DB Navigator: Privacy Policy

It is possible to use our app without providing personal information. However, using the app to access certain DB services or book a journey can require personal data for our processes. If we need to process personal information and the relevant procedures are not based on existing legal provisions (i.e. a contractual agreement), we will request your consent.

The request for consent will contain information about what data we collect, how we use it and how you can object to your data's usage.

When you use the app, the DB companies DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data and are jointly responsible for doing so. The companies have agreed which of them is responsible for privacy-related obligations. The essential details of this agreement are described in the section "What data do we collect and how and why do we process your data?"
If you have any questions or suggestions regarding this privacy policy, simply contact one of the DB companies.

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt
Germany
E-mail: p.d-datenschutz@deutschebahn.com

DB Fernverkehr AG
Europa-Allee 78-84
60486 Frankfurt
Germany
E-mail: fv‐datenschutz@deutschebahn.com

DB Regio AG
Europa-Allee 70-76
60486 Frankfurt
Germany
E-mail: datenschutz.regio@deutschebahn.com

Dr Marein Müller is the designated privacy officer for all three companies.

The group of above-named companies is responsible for processing app-related data. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.

DB Vertrieb GmbH and DB Fernverkehr AG are responsible for the following:

  • Selling BahnCards and extending BahnCards as part of a subscription
  • Undertaking marketing communication and customer information activities as part of DB Vertrieb GmbH's campaign management processes (with the participation of DB Fernverkehr AG).

DB Vertrieb GmbH and DB Regio AG are responsible for the following:

  • Communicating with customers (e.g. those with subscriptions) and advertising.
  • Regional offers

DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are responsible for the following:

  • Using websites for marketing products and services, providing information and handling marketing communication.
  • Issuing vouchers and registering their redemption, providing information necessary for campaigns
  • Using customer database(s) for the holistic processing of customer transactions and exchanging customer data to prevent fraud, etc.
  • Processing and paying goodwill gestures and compensation (e.g. due to disruptions and unforeseen events)
  • Handling complaints management, service-related issues and customer dialogue, incl. providing contact forms

We process your data exclusively for specific purposes. These purposes may result from technical requirements, contractual obligations or express wishes of the user.

When you use the app, we must collect and store certain information for technical reasons. Such information includes the date and duration of your visit, any entries you make, the version and recognition data of the app and the operating system.

In order to comply with a contract, we require certain personal data from you. This data is required for ticket bookings, processing payments, for delivery by post to the specified address, where applicable, and for dealing with any cancellations and refunds.

In this case, the contract pursuant to Article 6(1)(b)) GDPR is the legal basis for the processing of your personal data. Article 6(1)(b) GDPR shall also apply to processing that is required in order to take steps prior to entering in to the contract, e.g. in cases of inquiries regarding our products or services.

Insofar as we obtain your consent for the processing of personal data (i.e. if you subscribe to our newsletter), this consent shall serve as the legal basis according to Article 6(1)(a)) GDPR.

If we are subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, this processing shall be based on Article 6(1)(c)) GDPR.

We would like to use your previous and current usage patterns regarding the app to provide you with customised contents that will make our range of products more interesting to you as a user. For this we store and analyse pseudonymised usage data from online activities. We can then offer you special advantages such as ticket price reductions and free seat reservations the next time you book a ticket. The legal basis for this is Article 6 (1) (f) GDPR.

We also do this in order to maintain customer relations with you and to provide you with information and offers which we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Article 6(1)(f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.

You can object at any time to the future use of your data for such advertising purposes. Send your objection by e-mail to p.d-datenschutz@deutschebahn.com (Advertising Objection).

The following section contains a more detailed description of the data processing that can take place when booking a ticket on our app. Further information, for example on data processing at ticket machines or if you visit our pages on social networks, can be found at https://www.db-vertrieb.com/datenschutz.

List of specific examples:

  • Creating a customer account
    You can log in with your bahn.de account. Anyone who wants to create a customer account on bahn.de must register first (click here to register). Click the following link to read the privacy policy regarding customer accounts.
  • Booking a digital ticket
    When booking a digital ticket, our system saves address details as well as surname, given name and e-mail. When you book an international ticket via international-bahn.de or certain regional offerings, it also saves your date of birth. During ticket inspection on trains, the information on the ticket (given name and surname) is displayed on the scanner (mobile terminal).
  • Payment details
    To ensure that your payments are processed securely, payment-related data (amount, booking reference, booking description, payer) is forwarded to payment service providers. 

    Payment by credit card
    Our payment service provider for processing credit card payments is  PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany. To learn how Payone processes your data, please read its privacy policy at https://www.payone.com/dsgvo/. The payment service provider performs the following: processing of credit card data in order to perform payments; application of security measures used by your card's issuer (such as 3D Secure and strong customer authentication). No other institution handles your data. We do not receive access to your full credit card data. Instead, we merely save a reference in the form of an abbreviated credit card number so that you can identify it.

    Payment via Paypal
    If you pay via PayPal, your payment data will be forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg (hereinafter called "PayPal"), as part of the payment process. Further information is available in the company's privacy policy.

    Payment via giropay
    If you pay via giropay, your payment data will be forwarded to paydirekt GmbH, Hamburger Allee 26-28, 60486 Frankfurt am Main, Germany, as part of the payment process. Further information is available in the company's privacy policy.

    Registration for payment by SEPA direct debit
    When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit if you have selected this payment option. 
  • Protecting payment transactions
    To prevent cases of fraud, a processor is used to process your device or browser fingerprint along with your payment-related data. This serves to protect you and us by preventing the misuse of your financial details when making payments via the app. The legal basis for this is Article 6 (1) (f) GDPR.
  • Buying BahnCards
    We collect contact details and identification information (e.g. date of birth) when users buy a BahnCard. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz
  • Offers relating to similar products or services
    We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products or services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6(1)(f) GDPR).

    You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to p.d-datenschutz@deutschebahn.com (Advertising Objection).
  • Adding a subscription
    When you add your subscription to our system, we save your last name, date of birth and subscription number. If your subscription requires a photo but your subscription contract data does not include one, our system will ask you to provide a photo when you add the subscription. You will have the option of either selecting a photo from the gallery or taking a new one. This requires specific kinds of access authorisation (see the section on access authorisation for details).
  • Customer feedback form
    When you send us an enquiry or comment regarding your booking using the contact form in ""Feedback & Support"", your details from the form, including the contact details you provide there, will be processed by us for the purpose of handling the enquiry and any follow-up queries that may arise. The legal basis for this is Article 6(1)(b) GDPR.
  • Newsletter registration
    If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.

    When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de newsletter based on clicks and the display of content via customised links. 

    In this case, we may use your e-mail address for promotional purposes. The legal basis for this is Article 6(1)(a) GDPR.  You can unsubscribe from the newsletter at any time at p.d-datenschutz@deutschebahn.com or by clicking the relevant link at the bottom of the newsletter. If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.
  • Participating in competitions
    When we run competitions, we collect data for managing the process. The precise details, i.e. what data is collected and for what purpose, are available on the web page of the relevant competition. 
  • Virtual chat assistants
    The app uses virtual chat assistants (also known as chatbots). They are part of our sales channel and help you find information. They are familiar with our websites' contents and provide keyword-based answers to customers' questions, recommend links to relevant websites or suggest using a different channel if someone wants to contact us. 

    We are constantly upgrading our chatbots, which help website and app users to navigate our website and mobile services. At the moment, they cannot process queries about specific contract-related issues. Anyone who has questions of this type can continue to contact us via live chat, phone or e-mail. Users should not provide any personal information when interacting with chatbots. 

    Our chatbots store customers' queries for max. 34 days so their self-learning feature can optimise how they operate. They do not process personal data. Usage-related metrics like chat duration, information timestamps, number of dialogues and user's approximate location are stored only for statistical purposes. We process user information only in order to handle queries and for internal purposes, e.g. managing and improving processes related to our business and services  as per Article 6(1)(b) GDPR.

Access permissions

For technical reasons, specific kinds of authorisation to access data or operating system functions are necessary so the app can work.

Access authorisation for technical reasons: Android (up to and including version 5)

  • Accessing memory: Changing or deleting USB storage contents to cache card details that are required for displaying card information in the DB Navigator app.
  • Accessing user accounts: Reading Google service configuration data to search for accounts on the device and activate push notifications (e.g.  journey notification).
  • Access networks: Accessing internet data, calling up network connections, complete network access, calling up wifi connections to enable the app to access information.
  • Accessing device memory: Deactivating sleep mode, managing vibration signals to alert customer to arrival of push notifications (e.g. journey notification).
  • Camera/gallery: For adding the photo in connection with a transport association season ticket.

The legal basis for processing data is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: Android (version 6 and higher)

  • Contacts: Searching for accounts on the device (to activate push notification, journey notification and delay notification).
  • Other: Accessing all networks, deactivating sleep mode, reading Google service configuration data, performing actions at start, accessing internet data, managing vibration signals, calling up network connections, calling up wifi connections.
  • Camera/gallery: for adding the photo for a transport association season ticket. Storage/memory access: when adding and saving photos for a transport association season ticket.

The legal basis for processing data is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: iOS

  • Mobile data: Accessing internet data outside of a wifi area so customers can use the app to call up information when travelling.
  • Camera/gallery: for adding the photo for a transport association season ticket.

The legal basis for processing data is Article 6(1)(b) GDPR.

Access authorisation for technical reasons: Windows Mobile

  • Mobile data: Accessing internet data outside of a wifi area so customers can use the app to call up information when travelling.
  • Contacts: Our app gives you the option of sending/receiving information about connections to/from the contacts stored on your end device. It simply uses the contact details you have stored, doing away with the need to input this information manually. Our system does not transfer any other personal details. It accesses your contacts' details only if you have authorised this in your device's settings. If you want, you can use your device's settings to completely prevent the app from accessing your contacts' details.
  • Other app functions: Using your device's network services, using phone functions, accessing your browser.

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

Identifying your location

The app offers services and information regarding your current surroundings, in order to use your current position for a journey's start/end or identify stops in your vicinity. Your current location must be sent from the operating system to the app so you can use these functions.

The app identifies your location only if you have authorised this in your device's settings. If you are using an Android phone, authorisation takes place when you confirm that you want to download the app, or you can use your device's settings to provide authorisation. If you are using iOS, you provide authorisation either via a dialogue window when you first use the app or via your device's settings.

The legal basis for processing your location is your approval pursuant to Article 6(1)(a) GDPR.

Our system uses this data only to manage the information that you request. By deactivating the relevant settings, you can prevent your device from accessing your location and so revoke your consent whenever you wish.

Push notifications

We believe it is beneficial to provide you with information about important events and updates (e.g. journey notification) as part of our customer service, even if you are not using the app. We use push notifications to do this.

The legal basis for these data processing activities is Article 6(1)(b) GDPR.

The app sends you alerts only if you have provided your explicit consent. When you first open the app, we ask if you want us to send alerts to your mobile end device. For Android versions, approval takes place after confirmation and on downloading the app.  For iOS, a dialogue window appears the first time you access the app.

You can disable push notifications in the app settings or in the device settings and so withdraw your consent at any time.

Calendar

Our app provides you with the option of adding your connection's details to your device's calendar. The app needs access authorisation for this, and our system requests this authorisation when you start using it. Access is necessary so you can use the app to select the right calendar for storing your connection's details. The app does not store any other personal or usage-related data.

The legal basis for data processing is your consent, point (a) of Article 6(1) of the GDPR.

You can revoke your consent whenever you wish via your device's settings.

Maps

The app features the option of displaying a street map. This can be used for getting directions or information about your surroundings.

The app on the Android operating system uses the Google Maps service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), which receives your IP address to display the map.

The legal basis for this is Article 6(1)(b) GDPR.

The relevant privacy policy is available at https://www.google.com/intl/de_de/policies/privacy/. You can use https://www.google.com/intl/de_de/policies/technologies/product-privacy/ to select the privacy policy settings you want.

If you are using an iPhone, the app uses the map service from Apple Inc. (1 Infinite Loop, Cupertino, CA 95014, USA). Apple receives your IP address only after you have authorised the use of the map service.

The legal basis for this is Article 6(1)(b) GDPR.

You can use your device's settings to select the privacy settings you want.

Komfort Check-In

Komfort Check-In gives you an option for automatically validating your mobile phone ticket on certain DB long-distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:

  • Ticket ID / order number
  • Passenger's given and last names
  • Number of BahnCard
  • Name of BahnCard holder

Contract processing generally requires the involvement of order processors who are subject to our instructions, such as e.g. computer centre operators, printing or mail-order service providers or other agents involved in contractual performance. We also involve external service providers in market research activities.

External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions and this is verified by technical and organisational actions and supplementary checks.

In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation. Transmission to third countries outside the EU/EEA or to an international organisation, will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission.

For example, we may be required to forward data in the following circumstances for the purpose of contract processing when users book services:

  • Travel insurance from our partner Europäische Reiseversicherung AG
  • Hotel services from our hotel reservations partner HRS
  • Use of DB's car hire offerings from leasing firms DB Rent, Europcar and Sixt
  • When making use of services for travellers with reduced mobility, your data is sent to the appropriate offices of the DB Group departments involved.
  • In the case of payment irregularities / payment default, details of the account receivable may be sent to a debt collection agency.

We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.

We use cookies on our app for functional, measurement and analysis purposes. Cookies are small text files which can be used to store data on your end-user device. We distinguish between cookies that are necessary for the technical functioning of the website and cookies that are not essential for the technical functioning of the website, e.g. for range measurement activities. Some of these cookies (known as "session cookies") are automatically deleted or become invalid at the end of the browser session. If you want to access and change your device's cookie settings, go to "Settings", then "Privacy", and then select "Open cookie settings".

Cookies and similar technology that are necessary for the use of certain app functions:

The following tracking measures that we use are carried out on the basis of Article 6 (1) (f) GDPR. They enable us to design our app in line with requirements and to optimise it continuously.

In order to be able to assess the effectiveness of our measures for improving functions and your user experience, we continuously collect necessary KPIs regarding the usage of the app and bahn.de/bahn.com. For this, we use the analysis tools Tealium, Adobe Analytics, Optimizely, Qualtrics and m-pathy. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements.

Use of Tealium

In order to facilitate the dynamic modification of this app and the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 11095 Torreyana Road, San Diego, CA 92121, USA). This also includes processing your selected cookie settings. The cookies used for this purpose are stored on your end device for 12 months.

Use of Adobe Analytics

In order to manage our website and optimise its performance, we use the web analysis service of Adobe Systems Software Ireland Limited (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). The relevant cookies have a lifetime of 24 months. The information generated by the cookie is not personally identifiable or traceable to an individual. We use this information to measure and evaluate the use of the website and to create statistics. We can see what sections and texts are read and used, how often they are read and used, and whether our app's design influences the extent of its use. The statistics obtained enable us to improve our content and make it more interesting for you as a user.

Use of Optimizely

In order to be able to show you our website with slightly different content, we carry out so-called A/B testing using the web analysis service "Optimizely". For this purpose, cookies are stored on your end device with a lifetime of 24 months. The analysis service provider is Optimizely (631 Howard Street, Suite 100, San Francisco, CA 94105, United States). The anonymised data is usually processed on a server of Optimizely in the USA.

Use of Qualtrics

We invite our app's users to take part in surveys in order to continuously improve our offering and services. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA). Data is collected anonymously. The purpose of the cookies used by Qualtrics is to prevent users from participating multiple times within a certain period of time. It records your participation for 12 months so you can be excluded from multiple participation. Participation in the surveys is voluntary.

Use of m-pathy

This app uses m-pathy, a technology from Verint Systems GmbH (Ziegelteich 29, 24103 Kiel, Germany), to collect and store users' session and interaction data. This information is used for improving the content and usability of the app. Cookies are stored for this purpose and have a lifetime of 24 months.

Use of CrossEngage

If you have a customer account, personal offers and promotions can be displayed when you are logged in. To structure these contents, our system adds a cookie to your end device that lasts for 12 months when the app is used. The data collected via the cookie is processed pseudonymised on servers of our service provider CrossEngage GmbH (Gontardstr. 11, 10178 Berlin, Germany).

Use of hCaptcha

We use hCaptcha technology from Intuition Machines Inc. (350 Alabama St., San Francisco, CA 94110, USA, to protect our services from overloading caused by bots automatically entering information. Machine learning is predominantly used to automatically assess if data entries are made by a person. If necessary, the system displays an interactive task on pages containing forms so that the user can validate their entries. If you registered for the barrier-free service from this company, the system reads the relevant cookie. The legal basis for this is Article 6 (1) (f) GDPR.

Use of JSC tools

We use JSC tools technology from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg, Germany) to prevent fraud. This serves to protect you and us by preventing the misuse of your financial details when making payments via within the app. This can entail the processing of a cookie with a lifetime of 24 months. The legal basis for this is Article 6 (1) (f) GDPR.

Easy marketing

We use technology from Easy Marketing GmbH (Asselner Hellweg 124, 44319 Dortmund, Germany) to ensure that partner companies receive payment following bookings on partner websites via DB affiliate advertising. This entails the evaluation of cookies to which you have consented on the partner websites in question.

Non-essential cookies and technology

The following cookies are not essential for using the app and will be processed only if you give your consent beforehand.

Use of Exactag

We use the analysis service from Exactag GmbH (Wanheimer Strasse 68, 40468 Düsseldorf, Germany) in our app. It processes data regarding your usage of DB Navigator and stores this information for up to 12 months. The legal basis for this is Article 6(1)(a) GDPR.

Use of AdForm

We use the services of AdForm A/S for placing interest-based advertising.

(Wildersgade 10B, 1, 1408 Copenhagen K, Denmark) are used for placing interest-based advertising. These cookies create pseudonymised usage profiles that can be used to store the following information for up to 12 months: users' operating systems, browser versions, anonymised IP addresses, geographic location, number of clicks and number of views. The data is used for the following purposes:

  • Recording the number of people using different app contents
  • Recording the sequence of content that people click on when visiting our app
  • Optimising the app

Working on our behalf, Adform uses this information to deliver more targeted, usage-based online advertisements. In order to be able to use the advertising space from other websites, cookies are synchronised with the following platforms: Google, Doubleclick, Appnexus, DataXu, Mediamath, TURN, TheTradeDesk, Active Agent, TheAdex. The legal basis for this is Article 6(1)(a) GDPR.

Use of Firebase Crashlytics (only in DB Navigator for Android)

Our app uses the Firebase Crashlytics, service from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). In the event of an app crash, this tool permits the anonymous transmission of information to us so we can quickly trace and remedy the fault. The data we receive is of a purely technical nature and contains no personal information.

  • You can request information as to what personal data is stored.
  • You can request that we correct, delete or restrict the processing (block) of your personal data, provided these actions are permitted by law and in compliance with existing contractual conditions.
  • You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany; e-mail: poststelle@datenschutz.hessen.de.
  • You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
  • If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
  • You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests.
  • You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

To exercise your rights, you may send a letter by post to:

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt am Main
Germany

Alternatively, you may send an e-mail to the following address: p.d-datenschutz@deutschebahn.com

We update our privacy notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you review our privacy notice at regular intervals. Where your consent is required or where parts of our data protection notice contain provisions of the contract with you, the changes will take place only with your consent.

Last modified: May 2022