Data Protection Statement KRAVAG Truck Parking

(Last amended: 19.10.2022)

“KRAVAG Truck Parking” (hereinafter in short “KTP”) is a software program for a compatible device that you use. This Data Protection Statement explains what data and in which form is processed by KTP when you use KTP in the mobile smartphone application (hereinafter referred to as “App”) or via the web application, available at https://web.kravag-truck-parking.de. Some data processed during the use of KTP is personal data. Personal data means individual details of the personal or material circumstances of an identified or identifiable natural person. We take the protection of personal data very seriously and comply with all applicable data protection provisions.

I. Name and contact details of the controller

R+V Allgemeine Versicherung AG

Raiffeisenplatz 1
65189 Wiesbaden
Telephone: 0611 533-0

Email: datenschutz@kravag-truck-parking.de

II. Contact details of the data protection officer

R+V Versicherung
Datenschutzbeauftragter
65189 Wiesbaden

Telephone: 0611 533-5074

Email: datenschutz@ruv.de

III. Purposes for which data is processed

KTP offers users the technically supported possibility to make reservations for parking spaces (hereinafter referred to as “Service”). You can find and reserve parking spaces along your route. Users also receive further services and/or information about these services from the areas of logistics, commercial vehicles and personal services related to the profession of the long-distance truck driver. The Service can be used via a web application or a mobile smartphone app. As a parking operator or dispatcher, you can also use the web application to view and edit details of the parking space made available for rental (e.g. who made a reservation there and when), approve drivers for your forwarding agency, make or cancel reservations for your employees or manage incoming rental transactions.

IV. Legal basis for the data processing

The legal basis for the data processing is the contract concluded with you on the terms of use, Article 6 (1)(b) GDPR.

V. Technical requirements for use

The prerequisite for using KTP is that you use a suitable end device. This must be a smartphone with an iOS operating system  or Android operating system which permits the installation and use of the app and/or a device with a current Internet browser to access and use the web application. In your own interest we recommend that you always keep the software on your end device up to date, regularly install updates to the operating system and any protection programs that may be installed and protect your end device from unauthorised access.

VI. Download and installation of the mobile App

To use the App, you must install it on your end device. In order to download and install the App, you may first need to conclude an agreement with a third-party provider (e.g. Google Ireland Limited, iTunes SARL, hereinafter referred to as “Third-Party Provider”) regarding access to a portal or online store of the respective Third-Party Provider (e.g. Google Play Store, iTunes App Store, hereinafter referred to as “Third-Party Portal”). KRAVAG Truck Parking has no influence on the collection, processing and use of data in connection with the agreement on access to the portal or online shop of the respective Third-Party Provider. The operator of the respective app store is responsible for this. For further details please contact the respective app store provider directly.

VII. Permissions for the mobile App

To be able to use the App on your device to its full extent, the following services must be allowed on the end device:

• Use of Bluetooth
• Location determination via GPS and BLE iBeacons (see section XII for details)
• Push messages (see section VIII for details)

VIII. Data processing in the mobile App

As soon as you use the mobile App or attempt to do so, your end device establishes an online connection to the provider’s server, with data being exchanged between the App and the server. Which data this involves specifically is explained below.

You have to register with KTP to use all functions of the App, in particular to be able to make binding reservations. If you use the smartphone App, registration is carried out using a mobile phone number and password as well as an optional email address. When using the web application, registration is carried out via email address and password as well as optionally via mobile phone number.

The data you enter during registration is transmitted in encrypted form to the KTP server and stored there. The data required for registration, such as first name and surname and the user ID in the form of the mobile phone number, is stored on the end device, as is the language selected by the user.

Use of the App for its intended purpose involves the storage and processing of the following user data which the user communicates/enters himself and/or which is transmitted by the device used:

• First name and surname
• Mobile phone number and/or email address
• Password
• Language setting
• Unique identification of the device for receiving push messages
• Profile picture, if applicable
• Reservation data
  • Location of reservation (parking space)
  • Booking period (start and end of the reservation)
  • Registration number of the driver’s truck tractor unit
• Log entries about activities in the App
  • Registration
  • Booking of parking spaces
  • Cancellation of bookings made for parking spaces
  • Access to locking devices

IX. Use of the KRAVAG Truck Parking web application (Web Application)

You do not need to install any additional software on your end device in order to use the KTP Web Application. Access is gained by entering the Internet address (URL) https://web.kravag-truck- parking.de into a third-party Internet browser you use (e.g. Safari, Google Chrome, Microsoft Edge, Firefox, etc.). KRAVAG Truck Parking has no influence on the collection, processing and use of data in connection with the agreement on access to the browser of the respective Third-Party Provider. The operator of the respective browser is responsible for this. For further details please contact the relevant provider directly.

You must register with KTP to be able to use the functions of the Web Application. When using the Web Application, the registration is done via your email address and self-assigned password and optionally your mobile phone number.

X. Permissions KTP Web Application

• None

XI. Data processing KTP Web Application

For use of the Web Application as intended and within the scope of offering your parking spaces in the parking area as the parking operator, we process and store the following data:

• For all user groups:
  Browser, operating system and IP address of the end device used

In addition to the data specified for all user groups, specifically for parking operators:

• Name and address of the forwarding agency
• Geographical data of the forwarding agency (longitude, latitude)
• Public contact details of the forwarding agency (email address and telephone number)

In addition to the above-mentioned data, for parking operators and dispatchers:

• First name and surname of the user
• Email address and optional mobile number of the use
• Password
• Language setting
• Reservation data during the processing of bookings
  o Location of reservation (parking space)
  o Booking period (start and end of the reservation)
  o Registration number of the driver’s truck/ tractor unit
• Log entries about activities in the App
  o Registration
  o Booking of parking spaces
  o Cancellation of bookings made for parking spaces

XII. Location determination of the App

KTP uses the location data partly to give you the option of displaying your location on the map as well as nearby “points of interest (POIs)” such as KTP car parks. In addition, KTP uses the location of fixed Bluetooth low energy iBeacons on locking devices. This ensures that only authorised drivers who are physically close to the locking device can open or close it via the App. KTP uses the location service of the respective operating system to determine your location. To do this, GPS data is identified in your smartphone and transmitted to the location service provider (Google Maps), which uses this information to determine the location of your smartphone in order to display it on the map or use it to grant permission to open nearby locking devices. KTP does not log motion profiles. If you do not want KTP to determine your location, you can deny KTP the right to do so when it asks you to grant this or you can withdraw it later in the App settings. In this case, KTP will not collect any location data. The function “Go to my location” on the map will then no longer be usable. In addition, once the right to determine the location or the right to use Bluetooth is withdrawn or the Bluetooth function is switched off, it is no longer possible to open doors and gates by clicking the button in the App. Instead, opening will now only be possible by scanning the QR code displayed in the App at the external QR code reader.

The legal basis for the location determination is your declared consent in accordance with Article 6 (1)(a) GDPR.

XIII. Duration of data storage

We store your data until you delete your user account. Exceptions to this and details can be found under section XIX. Rights of data subjects, see section “Delete user account”.

1. User account

Your personal data that we process within the scope of your user account (first name, surname, mobile phone number, email, password, language setting, unique identification of the device for receiving push messages, and profile picture) will be stored until the user account is deleted.

2. Reservations

Your reservation data will be stored until the purpose of the data storage no longer applies.

XIV. Contact form

If you contact us by email or the contact form, the information you provide will be stored for the purposes of processing the request and for possible follow-on questions.

The legal basis for the processing of personal data described here is Article 6 (1)(f) GDPR. Our legitimate interest in this case lies in offering you the possibility to contact us easily and quickly in order to answer your questions and concerns.

XV. Transfer of data to third parties

KRAVAG Truck Parking does not disclose personal information to third parties unless the user has consented to the disclosure of such information for the purpose of making parking reservations. In

this case, the transfer is made to the IT service provider responsible for the reservation system and to the relevant parking operator for whom the specific reservation is to be made. KRAVAG Truck Parking concludes an order processing contract pursuant to Article 28 GDPR with the IT service providers hosting the reservation system.

XVI. Transfer of data to third countries

Google Maps

Map material from Google Maps is integrated in KTP. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; in short “Google”. In order to effectively integrate the service, appropriate program libraries or map contents are accessed from Google servers. This requires Google, as the provider of the service, to receive your IP address and possibly other address information provided by you. Without the IP address, Google would not be able to send the content back to your browser or smartphone App. The IP address is therefore required for displaying Google Maps content. In this context, we would like to point out that this use can involve calling up external Google servers in the USA.

The purpose of using Google Maps is to present KTP in an attractive and convenient way and to make it easier for you to locate the places indicated in KTP. This represents a legitimate interest in the sense of Article 6 (1)(f) GDPR.

You are not obliged to provide personal data, but you will not be able to use the relevant parts of KTP without providing this.

The terms of use for Google Maps can be found at Terms of Use for Google Maps.

You can find further details in the privacy policy of Google.

Firebase

KTP uses Firebase in the App, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; in short “Google”. Firebase offers the option of so-called dynamic links. We also use Google Analytics for Firebase to analyse the user behavior, to get a better understanding of how our applications are used, to improve our services and to analyse the success of marketing campaigns. To inform our users bv push notifications, we also use Firebase Cloud Messaging (see also section “push notifications”).

With Dynamic Links it possible to link users to the download page of the respective app store to download the KTP App or to the KTP homepage via a single universal link, depending on your end device.

Firebase Analytics for Firebase also enables us to record which functions of the App you use and which screens you open in the App. Additionally we can analyse how often the App is opened and when the App is installed or uninstalled.

For the data we collect with Firebase SDK your IP address will be anonymized automatically. Google will use the collected data to evaluate the use of our App and to provide us with further services related to the use of the App. Therefore, Firebase collect the following data: age, gender, interests, language as well as information regarding your app store, app version device, operating system and your usage behavior. To identify your device, firebase uses different identifiers (i.a. Android Advertising ID or Advertising Identifier for iOs (IDFA).

By using the Firebase SDK, we can not guarantee that the collected data will be transmitted and saved on Google servers of the holding company in the USA.

We agreed on the Google privacy clauses for the data transmission on servers in the USA which are approved by the European Comission. The data transmission on Google servers in the USA is therefore based on article 46 (2) (c) GDPR.

You can restrict the collection of data regarding your app usage by Google analytics for Firebase as well as you can restrict the transmission of these data in the privacy settings of your mobile phone.

Firebase uses the Android Advertising ID or the Advertising Identifier for iOS to allow personalized advertising and to measure their success.  You can restrict the usage of Android Advertising ID or Advertising Identifier for iOS in the settings of your device:

–  Android: Settings/Google/Advertising

–   iOS: Settings/Privacy/Tracking

Data will be saved for 14 months.

As defined in Article 6 (1) (a) GDPR, the processing of your data is based on the prior consent you declare before using the App. Firebase will be deactivated when the App is installed and will only be activated after your declaration of consent. You can revoke consent to collect data by Google Analytics for Firebase at “Cookies & Tracking” using the menu item “Info”.

The Firebase data protection statement can be found at https://www.firebase.com/terms/privacy- policy.html

Push messages

Push messages are messages that appear on the home screen of your phone and which link to the App. This makes it possible, for example, to display a welcome message when driving through a KTP area and to jump directly to the App by clicking or swiping the message. Push messages are also used to inform you with news about our Service, such as the availability of a new App version, or other interesting offers regarding our services or those of third parties. To be able to send you push messages, we use Firebase Cloud messaging which use the services provided for this purpose on the operating system installed on your smartphone. When KTP starts up for the first time, a registration is automatically performed with the push service that supports the operating software and application installed on your end device. When you register for the push service, your device and App data will be transferred to the push service (which may be located in a third country outside the EU/EEA). Your device will be assigned a push reference by the respective operating system manufacturer. This is the destination for push messages and is used in order to display push messages on your phone.

The first time you start KTP, you will be asked if you want to receive and display push messages. You will only receive the push messages if you have explicitly agreed to them.

You can stop the transmission of push messages at any time by applying the appropriate device setting.

The legal basis for sending push messages is your consent declared in accordance with Article 6 (1)(a) GDPR.

XVII. Data security

KTP uses up-to-date procedures and standards for data security. Only strong passwords (minimum 8 characters with at least 1 special character) are permitted and these are generally stored in the database in encrypted form only. In order to guarantee the confidentiality of your data also during the communication between the App you use and the server, we use what is known as TLS encryption according to the current state of the art. According to the current state of knowledge, the 256 bits encryption that is possible with this method is considered secure. This security level is also achieved by all current browsers. If necessary, you should update the browser on the end devices you use. In order to ensure the best possible protection at all times, you should always keep the operating system and mobile App used on the respective end device up to date.

XVIII. Rights of data subjects Your rights

You can assert your statutory rights to access, rectification, erasure, restriction of processing and data portability to our data protection officer. If the data processing is based on a general balancing of interests you have a right to object to this data processing if there are grounds relating to your particular situation which oppose this data processing.

You have a right of appeal to a competent data protection supervisory authority (Article 77 GDPR).

Information

Should the present data protection information have to be changed, you will be informed of the corresponding changes in the context of updates.

Delete user account

If you no longer wish to use KTP, please select the link to delete your user account in the user profile. Please then confirm the warning message to complete the deletion process. Deletion of the user account will not change any contractual relationship relating to any contracts existing from a separate legal relationship with one of the clients of the provider mentioned in section I. Personal data is deleted if the collection or processing was inadmissible from the start, the processing or use proves to be inadmissible due to circumstances that occurred subsequently, or the knowledge of the data is no longer necessary for the provider to fulfil the purpose of the processing or use.

Excluded from deletion is data which the controller requires to carry out outstanding tasks or to enforce its own rights and claims, as well as data which the controller is obliged to keep in accordance with legal, contractual, statutory or official requirements. Personal data is also excluded from deletion if there is reason to believe that your protectable interests would be impaired by a deletion thereof or that the deletion is not possible or only possible with disproportionate effort due to the special type of storage. A blockage is then applied instead of a deletion. Also excluded from deletion is anonymised data which the controller and/or its contractual partner uses for statistical purposes.