DB Navigator: Privacy Policy

It is possible to use our app without providing personal information. However, using the app to access certain DB services or book a journey can require personal data for our processes. If we need to process personal information and the relevant procedures are not based on existing legal provisions (i.e. a contractual agreement), we will request your consent.

The request for consent will contain information about what data we collect, how we use it and how you can object to your data's usage.

Who is responsible for collecting and processing data?

DB Vertrieb GmbH (Stephensonstr. 1, 60326 Frankfurt am Main, Germany) is the company responsible for collecting and processing your data.

Chief Privacy Officer is Ms Chris Newiger.

If you have any questions or comments regarding our app's privacy policy, please contact us at the following e-mail address: ecommerce-datenschutz@deutschebahn.com

What data do we collect, and why do we process your data?

We collect and process your data only for certain purposes. These can be related to technological requirements, contractual requirements or requests explicitly stated by users.

When you use our app, we have to collect and store certain data (e.g. IP address) for technical reasons.

We require personal information from you when entering into a contract. This data is for DB processes: ticket bookings, payment processing, creditworthiness checks and, if necessary, cancellation and refund management. Your user name and password are collected only when you log in.

This happens in connection with the following.

Creating a customer account

You can use your bahn.de customer account to log in. You must provide the following information when creating an account:

  • User name and password
  • First and surname
  • E-mail address
  • Security question in case of forgotten password along with your corresponding answer

It is not possible to create a personal account without supplying this information. All other personal information and details pertaining to the user's travel profile are optional. We store your login data and booking details, which includes whether or not you own a BahnCard, in your customer account, and we use this information for internal analyses and marketing activities. We use this information to make constant improvements to our offering. We do not create a link between these activities and your personal data. We process pseudonymised usage data for statistical and marketing purposes only if you have provided consent.

Payment details

To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) is forwarded to payment service providers.

  • Payment by credit card

    Our payment service provider for processing credit card payments is PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany. To learn how Payone processes your data, please read its privacy policy at https://www.payone.com/dsgvo/. The payment service provider performs the following: processing of credit card data in order to perform payments; application of security measures used by your card's issuer (such as 3D Secure and strong customer authentication). No other institution handles your data. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it. To prevent cases of fraud, a processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via bahn.de/bahn.com. The legal basis for this is Art. 6 (1) (f) GDPR.
  • Paying via PayPal

    When you pay via PayPal, your payment data is forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (hereinafter "PayPal") as part of processing. Please see the company's privacy policy for information relating to data protection (https://www.paypal.com/de/webapps/mpp/ua/privacy-full).
  • Paying via paydirekt

    When you pay via paydirekt, your payment data is forwarded to paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main, Germany as part of processing. Please see the company's privacy policy for further information (https://www.paydirekt.de/agb/index.html).
  • Paying via Klarna Direct Bank Transfer

    When you pay by instalments or by means of Klarna Direct Bank Transfer, your payment data is forwarded to payment service provider Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden as part of processing. Please see the company's privacy policy for further information (https://www.klarna.com/de/datenschutz/).

Booking a digital ticket

When booking a digital ticket, address details as well as surname and first name are saved. During ticket inspections on trains, the information on the ticket (first name and surname) is displayed on the scanner (mobile terminal). The ticket is saved in the app.

Purchasing a BahnCard

When you buy a BahnCard, our system records your contact and identification data (e.g. date of birth).

Offers relating to similar products and services

We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products and services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to ecommerce-datenschutz@bahn.de (Advertising Objection).

Ordering subscriptions online

Contact and payment details are collected when ordering a season ticket as a subscription. Depending on the offer, identification data such as date of birth or a photograph may also be required.

Enquiry/ feedback form

When you send us an enquiry regarding your booking using the contact form, your details from the enquiry form, including the contact details you provide there, will be processed by us for the purpose of handling the enquiry and any follow-up queries that may arise. The legal basis for this is Art. 6(1)(b) GDPR.

Participating in competitions

When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition.

Virtual chat assistants

The app makes use of virtual chat assistants (also known as chatbots). They are part of our sales channel and help you find information on bahn.com and in DB Navigator. They are familiar with our websites' contents and provide keyword-based answers to customers' questions, recommend links to relevant websites or suggest using a different channel if someone wants to contact us.

We are constantly upgrading our chatbots, which help website and app users to navigate our website and mobile services. At the moment, they cannot process queries about specific contract-related issues. Anyone who has questions of this type can continue to contact us via live chat, phone or e-mail. Users should not provide any personal information when interacting with chatbots.

Our chatbots store customers' queries for max. 34 days so their self-learning feature can optimise how they operate. They do not process personal data. Usage-related metrics like chat duration, information timestamps, number of dialogues and user's approximate location are stored only for statistical purposes. We process user information only in order to handle their queries and for internal purposes, e.g. managing and improving processes related to our business and services in accordance with Art. 6(1)(b) GDPR.

Access authorisation

Certain types of access authorisation are necessary to ensure that the app can function.

Access authorisation for technical reasons: Android (up to and including version 5)

Accessing memory: Changing or deleting USB storage contents to cache card details that are required for displaying card information in the DB Navigator app.

Accessing user accounts: Reading Google service configuration data to search for accounts on the device and activate push notifications (e.g. delay notification)

Accessing networks: Accessing internet data, calling up network connections, complete network access, calling up wifi connections to enable the app to access information

Accessing specific devices: Deactivating sleep mode, managing vibration signals to alert customer to arrival of push notifications (e.g. delay notification)

Camera/gallery: for adding a photo to a Verbund-Abo. The legal basis for processing data is Art. 6(1)(b) GDPR.

Access authorisation for technical reasons: Android (version 6 and higher)

Contacts: Searching for accounts on the device (to activate push notifications, e.g. delay notification)
Other: Accessing all networks, deactivating sleep mode, reading Google service configuration data, performing actions at start, accessing internet data, managing vibration signals, calling up network connections, calling up wifi connections

Camera/gallery: for adding the photo to a Verbund-Abo. Storage/memory access: when adding and saving photos for a transport association season ticket, the legal basis for processing data is Art. 6(1)(b) GDPR.

Access authorisation for technical reasons: iOS

Mobile data: Accessing internet data outside of a wifi area so that customers can use the app to call up information when travelling.

Camera/gallery: for adding the photo to a Verbund-Abo.. The legal basis for processing data is Art. 6(1)(b) GDPR.

Identifying your location

The app offers services and information regarding your current surroundings, in order to use your current position for a journey's start/end or identify stops in your vicinity. Your current location must be sent to the system so that you can use these functions.

The app identifies your location only if you have authorised this in your device's settings. If you are using an Android phone, authorisation takes place when you confirm that you want to download the app, or you can use your device's settings to provide authorisation. If you are using a Windows Mobile phone or iPhone, you provide authorisation either via a dialogue window when you first use the app or via your device's settings.

The legal basis for processing your location is your approval pursuant to Article 6(1)(a) GDPR.

Our system uses this data only to manage the information that you request. By deactivating the relevant settings, you can prevent your device from accessing your location and so revoke your consent whenever you wish.

Push notifications

We believe it is beneficial to provide you with information about important events and updates (e.g. delay notification) as part of our customer service, even if you are not using the app. This information is sent via push notifications.

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

The app sends you alerts only if you have provided your explicit consent. When you first open the app, we ask if you want us to send alerts to your mobile end device. If you are using an Android phone, authorisation takes place when you confirm and download the app. If you are using an iPhone, you provide authorisation via a dialogue window when you first use the app.

You can deactivate push notifications in the app's settings or your device's settings and so revoke your consent whenever you wish.

Calendar

Our app provides you with the option of adding your connection's details to your device's calendar. The app needs access authorisation for this, and our system requests this authorisation when you start using it. Access is necessary so you can use the app to select the right calendar for storing your connection's details. The app does not store any other personal or usage-related data.

The legal basis for these data processing activities is your consent pursuant to Article 6(1)(a) GDPR.

You can revoke your consent whenever you wish via your device's settings.

Maps

Our app can show you a map to provide you with directions or information about your surroundings.
If you are using an Android phone, the app uses the Google Maps service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). This service receives your IP address in order to display the map.

The legal basis for this is Article 6(1)(b) GDPR.

The relevant privacy policy is available at www.google.com/intl/en_en/policies/privacy/.
You can use www.google.com/intl/en_en/policies/technologies/product-privacy/ to select the privacy policy settings you want.

If you are using an iPhone, the app uses the map service from Apple Inc. (1 Infinite Loop, Cupertino, CA 95014, USA). Apple receives your IP address only after you have authorised the use of the map service.

The legal basis for this is Article 6(1)(b) GDPR.

You can use your device's settings to select the privacy settings you want.

Komfort Check-In

Komfort Check-In gives you an option for automatically validating your mobile phone ticket on certain DB Long-Distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:

  • Ticket ID / order number
  • Passenger's first and last names
  • BahnCard number
  • Name of BahnCard holder

Offers related to your booking

We reserve the right to contact you after you have made a booking and send you offers of similar products and services to the e-mail address you used in the booking. You can revoke your consent at any time by clicking the unsubscribe link in the e-mail.

Newsletter

If you sign up for one of our newsletters, providing us with your e-mail address is mandatory. In this situation, we may use your e-mail for commercial purposes.

During the subscription process, we save the IP address of the end device you are using at the time of registration, and we also save the date and time of registration. This information plays a part in our legal protection activities: we need it so that we can react to the (possible) misuse of someone's e-mail address at a later point in time.

You can unsubscribe from a newsletter whenever you want by clicking the unsubscribe link at the bottom of your newsletter. If you revoke your consent to the commercial usage of your data, it is only used for statistical purposes and is anonymised for this.

Legal basis of data processing

If you provide consent for your data to be processed, this serves as the legal basis pursuant to Article 6(1)(a) GDPR.

When processing personal data that is necessary to meet contractual obligations with you, the contract pursuant to Article 6(1)(b) GDPR serves as the legal basis. Article 6(1)(b) GDPR also applies to processing activities necessary for meeting pre-contractual measures, such as questions regarding our products and services.

If a legal obligation requires our company to process personal data, such as meeting tax-related obligations, such processing is based on Article 6(1)(c) GDPR.

To continuously improve our offering, we use cookies to store a pseudonymised ad ID/pseudonymised ad ID usage. The legal basis for this is Article 6(1)(f) GDPR.

We believe it is beneficial to maintain a relationship with you as a customer and provide you with information and offers which we think may match your travel needs and personal interests. We therefore process your data to send you information and offers. This processing is based on Article 6(1)(f) GDPR and may involve support from service providers. We use your contact details (name and e-mail address you provide us within the context of our business relationship) for advertising and market research activities if you do not explicitly revoke your consent to such usage.

You can revoke your consent to the future commercial processing of your data whenever you wish. Please send this revocation to ecommerce-datenschutz@deutschebahn.com.

Does DB AG forward data to other parties?

The work of processing contracts generally requires the involvement of processing parties issued with instructions. Such parties include computer centre operators, printing and delivery services, and other service providers tasked with roles relating to contract fulfilment. We also involve external service providers in market research activities. External service providers that process data on our behalf are carefully selected by us and subject to strict contractual obligations. These service providers follow our instructions, something which is guaranteed by means of strictly regulated contracts, technical and organisational measures, and supplementary checks.

We forward your data only if you have provided your explicit consent or if this is absolutely required due to legal obligations.
Your information will not be forwarded to third party states outside the EU/EEA or to international organisations in the absence of suitable guarantees. These include EU standard contract clauses and a suitability resolution from the EU Commission.

For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book our services:

  • Travel insurance from our partner Europ√§ische Reiseversicherung AG
  • Hotel services from our hotel reservations partner HRS
  • Use of DB's car hire offerings from leasing firms DB Rent, Europcar and Sixt
  • Credit rating checks by Infoscore Consumer Data GmbH when registering for direct debit services
  • When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
  • When you purchase a BahnCard on bahn.de/bahn.com, you enter into a contract with DB Fernverkehr AG. To complete this process, we forward the data, which you provide, to DB Fernverkehr AG. Further information is available in the relevant General Terms and Conditions. We merely handle the payment process and store the data provided for this purpose.
  • In the case of payment irregularities / payment default, details of the account receivable may be sent to a debt collection agency.
  • When you use the contact form on bahn.de/bahn.com for communicating with DB Fernverkehr or DB Regio, the details you supply are forwarded to the customer dialogue units of the relevant transport companies. Bahn.de merely serves as the platform hosting these forms.

You purchase our partners' services on bahn.de/bahn.com directly from these partner companies. Further information on this is available under "Do you incorporate data from third parties?"

How long is your data stored?

We retain your data only as long as is necessary to meet the purpose for which it was collected (e.g. as part of a contractual relationship) or as long as retention is required by law. For example, as part of a contractual relationship, we retain your data at least until the complete fulfilment of the contract. Afterwards, we store your data for the duration of the legal retention period.

Are cookies used?

Certain functions save data on your end device for the purposes of ensuring functions operate, for performing measurements and for performing analyses. This corresponds to the behaviour of browser cookies. We distinguish between functions that are essential for using the app and functions that are not obligatory, such as reach measurement.

If you want to access and change cookie settings, go to the settings section of the app on your end device.

Data and technology that are required for certain app functions:

The following tracking measures that we use are carried out on the basis of Art. 6(1)(b) GDPR. They enable us to design our app in line with requirements and to optimise it continuously.

In order to be able to assess the effectiveness of our measures to improve the functionalities and your user experience, we continuously collect necessary figures on the usage of the app. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements.

  • Use of Tealium

    In order to facilitate the dynamic modification of this app and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 11095 Torreyana Road, San Diego, CA 92121, USA). This also includes processing your selected cookie settings.
  • Use of Adobe Analytics

    In order to manage our app and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The information processed in this context is not personal in nature and cannot be linked to a specific individual. We forward them to the USA where they are stored on an Adobe server on our behalf. We use this information to measure and evaluate the use of the website and to create statistics. This enables us to assess how often different sections and texts on our website's pages are read, and whether or not our website design influences the extent of website usage. The statistics obtained enable us to improve our content and make it more interesting for you as a user.
  • Use of Optimizely

    In order to be able to show you our app with slightly different content, we carry out so-called A/B testing using the web analysis service Optimizely, and we save information necessary for this on your end device. The analysis service provider is Optimizely (631 Howard Street, Suite 100, San Francisco, CA 94105, United States). The anonymised data is usually processed on an Optimizely server in the USA.
  • Use of Qualtrics

    In order to ensure continual improvement of our content and services, we invite users of our website to take part in surveys. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). Data is collected anonymously. Your participation is noted for 12 months to prevent you from participating several times during this time period. Participation in the surveys is voluntary.
  • Use of m-pathy

    This website uses m-pathy, a technology of Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany), to collect and store session and interaction data of app users for up to 24 months. This information is used for improving the content and usability of the app.
  • Use of CrossEngage

    If you have a customer account, personal offers and promotions can be displayed when you are logged in. This entails saving information in the app and processing pseudonymised information on the servers of our service provider, CrossEngage GmbH (Gontardstr. 11, 10178 Berlin, Germany).
  • Use of hCaptcha

    We use hCaptcha technology from Intuition Machines Inc. (350 Alabama St., San Francisco, CA 94110, USA, to protect our website from overloading caused by bots automatically entering information. This largely automatic system uses machine-based learning to ascertain when a human visits our website to use it. If necessary, the system displays an interactive task on pages containing forms so that the user can validate their entries. If you registered for the barrier-free service from this company, the system reads the relevant cookie. The legal basis for this is Art. 6 (1) (f) GDPR.
  • Use of JSC tools

    We use JSC tools technology from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg, Germany) to prevent fraud. This serves to protect you and us by preventing the misuse of your financial details when making payments via bahn.de. The legal basis for this is Art. 6 (1) (f) GDPR. This can entail the processing of a cookie with a lifetime of 24 months. The legal basis for this is Art. 6 (1) (f) GDPR.
  • Easy marketing

    We use technology from Easy Marketing GmbH (Asselner Hellweg 124, 44319 Dortmund, Germany) to ensure that partner companies receive payment following bookings on partner websites via DB affiliate advertising. This entails the evaluation of cookies to which you have consented on the partner websites in question.

Cookies and technology that are not essential for using the website

The following cookies are not essential for using the website and will be processed only if you give your consent beforehand.

  • Use of Exactag

    We use the analysis service from Exactag GmbH (Philosophenweg 17, 47051 Duisburg, Germany) in our app. It is used to process data about how you use DB Navigator, and this data is stored for up to 12 months. The legal basis for this is Article 6(1)(a) GDPR.
  • Use of AdForm

    We uses services from AdForm A/S(Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) for placing interest-based advertising. These cookies create pseudonymised usage profiles that are used for storing information about different features, such as users' operating systems, browser versions, anonymised IP addresses, geographic location, number of clicks and number of views for up to 12 months. The data is used for the following purposes:

    - Registering the number of users for different app content
    - Recording the sequence of content items people click when visiting our app
    - Optimising the app

    Working on our behalf, Adform uses this information to deliver more targeted, usage-based online advertisements. In order to be able to use the advertising space from other websites, cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex. The legal basis for this is Article 6(1)(a) GDPR.
  • Use of Firebase Crashlytics (only in DB Navigator for Android)

    Our app uses Firebase Crashlytics, a service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). This tool enables us to receive anonymised information in the event of the app crashing so that the cause can be identified and resolved more quickly. The data transferred is purely text-based and do not contain any personal identifiers.

What rights do DB Navigator users have?

  • You can submit a request to see what personal details of yours are stored in our system.
  • You can ask us to correct and delete your personal data or restrict its processing (block) provided this is legally permissible and is possible within the context of the current contractual relationship.
  • You have the right to submit a complaint to a supervisory body. The supervisor responsible for DB Vertrieb GmbH: Data Protection Officer for the State of Hesse (Der Hessische Datenschutzbeauftragte), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany. E-mail: poststelle@datenschutz.hessen.de
  • You have to right to the transferability of the data you have supplied us within the context of consent or a contract (data portability).
  • If you have provided us with consent to data processing, you can revoke it in the same manner as you supplied it. Revoking consent does not affect the legal standing of any processing which took place prior to the withdrawal of consent.
  • You can revoke your consent to data processing due to reasons relating to your specific situation if such processing is performed on grounds relating to our justified interests.
  • You can revoke your consent to receiving advertising whenever you wish and with future effect (right to object to advertising).

To make use of this right, you can send notification of your objection in writing to the following address:

DB Vertrieb GmbH
Stephensonstr. 1
60326 Frankfurt am Main
Germany

Or you can contact us via e-mail: ecommerce-datenschutz@deutschebahn.com

How up-to-date is this privacy policy?

We update our privacy policy to suit changes to technical functions or legal conditions. As a result, we recommend that you read the privacy policy at regular intervals. If your consent is necessary or elements of the privacy policy contain regulations concerning the contractual relationship with you, the changes are made only with your consent.

Last updated: Juli 2021