banbutsu Courier - Data Privacy Policy

as of January 2021

As the provider of the banbutsu Courier service, we take great care to protect your personal data and will only process it in accordance with the principles described below and in compliance with applicable data protection laws.

1. Controller and Data Protection Officer
2. Personal data
3. Hosting
4. Functions
5. Passing on the data
6. Legal prosecution
7. Further development of the service
8. Data storage period
9. Your data subject rights
10. Objection and revocation against the processing of your data
11. Changes to this privacy policy

1. Controller and Data Protection Officer

Responsible for your data according to Art. 4 Para. 7 of the General Data Protection Regulation (GDPR) as well as other data protection provisions is:

banbutsu dcp GmbH
Wallstrasse 14a
10179 Berlin
Germany

We operate the service. For all questions, complaints and concerns about data protection regarding our service, you can reach our data protection officer as follows: datenschutz@banbutsu.com

2. Personal data

Personal data is generated when using the service. This is all data that relates in some form to the the user of the service. A few examples of personal data are name, address, email address, but also data about the use of the service, such as the IP address.

The following data are processed for the use of the service:

  • First name and surname of the customer
  • Delivery address
  • Mobile number
  • Individual delivery and drop-off instruction
  • Package size

3. Hosting

The service is hosted via Azure. We have chosen the Germany / Frankfurt a. Main region so that it is ensured that no personal data is processed outside the European Union. We have concluded an order processing agreement with Azure in accordance with Art. 28 GDPR. We secure our app and other systems through technical and organisational measures against loss, destruction, access and modification. Your data is only transmitted in encrypted form. We use the SSL coding system for this purpose. After processing is complete, the data is deleted on Azure. The billing data is stored on a server at Host Europe with RSA encryption.

4. Functions

Contact via SMS

In order to contact the customer via SMS or push message to pass on the status of the journey and to communicate the contact details of the driving service provider and driver and vehicle information, we use the Twilio service of the company Twilio Inc. (hereinafter "Twilio"), 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA.

Your mobile phone number is transmitted by us to Twilio, where it is stored for as long as it is needed to fulfil the service. The legal basis for the use of Twilio is Art. 6 para. 1 p. 1 lit. b GDPR.

The legal basis for this processing is the execution of a contract with you pursuant to Art. 6 para. 1 p. 1 lit. b GDPR. We have concluded an order processing agreement with Twilio pursuant to Art. 28 GDPR. Twilio processes personal data outside the European Economic Area, but follows its Binding Corporate Rules approved by the EU data protection authorities. Further information on data protection at Twilio can be found here.

Courier service

In order to be able to deliver the ordered goods to you, we use various courier services. The courier services only receive the following data:

  • First name and surname
  • Delivery address
  • Mobile number
  • Individual delivery and drop-off instruction
  • Package size

The legal basis for this processing is the execution of a contract with you pursuant to Art. 6 (1) sentence 1 lit. b GDPR. We have concluded an order processing contract with each of the courier services in accordance with Art. 28 GDPR.

5. Passing on the data

In addition to the cases explicitly mentioned in this data privacy policy, your personal data will only be passed on without your express prior consent if this is permitted or required by law. This may be the case, for example, if the processing is necessary to protect the vital interests of the user or another natural person.

6. Legal prosecution

If it is necessary to clarify illegal or abusive use of the platform or for legal prosecution, personal data will be forwarded to law enforcement agencies or other authorities and, if applicable, to injured third parties or legal advisors. However, this only happens if there are indications of unlawful or abusive behaviour. A transfer may also take place if this serves the enforcement of terms of use or other legal claims. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities.

Any disclosure of personal data is justified by the fact that (1) the processing is necessary for compliance with a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with national legal requirements to disclose data to law enforcement authorities, or (2) we have a legitimate interest in disclosing the data to the aforementioned third parties if there are indications of abusive behaviour or to enforce our terms of use, other conditions or legal claims and your rights and interests in the protection of your personal data within the meaning of Art. 6 para. 1 lit. f GDPR are not overridden.

7. Further development of the service

As our business evolves, we may change the structure of our business by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the business being transferred. In any transfer of personal data to third parties to the extent described above, we will ensure that this is done in accordance with this privacy policy and applicable data protection law.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as required and that your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) lit. f GDPR are not overridden.

8. Data storage period

We delete or anonymise your personal data as soon as it is no longer required for the purposes for which we have collected or used it in accordance with the above paragraphs. As a rule, we store your personal data for the duration of the usage of the service or contractual relationship plus a period of 48 hours, during which we keep backup copies after deletion, unless this data is required for longer for criminal prosecution or to secure, assert or enforce legal claims. We retain billing data for a period of 3 years from the end of the year in which the billing transaction took place.

Specific statements in this data protection declaration or legal requirements for the retention and deletion of personal data, in particular data that we must retain for tax law reasons, remain unaffected.

9. Your data subject rights

The European Union's General Data Protection Regulation gives you various important rights vis-à-vis us in connection with your personal data, which we would like to comply with. In detail, these are the:

  • Right to information,
  • Right to rectification or erasure,
  • Right to restriction of processing,
  • Right to object to processing,
  • Right to data portability,
  • Right to complain to a supervisory authority.

Asserting these rights is free of charge for you. If you wish to exercise your rights, simply contact us. We will do our utmost to ensure that you will not have cause to do so, but you also have the right to complain to a data protection supervisory authority about our processing of your personal data.

10. Objection and revocation against the processing of your data

If you have consented to the processing of your data in the context of using our service, you can of course revoke this consent at any time. Such a revocation affects the permissibility of the processing of your personal data after you have expressed it to us.

In some cases, we base the processing of your personal data on a balance of interests. This is particularly the case when we have good reasons to process the data but the processing is not strictly necessary to fulfil a contract with you. In these cases, you can object to the processing. When exercising such an objection, we will ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the merits of the case and either stop or adapt the data processing or show you our compelling legitimate grounds for continuing the processing.

11. Changes to this privacy policy

We always keep this privacy policy up to date. Therefore, we reserve the right to change it from time to time and to update any changes in the collection, processing or use of the data. The current version of the data privacy policy is always available here.