Privacy Policy
for Website, Shop and Web-App 'BikePass'
leap42 UG (limited liability)
Wacholderstraße 42, 40489 Düsseldorf

As of January 2025

1. Controller
   The controller in terms of the General Data Protection Regulation (GDPR) is:
   leap42 UG (limited liability)
   Managing Director: J. Noll
   Wacholderstraße 42
   40489 Düsseldorf
   Germany
   E-Mail: support@bikepass.eu
2. General Information on Data Processing
   (1) We process personal data only to the extent necessary for providing our services, fulfilling a contract, or due to legal requirements, or if consent has been given.
   (2) Personal data refers to all information relating to an identified or identifiable natural person.
   (3) Processing is carried out in compliance with the GDPR, the BDSG (Federal Data Protection Act), and other relevant data protection regulations.
3. Categories of Personal Data Processed
   Specifically, we process the following categories of data:

(1) Order Data (Shop)
– Name, address, email address
– Billing and payment data (via payment service providers)
– Products ordered, order history

(2) Usage Data (Web-App)
– Registration data (email address, name if applicable)
– Bicycle and component information
– Images, documents, invoices
– Ownership and serial number details
– Optional: Information on the location or last known location of the bicycle (e.g., for theft reports)
– Log files (IP address, date/time of request, browser type, operating system)

(3) Device and Tracking Data
– Cookies and similar technologies
– Analytics and statistics data (e.g., via Google Analytics)

4. Purposes of Data Processing and Legal Bases
   We process personal data for the following purposes and based on the respective legal grounds mentioned:

(1) Contract Fulfillment and Pre-contractual Measures (Art. 6 para. 1 lit. b GDPR)
– Processing orders in the online shop
– Providing a user account for the web app
– Using the functions of the digital bicycle register
– Communication in the context of support inquiries

(2) Fulfillment of Legal Obligations (Art. 6 para. 1 lit. c GDPR)
– Tax-related retention obligations
– Commercial law documentation obligations

(3) Legitimate Interest (Art. 6 para. 1 lit. f GDPR)
– Ensuring IT security
– Abuse and fraud detection
– Improving our services
– Statistical evaluations in pseudonymized form

(4) Consent (Art. 6 para. 1 lit. a GDPR)
– Use of analytics and marketing cookies
– Use of certain tracking tools (e.g., Google Analytics)
– Sending newsletters or product information (via Brevo)

5. Disclosure of Personal Data
   (1) In principle, we do not disclose personal data to third parties unless it is necessary for contract fulfillment, legally required, or covered by consent.
   (2) Possible recipients include, but are not limited to:
   – Payment service providers (e.g., PayPal, credit card providers)
   – Shipping service providers (DHL) for the delivery of physical products
   – Technical service providers (hosting, automation, email dispatch)
   – In individual cases, authorities if there is a legal obligation
   (3) There is a possibility that a finder of a bicycle may anonymously contact the registered owner via BikePass. In this process, we do not disclose the owner's personal contact details to third parties, but merely forward the inquiry through our system.
   (4) We conclude data processing agreements (DPAs) in accordance with Art. 28 GDPR with all service providers who process data on our behalf (processors).
6. Services and Tools Used

6.1 Google Analytics
(1) We use Google Analytics for audience measurement and analysis of user behavior, provided you have consented to its use in the cookie banner.
(2) The provider is Google Ireland Limited.
(3) We use Google Analytics with IP anonymization activated, so your IP address is shortened before storage.
(4) The legal basis is your consent (Art. 6 para. 1 lit. a GDPR).
(5) You can withdraw your consent at any time via the cookie settings.

6.2 Brevo (Email Dispatch)
(1) We use the Brevo service for sending system, service, and, if applicable, marketing emails.
(2) Brevo processes data exclusively on our behalf.
(3) The legal basis is Art. 6 para. 1 lit. b GDPR (contract performance) or Art. 6 para. 1 lit. a GDPR (consent for marketing emails).

6.3 Make.com
(1) We use Make.com for the technical automation of processes (e.g., sending confirmation emails, synchronizing systems).
(2) Only the data necessary for the respective automation is processed.
(3) The legal basis is Art. 6 para. 1 lit. b and lit. f GDPR.

6.4 Hosting via AWS Germany
(1) Our systems are operated on servers located in Germany.
(2) The provider is Amazon Web Services (AWS).
(3) A data processing agreement exists with AWS. Data processing is carried out based on Art. 28 GDPR.
(4) Data transmission is exclusively encrypted (TLS/HTTPS).

7. Cookies
   (1) We use cookies and similar technologies to provide and improve our website and web app.
   (2) We distinguish between:
   – Technically necessary cookies (e.g., session cookies, login cookies),
   – Statistics and analytics cookies (e.g., Google Analytics),
   – Marketing cookies.
   (3) Technically necessary cookies are used based on Art. 6 para. 1 lit. f GDPR.
   (4) Statistics and marketing cookies are only set with your consent (Art. 6 para. 1 lit. a GDPR).
   (5) You can withdraw or adjust your consent at any time via the cookie consent tool.
8. Storage Duration
   (1) We store personal data only for as long as necessary for the respective purposes.
   (2) Criteria for storage duration include, but are not limited to:
   – Legal retention periods (e.g., 6–10 years for tax-relevant data),
   – Duration of user account usage,
   – Necessity for providing our services.
   (3) After the purpose ceases or legal deadlines expire, the data is deleted or anonymized.
9. User Account and App Data
   (1) A user account is required to use BikePass.
   (2) The data stored in the account (e.g., bicycle data, documents, images) is retained as long as the account exists.
   (3) Users can delete their content independently.
   (4) Upon deletion of the account, personal data is deleted or anonymized, provided no legal retention obligations prevent this.
10. Rights of Data Subjects
    Under the GDPR, you have the following rights:

– Right of Access (Art. 15 GDPR)
– Right to Rectification (Art. 16 GDPR)
– Right to Erasure (Art. 17 GDPR)
– Right to Restriction of Processing (Art. 18 GDPR)
– Right to Data Portability (Art. 20 GDPR)
– Right to Object (Art. 21 GDPR)
– Right to Withdraw Consent (Art. 7 para. 3 GDPR)

To exercise these rights, you can contact us at any time by email at support@bikepass.eu.

11. Right to Object under Article 21 GDPR
    (1) You have the right to object at any time to the processing of your personal data, based on your specific situation, if the processing is based on Article 6(1)(e) or (f) of the GDPR.
    (2) If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests.
12. Data Security
    (1) We implement technical and organizational security measures to protect your data against loss, manipulation, and unauthorized access.
    (2) These include, in particular:
    – TLS/SSL encryption during transmission,
    – Access restrictions,
    – Regular backups,
    – Logging of access.
    (3) Our security measures are continuously improved in line with technological developments.
13. Right to Lodge a Complaint with a Supervisory Authority
    You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data if you believe that the processing violates the GDPR.
14. Changes to this Privacy Policy
    (1) We reserve the right to adapt this Privacy Policy if the legal situation, our services, or data processing changes.
    (2) The most current version is available on our website.