Privacy Policy Bahrain - TIER

Data Protection Declaration

1. Introduction

Our Data Protection Declaration informs you about the collection and processing of your data by TIER. It applies to the TIER app as well as to mobility services that can be booked via our app or via partner apps.

The data controller and service provider is:

Tier Bahrain W.L.L. ("TIER", "we"), Unit 5, Building 1994, Road 152 Bahrain Investment Wharf, Al Hidd 115 Manama, Bahrain, Contact privacy@tier.app or support@tier.app

together with Tier Mobility SE (“Tier Mobility Germany”), c/o WeWork Eichhornstr. 3, 10785 Berlin, Germany, Contact: privacy@tier.app or support@tier.app, pursuant to Article 26 GDPR.

2. Data collection and processing when using our app and services

In our app, we offer users the opportunity to register by providing personal data. Registration is mandatory for the use of TIER Services. It is also possible to book our services through third-party providers (see below).

2.1 Registration

When you register with TIER, we require the following information from you to create a customer account:

  • your name, email address and phone number;
  • depending on your country, your usage, and the particular services available; information about your driver's license and proof of age;
  • information about your payment method.

You enter this information yourself in our app when you register. If additional voluntary information can be provided, this will be marked accordingly.

You can also use a so-called “single sign on function” from Google or Apple ("SSO provider") to create an account with us. Your account with the SSO provider (e.g. your Google account) is then linked to our app. The master data you store with the SSO provider (name, email address, phone number) will be visible to us. The SSO providers inform you during the registration process about the data to be transferred; you can give explicit consent or refuse this. Please note that by linking the accounts, the SSO providers knows if and when you log in with us.

Registering and creating an account is a prerequisite for renting vehicles. The legal basis is Article 6(1)(b) GDPR.

2.2 Data collection and processing when using the TIER App

When you use the app or your end device, your current IP address and information about your end device (e.g. operating system used, version, language, device type/brand/model, device ID) as well as the date and time of access and the retrieved content or data are automatically transmitted to our servers ("access data").  This is technically necessary information and we collect it automatically when you use our app.

The legal basis is Article 6(1)(b) GDPR, insofar as the data processing serves to provide the app functionalities and our services. Furthermore, the data processing is carried out pursuant to Article 6(1)(f) GDPR based on our legitimate interest in sustained functionality and security as well as the further development of the app and our services.

2.2.1 App permissions

In order to use our services, we need access to certain functions of your device (so-called “permissions”). Depending on your operating system, you must explicitly grant permission or you can revoke it in each case.  Any data that we may access as part of the authorisations will only be used for the purposes stated in this Data Protection Declaration.

Camera Access to your camera function is required to scan the QR code placed on the vehicle before renting. The camera is also needed to verify your driver's license and identity (see below). In addition, in some cities we also offer a service to improve location preciseness and help with correct parking through visual location detection. For this purpose, we use the services of Fantasmo Studios, Inc.340 S Lemon Ave 7650, Walnut, CA 91789, USA, among others.

Location We need information about your location to show you if there are vehicles near you and how to get there. Furthermore, we process information about your location when you use the app or rent a vehicle to improve our services and personalise them for you.

The legal basis is Article 6(1)(b) GDPR, as the data processing serves to provide the app functionalities and our services.

2.2.2 TIER App analysis and further development

To continuously optimise our service, we want to understand how users use our app. For this purpose, we also collect and process the following technical data:  device information (e.g. device, operating system and app version information, language, time zone), the time you open the TIER app, your behaviour in the app (e.g. selecting vehicles or booking), duration of use or time spent in certain functionalities, and your device location.

In addition, we use a service to obtain diagnostic information such as device type, device ID, OS version, state of the app at the time of the crash, crash trace, internal app technical log data when the app crashes. This information does not contain any directly identifiable personal data. We use it to analyse errors in the app and thus improve stability and reliability.

For the crash reports, we use "Firebase", a service of Google Ireland Ltd, Google Building Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). We have concluded a data processing agreement with Google. In some cases, data are processed on a Google server in the United States. In the event personal data are transferred to the US or other third countries, we have concluded standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR. Further information on these services can be found here:  https://policies.google.com/technologies/partner-sites

Our app uses Google Analytics, an analytics service provided by Google. When doing so, we analyse your usage behavior in our app in order to be able to improve our app and our offerings on this basis. 

We have chosen the following privacy settings for Google Analytics:
- IP anonymisation (shortening of the IP address before analysis so that no conclusions can be drawn about your identity);
- automatic deletion of old logs / limitation of the storage period;
- disabled advertising function (including target group remarketing by GA Audience);
- disabled personalised ads;
- disabled measurement protocol;
- disabled cross-page tracking (Google signals);
- disabled data sharing with other Google products and services.

The following data are processed by Google Analytics:
- anonymised IP address;
- functions used or pages viewed (date, time, function/URL, time spent);
- if applicable, technical information, including operating system, version and language; device type, brand, model;
- mobile ad ID (you can restrict this use in the settings of your end device; for Android under Settings/Google/Advertising/Reset Ad ID, for iOS under Settings/Privacy/Advertising/No Ad Tracking);
- approximate location (country and, if applicable, city, based on anonymised IP address).

The personal data linked to advertising ID collected by Google Analytics are automatically deleted after 14 months.  We have concluded a data processing agreement with Google. In some cases, data are processed on a Google server in the United States. In the event personal data are transferred to the US or other third countries, we have concluded standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR.

The legal basis is Article 6(1)(f) GDPR, based on our legitimate interest in analysing errors in the app in order to fix them and improve the app, as well as in analysing the use of the app in pseudonymous form in order to improve the app and our offerings.

2.2.3 Adjust

To optimise our marketing activities, we use the service provider adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”). The data collected via Adjust provide information, for example, about the downloading of the TIER app, the online advertising channel through which the download was generated, the time the app was opened, the duration of app use, and about app functions that were used (e.g. about successful logins and completed journeys). Adjust uses IP and Mac addresses of the users for the analysis, which, however, are hashed after the collection, as well as the respective AppID and, if available, the Mobile Advertising ID.  The data are processed exclusively pseudonymously, i.e. they are not used to individualise specific users or to assign them to a specific person.

These data are used to analyse and evaluate the performance of our marketing measures and marketing channels, to bill marketing measures to our marketing partners, and to detect attempted fraud in connection with marketing measures (e.g. "click fraud," in which billing systems behind ads are deliberately manipulated by simulating clicks on them). These data are also used to improve the app as well as to analyse the usage of the app in pseudonymous form in order to improve the app and our offerings. You can object to the collection of data by Adjust at any time here: https://www.adjust.com/forget-device/

The data processing is carried out pursuant to Article 6(1)f GDPR based on our aforementioned legitimate interests.

2.2.4 Google Maps

The TIER App uses Google Maps API applications, a service provided by Google. This allows us to show you interactive maps on our app, for example. This application is essential for the functionality and full provision of our content and services. You can view the Google Terms of Use here: https://www.google.com/intl/en/policies/terms/. The additional terms of use for Google Maps/Google Earth can be found here https://www.google.com/help/terms_maps.html. The Google privacy policy can be found at:  https://www.google.com/intl/en/policies/privacy/. In addition to displaying available vehicles, we also use Google Maps to translate geo-locations into addresses and show you the estimated walking distance to the selected vehicle.

The legal basis is Article 6(1)b GDPR, as the data processing serves to provide the app functionalities and our services.

2.2.5 Navigation

In some cities, we provide you a navigation service integrated into the app. For this Service, we use Beeline navigation software from Relish Technologies Ltd, A212 The Biscuit Factory, 100 Drummond Road, London, United Kingdom ("Beeline"). You voluntarily decide whether you want to use the navigation software. While you use Beeline, Beeline receives information about your location as well as your movement. Further information on data processing done by Beeline can be found here: https://beeline.co/pages/privacy.

The legal basis is Article 6(1)(b) GDPR, as the data processing serves to provide the app functionalities and our services.

2.3 Data collection and processing when renting a TIER vehicle

If you rent a vehicle, we collect and process additional data via the app and about our vehicles. The legal basis is Article 6(1)(b) GDPR, insofar as the data processing serves to perform the rental agreement, and otherwise Article 6(1)(f) GDPR based on our legitimate interest in the permanent functionality and security as well as the further development of the app and our services.

2.3.1 Data collection in our app

When you rent a vehicle, we record your device location at the start and end of the rental. Since a rental contract is concluded with every rental transaction, we also store the duration of your use and which vehicle you have rented. We use these data in particular to bill the rental.

2.3.2 Data collection by our vehicles

Our vehicles contain so-called “IoT boxes” or telematics units that send data (including the vehicle's location and diagnostic data, e.g. battery status) at regular short intervals. This permits us to determine where our vehicles are and at what speed they are moving. The IoT boxes send data regardless of whether a vehicle is currently rented or not.

We process data in connection with the rental in particular for the following purposes:

  • to determine whether a vehicle is located in the respective TIER area of operation or whether the end of the rental should take place outside the area of operation, as this is contrary to our General Terms and Conditions. In this case, our vehicles may trigger an alarm function ("geofencing").
  • in case of an unusually long period of use (especially if the vehicle is not moved), we may terminate the rental.
  • requests to our customer service (e.g. a booking cannot be completed, vehicle cannot be located, assistance in case of accident).
  • as proof in the event of an accident or damage.
  • for billing purposes. We note in your booking history the start and end points of your trips as well as parking locations, if applicable.
  • to improve our services by analysing the aggregated statistics of locations where users make bookings and end trips, as well as frequent routes, we can optimise the distribution of our vehicles.

2.4 Data collection during contact, communication and social media

2.4.1 Contacting us

If you contact us via a contact form, email or telephone, we will process the information you provide for the purpose of handling the request and for possible follow-up questions. The communication with you will be stored pursuant to the legal retention periods, but at least until your customer account is closed.

The legal basis is your and our legitimate interest in processing your requests pursuant to Article 6(1)(f) GDPR.

If you have expressly consented to this, we may record your telephone call with our customer service for internal training and quality control purposes. These recordsing are automatically deleted by us after 30 days. You have the right to revoke your declaration of consent at any time. In this case, the recording will be deleted immediately.

The legal basis is Article 6(1)(a) GDPR.

2.4.2 Our contractual communication with you

Furthermore, we will send you necessary information about our services, changes to our terms and conditions, prices and similar topics via email and/or push messages. More information on marketing communications can be found below.

To receive push messages, you must confirm or activate the option to send push messages through our app on your device. You have the option to disable the receipt of push messages at any time. This is done in iOS and Android under the app-specific settings in the menu item "Notifications".

The legal basis is Article 6(1)(b) GDPR, insofar as the information is relevant to the contractual relationship; otherwise, your and our legitimate interest in the information pursuant to Article 6(1)(f) GDPR.

2.4.3 Social media appearances

If you publish information relating or connected to our social media profiles on the respective platform (e.g. comments, public messages / postings, videos, images, likes), these data will be published by the respective platform provider. We do not use these data for any other purpose. We may share your content published on the respective platform via our own profile (e.g. via "retweets"), if this function is offered by the respective social media platform.

We reserve the right to delete content on our own profile to the extent this is possible and appears necessary to us. The content you publish will be deleted in accordance with the usual procedures and policies of the respective social media platform.

If you contact us via social media platforms, we may communicate with you via the social media platform to respond to your inquiries. We delete the data collected in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations, insofar as deletion or restriction of processing is possible with the respective social media platform. Communication via social media platforms is potentially insecure. You may also contact us at any time through other means as described in this Data Protection Declaration.

We do not use any enhanced advertising options in connection with our profiles (e.g. interest, behavior or location-based advertising) of the social media platforms. We only use aggregated, anonymised usage statistics normally provided by the social media platforms.

We have no control over the data collected by the social media platforms or the data processing operations, nor are we aware of the full scope of data collection, the purposes of processing or the storage periods. In particular, experience has shown that socla media platform providers store your data as usage profiles and use them for their own purposes of advertising, market research, and demand-oriented design of their platforms. If we are able to do so, e.g. through settings and configurations, we work to have the respective social media platform handle your personal data in compliance with data protection law.

More detailed information on the data processing of the social media platforms can be found in the data protection declarations of the respective providers.

Data processing in connection with our social media presences (e.g. on Facebook, LinkedIn, Twitter, TikTok) is based on our legitimate interest in public relations and communication pursuant to Article 6(1)(f) GDPR.

2.5 Payment processing

To process the payment, we use external service providers to whom we transmit the data required for payment processing (first and last name, email address, telephone number, start and end time of the trip, payment ID, payment method, any further data about the means of payment, invoice number, language, zone/region).

For the legal basis of the data processing carried out by the payment service providers under their own responsibility, please refer to the data protection policies of the respective payment service providers:

Depending on the country, the payment options and service providers offered may vary.

Unless you have given us your consent to do so pursuant to Article 6(1)(a) GDPR, the legal basis for forwarding the data to the payment service providers as part of the contract processing is Article 6(1)(b) GDPR, as the processing is necessary to settle the rental contract.

2.6 Damage and accidents

In the event of damage to our vehicles or accidents involving our vehicles, we will process your data (including master, contract, location and route data) for the purposes of customer care, claims settlement, processing and liquidation, to receive and process complaints, to secure and enforce our own claims and to avert further damage to you or us.

In this context, we may also transmit data to insurance companies for claims settlement and to competent authorities (e.g. in the context of hearings as a witness or accused in administrative offence or criminal proceedings).

The legal bases are Article 6(1)(b),(c),(f) GDPR and, if health data should be concerned in the context of an accident, Article 9(2)(f) GDPR. Our legitimate interest lies in particular in the settlement of claims and accidents in order to avert damage to our company.

2.7 Disclosure of data in case of criminal or administrative offences or contract violations

In connection with investigations into criminal or administrative offences, we may disclose data (e.g. master data, route/position data, communication and contract data) to the competent investigative authorities, e.g. in the context of hearings as a witness or accused. This can be done, in particular, for violations of traffic regulations, parking rules and similar laws. If, for example, a vehicle is parked incorrectly and contrary to our contractual arrangements or the road traffic regulations and TIER is threatened with a fine or penalty as a result, we can share data with the relevant authorities on who and when last rented and parked the vehicle. This also applies to accidents, speeding and similar offences. If in the aforementioned cases a third party raises legitimate claims against TIER, TIER may also share your data with the claimant.

If you are suspected by the relevant authorities of having committed a criminal or administrative offence with or in connection to our vehicles or services, we may also process the data provided to us by the relevant authorities in this context.

The legal basis is Article 6(1)(c) GDPR in the case of a statutory obligation to surrender; otherwise, our legitimate interest pursuant to Article 6(1)(f) GDPR in averting damage to our company as well as protecting our vehicles and exercising our contractual and non-contractual rights.

2.8 Sharing of anonymous MDS and GBFS data

We share data about the use of our vehicles in the Mobility Data Specification data format (MDS https://github.com/openmobilityfoundation/mobility-data-specification) and General Bike Feed Specification data format (GBFS https://github.com/NABSA/gbfs) with partners such as cities and research institutes.  These data do not contain any user-specific data (in particular, neither email addresses, names, telephone numbers nor any other user IDs or identifiers). 

Cities and municipalities use these data to better plan traffic and infrastructure measures, to investigate traffic safety, and to improve sustainability.

Even if these are not personal data, we oblige the recipients to use the data only for the aforementioned purposes and to protect the data appropriately.

2.9 Driver's license and age check

Depending on where and which of our services you wish to use, we may need to verify your driver's license and/or identity, as well as your age. For this purpose, we use an automated verification process that works as follows:

  • You take photos of the front and back of your driver's license with your smartphone camera. These photos contain the following information (photo, name, birthday, driver's license or ID card number, issuing country, expiration date, date of issue, driver's license classes).
  • An identity check is then performed to determine whether the person depicted on the driver's license or ID card corresponds to the respective user. For this purpose, you take pictures of your face (so-called “video selfie”) which are compared with the photo on the driver's license or ID card.
  • While you are taking pictures of your face, it also checked if your picture is of a live person. For this purpose, a 3D model of your face is created, which is also matched with the photo on your driver's license or ID card.

If any problems occur, the data may be verified manually within 24 hours. You will be notified about any necessary manual verification and about the result. If the verification fails for any reason, you can always contact our customer service.

The images of your driver's license and face will be automatically deleted no later than 7 days after successful completion, failure or cancellation of the verification process.
As part of the verification of your document, we store the following data:
your name, driver's license or ID card number, document type and driver's license class, issuing country, expiration date, status and time stamp of verification.

We use IDnow GmbH, Auenstraße 100, 80469 Munich, Germany, as a service provider for the verification process. IDnow GmbH receives personal data exclusively to perform its services for us.

Depending on your location and the vehicle to be rented, the verification is a prerequisite for the conclusion and fulfillment of the rental contract pursuant to Article 6(1)(b) GDPR. Insofar as images of your face are processed for the purpose of identity verification, the data processing is based on your consent pursuant to Article 6(1)(a) and Article 9(2) GDPR. You can revoke your consent at any time, in particular by stopping the verification procedure.

2.10 Perks for certain users

Depending on the location of the rental, we offer discounts to certain users; for example, if you have a subscription with local public transport, are a student or a pensioner. For this purpose, we require proof of your benefit status (such as a photo of your student ID) which you can upload to a website provided for this purpose. There you will also receive further information regarding processing and storage duration. The photo of your ID will normally be reviewed within 24 hours of your upload and will be deleted as soon as we can verify that it is valid. You will be kept informed about this by our customer service.

We do not use the data for other purposes and process the data on the basis of your consent pursuant to Articles 6(1)(a) and 9(2)(a) GDPR.

2.11 Other processing purposes

We also process your personal data for the following additional purposes:

Pursuant to Article 6(1)(f) GDPR based on our legitimate interests:

  • to continuously improve our offerings and services and to further adapt them to the needs of our users,
  • to carry out internal quality controls,
  • to detect, eliminate and prevent errors, malfunctions and possible misuse,
  • to ensure network and information security,
  • for fraud prevention,
  • to secure and enforce our legal claims,
  • to prevent the re-registration of users who have been blocked due to conduct in breach of contract, fraud or abuse,
  • for accounting and risk management purposes.

Pursuant to Article 6(1)(c) GDPR, to fulfill legal obligations, e.g. to comply with commercial and tax retention obligations or to fulfill obligations to provide data due to a legally binding court or administrative orders.

3. Booking our services through third party providers

Our mobility services can also be booked in some regions via third-party partner apps. In doing so, the partners broke vehicle rental agreements between you and us. The creation of a customer account with us and the use of our app is not required in this case.

For this purpose, we usually do not receive any personal identifying data from our partners, but only pseudonymous user IDs, information about the specific booking (what is booked where and at what rate) and, if necessary, information that a valid driver's license is available. On occasion, we may receive your name, email address and phone number from the partner. We may request these data if there is a legitimate interest, e.g. in connection with accidents, criminal acts, administrative offences, for billing purposes or to respond to support requests.

We process your data in connection with the implementation of the vehicle rental as explained above (with the exception of the data collected via the app), particularly the telematics data received from the vehicles.  The legal bases of these data processing are also explained above.

We have concluded joint controller agreements with our partners pursuant to Article 26 GDPR. The following applies:

  • The partner is responsible for data processing in connection with the partner app (including data collection and creation of customer accounts in the partner app, as well as driver's license and age verification and payment processing, if applicable).
  • We are responsible for data processing in connection with the implementation of the vehicle rental.

Since we usually have no further information about you as a customer when you make a booking via a partner app, the partner is the primary contact for data subject rights. However, you can assert your data protection rights both against us and the respective partner.

Our partners who enable the booking of our services (whereby the availability of the partner apps and services is partly regionally limited) are:

  • Berliner Verkehrsbetriebe (BVG) AöR, Holzmarktstrasse 15-17, 10179 Berlin, Germany ("Jelbi")
  • Intelligent Apps GmbH, Neumühlen 19, 22763 Hamburg, Germany ("FreeNow Germany")
  • mytaxi Network Ireland Ltd, 11 Upper Mount Street, Dublin 2, Ireland ("FreeNow Ireland")
  • Transcovo SAS and Transopco SAS, 4 Place du 8 Mai 1945, Immeuble Le Hub, 92300 Levallois-Perret, France ("FreeNow France")
  • mytaxi Polska Sp. z o.o., ul. Mlynarska 42, 01-205 Warsaw, Poland ("FreeNow Poland")
  • Hamburger Hochbahn AG, Steinstraße 20, 20095 Hamburg, Germany ("hvv switch")
  • Sixt GmbH & Co. Autovermietung KG, Zugspitzstr. 1, 82049 Pullach, Germany ("Sixt")
  • Nobina Travis AB, org.nr 559264-1756, Armégatan 38, 171 71 Solna, Sweden ("Travis")
  • moovel Group GmbH, Hauptstätter Straße 149, 70178 Stuttgart, Germany ("Reach Now")
  • Aachener Straßenbahn und Energieversorgungs-AG, Neuköllner Str. 1, 52068 Aachen, Germany ("movA")
  • Münchner Verkehrsgesellschaft mbH, Emmy-Noether Str. 2, 80992 Munich, Germany ("MVGO")
  • Rheinbahn AG, Lierenfelder Str. 42, 40231 Düsseldorf, Germany ("redy")
  • SBB AG, New Mobility Services, Bollwerk 10, Bern, Switzerland ("yumuv")
  • MaaS Global Ltd, Lönnrotinkatu 18, 00120 Helsinki, Finland ("Whim")
  • iMobility GmbH, Weyringergasse 5/B4, A-1040 Vienna, Austria ("Wayfinder")
  • Trafi GmbH, Chausseestrasse 6, 10115 Berlin, Germany ("Trafi")

4. Transmission of personal data

A transfer of the data collected by us takes place as explained above and otherwise in principle only if:

  • you have given your express consent to this in accordance with Article 6(1)a GDPR;
  • the disclosure is necessary for the assertion, exercise or defense of legal claims in accordance with Article 6(1)(f) GDPR and there is no reason to assume that you have an overriding legitimate interest in not having your data disclosed;
  • we are legally obliged to disclose the data in accordance with Article 6(1)(c) GDPR; or
  • this is legally permissible and necessary according to Article 6(1)(b) GDPR for the processing of contractual relationships with you or for the performance of pre-contractual measures, which takes place upon your request.

We use external service providers for data processing who act on our behalf and are not allowed to process personal data for their own purposes. In addition to the service providers expressly mentioned in this Data Protection Declaration, this may include in particular IT and data center service providers, technical service providers, agencies, market research companies, group companies and consulting companies.

We may use service providers domiciled or processing personal data in so-called “third countries” outside the European Union or the European Economic Area. If this is the case and there is no adequacy decision pursuant to Article 45 GDPR for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union (if applicable, including additional agreements in accordance with the recommendations of the data protection supervisory authorities) or binding internal data protection regulations.

5. Advertising

We also process your data to display or send you personalised advertising. For this purpose, we use the information provided by you during registration, your booking history as well as data collected during your use of our app or confirmations of receipt and information that messages have been read. In particular, we also process your location for this purpose, as some of our product and services are only available in certain areas and we therefore only target users in those areas. You can object to this processing at any time by contacting us or closing your account.

The processing of your data for advertising purposes, unless consent is required pursuant to Article 6(1)(a) GDPR, is based on our legitimate interest pursuant to Article 6(1)(f) GDPR in direct advertising.

5.1 Newsletter

You can sign up for a newsletter to receive periodic information about our services, special offers or surveys. We send these emails only if you have explicitly agreed to receive them. In order to log your consent, we collect the following information on the basis of our legitimate evidentiary interest pursuant to Article 6(1)(f) GDPR, which we retain until you unsubscribe from the newsletter or delete your account: IP address used; time of registration for the newsletter; time the confirmation email was sent; content of the confirmation email; time of activation of the confirmation link or archiving of the response mail.

You can unsubscribe from our newsletter at any time by clicking on the unsubscribe link available in each email or by sending an email to support@tier.app.

The legal basis is Article 6(1)(a) GDPR.

5.2 Product recommendation emails and push messages

Even if you have not subscribed to a newsletter, we will send you a limited number of product recommendations, surveys and product review requests. You will receive such emails only if you use our service. If you no longer wish to receive these emails from us, you may opt-out at any time, free of charge, by clicking on the unsubscribe link available in each email or by sending an email to support@tier.app.

You can change the settings for push notifications in your operating system at any time (see above).

The legal basis is Article 6(1)(f) GDPR (“marketing to existing customers”).

5.3 Online advertisements

We also show you ads within our app via so-called “in-app notifications” and outside our own services. You can object to us processing your data for these purposes in our app settings. Please note that you may continue to see advertisements from us outside our own services, even if you object to the use of your data for promotional purposes.

The legal basis is Article 6(1)(f) GDPR.

6. Market research

In order to continuously improve our products and better understand our users, we process your data for the purpose of market research. When doing so, we process information about your routes, your usage behaviour and the data you provided during registration.

Based on these data, we invite our users - depending on the type of invitation only with your consent - to voluntarily participate in market research initiatives, studies and surveys. If you participate in such initiatives, we will inform you separately about the associated data collection and processing. As TIER's service is a new kind of mobility service, our partners and especially cities, regions or ministries of transport are interested in our market research and the insights gained from it. Therefore, TIER shares aggregated and anonymised results with these partners.

The legal basis is our legitimate interest in market research and the optimisation and further development of our offerings pursunat to Article 6(1)(f) GDPR.

7. Erasure

In principle, we store personal data only as long as necessary to fulfill the purposes for which we collected the data. Thereafter, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidentiary purposes for claims under civil law or due to statutory retention obligations.

For evidentiary purposes, we may retain contract data for three years from the end of the year in which the business relationship with you ends. Any claims will expire on this date at the earliest in accordance with the standard statutory limitation period.

Even after that, we still have to store some of your data for accounting reasons. We are obliged to do so because of statutory documentation requirements that may arise from the Commercial Code, the Tax Code, the Banking Act, the Anti-Money Laundering Act and the Securities Trading Act. The time limits for storage and documentation specified therein are between two and ten years.

8. Data processing within the TIER Corporate Group

TIER Mobility Germany assumes the central operation of the IT systems, the technical operation of the app, customer support and the general management of contractual relationships with customers within the Tier Corporate Group.  You can reach the data protection officer of TIER Mobility Germany at the address below.

In this context, your personal data will be transmitted to TIER Mobility Germany or collected and processed directly by TIER Mobility Germany. The legal basis for this is our legitimate interest in effective corporate organisation pursuant to Article 6(1)(f) GDPR in conjunction with Recital 48 GDPR.  TIER Mobility Germany processes your data exclusively in accordance with this Data Protection Declaration for the purposes stated here. This Data Protection Declaration therefore applies accordingly to the data processing of TIER Mobility Germany.

We have concluded a joint responsibility agreement with TIER Mobility Germany in accordance with Article 26 GDPR which governs, among other things, the aforementioned items. You can assert your rights as a data subject with and against us and TIER Mobility Germany.

9. Rights of data subject

You are entitled to exercise the following rights as a data subject formulated in Articles 15 - 21 and 77 GDPR at any time if the legal requirements are met:

·       right to revoke consent;

·       right to object to the processing of your personal data (Article 21 GDPR);

·       right to information about your personal data processed by us (Article 15 GDPR);

·       right to rectification of your personal data stored by us incorrectly (Article 16 GDPR);

·       right to erasure of your personal data (Article 17 GDPR);

·       right to restrict the processing of your personal data (Article 18 GDPR);

·       right to portability of your personal data (Article 20 GDPR);

·       right to lodge a complaint with a supervisory authority (Article 77 GDPR).

You have the right to revoke a previously granted consent to us at any time with effect for the future. The withdrawal of your consent does not affect the legality of the processing carried out based on this consent until the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of an objection to data processing for direct marketing purposes, you have a general right of objection, which we will implement even without you specifying any reasons.

To assert your rights, you may contact us at any time using the contact details above or at privacy@tier.app or support@tier.app. In doing so, we may ask you for proof of identity, such as by submitting your request through the email address registed in your account.

Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in specific cases, even longer for the assertion, exercise or defense of legal claims.

The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against any civil claims in accordance with Article 82 GDPR, avoiding fines in accordance with Article 83 GDPR, and fulfilling our accountability obligations under Article 5(2) GDPR.

You can reach our data protection officer at dpo@tier.app or at the above postal address ("Attn: Data Protection Officer").  We expressly point out that when using the email address, the content of your communication is not exclusively noted by our data protection officer. Therefore, if you wish to exchange confidential information, please first contact us directly via this email address.

You have the right to lodge a complaint with a data protection supervisory authority. Personal Data Protection Authority, P.O. Box 450, Manama, Kingdom of Bahrain, Tel: (+973)17513341, (+973)17513321, (+973) 17513314, Email: dp-team@moj.gov.bh

 10. Changes to this Data Protection Declaration

We will occasionally update this Data Protection Declaration to ensure that it always reflects current legal requirements and actual circumstances (e.g. when new services or features are introduced). We recommend that you check this Data Protection Declaration regularly for possible changes.

Last Update: 19.11.2021