It is possible to use our app without providing personal information. However, using the app to access certain DB services or book a journey can require personal data for our processes. If we need to process personal information and the relevant procedures are not based on existing legal provisions (i.e. a contractual agreement), we will request your consent.
The request for consent will contain information about what data we collect, how we use it and how you can object to your data's usage.
When you use the app, DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data and are jointly responsible for doing so. The companies have agreed which of them is responsible for privacy-related obligations.
DB Vertrieb GmbH
DB Fernverkehr AG
DB Regio AG
Dr Marein Müller is the designated privacy officer for all three companies.
The companies listed above are jointly responsible for various data processing operations in connection with a ticket purchase or other services that we provide. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.
DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are responsible for the following:
- Using websites and apps to sell products and services and provide information for marketing communications
- Processes in the train (e.g. ticket sales and control, subsequent fare collection)
- Processing and paying of ex-gratia settlements and compensation (e.g. due to disruptions and unforeseen events)
- Implementation of the rights of those affected, complaint management, service issues and customer dialogue
We process your data exclusively for specific purposes. These purposes may result from technical requirements, contractual obligations or express wishes of the user.
We have implemented protective measures for the security and availability of our IT systems. These include a web application firewall, rate limiting and DoS protection based on technologies from the service providers Akamai Technologies Inc. and F5 Inc. All requests to our systems are checked to see whether they meet defined technical rules. Deviating requests can be blocked or temporarily stored for further analysis, including the IP address.
When you use the app, we must collect and store certain information for technical reasons. Such information includes the date and duration of your visit, any entries you make, the version and recognition data of the app and the operating system.
In order to comply with a contract, we require certain personal data from you. This data is required for ticket bookings, processing payments, for delivery by post to the specified address, where applicable, and for dealing with any cancellations and refunds.
In this case, the contract pursuant to Article 6(1)(b) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering into the contract, e.g. in cases of inquiries regarding our products or services.
Insofar as we obtain your consent for the processing of personal data (i.e. if you subscribe to our newsletter), this consent shall serve as the legal basis according to Article 6(1)(a) GDPR.
If we are subject to a legal obligation that requires us to process personal data, e.g. to fulfil tax obligations, this processing shall be based on Art. 6 (1) (c) GDPR.
We would like to use your previous and current usage patterns regarding the app to provide you with customised contents that will make our range of products more interesting to you as a user. For this we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Article 6 (1) (f) GDPR.
We also do this in order to maintain relations with you as a customer, and to provide you with information and offers that we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Art. 6 (1) (f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.
You can object at any time to the future use of your data for such advertising purposes. Send your objection by e-mail to firstname.lastname@example.org (Advertising Objection).
The following section contains a more detailed description of the data processing that can take place when booking a ticket on our app. Further information, for example on data processing at ticket machines or if you visit our pages on social networks, can be found at https://www.db-vertrieb.com/datenschutz.
List of specific examples:
Creating a customer account
You need a bahn.business customer account in the Business DB Navigator. To create an account, please contact your company's travel manager.
Booking a digital ticket
When booking a digital ticket, our system saves address details as well as surname, given name and e-mail. When you book an international ticket via international-bahn.de or certain regional offerings, it also saves your date of birth. During ticket inspection on trains, the information on the ticket (given name and surname) is displayed on the scanner (mobile terminal).
To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) is forwarded to payment service providers.
- Payment by credit card
- Payment via PayPal
- Payment via giropay
- Registration for payment by SEPA direct debit
When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit.
- Online activation of the SEPA Direct Debit Scheme
For secure payment with the SEPA Direct Debit Scheme, we provide you with methods for online verification of account access via OpenBanking through Tink Germany GmbH (Gottfried-Keller-Straße 33, 81245 Munich) or Verimi GmbH (Oranienstraße 91, 10969 Berlin) or for online identity verification through Verimi GmbH. Depending on which verification method you choose, your personal data (the bank details, name and email address you provided) will be transmitted to the service provider under your instructions. In the automatically opening dialogue of the service provider you will be guided through the selected function and informed about every single step of the data processing. As soon as you have successfully completed the check, you can pay by direct debit. Both service providers act independently as responsible parties. Verimi GmbH will offer you the use of your Verimi customer account, if available, or the creation of a new customer account that will later also assist you with other identity verification procedures. Tink Germany GmbH and Verimi GmbH are authorised account information services that also work for banks and only process your data for the few minutes of the account access check.
You can also find more information in the privacy statement in the dialogue window of the respective provider.
We collect contact details and identification information (e.g. date of birth) when users buy a BahnCard. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz
Offers relating to similar products or services
We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products or services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to email@example.com (Advertising Objection).
Adding a subscription
When you add your subscription to our system, we save your last name, date of birth and subscription number. If your subscription requires a photo but your subscription contract data does not include one, our system will ask you to provide a photo when you add the subscription. You will have the option of either selecting a photo from the gallery or taking a new one. This requires specific kinds of access authorisation (see the section on access authorisation for details).
When you send us an enquiry or comment regarding your booking using the contact form in "Feedback & Support", your details from the form, including the contact details you provide there, will be processed by us for the purpose of handling the enquiry and any follow-up queries that may arise. The legal basis for this is Article 6(1)(b) GDPR.
If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.
When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de newsletter based on clicks and the display of content via customised links.
In this case, we may use your e-mail address for promotional purposes. The legal basis for this is Article 6(1)(a) GDPR. You can unsubscribe from the newsletter at any time at firstname.lastname@example.org or by clicking the relevant link at the bottom of the newsletter. If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.
Participating in competitions
When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.
Virtual chat assistants
The app uses the virtual assistant (also known as a chatbot) DB Smile. The chatbot serves as an information and customer contact channel for matters relating to DB passenger transport. Communication with the chatbot is easy. You can obtain information and receive answers to your questions quickly. DB Smile responds to a large number of requests automatically with the help of artificial intelligence and keyword recognition, offers suggestions and assistance for communication with the chatbot or refers you to other customer service channels (hotline or contact form). At this stage it is unable to answer complex or individual customer enquiries. If a request cannot be answered automatically by our bot, you have the option of chatting live with a staff member.
In principle, no personal details are required to use the chatbot (e.g. because there is no need to log in). Contract-specific enquiries are not processed or resolved automatically. In the live chat with a staff member, it may be necessary to enter personal data such as a booking number, depending on your enquiry. It is also possible for personal data to be requested by a staff member in the live chat for authentication purposes.
Your enquiries are stored in the chatbot for a maximum of 30 days, in order to train the chatbot and optimise response recognition and accuracy. The chatbot can thus be continuously developed in terms of content and functionality. The chatbot does not evaluate personal data. Usage data such as chat duration, timestamp of messages, number of messages or operating system used are only stored for statistical purposes. We process user information only in order to handle their queries and for internal purposes, e.g. managing and improving processes related to our business and services (Art. 6 (1) (b) GDPR).
For technical reasons, specific kinds of authorisation to access data or operating system functions are necessary so the app can work.
Access authorisation for technical reasons: Android (up to and including version 5)
- Accessing memory: Changing or deleting USB storage contents to cache card details that are required for displaying card information in the DB Navigator app.
- Accessing user accounts: Reading Google service configuration data to search for accounts on the device and activate push notifications (e.g. journey notification).
- Access networks: Accessing internet data, calling up network connections, complete network access, calling up wifi connections to enable the app to access information.
- Accessing device memory: Deactivating sleep mode, managing vibration signals to alert customer to arrival of push notifications (e.g. journey notification).
- Camera/gallery: For adding the photo in connection with a transport association season ticket.
The legal basis for processing data is Article 6(1)(b) GDPR.
Access authorisation for technical reasons: Android (version 6 and higher)
- Contacts: Searching for accounts on the device (to activate push notification, journey notification and delay notification).
- Other: Accessing all networks, deactivating sleep mode, reading Google service configuration data, performing actions at start, accessing internet data, managing vibration signals, calling up network connections, calling up wifi connections.
- Camera/gallery: for adding the photo for a transport association season ticket. Storage/memory access: when adding and saving photos for a transport association season ticket.
The legal basis for processing data is Article 6(1)(b) GDPR.
Access authorisation for technical reasons: iOS
- Mobile data: Accessing internet data outside of a wifi area so customers can use the app to call up information when travelling.
- Camera/gallery: for adding the photo for a transport association season ticket.
The legal basis for processing data is Article 6(1)(b) GDPR.
Identifying your location
The app offers services and information regarding your current surroundings, in order to use your current position for a journey's start/end or identify stops in your vicinity. Your current location must be sent from the operating system to the app so you can use these functions.
The app identifies your location only if you have authorised this in your device's settings. If you are using an Android phone, authorisation takes place when you confirm that you want to download the app, or you can use your device's settings to provide authorisation. If you are using iOS, you provide authorisation either via a dialogue window when you first use the app or via your device's settings.
The legal basis for processing your location is your approval pursuant to Article 6(1)(a) GDPR.
Our system uses this data only to manage the information that you request. By deactivating the relevant settings, you can prevent your device from accessing your location and so revoke your consent whenever you wish.
We believe it is beneficial to provide you with information about important events and updates (e.g. journey notification) as part of our customer service, even if you are not using the app. We use push notifications to do this. The app sends you alerts only if you have provided your explicit consent. When you first open the app, we ask if you want us to send alerts to your mobile end device. For Android versions, approval takes place after confirmation and on downloading the app. For iOS, a dialogue window appears the first time you access the app. The legal basis for these data processing activities is Article 6(1)(b) GDPR. You can disable push notifications in the app settings or in the device settings and so withdraw your consent at any time.
Our app provides you with the option of adding your connection's details to your device's calendar. The app needs access authorisation for this, and our system requests this authorisation when you start using it. Access is necessary so you can use the app to select the right calendar for storing your connection's details. The app does not store any other personal or usage-related data. The legal basis for data processing is your consent, point (a) of Article 6(1) of the GDPR. You can revoke your consent whenever you wish via your device's settings.
The app features the option of displaying a street map. This can be used for getting directions or information about your surroundings. The app on the Android operating system uses the Google Maps service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), which receives your IP address to display the map. The legal basis for this is Article 6(1)(b) GDPR. If you are using an iPhone, the app uses the map service from Apple Inc. (1 Infinite Loop, Cupertino, CA 95014, USA). Apple receives your IP address only after you have authorised the use of the map service. The legal basis for this is Article 6(1)(b) GDPR. You can use your device's settings to select the privacy settings you want.
Komfort Check-In gives you an option for automatically validating your mobile phone ticket on certain DB long-distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:
- Ticket ID / order number
- Passenger's given and last names
- Number of BahnCard
- Name of BahnCard holder
Contract processing generally requires the involvement of order processors who are subject to our instructions, such as computer centre operators, printing or mail-order service providers or other agents involved in contractual performance. We also involve external service providers in market research activities.
External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions and this is verified by technical and organisational actions and supplementary checks.
In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation. Transmission to third countries outside the EU/EEA or to an international organisation will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission.
For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services:
- Taking out travel insurance
- Purchase of hotel services
- Use of car hire offerings
- When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
- In the case of payment irregularities / payment default, details of the account receivable may be sent to a debt collection agency.
We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.
Cookies and similar technology that are necessary for the use of certain app functions:
We use the measures listed below to make our app more user friendly and improve its usability.
In order to be able to assess the effectiveness of our measures for improving functions and your user experience, we continuously collect necessary KPIs regarding the usage of the app and bahn.de/bahn.com. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements. Where required, we have concluded EU standard contractual clauses. With the chosen technical integration and the contractual measures, we ensure that only we have access to the data.
In order to manage our app and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The relevant cookies have a lifetime of 24 months. The information processed by means of the cookie is not personal or traceable to an individual. We use this information to measure and evaluate the use of the app and to create statistics. We can see what sections and texts are read and used, how often they are read and used, and whether our app's design influences the extent of its use. We can use the statistics obtained to improve our offer for you. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (b) GDPR.
If you are the holder of a bahn.de/bahn.com customer account, personal offers and promotions may be displayed to you after you have logged in or activated the "stay logged in" function. To structure these contents, our system adds a cookie to your end device that lasts for 12 months when the app is used. The data collected via the cookie is pseudonymised and processed on servers of our service provider CrossEngage GmbH (Bertha-Benz-Str. 5, 10557 Berlin, Germany). The legal basis for the use of the technology is Art. 25 (2) (2) of the German Telecommunication and Telemedia Data and Privacy Protection Act (Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien, “TTDSG”) in conjunction with Art. 6 (1) (b) GDPR.
We use technology from Easy Marketing GmbH (Asselner Hellweg 124, 44319 Dortmund, Germany) to ensure the remuneration of partner companies after users search for a train service on a partner site and subsequently book on bahn.de with the help of a DB affiliate link or advertising medium. This entails the evaluation of cookies to which you have consented on the partner websites in question. The legal basis for the use of the technology is Art. 25 (2) (2) of the TTDSG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest here is the remuneration of the affiliate agreement for the resulting ticket purchase.
hCaptcha from Intuition Machines Inc.
In order to protect the privacy of our customers and the availability of our services from automated and abusive access attempts even more reliably, we use the hCaptcha technology from Intuition Machines Inc. (350 Alabama St, San Francisco, CA 94110, USA). This uses bot detection and risk assessments trained through machine learning to determine whether app users are humans. If necessary, the system displays an interactive task on pages containing forms so that the user can validate their entries. If you registered for the barrier-free service from this company, the system reads the relevant cookie. The legal basis for the use of the technology is Art. 25 (2) (2) of the TTDSG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to protect the data of the data subjects and the infrastructure from automated and abusive access attempts.
In order to be able to show you our app with slightly different content, we carry out so-called A/B testing using the service Optimizely. For this purpose, cookies are stored on your end device with a lifetime of 24 months. The analysis service provider is Optimizely (119 5th Ave 7th floor, New York, NY 10003, USA). Only anonymised data is processed on Optimizely's servers. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (b) GDPR.
We may invite you to take part in surveys in order to continuously improve our offering and services. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). The information is collected anonymously. The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. The relevant cookies have a lifetime of 12 months. Participation in the surveys is voluntary. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG. If personal data is entered in free text fields, the legal basis is Art. 6 (1) (b) GDPR.
JSC-Tools from Risk.Ident
We use JSC tools technology from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg, Germany) to prevent fraud. This serves to protect you and us by preventing the misuse of your financial details when making payments within the app. This can entail the processing of a cookie with a lifetime of 24 months. The legal basis for this is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (f) GDPR. The legitimate interest is to enable simple and low-threshold access to booking and payment services while ensuring a high level of payment security.
In order to facilitate the dynamic modification of this app and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 9605 Scranton Rd., Ste. 600 San Diego, CA 92121, USA). This also includes processing your selected cookie settings. The relevant cookies have a lifetime of 12 months. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG. The legal basis for the recording of your consent is Art. 6 (1) (b) GDPR.
m-pathy from Verint Systems GmbH
This app uses m-pathy, a product of Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany), to collect and store app users' session and interaction data. This information is used for improving the content and usability of the app. Cookies are stored for this purpose and have a lifetime of 24 months. The legal basis for the use of the technology is Art. 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (b) GDPR.
Firebase Crashlytics (only in DB Navigator for Android)
Our app uses the Firebase Crashlytics service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). In the event of an app crash, this tool permits the anonymous transmission of information to us so we can quickly trace and remedy the fault. The data we receive is of a purely technical nature and contains no personal information. The legal basis for this is Article 6 (1) (f) GDPR. The legitimate interest is to quickly identify the causes of crashes.
Non-essential cookies and technology
The following cookies are not essential for using the app and will be processed only if you give your consent beforehand. The legal basis for this is Art. 25 (1) TTDSG in conjunction with Art. 6 (1) (a) GDPR. You can withdraw your consent at any time in the cookie settings.
We use the analysis service from Exactag GmbH (Wanheimer Strasse 68, 40468 Düsseldorf, Germany) in our app. It processes data regarding your usage of DB Navigator. The relevant cookie remains in place for 6 months.
We use the services of AdForm A/S (Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) for generating interest-based advertisements. These cookies create pseudonymised usage profiles containing information about different features, such as users' operating systems, browser versions, anonymised IP addresses, geographic location, number of clicks and number of views. The cookie set by AdForm has a lifetime of 12 months.
The data is used for the following purposes:
- Recording the number of people using different app contents
- Recording the sequence of content that people click on when visiting our app
- Optimising the app
Working on our behalf, Adform uses this information to deliver more targeted, usage-based online advertisements. In order to be able to use the advertising space from other websites, cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex. The legal basis for this is Article 6(1)(a) GDPR.
Adjust (only in the DB Navigator for Android)
We use the analytics and marketing technology of Adjust GmbH (Saarbrücker Str. 37a, 10405 Berlin) to collect data on the performance of our mobile app and to measure the success of advertising measures on the internet. This creates pseudonymised usage profiles containing information about different features, such as users' operating systems, browser versions, geographic location, number of clicks and number of views. The IDFA (advertising ID of the device) and their anonymised IP address are also used for this purpose. This means that when you install our app, Adjust stores installation and event data from it. This allows us to better understand interactions within our app. At no point is it possible to identify you through this. The data is used for the following purposes:
- Optimising the app
- Market research through analyses of interaction within the app
- Measuring the success of advertising campaigns
- Generation of interest-based advertising
The Adjust service is carried out on our behalf and exclusively with your consent in accordance with Art. 6 (1) (a) GDPR. You can change or withdraw your consent in the privacy settings.
Cookies for personalised offers
- You can request information as to what personal data is stored.
- You can request that we correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
- You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
- You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
- If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
- You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests.
- You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).
To exercise your rights, you may send a letter by post to:
DB Vertrieb GmbH
60486 Frankfurt am Main
Alternatively, you may send an e-mail to the following address: email@example.com
We update our privacy notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you review our privacy notice at regular intervals.
Last modified: August 2023