Privacy policy

Introduction

Should you choose to trust your personal data to us either by interacting with us through our website or our mobile app, we will take good care of it for you. Here is how we do it.

The protection of your personal data is as important for Greencent as it is to you. Please bear with us as we explain to you the type, scope and purpose of the processing of your personal data (hereinafter referred to as “data”) within our services (hereinafter referred to as “online offer”).

Who we are (Data controller)

Greencent UG

c/o Factory Works

Lohmühlenstraße 65

12435 Berlin

E-mail: privacy@greencent.io

I. Data processing overview

1. Description of our services

1.1. Greencent Measurement Service

[For companies] The Greencent Measurement Service measures user (employee) journeys to and from work by bicycle, public transport, carpooling and electric two-wheelers on behalf of the employer in accordance with Greencent’s terms and conditions (T&C).

1.2. Greencent Loyalty program

[For individuals] The user can participate in the Greencent Loyalty program to obtain greencents according to the savings in CO2 emissions they generated through their activities, according to the following principle: 1 kg of non-emitted CO2 = 1 greencent. Greencents are managed through the Greencent app and can be redeemed by the user for rewards from our partners in accordance with Greencent’s terms and conditions; Greencent issues vouchers or proofs of purchase to be used online or in physical locations to obtain benefits such as products, services, or discounts. Under the Greencent Loyalty Program we need to work with some of your data to be able to give you the greencents you earned for each of your journeys.

2. Types of data collected

2.1. Website

The website serves to provide information about our services, book a demo of our services or otherwise get in touch with us. If you use the contact form on our website or get in touch with us via e-mail, we will process your contact data, so that we may get back to you to answer your question or offer you a demo of our services. When you visit our website, we will collect the following personal data:

User Interactions
- Pageviews: Views of pages on our website.
- Screenviews: Views of screens in a mobile app.
- Event tracking: Custom interactions or actions users take on our site or app (e.g., clicks, form submissions).
User Engagement
- Average engagement time: The average amount of time users spend on our site or app.
- Bounce rate: The percentage of single-page visits or visits with no interaction.
User Information
- User demographics: Age, gender, interests, and other demographic information.
- User technology: Information about users' devices, browsers, and operating systems.
Acquisition
- Source/Medium: Where our users come from (e.g., organic search, paid search, referral).
- Channels: Categorizes users based on how they found our site (e.g., organic search, direct, social).
User Journey Analysis
- Cohort analysis: Groups users based on common characteristics.
Real-Time Reporting
- Real-time data: Provides insights into what's happening on our site or app at a given moment in time.
Audience Reports
- Audiences: Groups of users based on shared characteristics.

2.2. Mobile App

In order for you to be able to collect greencents, we need to process the following types of personal data:

Civil status
Optional personal information
- First name
- Last name
- Avatar / photo
Contact details (e.g., email address)
Location data (e.g., route information) – only when function is activated by the user

3. Categories of recipients (general)

We respect the principles of data protection, and will only share your personal data, if under the GDPR (General Data Protection Regulation of the European Union) we are allowed to do so, for example to:

provide you with reward options under the Greencent Loyalty Program: business partners, such as restaurants, cafes, bars, shops, municipal services etc;
provide your employer with information on your CO2 savings: employer company;
be compliant and transparent: e.g., auditors, authorities;
provide you with seamless user experience: mail provider, cloud provider;
improve your user experience and develop our services.

Any special categories of personal data (e.g., health data from Apple or Android)) will only be processed based on your request and express permission.

II. Your rights, relevant regulation, and general information on data processing

1. Rights of data subjects

Your data protection rights are regulated in the GDPR, which gives you the right to:

find out what personal information we have on you, why we have it and what we do with it, where we keep it and where we send it;
receive extracts or copies of the personal data we have on you;
revoke your consent at any time with immediate effect for data processing based on your consent;
object to the future processing of data concerning your person, if there is no legitimate purpose for us to process that data;
ask us to correct, delete or limit the processing of your data.

If you have any questions about your rights and how to exercise them, please do not hesitate to contact us at: privacy@greencent.io.

You also have the right, to lodge a complaint with the competent supervisory authority:

Bavarian State Office for Data Protection Supervision

Promenade 18

91522 Ansbach

Telephone: +49 (0) 981 180093-0

Fax: +49 (0) 981 180093-800

Email: poststelle@lda.bayern.de

2. Cookies

We might install temporary and permanent cookies, i.e., small files stored on the user’s devices. Some of the cookies are used for security or are necessary for the proper functioning of our online offer (e.g., for the presentation of the website) or to support user decisions, (e.g., save changes with the user’s consent). Additionally, we or our technology partners use cookies for reach measurement.

If you do not want cookies to be stored on your computer, you will be asked to disable the corresponding option in your browser’s system settings. Saved cookies can be deleted in the system settings of the browser.

3. Deletion of data

The data we process about you will be deleted or its processing can be restricted. Unless expressly stated in this data protection declaration, all stored personal data will be deleted as soon as it is no longer necessary for its original purpose, and there is no legal obligation to keep the data (e.g., for commercial or tax reasons).

4. Relevant legal basis

When we process personal data about you, we make sure that we have an appropriate legal ground for it. Unless the legal basis is expressly indicated for a specific processing, we process your data based on one of the following grounds:

you gave us your consent (e.g., when you sign up for our newsletter);
the data is necessary to fulfill the contract (T&C) between you and us;
the data is necessary to fulfill our legal obligations (e.g., when we store tax related data in line with relevant laws and regulations);
the data is necessary to safeguard our legitimate interests (e.g., for the tools we use for the development of our services).

5. Security of data processing

To protect the data we process, we already consider the security of personal data when developing and selecting hardware, software, and processes, and we implement appropriate technical and organizational measures. The measures we take include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical access to data, as well as access, input, transfer, securing availability and their separation. We also implement procedures that ensure the exercise of your rights, the deletion of data and the reaction to threats of loss or theft of data. Our security measures include the encrypted transmission of data between your browser and our server.

Regarding data protection, our employees are trained in privacy, bound to secrecy, and are informed of the possible consequences of data leakage.

6. Data disclosure and transfer

We do not share your data with anyone unnecessarily. If, during our data processing, we need to disclose data to other persons or companies (processors or third parties), this is always based on a proper legal ground and backed up by additional necessary measures (e.g., Data Processing Agreements).

7. Transfers to third countries

A transfer of data to third countries only takes place if there is sufficient security for the data in accordance with the GDPR. Sufficient security could mean the existence of a so-called ‘adequacy decision’ (e.g., the EU-US Data Privacy Framework) regarding the other country where the data is transferred to, or the conclusion of Standard Contractual Clauses to ensure the security of the data transfer outside of the European Economic Area.

III. Specific processing activities

This part gives you an overview of the processing activities we carry out, which we have divided into several business areas. Please note that the business areas are for guidance only and processing activities may overlap (e.g., the same data may be processed in multiple processes).

1. Core area of data processing

1.1. Administration of home-to-office journeys as part of the Greencent Measurement Service

We process employee data on behalf of the employer for administrative purposes, including home-to-office trips as part of the administration of the Greencent Measurement Service. In the framework of this Service, we carry out our processing obligations on the instructions of the employer.

1.2. Greencent Loyalty Program

We process the data transmitted by users within the framework of the Greencent Loyalty Program. The user data is passed on to the respective Greencent Loyalty Program Partner within the scope of the user mediation. This service is free of charge for the user. The services of the Partners are invoiced directly to the user.

For the services of Greencent’s Loyalty Program, users are invited to use the greencents they have collected for their journeys to obtain rewards from our Loyalty Program Partners.

We process your personal data to fulfill the contract (T&C) between you and us.

The details of data processing for the Greencent Loyalty Program:

Processed data: civil status, communication data, contract data, usage/metadata;
Data subjects: interested parties, online users;
Purpose of the processing: provision of contractual services, customer service;
Legal basis of processing: GDPR Art. 6 (1) b) (contract performance);
Necessity/interest of the processing: the data is necessary to justify and perform the contractual services, to fulfill the legal obligations and to provide evidence;
Data transfer outside the European Economic Area: none;
Data deletion: data is stored and deleted in accordance with legal requirements and contractual agreements. Personal data will only be kept for the time necessary to achieve the contractual purposes. The need to store and delete data is implemented in continuous processes and is checked regularly.

2. Client area

We offer a specific user area that requires verified registration and allows users to manage their own data within the technical functions available.

The details of data processing for the Client area:

Processed data: civil status, communication data, contract data, content data, usage data, metadata;
Data subjects: interested parties, existing customers;
Purpose of the processing: provision of contractual services, customer service;
Legal basis of processing: GDPR Art. 6 (1) a) (consent), b) (contract performance);
Necessity/interest of the processing: the data is necessary to justify and perform the contractual services and to obtain rewards;
External disclosure and purpose: partners to offer rewards for greencents;
Data transfer outside the European Economic Area: none;
Data deletion: data is stored and deleted in accordance with legal requirements and contractual agreements. Personal data will only be kept for the time necessary to achieve the contractual purposes. The need to store and delete data is implemented in continuous processes and is checked regularly.

3. Responses to inquiries

Information contained in inquiries we receive via our contact form and by other means, e.g., by e-mail, are processed in order to respond to requests for information. For these purposes, requests may be stored in our customer relationship management system (CRM system) or similar processes that we use to manage requests.

The details of data processing for responses to inquiries:

Processed data: civil status, communication data, contract data, content data, usage data, metadata;
Data subjects: interested parties, online users, website visitors, business partners;
Purpose of the processing: to respond to requests for information;
Legal basis of processing: GDPR Art. 6 (1) a) (consent), b) (contract performance);
Necessity/interest for processing: necessary to respond to inquiries;
External disclosure and objective: n.a.;o
Data transfer outside the European Economic Area: none.

4. Business analysis

In order to operate our business economically, to be able to recognize market trends, interested parties and user requests, we analyze the data available to us on business transactions, inquiries, etc.

4.1. Google Analytics

We use Google Analytics for the purpose of measuring reach and creating target groups.

The details of data processing for Google Analytics:

Processed data: usage data, metadata, customer ID from us (Google only receives the customer ID as pseudonymous data without the associated civil data, such as name, address, or customer’s email address);
Type, scope, functionality of processing: persistent cookies, third-party cookies, tracking, interest-based marketing;
Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract;
Legal basis of processing: GDPR Art. 6 (1) f) legitimate interest;
Opt-out: https://tools.google.com/dlpage/gaoptout?hl=de (Google Analytics browser add-on), https://adssettings.google.com/, https://adssettings.google.com/authenticated (ad parameter);
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Privacy policy: https://www.google.com/policies/privacy/;
Processing in third countries: yes (USA), under the EU-US Data Privacy Framework;
Data deletion: within 14 months.

5. External online presence

In this area, you will obtain information about our data processing activities in the context of user visits to third-party sites and applications, for example on social networks.

5.1. Online presence on social networks

We have channels in several social networks in order to have several means of communication with users, interested parties and others, and to be able to inform them about our services through these channels. When visiting networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply. Unless otherwise stated in our data protection declaration, we process user data if the user communicates with us within social networks and platforms, e.g., writes messages/comments to our social media account.

The links/buttons used within our online offer to social networks and platforms (hereinafter referred to as “social media”) establish contact between social networks and users, only when users click on the links/buttons allowing access to these social networks or platforms. This procedure corresponds to the operation of a classic online link. We draw your attention to the fact that when interacting with social media services though the respective links/buttons, user data may be processed outside the European Union, where the level of protection to personal data may not correspond to that of the European Union.

Social networks we use:

Facebook, Controller details: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policy: https://www.facebook.com/about/privacy/;
LinkedIn, Controller details: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, Privacy policy https://www.linkedin.com/legal/privacy-policy.

5.2. Web server and security hosting

The hosting services we use serve to provide infrastructure and platform services, measurement and computing capacity, storage space and database services, security services and technical maintenance.

The details of data processing for the web server and security hosting:

Processed data: civil status, contact data, content data, contract data, usage data, meta/communication data;
Data subjects: interested parties, visitors to the online offer;
Purpose of processing: provision of infrastructure, measurement and computing capacity, storage space, database services, security services, technical maintenance;
Legal basis of processing: GDPR Art. 6 (1) f) (legitimate interest);
Necessity/interest of processing: security, commercial interests, provision of contractual services;
External disclosure and purpose: yes (web host).

5.3. Server temporary files

The server on which this online offer is located collects so-called temporary files in which user data is stored each time the online offer is accessed. The data is used both for statistical analysis, to maintain and optimize the operation of the server and for security purposes, for example to detect possible unauthorized access attempts.

The details of data processing for the web server and security hosting:

Processed data: usage data and metadata: name of the website visited, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, operating system of the user, referring URL (the previously visited page), IP address;
Data subjects: interested parties, users, visitors to the online offer;
Purpose of processing: optimization of server operation and security monitoring;
Legal basis of processing: GDPR Art. 6 (1) f) (legitimate interest);
Necessity/interest for processing: security, commercial interests;
Processing in third countries: n.a;
Data deletion: 30 (thirty) days.

6. Integrated content and features

In this section we inform you about content, software or functions (in short “content”) of other providers that we integrate (so-called “integration”) within our online offer. The integration takes place to make our online offer more interesting for our users, for example to be able to present videos or social media posts as part of our online offer. The integration can also be used to improve the speed or security of the online offer, for example if software elements or fonts are obtained from other sources. In any case, the processed data includes the use and metadata of the users as well as the IP address which is necessarily transmitted to the provider for the integration of the content. Data subjects are visitors to our online offer. The categories of data subjects include users of our online offer, customers and interested parties. Deletion of data is determined by the data protection terms of the provider of the embedded content.

6.1. Google services and content

We use the following services and content from the provider Google: Google Maps – maps, Google Fonts – fonts.

The details of data processing for Google services and content:

Processed data: usage data, metadata, movement data;
Data subjects: website / mobile application visitors;
Purpose of processing: user friendliness of website / mobile application;
Legal basis of processing: GDPR Art. 6 (1) f) (legitimate interest);
Special protection measures: pseudonymization, opt-out;
Deactivation: https://tools.google.com/dlpage/gaoptout?, https://adssettings.google.com/authenticated;
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Privacy policy: https://www.google.com/policies/privacy/;
Processing in third countries: yes (USA), under the EU-US Data Privacy Framework;
Data deletion: in accordance with Google regulations.

6.2. Facebook (Meta) features and content

Functions and content of the Facebook service can be integrated into our online offer. For content such as images, videos or text and buttons that allow users to like, subscribe to content creators or our posts.

The details of data processing for Facebook (Meta) services and content:

Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status);
Data subjects: website / mobile application visitors;
Purpose of processing: user friendliness of website / mobile application;
Legal basis of processing: GDPR Art. 6 (1) f) (legitimate interest);
Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies Opt-out: https://www.facebook.com/settings?tab=ads, https://www.youronlinechoices.com/uk/your-ad-choices/ (EU);
External disclosure: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
Privacy policy: https://www.facebook.com/policy.php;
Processing in third countries: yes (USA), under the EU-US Data Privacy Framework;o
Data deletion: data will be deleted in accordance with Facebook regulations.

6.3. LinkedIn features and content

Functions and content of the LinkedIn service can be integrated into our online offer. For content such as images, videos or text, and buttons that allow users to like content, subscribe to content creators or our posts.

The details of data processing for LinkedIn services and content:

Processed data: usage data, metadata; if users are registered with the service, the above data may be linked to their profiles and to the data stored on the service (including their civil status);
Type, scope, functionality of processing: social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking, re-marketing;
Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out;
External disclosure: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland;
Privacy policy: https://www.linkedin.com/legal/privacy-policy;
Processing in third countries: yes (USA);
Data deletion: data will be deleted in accordance with the provisions of LinkedIn.

7. Marketing

In this section you will find information about the data processing we carry out with the aim of optimizing our marketing and market research services.

7.1. Sending information via personalized newsletters

We only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “newsletter”), if we have your consent to do so.

The details of data processing for the newsletter:

Processed data: civil status (e-mail address), usage data (registration time, double opt-in confirmation time, IP address, opening of the e-mail, time and place, time and click on a link in the newsletter);
Data subjects: newsletter recipients;
Purpose of the processing: informing interested data subject about our company and business via a periodic message;
Legal basis of processing: GDPR Art. 6 (1) a (consent);
Necessity/interest of processing: only the e-mail address is necessary for sending; other information is voluntary and is used to personalize and optimize the content according to the interests of the user. The obligation to prove the consent is the reason for the archiving of the corresponding data;
Special protective measures: pseudonymization, IP masking, conclusion of an order processing contract, ‘unsubscribe’ link;
Data deletion: personal data related to newsletters will be deleted in maximum 30 days from the date of un-subscription from the newsletter service.

Please note that notifications sent within the framework of contractual or commercial relations are not part of advertising information. This includes, for example, the sending of service emails, technical or organizational information within the scope of our service provision, information on technical and legal changes, inquiries about orders, etc.

The details of data processing for communication by post, e-mail, fax or telephone

7.2. Impact of the use of personal data via the telephone / post

The details of data processing for communication by post, e-mail, fax or telephone

Processed data: civil status, contact data, contract data, content data;
Data subjects: interested parties, business partners;
Purpose of processing: communication;
Legal basis of processing: GDPR Art. 6 (1) a) (consent), b) (contract performance);
Type, scope, functionality of processing: contact is only established with the consent of the contact partner or within the scope of legal permissions;
Necessity/interest for processing: information and business interests;
Processing in third countries: n.a.

8. Partners for measuring distances, times, and means of transport

In this section, we inform you about the services of technological partners that we use to measure distances, times and means of transport and for online marketing purposes. Our interest lies in improving user-friendliness and optimizing our offer. In all cases, the data to be processed includes usage and metadata. Unless otherwise specified, the deletion of data is determined in accordance with the data protection declarations of the respective providers.

The details of data processing for measuring distances, times and means of transport:

Processed data: movement data;
Data subjects: users;
Purpose of processing: measuring distance and means of transport for allocating greencents;
Legal basis of processing: GDPR Art. 6 (1) a) (consent), b) (contract performance);
Type, scope, functionality of processing: contact is only established with the consent of the user or within the scope of legal permissions;
Processing in third countries: n.a;
Data deletion: personal data related to measuring distances, times and means of transport will be deleted according to privacy policies of the partners.

IV. Additional information

This data protection declaration applies to the provision of our range of services, in particular the modules “Greencent Measurement Service” and “Greencent Loyalty Program”. Insofar as we refer to third-party websites via links, our data protection declaration does not apply to these. Please inform yourself on the respective pages about the data protection regulations applicable there.

Due to the further development of our website and our offers as well as due to changed legal or official requirements, it may become necessary to amend this data protection declaration. You can view and print out the currently valid data protection declaration at any time on the app or on our website https://greencent.io.

We are always at your disposal for any questions, suggestions and/or additions, for example by sending an e-mail to info@greencent.io.

Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed privacy@greencent.io with subject line “enquiry”.

Last updated on: 04.01.2024