Privacy Policy DB Navigator

DB Navigator: Privacy Policy

It is generally possible to use our app without providing personal data. We may need to process your personal data, however, if you wish to make use of special services we offer via our app or if you are booking a trip via our app. If it is necessary to process personal data and there is no statutory basis for such processing (e.g. a contractual agreement), we will ask for your consent.

This statement aims to inform you which data we will collect from you, how we will use it and how you can opt out of the use of your data.

When you use the app, DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG process your data and are jointly responsible for doing so. The companies have agreed which of them is responsible for privacy-related obligations.

If you have any questions or suggestions regarding this privacy policy, simply contact one of the DB companies.

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt 
E-Mail: p.d-datenschutz@deutschebahn.com 

DB Fernverkehr AG
Europa-Allee 78-84
60486 Frankfurt 
E-Mail: fv-datenschutz@deutschebahn.com

DB Regio AG
Europa-Allee 70-76 
60486 Frankfurt 
E-Mail: datenschutz.regio@deutschebahn.com 

Dr Marein Müller is the designated privacy officer for all three companies.

The companies listed above are jointly responsible for various data processing operations in connection with a ticket purchase or other services that we provide. They have formally agreed which of them performs a given task as part of this joint processing, what the purpose of this processing is, how it is organised and who complies with the obligations arising from GDPR, in particular with information-related obligations. The key features of this agreement are described below.

DB Vertrieb GmbH, DB Fernverkehr AG and DB Regio AG are joint controllers for the following purposes:

  • Use of websites and apps for the sale of products and services, and the provision of information for marketing communications
  • Processes on the train (e.g. ticket sales and inspection, penalty fares)
  • Processing and paying ex-gratia settlement and compensation (e.g. due to disruptions and unforeseen events)
  • Implementation of data subject rights, complaint management, service concerns and customer dialogue

We collect and process your data exclusively for specific purposes. These may arise due to technical necessity, contractual obligations or express requests on the part of users.

In order to be able to provide the desired contents and functions of the app correctly and in line with requirements, certain data must be processed for technical reasons when the app is used, such as the IP address, the app version and associated app-relevant settings of your smartphone operating system. If necessary, security and error messages are stored in log data for up to 30 days.

We have implemented protective measures for the security and availability of our IT systems. These include a web application firewall, rate limiting and DoS protection based on technologies from the service providers Akamai Technologies Inc (Parkring 22, 85748 Garching) and F5 Inc (Lehrer-Wirth-Straße 2, 81829 Munich). All requests to our systems are checked to ensure that they comply with defined technical rules. Deviating requests may be blocked or temporarily stored for further analysis, including the IP address.

In order to fulfil a contract, we require certain personal data from you. This data is required for booking tickets, processing payments, checking credit ratings, and for dealing with any cancellations and refunds if necessary.

In this case, the contract pursuant to Art. 6 (1) (b) GDPR is the legal basis for the processing of your personal data. Art. 6 (1) (b) GDPR shall also apply to processing that is required in order to take steps prior to entering into the contract, e.g. in cases of enquiries regarding our products or services.

Insofar as we obtain your consent for the processing of personal data (e.g. if you subscribe to our newsletter) this consent shall serve as the legal basis according to Art. 6 (1) (a) GDPR.

If we are subject to a legal obligation that requires us to process personal data, e.g. to fulfil tax obligations, this processing shall be based on Art. 6 (1) (c) GDPR.

We also do this in order to maintain relations with you as a customer, and to provide you with information and offers that we think will correspond to your travel preferences and interests. We therefore process your data on the basis of Art. 6 (1) (f) GDPR (including with the help of service providers) in order to send you information and offers. We use your contact data (name, address and e-mail address which we have received as a result of our business relationship with you) for advertising by post and for similar goods or services by e-mail, in particular for market research, unless you object to such use.

You can object at any time to the future use of your data for such advertising purposes. Send your objection by e-mail to p.d-datenschutz@deutschebahn.com (Keyword: "Advertising objection").

The following section contains a more detailed description of the data processing that can take place when booking a ticket on our app.

List of specific examples:

Customer account
To create a customer account for booking tickets in the Next DB Navigator app, we collect the following mandatory information during the registration process:

  • E-mail address
  • Password (assigned by yourself)

It is not possible to create a personal account without supplying this information. All other personal information and details pertaining to the user's travel profile are optional. We save your booking and login data in your customer account, and use it for internal analyses.

Booking a digital ticket
When booking digital tickets, first name, surname and email address are processed. When booking international tickets and some regional offers, the date of birth may also be required. On the train, the information on the ticket will be displayed on the control device during the inspection and processed in accordance with the conditions of carriage of the respective railway company.

Login service
To log in or register a customer account, the login service of the DB customer account is displayed in a browser window. Protective measures are implemented for the security and availability of the login service. These include a web application firewall, rate limiting and DoS protection based on technologies from the service providers Akamai Technologies GmbH (Parkring 22, 85748 Garching, Germany) and F5 Networks GmbH (Lehrer-Wirth-Strasse 2, 81829 Munich, Germany) as well as a captcha from the service provider Intuition Machines Inc (350 Alabama St, San Francisco, CA 94110, USA).

Other DB web pages
The DB Navigator also provides access to a number of other DB web pages such as the ABO portal, FAQ and help pages. These web pages are loaded in browser windows and have their own privacy statements and specific cookie settings if required.

Payment details
To ensure that your payments are processed securely, the necessary payment details (amount, booking reference, booking description, payer) are forwarded to the relevant payment service providers.

  • Payment via PayPal
    PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. You can find out how PayPal processes your data in the company's privacy policy.
  • Payment by Apple Pay (iOS versions only)
    Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. You can find out how Apple processes your data in Apple's privacy statement.
  • Payment by credit card
    PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main. You can find out how PAYONE processes your data in the privacy policy at https://www.payone.com/dsgvo/. The collection of credit card data for payment or for deposit in your own customer account as well as any security measures such as 3D-Secure and strong customer authentication are carried out directly by the payment service provider. We do not have access to your full credit card details and only store a reference in the form of a shortened credit card number so that you can recognise it.
  • Payment via giropay
    paydirekt GmbH, Stephanstr. 14-16, 60313 Frankfurt am Main. For more information, please see the giropay privacy statement.
     
  • Registration for payment by SEPA direct debit 
    When you register to use the SEPA direct debit process, you provide us with a SEPA mandate that we can use to deduct payments from your bank account by means of a SEPA direct debit.
     
  • Online activation of the SEPA Direct Debit Scheme
    For secure payment with the SEPA Direct Debit Scheme, we provide you with methods for online verification of account access via OpenBanking through Tink Germany GmbH (Gottfried-Keller-Straße 33, 81245 Munich) or Verimi GmbH (Oranienstraße 91, 10969 Berlin) or for online identity verification through Verimi GmbH. Depending on which verification method you choose, your personal data (the bank details, name and email address you provided) will be transmitted to the service provider under your guidance. In the automatically opening dialogue of the service provider you will be guided through the selected function and informed about every single step of the data processing. As soon as you have successfully completed the check, you can pay by direct debit. Both service providers act independently as responsible parties. Verimi GmbH will offer you the use of your Verimi customer account, if available, or the creation of a new customer account that will later also assist you with other identity verification procedures. Tink Germany GmbH and Verimi GmbH are authorised account information services that also work for banks and only process your data for the few minutes of the account access check.
    You can also obtain further information in the privacy statement in the dialogue window of the respective provider.
     
  • Default means of payment and preferred means of payment
    If you have not stored any means of payment in your customer account, you will be offered "Pay with Paypal" or, if activated, "Pay with Apple Pay" when purchasing in the app. You can always specify another means of payment and use it for payment. If you have stored a means of payment in your customer account and marked it as "preferred", this means of payment will be preset and used for the purchase.

To prevent cases of fraud, a processor is used to process your device or browser fingerprint along with your payment data. This serves to protect you and us by preventing the misuse of your financial details when making payments via bahn.de. The legal basis for this is Art. 6 (1) (f) GDPR.

Komfort Check-In
Komfort Check-In gives you an option for automatically validating your mobile phone ticket on certain DB long-distance trains. If you use this service, we process the relevant mobile phone ticket's data, including its identification details and possible discounts, to identify and validate the ticket. Our system uses the following data for this:

  • Ticket ID / order number
  • First and last name of the passenger
  • BahnCard number
  • Name of the BahnCard holder

Booking a BahnCard
We collect contact details and identification information (e.g. date of birth) when users buy a BahnCard. Further information on data processing in connection with the BahnCard can be found at: www.db-vertrieb.com/datenschutz 

Offers relating to similar products or services
We also use your e-mail address collected during registration or due to contractual commitments (e.g. booking a digital ticket) to inform you by e-mail about our own similar products or services. In this case, the e-mail address will be processed on the basis of our overriding legitimate interest in advertising our products and services (Article 6 (1) (f) GDPR).
You can object at any time to the future use of your data for such advertising purposes. You can submit your objection via the objection link in any e-mail received for this purpose or by sending an e-mail to p.d-datenschutz@deutschebahn.com (Keyword: "Advertising objection").

Booking a digital ticket after visiting a partner site (affiliate marketing)
When you click on DB affiliate advertising material on an external partner site, you will be redirected to our booking. A process identifier is also sent, which we process in order to provide the partner with remuneration for the initiated booking. We do not transmit any personal data. The remuneration is processed via the affiliate network of AWIN AG, Otto-Ostrowski-Straße 1A, 10249 Berlin.

Adding a subscription
When you add your subscription to our system, we save your last name, date of birth and subscription number. If your subscription requires a photo but your subscription contract data does not include one, our system will ask you to provide a photo when you add the subscription. You will have the option of either selecting a photo from the gallery or taking a new one. This requires specific kinds of access permission (see the section on access permission for details).

Feedback form
The provision of personal data in the feedback form is voluntary. When you send us an enquiry or comment regarding your booking using the contact form in "Feedback & News", we will process your details from the form, including the contact details you provide there, to handle the enquiry and any follow-up queries that may arise. The legal basis for this is Article 6 (1) (b) GDPR.

Newsletter registration
If you sign up for one of our newsletters, the e-mail address will be collected as mandatory information.

When you register for a newsletter, we also store the IP address assigned by the Internet Service Provider (ISP) to your end-user device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to trace (possible) subsequent misuse of the e-mail address of the person concerned and it therefore serves our legal protection. We want to be able to provide you with information that is relevant to you, so we analyse your interest in the contents of the bahn.de newsletter based on clicks and the display of content via customised links.

In this case, we may use your e-mail address for promotional purposes. The legal basis for this is Art. 6 (1) (a) GDPR. You may unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter. If you object to your data being used for promotional purposes, your data will only be used anonymously for statistical purposes.

For technical reasons, we require your permission to access certain data or operating system functions so the app can work.

Access permissions for technical reasons: Android (version 6 and higher)
Other: Accessing all networks, deactivating sleep mode, reading Google service functions, performing actions at start, accessing internet data, managing vibration signals, calling up network connections, calling up wifi connections.

Access permissions for technical reasons: iOS
Mobile data: Accessing internet data outside of a wifi area so customers can use the app to access information when travelling.
The legal basis for this data processing is Art. 6 para. 1 lit. b) GDPR.

Download
When you download the app, your user name, e-mail address and customer number, along with the time of the download, the payment information and the individual device number, are transmitted to the app store. We have no influence on this data processing and are not responsible for it.

Basic functions
This app must be able to store and transmit data in order to work. To do so, it needs the permissions to change or delete the content of the memory, and to retrieve data from the internet.
The legal basis for this is Article 6 (1) (b) GDPR.

Identifying your location
The app offers services and information related to your current surroundings, in order to use your current position for a journey's start/destination or identify stops in your vicinity. Your current location must be sent so you can use these functions.

The app identifies your location only if you have authorised this in your device's settings. If you are using an Android phone, authorisation takes place when you confirm that you want to download the app, or you can use your device's settings to provide authorisation. If you are using iOS, you provide authorisation either via a dialogue window when you first use the app or via your device's settings.

The legal basis for the location processing is your consent declared with the release according to Art. 6 para. 1 lit. a) GDPR.

Our system uses this data only to manage the information that you request. By deactivating the relevant settings, you can prevent your device from accessing your location and therefore withdraw your consent at any time.

Using the map functionality
The app offers the option of displaying a street map. This can be used for directions or for neighbourhood information.
The Google Maps service from Google Inc (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) is used on the Android operating system and the map service from Apple Inc (1 Infinite Loop, Cupertino, CA 95014, USA) is used on the iOS operating system.
To display the map, your IP address and position data (if enabled) are processed by the map service after you have agreed to the activation in the app and until you have deactivated the "Show map" switch in the app settings. The legal basis for this is Art. 6 para. 1 lit. b) GDPR.

If necessary, you can also make specific data protection settings in the device settings of your end user device independently of our app.

Push notifications
We believe it is beneficial to provide you with information about important events and updates (e.g. journey notifications) as part of our customer service, even if you do not have the app open. We only use push notifications for this purpose if you have expressly consented to them on your device and have given the authorisation requested by the operating system.

For Android phones, approval takes place after confirmation and on downloading the app. For iOS, a dialogue window appears the first time you access the app.

The legal basis for these data processing activities is Article 6 (1) (b) GDPR.

You can disable push notifications in the app settings or in the device settings and therefore withdraw your consent at any time.

Smartwatch
Functions are available for the smartwatches listed below to display certain information:

  • Current travel information (travel assistance)

This is activated via the settings on the smartphone to which your smartwatch is connected. Data is transferred via the operating system of the smartphone or smartwatch. Additional access rights, e.g. to sensors or location data of the smartwatch, are not required.

iOS (Apple Watch):
The Apple Watch connects to the Deutsche Bahn servers via the iPhone or via its own network access. Communication between the Apple Watch and the iPhone or our servers is encrypted. The notification settings are taken from the paired iPhone.

Android (Watch with Wear OS):
No direct connections are established between the Deutsche Bahn servers and the Wear OS smartwatch. The data to be transmitted and the data exchange are managed exclusively via the "DB Navigator" app on the smartphone to which the smartwatch is connected. Communication is encrypted using the services of the operating system (Google Cloud if necessary).

Contract processing generally requires the involvement of data processors who are subject to our instructions, such as computer centre operators, printing or mail-order service providers, or other agents involved in contractual performance. We also involve external service providers in market research activities.

External service providers who process data on our behalf are carefully selected and placed under strict contractual obligations. The service providers work in accordance with our instructions. This compliance is verified by technical and organisational measures and supplementary checks.

In addition, we only disclose your data when you have given us your express consent or where we are under a statutory obligation to do so. Transmission to third countries outside the EU/EEA or to an international organisation will not take place unless we have been given reasonable guarantees. These include the EU standard contractual clauses and an adequacy decision by the EU Commission.

When registering online for the direct debit procedure, a credit check is carried out via Experian Solutions GmbH. In the case of payment irregularities or payment default, details of the account receivable may be sent to a debt collection agency. The legal basis for this is Art. 6 (1) (f) GDPR.

We store your data only for as long as is necessary to fulfil the purpose for which the data was collected (as part of a contractual relationship, for example) and/or to comply with legal requirements. Thus, in the context of a contractual relationship, we will store your data at least until full and final completion of the contract. Thereafter, the data will be stored for the statutory storage period.

We process usage data for measurement and analysis purposes in our app. Information is stored for this purpose on your end device for as long as the app is installed there. When using the app, you can deactivate all processing that does not serve necessary purposes.

The following tracking measures that we use are carried out on the basis of Article 6 (1) (f) GDPR. They enable us to design our app in line with requirements and to optimise it continuously.

We continuously collect necessary statistics on the usage of our app, in order to measure the effectiveness of our improvements to the functions and your user experience. We use the analysis tools Adobe Analytics and Optimizely for this purpose. If your IP address needs to be processed, it will be made anonymous. All service providers are contractually obliged to handle your data in accordance with privacy requirements. Where required, we have concluded EU standard contractual clauses. With the chosen technical integration and the contractual measures, we ensure that only we have access to the data.

Tealium
For the purposes of dynamic customisability of our app and for the management of dynamic content, we use the tag management service Tealium iQ (Tealium Inc., 9605 Scranton Rd., Ste. 600 San Diego, CA 92121) and store required information on your end user device. The legal basis for this is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.

Adobe Analytics
Our app uses the analytics service Adobe Analytics (Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland). This allows us to store information on your mobile end user device that enables us to measure and analyse the use of the app. This allows us to see which sections and texts in our app are read and used how often and what influence the design of our app has on the type and extent of use as well as resource consumption. The legal basis for this is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.

Optimizely
In order for us to determine the best possible design of our app, we show you slightly varied content as part of so-called A/B testing and measure the reaction to it. The web analytics service Optimizely (119 5th Ave 7th floor, New York, NY 10003, USA) used for this purpose stores the required information on your end user device. The information is processed on Optimizely servers in the USA for the duration of the individual test run without any personal reference. The legal basis for this is § 25 para. 2 no. 2 TDDDG in conjunction with Art. 6 para. 1 lit. b) GDPR.

JSC-Tools from Risk.Ident GmbH
For fraud prevention purposes, we use the technology JSC-Tools from Risk.Ident GmbH (Am Sandtorkai 50, 20457 Hamburg). This serves to protect you and us by preventing the misuse of your means of payment for payments within the app. The legal basis for this is Art. 6 para. 1 lit. f) GDPR.

Qualtrics
We may invite you to take part in surveys in order to continuously improve our offering and services. For these we use technology from Qualtrics LLC (333 W. River Park Drive, Provo UT 84604, USA) on the legal basis of Art. 25 (2) (2) TDDDG. The information is collected anonymously in order to prevent users from participating multiple times within a certain period. Participation in the surveys is voluntary. If personal data is entered in textboxes, the legal basis is Art. 6 (1) (b) GDPR.

Firebase Crashlytics (Android versions only)
Firebase Crashlytics, a service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), is used in our app. With the help of this tool, information is transmitted to us anonymously in the event of an app crash in order to be able to trace the cause of the respective crash and remedy it more quickly. The legal basis for this is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the rapid detection of crash causes.

The following technologies are not mandatory for the use of the app and are only used if you have given your prior consent. The legal basis for this is § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time by calling up the data protection settings again and changing your selection there.

Adjust
We use the analytics and marketing technology of Adjust GmbH (Saarbrücker Str. 37a, 10405 Berlin) to collect data on the performance of our mobile app and to measure the success of advertising measures on the Internet. For this purpose, information on the operating system, browser version, geolocation and number of clicks or views, for example, is stored in pseudonymous usage profiles. The IDFA (advertising ID of the device) and your anonymised IP address are also used for this purpose. This means that when you install our app, Adjust stores installation and event data from your app. This allows us to better understand interactions within our app. At no time is it possible to identify you through this. This data is used to optimise the app and to serve and measure interest-based advertising. The Adjust service works on our behalf.

  • You can request information as to what personal data is stored.
  • You can request the correction, deletion and restriction of the processing (blocking) of your personal data, as long as this is legally permissible and possible within the framework of an existing contractual relationship.
  • You have the right to file complaints with the supervisory authority. The supervisory authority responsible for DB Vertrieb GmbH is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
  • You have the right to the portability of data you have made available to us on the basis of consent or a contract (data portability).
  • If you have given us your consent to data processing, you can withdraw it at any time by the same means by which it was given. Any processing of your personal data that took place from the time at which you granted your consent until the time at which you withdrew it will be considered to have been lawful.
  • You can object to data processing for reasons arising from your particular circumstances if the data processing is based on our legitimate interests.
  • You can opt out of targeted advertising at any time. This takes effect for the future (advertising opt-out).

To exercise your rights, you may send a letter by post to:

DB Vertrieb GmbH
Europa-Allee 78-84
60486 Frankfurt am Main

Alternatively, you may send an e-mail to the following address: p.d-datenschutz@deutschebahn.com.

We update our privacy notice to bring it into line with new functionalities or legal requirements. We therefore recommend that you review our privacy notice at regular intervals.

Last modified: July 2024