regard to the processing of your data.
2. Name and address of the data controller and service provider
The controller within the meaning of Art. 4 No. 7 of the General Data Protection Regulation ("GDPR") is IONITY GmbH, Moosacher Straße 84, 80809 Munich, see our legal notice.
If you have any questions or comments about this data protection notice or about data protection in general, please send them to the above address or by email to dataprotection@ionity.eu.
You can contact our data protection officer as follows:
IONITY GmbH
Data Protection Officer
Moosacher Straße 84
D-80809 Munich, Germany
3. Data processing, purposes, legal bases
When using our charging service and the IONITY app, it is necessary to process personal data. In the following, we explain which data is collected for which purposes and on which legal basis.
3.1. Charging process with charging card or app from another mobility service provider
If you use our charging stations with a charging card from or via the app of another mobility service provider, we collect the following data:
· Authentication token (a token assigned to you by your mobility service provider)
· Charging data (including start/stop time, amount of electricity charged, ID of the charging station with location, charging curve, vehicle model and ID)
The processing of the data serves the fulfilment of the contract in accordance with Art. 6 (1) (b) and (f) GDPR in order to be able to offer you the services of our charging service and to process invoicing and payment transactions and send them to your mobility service provider. We process the data on the basis of legal obligations in accordance with Art. 6 (1) (c) GDPR, which includes, for example, the creation, forwarding and retention obligations of invoices and contracts or transfers to authorities. The data is processed on the basis of the legitimate interest of our company pursuant to Art. 6 (1) (f) GDPR to ensure the security, availability and performance of our charging infrastructure and the associated processes and, if necessary, to adapt or improve them and to compile aggregated statistics for business management purposes.
3.2. Ad hoc charging process
You can also use our charging stations without prior registration and initiate the charging process via https://payment.ionity.eu or the QR code attached to the charging station or pay via a payment terminal on site using NFC. Your payment data will be processed by the payment provider. We also process your charging data (including start/stop time, amount of electricity charged, ID of the charging station with location, charging curve, vehicle model and ID).
The processing of the data serves the fulfilment of the contract in accordance with Art. 6 (1) (b) GDPR in order to be able to offer you the services of our charging service and to process invoicing and payment transactions. We process the data on the basis of legal obligations in accordance with Art. 6 (1) (c) GDPR, which includes, for example, obligations to retain invoices and contracts or transfers to authorities. The data is processed on the basis of the legitimate interest of our company pursuant to Art. 6 (1) (f) GDPR to ensure the security, availability and performance of our charging infrastructure and the associated processes and, if necessary, to adapt or improve them and to compile aggregated statistics for business management.
3.3. Charging process IONITY customers via the IONITY app
3.3.1. Download the IONITY app
We offer the IONITY app exclusively via the Apple App Store (iOS) and the Google Play Store (Android).
When you download our IONITY app from an app store, the required information is sent to the app store; in particular, your user name, email address and account ID, time of download, payment information and individual device ID are processed by the app store. We have no influence on this data transfer; it is not part of the IONITY app-related data processing, but is part of your user relationship with the respective app store. For more information, please consult the information centres or data protection notices of the app store operators.
3.3.2. IONITY customer account and app-based charging process
· Data for customer account: First name, last name, billing address (when booking a tariff), e-mail address, age verification (over 18 years), date of birth (optional), telephone number (optional), password (in encrypted form, not readable by us), credit card or other payment information (optional for registration, necessary for the charging process), tax information (if required by law, optional for registration, necessary for the charging process)
· Contract data: Information on booked tariffs, billing and payment data, bank details/credit card details (varies depending on the selected payment method), tax information (if required by law), contract/usage histories
· Service and IT (usage) data: Device identifiers, access data, identification data/IDs, telecommunication data/message content, usage and connection data/metadata
· Charging data: Including start/stop time, amount of electricity charged, ID of the charging station with location, charging curve, vehicle model and ID
We need this data for the fulfilment of the contract in order to be able to offer you the services of our charging service and to carry out invoicing (Art. 6 (1) (b) GDPR). You can change the above information yourself at any time in your IONITY app. We process the data on the basis of legal obligations in accordance with Art. 6 (1) (c) GDPR, which includes, for example, obligations to retain invoices and contracts or transfers to authorities. The data is processed on the basis of the legitimate interest of our company pursuant to Art. 6 (1) (f) GDPR to ensure the security, availability and performance of our charging infrastructure and the associated processes and, if necessary, to adapt or improve them and to compile aggregated statistics for business management purposes.
3.3.3. Technically necessary data and log files for the use of the IONITY app
When you install the IONITY app on your device and when you use it, the following data is transmitted to us:
· Device ID (ID of the app: iOS vendor ID or Android advertising ID [GAID])
· App version (clientApplicationVersion)
· App operating system version (clientOsVersion)
· IP address
· Date and time of the request
· Time zone difference to Greenwich Mean Time (GMT)
· Content of the request (specific page)
· Access status/HTTP status code
· Amount of data transferred in each case
· Device type and manufacturer
· UDID
This data is collected and processed to ensure the functionality of the IONITY app, to guarantee and improve stability and for security reasons. The legal basis for this processing is Art. 6 (1) (b) or (f) GDPR. The data is deleted as soon as it is no longer required for the aforementioned purposes. If an IP address is stored, it will be deleted or anonymised after 7 days at the latest. The collection of this data and the storage of the data in log files is absolutely necessary for the use of the app.
3.4. Feedback and ratings
3.4.1. App feedback
Users can voluntarily provide feedback on the app by selecting the appropriate button within the IONITY app. The feedback can be requested in various forms, such as star ratings, multiple choice questions or free text fields. The app feedback is submitted and analysed anonymously. No personal data is collected or analysed.
3.4.2. Evaluation dialogue after a charging process
Once a charging process has been completed, the option to rate the charging process may appear. The rating can take the form of a star rating, multiple choice questions or free text fields and is voluntary. If you submit a rating, the data will be aggregated in such a way that your rating is anonymous.
3.4.3. Technical data collection in connection with feedback and evaluations
Since feedback and ratings are transmitted via the internet and collected centrally, it is technically unavoidable that data such as IP addresses, time stamps and, if applicable, individual device information such as the operating system are processed from time to time. The legal basis for this is Art. 6 (1) (f) GDPR in conjunction with § 25 para. 2 no. 2 TDDDG, because we need this data for technical reasons, in particular to display the website. However, this data is discarded after transmission and is neither stored nor analysed.
3.5. Advertising communication
3.5.1. Newsletter
In the IONITY app, you have the option of subscribing to our newsletter. Your data is collected and stored for the purpose of sending and delivering the newsletter. For this purpose, we collect the e-mail address to which the newsletter is to be sent and the date and time of registration for the newsletter.
In the newsletter, we analyse whether and when a newsletter was opened and which content of the email was clicked on and when. Furthermore, it is determined which content will be sent to you in the future and at what times or days so that we can personalise the newsletter content based on your interests and usage habits.
The legal basis for the processing of your data for the newsletter dispatch and the behaviour-based evaluation is Art. 6 (1) (a) GDPR (consent). You must therefore give your consent before the newsletter is sent. The newsletter will only be sent after explicit confirmation (double opt-in). For this purpose, we use a tool from Braze Inc, 28 East 28th St., 12th Floor Mailroom, New York, NY 10016, USA.
Your data will be stored until you unsubscribe from the newsletter.
You have the right to revoke the consent you have given at any time for the future in order to unsubscribe from the newsletter. This can be done either by clicking on the unsubscribe link in a newsletter or by sending a message to marketing@ionity.eu.
3.5.2. Usage behaviour for advertising approach
Based on your explicit consent, we evaluate certain details of your usage behaviour of the app and interaction with advertising messages. The processing is therefore carried out on the legal basis of Art. 6 (1) (a) GDPR and you can revoke your consent at any time in the app's data protection settings. Data points that we collect are, for example, whether you start and then cancel a purchase or which advertising measures you are most likely to respond to, depending on the time and the message channel, such as push notification or email. For this purpose, we use a tool from Braze Inc, 28 East 28th St., 12th Floor Mailroom, New York, NY 10016, USA.
3.6. Authorisations on the end device
To fully utilise the functionality of the IONITY app, it is recommended that you switch on the location function of the IONITY app. This uses GPS data and locations of Wi-Fi hotspots and phone masts to determine your approximate location so that we can determine whether you are near an IONITY charging station. IONITY may store and process this location information in order to improve our service. If you want to scan a QR code on our charging stations, we will also ask you for permission to access your camera. We will ask you for specific access to your location or camera, which you can of course refuse in each case. You can also use the IONITY app without using the location and camera function.
3.7. Cookies and similar technologies in the IONITY app
When using the IONITY App (and our linked websites), we use cookies that are stored by your browser and/or the IONITY App on the device you are using for a short time ('session' cookies) or for a longer period ('persistent' cookies). Cookies are small files containing information that our server and/or third party servers send to your browser so that this information is sent back to our server and/or the third party server on your next visit.
3.7.1. Google Analytics for Firebase
For Google Analytics, device information, information on the IONITY app used, data on the use of the IONITY app, location data, user ID and information on individual requests within the IONITY app (events) are processed. The data is used to analyse the interaction with the app as well as the reactions and execution of the IONITY app and to make decisions based on the results regarding user-friendliness or functions in order to improve them. The data processing is based on Art. 6 (1) (a) GDPR. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. You can revoke your selection at any time in the privacy settings in the IONITY app.
3.7.2. Firebase Crashlytics
Firebase Crashlytics processes data on the operation of the IONITY App, including the type of operating system used, information on malfunctions during operation (type of malfunction, time of malfunction, duration of malfunction, use of the IONITY App at the time of malfunction) and device information. This data enables us to obtain an overview of various malfunctions when malfunctions or problems occur during operation of the IONITY App and to prioritise them according to their relevance for use in order to ensure efficient troubleshooting and to ensure the stability of the IONITY App. The data processing is based on Art. 6 (1) (b) GDPR in conjunction with § 25 para. 2 no. 2 TDDDG. The data is deleted after 90 days.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information on data protection in Google Firebase can be found at the following link https://firebase.google.com/support/privacy.
3.7.3. E-mail and SMS notifications and push services
We can send you messages with different content via different channels. We differentiate between mandatory notifications and optional notifications.
Mandatory notifications are notifications that serve verification, security, transparency and performance fulfilment.
· To verify your account during registration
· Correspondence for support and clarification cases
· For sending digital invoices and receipts
Push notifications in the IONITY app
· Account, tariff, availability or security-related information as well as IONITY app related information about new or changed functions and updates
Optional notifications are notifications that increase the convenience of using our services or inform you about our general offers and publications. For example, to keep you up to date on the progress of your charging process, you have the option of receiving push notifications via the IONITY app. We will ask you for permission to do this when you install/initialise the IONITY app, which you can of course refuse at any time. You can also deactivate this setting at any time afterwards in the notification settings of your mobile device.
· News, updates, advertising approach
In addition, we also offer optional information in connection with the registration and use of our IONITY app, which informs you about relevant developments at IONITY (e.g. opening of new stations) or special offers, marketing campaigns and news beyond the use of the app. However, we will only send you this information if you give us your consent to do so. This information may be sent to you by e-mail, SMS or push notifications.
For emails, we use Amazon Simple Notification Service and Amazon Simple Email Service from Amazon Web Services (hereinafter referred to as AWS) to send automated emails to you. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg.
Firebase Cloud Messaging
We use Google Firebase Cloud Messaging for IONITY App internal notifications and push notifications. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Firebase Cloud Messaging enables us to inform you with targeted and contextualised messages and encourage you to use the IONITY app. Information on the subject, type of message and time the message was sent is processed, as well as data on whether and when a message was received and read. Some of this data is also used as part of the analysis.
The legal basis for our push notifications depends on the content of the notifications:
· on Art. 6 (1) (f) GDPR - We have a legitimate interest in verifying your e-mail address for the account and in providing our customers with information that is relevant for system and service such as availability, maintenance times, outages, changes and relevant changes in the function or appearance of the IONITY App as specifically and quickly as possible
· on Art. 6 (1) (a) GDPR - We would like to send you marketing information and advertising about our offers. However, we will only do this if you give us your consent. You can revoke your consent at any time in the app settings.
3.7.4. Map services
Apple Maps (iOS)
We use Apple Maps, a service provided by Apple Inc. (Infinite Loop, Cupertino, CA 95014, USA; "Apple"), for the purpose of displaying maps within our IONITY App and for displaying nearby IONITY charging stations (this requires access to your own position data via the GPS function in your mobile device). When you use our IONITY app, Apple receives the information that you are using our IONITY app as well as information about your use of the map functions. If you are logged in to Apple, this information is also assigned to your Apple user account. If you do not wish this to happen, you must log out of your Apple account before using our IONITY app. The legal basis for data processing is Art. 6 (1) (f) GDPR in conjunction with § 25 para. 2 no. 2 TDDDG. The legitimate interest lies in enabling the locating of and navigation to the charging stations.
We have no influence on data collection and processing by Apple. You can find more information about data processing by Apple in their privacy policy.
You can find it at https://www.apple.com/de/privacy/.
Google Maps (Android)
We use Google Maps, a service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") for the purpose of displaying maps within our IONITY App and for displaying nearby IONITY charging stations (this requires access to your own position data via the GPS function in your mobile device). When you use our IONITY app, Google receives the information that you are using our IONITY app as well as information about your use of the map functions. If you are logged in to Google, this information is also assigned to your Google user account. If you do not wish this to happen, you must log out of your Google account before using our IONITY app. The legal basis for data processing is Art. 6 (1) (f) GDPR in conjunction with § 25 para. 2 no. 2 TDDDG. The legitimate interest lies in enabling the locating of and navigation to the charging stations.
We have no influence on data collection and processing by Google. You can find more information about data processing by Google in their data protection information.
You can find it at https://policies.google.com/privacy.
3.8. Special categories of personal data and personal data of children
We do not collect or process special categories of personal data. According to Article 9 GDPR, this includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The IONITY app is aimed at persons of legal age. Children should not transmit any personal data to us or use our apps without the consent of their parents or legal guardians. The duty of supervision lies with the respective legal guardian. We do not knowingly request personal data from children and do not knowingly process such data.
4. Service providers and data transfer to third parties
We are supported by processors and third parties. Processors have been carefully selected by us and integrated by means of contracts for commissioned data processing in accordance with Art. 28 GDPR.
If not already specified, we use the following recipients:
· Provider of payment and invoicing services
· Technical backend service provider
· Customer support
· Customer loyalty platform
· Service provider for customer communication
· IT service provider
· Advertising agencies
· Survey service provider
· Consultancy firm
· Software developer
· Billing e-mobility service provider
· For roaming: service provider of the associated/requesting roaming platform
· National tax authority (in case of obligation due to national legal requirements)
Otherwise, your data will only be passed on to other third parties if this is expressly stated in this data protection notice or if we are legally obliged to do so.
We also transfer your data to service providers and vicarious agents who are located in third countries (outside the EU) and carry out data processing there. Compliance with an appropriate level of data protection is ensured by various mechanisms.
· If the level of data protection in the third country is guaranteed by an adequacy decision, this serves as the basis for the data transfer (Art. 45 GDPR).
· If the service provider is certified under the Data Privacy Framework, the adequate level of data protection is ensured by the aforementioned adequacy decision pursuant to Art. 45 (1) GDPR.
· Otherwise, transfers to third countries only take place if the level of data protection is otherwise ensured, such as through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), express consent or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR). If the transfer is based on standard contractual clauses, the standard contractual clauses provided by the EU Commission are used for this purpose: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
5. Storage duration
Unless specified in the individual data processing operations, the following applies:
· In principle, data is only stored for as long as is necessary to fulfil the purposes for which it was collected or, if you have given your consent, until you withdraw your consent. After these periods have expired, the data will be deleted or anonymised unless there are statutory retention obligations that require longer storage.
· Commercial and tax documents are subject to a retention obligation of 10 years (§ 147 AO, § 257 HGB).
· Other business documents are subject to a retention obligation of 6 years (§ 147 AO, § 257 HGB).
· Data that is required due to potential warranty and compensation claims or similar contractual claims must be stored for 3 years (§§ 195, 199 BGB).
6. Your rights as a data subject and your right to lodge a complaint
6.1. Rights of data subjects
With regard to the processing of your personal data, you have the right to request information about your personal data processed by us in accordance with Art. 15 GDPR. You also have the right to have data rectified in accordance with Art. 16 GDPR or erased in accordance with Art. 17 GDPR and to restrict processing in accordance with Art. 18 GDPR. Furthermore, in accordance with Art. 20 GDPR, you have the right to demand that the personal data you have provided be returned to you in a structured, commonly used and machine-readable format. With regard to the right of access, the restrictions of Section 34 BDSG apply and with regard to the right to erasure, the exceptions of Section 35 BDSG apply.
If we process your data on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR or for the performance of a public task in accordance with Art. 6 (1) (e) GDPR and if there are reasons against this processing arising from your particular situation, you have the right to object to this processing in accordance with Art. 21 (1) GDPR. In the event of an objection, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.
You have the right to object - without restriction - to any type of processing for direct marketing purposes in accordance with Art. 21 (2) and (3) GDPR.
If we process your data on the basis of your consent, you have the right to withdraw your consent at any time. Your data will then no longer be processed for the purposes covered by your consent. Please note that the withdrawal of consent does not affect the lawfulness of data processing that took place prior to the withdrawal. For details of how to declare your withdrawal, please refer to the above information or the information in the respective consent, or contact our Customer Service.
To exercise your rights, please contact: support@ionity.eu.
6.2. Complaint to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).
The competent supervisory authority in Bavaria is Bayerisches Landesamt für Datenschutzaufsicht, Postfach 606, 91511 Ansbach, www.lda.bayern.de.
7. Data security
We and our contractually bound processors use state-of-the-art technical and organisational security measures to protect the data you provide to us from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security measures are continuously improved in line with technological developments.
8. Version and update of the data protection information
As our data processing is subject to change, we will also amend our data protection information from time to time. You will find the current version of this privacy policy here. You can also request the current version from our data protection officer at dataprotection@ionity.eu.
Last update: November 2024