Privacy Notice for pay33 App and Website ("Platform")

Last updated October 2023

  1. General

    This Privacy Notice describes how pay33 direct GmbH ("pay33") collects, stores, shares and uses personal data about you, and how you can exercise your privacy rights. We operate the pay33 App ("the App") and the pay33 website www.pay33direct.de ("Web", both the App and Web referred to as "the Platform") in accordance with the provisions of the European General Data Protection Regulation 2016/679 ("GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG") and other provisions with relevance in the area of data protection law.
  2. How to contact us

    The controller of your personal data is pay33 direct GmbH at Südliche Münchner Straße 55, 82031 Grünwald near Munich. If you have any questions about how we collect, store and use your personal information or would like a copy of the information we hold about you, then please contact us. You can either write to us at the above address or e-mail us at: info@pay33direct.de
  3. What is the pay33 App and Platform about and when is pay33 a controller?

    pay33 offers a mobility and payment platform to its users. The Platform combines banking and payment services with other services such as benefits, cashback, maps and navigation (e.g., fuelling and charging stations), charging with respect to e-mobility ("the Services").

    The Services are described in more detail on the Platform. To participate in the Services, prior registration is required. For further contractual details please see the [General Terms and Conditions].

    From a data protection perspective, pay33 is a controller when pay33 determines the purposes and means of the data processing. This means that pay33 is considered a controller with respect to access to the Platform (technical infrastructure including software and electronic telecommunication services) and for its own Services offered on the Platform. In comparison, where third parties determine the purposes and means of the data processing, such as banking and payment partners, cashback partners, charging and fuelling partners (in particular, THG bonus providers as part of the benefits) offering their own services, generally the third party is considered an independent and sole controller for those respective services. In this case, the respective privacy information provided by the third party applies. For specific services or parts thereof, pay33 also processes personal data on behalf of a controller (in particular, if pay33 only caches/records personal data on behalf of a payment/banking partner).
  4. Collection and processing of personal data

    1. Information you provide by setting up your account and using the pay33 App:
    2. Users (depending upon the respective service used):

      Master data to set up your account, in particular:
      • Full name;
      • Date of birth;
      • gender
      • invoice address
      • E-mail address and mobile phone number
      • user verification to set up the bank account
      • device token to provide the Services
      • e-mail ID
      • Country of location
      • Customer ID
      • Bank Owner Name, IBAN, BIC
      • Location data
      • Information about how you use and manage your pay33 account (e.g. information with respect to push notifications);
      • During use, data about access to the offered content, so-called server log files, are created. The access data includes the name of the retrieved web resource, date and time of retrieval, notification of successful retrieval, the operating system of the user, IP address and thereby the requesting provider. Proper use of the App requires access to certain features of your mobile device and access to your personal data, including for security reasons.
      • Furthermore, we collect device-specific data such as device type and manufacturer, Android or iOS version, pay33 App version and screen resolution to offer an in-app feedback form which pay33 users can use to send direct feedback to the app development team.
      • To be able to use our Services comprehensively, certain system permissions are required, in particular, but without limitation, the system permission “location” (in particular to use our Mobility Services (charging and fuelling services)). At the beginning of the use of the App and/or only when using the respective function, you will be requested to grant the corresponding authorisations.
      • Data related to car registration certificate for THG application and combustion bonus
      • Data required to open a bank account: first name, last name, email, mobile number, date of birth, residency address, delivery address for physical cards, salary range, occupation, tax ID. Salary range, occupation and tax ID are not stored within the pay33 database but forwarded to our banking partner Swan
      • Data related to the pay33 wallet/ account
      • Invoice data: subscription fee, debit card, charging process invoices
      • Transaction data
      • Available account balance
      • Source bank data if added by client for top up purposes
      • Charging history data
      • Cashback transaction data and history
    3. Purposes of processing
    4. We use your personal data for the following purposes:
      • To provide you with the pay33 services in the App and on the Platform
      • To enhance our products and services used in the App and on the Platform
      • To detect and prevent illegal activities on the Platform
      • For marketing purposes
    5. Who do we share your personal data with?
    6. pay33 shares your personal data with the following third parties:
      • Payment and Banking partners (in particular, Swan SAS, 95 Avenue du Président Wilson, 93100 Montreuil, FRANCE and finAPI GmbH, Adams-Lehmann-Straße 44, 80797 München)

        If the user uses these services for banking or payment processing, some information will be prepared at pay33 and the user will be forwarded via the pay33 user interface to the payment process of the payment/banking provider for payment of the service. pay33 points out that further personal data are collected, processed and used here in accordance with the privacy notice of the controller linked above.
      • Cashback partners (in particular, Mehrwerk GmbH): information can be found in the privacy notice of the respective service provider. To use all cashback deals, pay33 uses a partner, Mehrwerk GmbH. pay33 forwards the user from its app to the various cashback deals of the individual shops. Mehrwerk sets a cookie to later forward information about the deal with the individual shop, the amount and quantity of the cashback to pay33, so that the user can see this in the app. In the event of a complaint, the user can contact Mehrwerk directly via email using the pay33 app to report the complaint. In doing so, the user also submits his or her contact details.
      • Benefit partners: Mint future GmbH. Further information can be found in the privacy notice of the respective service provider.
      • Processors that we use with respect to our services (in particular technical vendors, communication and telecommunications service providers), service providers for marketing purposes, e-mail service providers (e-mail automation and communication, ticket support/customer support systems, office suite).
      • Service Providers whose services are integrated in our Services, such as map services to display directions (in particular, to fuelling stations or charging stations). In particular, our own map system redirects to the map service provider installed on your device, particularly to mention: Google Maps (offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, please see Google's privacy notice that can be found here for more information) and Apple Maps (offered by Apple Inc., One Apple Park Way, Cupertino, California, USA, Apple's privacy notice can be found here).
      • App Stores operated by third parties (in particular, Google Play Store (offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Google's privacy notice can be found here), Apple's App Store (offered by Apple Inc., One Apple Park Way, Cupertino, California, USA, Apple's privacy notice can be found here)). The download of the App usually requires prior registration at the respective App store. We have no influence on the personal data processed in this context. The responsible body is in this context solely the operator of the respective App store. Further information can be found in the Privacy Policy on your respective App store.
      • Government authorities, courts or third parties when disclosure is required by applicable law, is necessary to prepare, implement or enforce legal claims, or to protect vital interests of the data subject or another natural person.
    7. Cookies and related tools
    8. Cookies:

      Cookies are small text files which are stored on your computer by your web browser. There are two types of cookies known as session cookies and persistent cookies. A session cookie is a temporary file which is stored in your computer for the duration of your visit to a website. The cookie is deleted when you leave the site. A persistent cookie is saved to your computer and will remain there for the duration set within the cookie. We generally only use session cookies to store user's session data. This will help us to enhance our system security.

      We also use Software Development Kit (SDK) tools for app development.
      • iOS and Android SDK
      • (Google) Maps SDK and (Apple) MapKit

      Google services:

      These services are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"); parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in order to optimize this website and our services. Google Analytics on the website uses cookies to enable an analysis of the use of the website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. The same applies in the app by using an SDK instead of a cookie.

      We use the function "anonymizeIP", a masking of the IP address on this website and in the app, so that your IP address is shortened beforehand by Google within member states of the European Union or in other states in the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

      You have the option to opt out of Google Analytics services by using the following link: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de

      For more information about Google's use of data, settings and opt-out options, please see Google's privacy policy (https://policies.google.com/privacy).

      All data is stored within Amazon Web Services (AWS): Location: EU Central 1, Frankfurt. User notifications are handled by Customer.io, where Firebase Cloud Messaging is used solely as a proxy. No data is stored within Google servers.

      Details for AWS services and security measures:
      • Postgres database, hosted on AWS as a managed service
      • Data at rest, which includes the stored data on disk, is encrypted using AWS-managed encryption keys (SSE - Server-Side Encryption)
      • For data transmissions between AWS services several security measures are in place:
        • Encryption (TLS/SSL)
        • Private Network Communication
        • Identity and Access Management
        • Virtual private cloud
        • Network Security Groups and Security groups
      • Similar for data transmissions between AWS and mobile applications, additionally:
        • API Security
        • Encryption
        • Mobile application-level security
        • Token-based access
    9. Marketing communications
    10. We use the provided e-mail address to send e-mail marketing messages. Users may opt out from e-mail messages within pay33 App settings or by using the opt-out link in the e-mail footer area.

      We send in-App or push notifications. Users may opt out from in-App notifications within pay33 App settings. Push notifications have to be enabled by the user via the operating system settings.
  5. Legal basis for processing personal data

    Our legal basis for collecting and using the personal data described above will depend upon the personal data concerned and the specific context in which we collect it. We will collect personal data from you where we need it to perform a contract with you. That is, to provide you with the pay33 Platform and account and to deal with any issues occurring related to these services. We also process your personal data based on our legitimate interests, in particular to provide you with our Services and to continuously enhance the quality of our Services (e.g., providing updates) and to promote and sell our services (marketing). Furthermore, we process your personal data if required to comply with statutory obligations or court or governmental orders or if we have your consent for the processing which relates to marketing communication and the use of analysis tools.
  6. International data transfers (including to outsourced service providers)

    In some cases, pay33 will transfer your personal information to business partners and service providers that are located in territories outside of the European Economic Area ("EEA"). If we process your personal data outside the EEA, we have in place appropriate measures such as Standard Contractual Clauses published by the European Commission (available here) and supplementary measures, where required, providing for an adequate level of protection. Please contact us (see No. 2 above) if you would like to receive further information.
  7. Data retention

    We store your data only as long as they are required to fulfill the stated purposes. For example, we keep the personal data as long as you keep an active account on the platform. After termination of the contract, we store only the data that is required to fulfill statutory retention obligations.
  8. Your data protection rights

    If you wish to access, correct, update or request deletion of your personal data, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading above.

    You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading above.

    Similarly, if we have collected and process your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

    You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact us at the above e-mail address. You can find an overview of the German and European data protection authorities here.