data protection information

The controller within the meaning of Art. 4 No. 7 is the:

1. Nahverkehrsservice Sachsen-Anhalt GmbH (NASA GmbH)
2. represented by the managing director Mr. Peter Panitz
3. Am Alten Theater 4
4. 39104 Magdeburg
5. Deutschland
6.  
7. Phone.: +49 (0)391 53631-0
8. Fax: +49 (0)391 53631-99
9.  
10. E-Mail: info@nasa.de
11. Website: www.nasa.de

We have appointed an external data protection officer. You can contact our data protection officer using the following contact details:

1. Mrs. Meggie Dachner
2. DATA 4.0 Gesellschaft für Datenschutz und Datensicherheit mbH
3. Dornbergsweg 2
4. 38855 Wernigerode
5. Deutschland
6.  
7. E-Mail: m.dachner@data40.de
8. Phone.: +49 (0)3943 509949-0

1. Description and scope of data processing

Each time our app is accessed, our system automatically collects data and information from the operating system of the accessing end device.

This data record consists of:

• IP address of the user and
• the date and time of access.

The requests are stored in the log files of our systems for sixty days. No further storage of this data together with other personal data of the user takes place.

2. Purpose of data processing

Temporary storage of your IP address is necessary to enable delivery of our apps to the user's device. For this purpose, the IP address must remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of our apps. We also use the data to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context.

3. Legal basis for data processing

The legal basis for the temporary storage of your IP address and the log files is our legitimate interest pursuant to art. 6 para. 1 sentence 1 lit . f GDPR.

1. Description and scope of data processing

Basically, our apps can be used without further information on you.

Additional functions can be activated by individual authorizations.

Depending on the operating system, maps from Google Maps (Google LLC) for Android and Apple cards (Apple Inc.) for iOS are integrated for the use of our apps and the associated primary services. By using these cards, information about your use (in particular the IP address of your end device) can be transferred to a server of the respective third-party company in the USA and stored there. We have no influence on the further processing of data by the respective third -party companies. Please also read the usage provisions of Google Maps or Apple Maps, if you want to use the service. If you do not agree to data processing by the respective third -party company, please refrain from using the app.

2. Purposes and legal bases of data processing

Data processing in connection with the use of the map services provided is legitimized for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR.

The following app functions are always voluntary and are based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR:

1. a) The app requires access to your location so that you can find connections from your current location or in your vicinity e.g. bus stops, car and bike sharing locations, etc.
2.  
3. b) The app needs access to your contacts contacts in order to be able to use the function "Use contact addresses as start or destination".
4.  
5. c) The app requires access to the data servicesso that it can establish a connection to our server and calculate a travel connection.
6.  
7. d) The app requires access to the calendar so that you can save connections there.
8.  
9. e) If you use the push notifications ("alarm") function, an anonymized device ID will be stored on our servers. This makes it possible to notify you of the current traffic situation of the connections you have subscribed to in the event of a delay or disruption. To provide these push services, a product from Google LLC (USA) "Firebase Cloud Messaging" is used for Android and a product from Apple Inc.(USA) "Apple Push Notification service" is used for iOS to send a message to your device when new traffic reports are available. By using these services, information about your use may be transmitted to a Google or Apple server in the USA and stored there. We have no influence on the further processing of data by third parties. Please also read the terms of use of Google or Apple if you wish to use the service. If you do not agree to this data processing, please refrain from using the push notifications.

We will not use your access permissions for purposes other than those specified here.

3. Duration of storage and revocation of consents granted

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Storage beyond this is possible if statutory retention periods make this necessary.
Data processing that is subject to your consent can be prevented at any time with your revocation. You can revoke your consent in the settings of the apps or the operating system of your device.

4. Privacy notice regarding anonymous data collection and processing in the cloud

As part of our local transport services, we collect certain data in order to continuously improve our transport services and adapt them to the needs of our passengers. This data is collected and anonymized exclusively on the basis of our legitimate interests pursuant (art. 6 para. 1 lit. b GDPR). No personal data or IP addresses are stored or passed on to third parties.

Only aggregated information, such as start and destination stops and approximate geographical locations, is used for statistical evaluations. This data is used exclusively for the analysis of usage flows and the needs-based planning of our services. This anonymized data is stored and processed in a specially secured cloud environment that complies with modern data protection and security standards.

Due to the anonymization and aggregation of the data, it is not possible to draw conclusions about individual persons.

IP addresses or other personal information are expressly not stored in the cloud. This means that your privacy is protected at all times.

In cooperation with the participating transport companies (customer contract partners), NASA GmbH operates a cell phone ticket system for the sale of cell phone tickets by the individual transport companies in the state of Saxony-Anhalt. For this reason, the following parties have jointly decided on the means and purposes of processing personal data within the INSA app. The parties have entered into a joint controllership agreement in accordance with art. 26 GDPR, which regulates the existing data protection obligations between them.

When booking a mobile ticket via the app, we also refer to the validity of our General Terms and Conditions. You can access these under the following link: General Terms and Conditions

In addition to NASA GmbH, the controller for the processing of personal data is:

1. DB Regio Region Südost (DB)
2. Richard-Wagner-Straße 1
3. 04109 Leipzig
4. Deutschland
5.  
6. E-Mail: kundendialog.suedost@deutschebahn.com

NASA GmbH has been appointed as the central data protection office for the cell phone ticket system under the aforementioned parties. In this role, it primarily accepts inquiries, complaints, information and requests to comply with your data subject rights on behalf of the other parties. You are also free to contact any other responsible body listed directly.

You can reach the Data Protection Officer of DB Regio at the following contact details:

1. DB Regio AG Datenschutz
2. Richard-Wagner-Straße 1
3. 04109 Leipzig
4. Deutschland
5.  
6. E-Mail: datenschutz.regio@deutschebahn.com

1. Description and scope of data processing

The following applies to the registration and purchase of a mobile ticket:

To register as a user, all you need to do is enter your e-mail address and a password. To protect your customer account from third parties, we recommend that you assign a secure password. This means that your password should have a minimum length of 8 characters and contain upper- and lower-case letters, numbers and special characters.

In principle, registration is not mandatory for the purchase of cell phone tickets. If you do not wish to create a customer account for the purchase of mobile tickets, please use the guest order function.

The following information is required from both registered users and guest purchasers to purchase tickets:

• title
• first name
• surname
• date of birth
• address
• E-Mail-address.

The following applies to payment processing:

In addition to your personal master data, the following additional data must be entered for payment processing, depending on the payment method selected:

• IBAN (account details),
• credit card details.

The following applies to ensure security:

If errors have occurred in the ordering process or if there is suspicion of misuse of the cell phone ticket system. the system creates log files (so-called error logs). The personal data contained in the log files are:

• IP-addresses.

2. Purpose of data processing

The following applies to registration:

Your personal master data is processed for the purpose of generating a user account. This user account can be used to perform services such as canceling or refunding cell phone tickets. Furthermore, registration allows you to view purchase receipts online after the journey. In addition, your cell phone tickets (both those that have not yet been used and those that have already expired) are retained after a change of device or after the app cache has been emptied. If you do not register, your data will be irretrievably deleted if you uninstall the app or empty the app cache.

The following applies to the purchase of a mobile ticket:

Your personal master data is processed for the purpose of carrying out the ticket purchase. This includes the booking, payment processing, any refunds, the sending or retrieval of the purchase receipt and the personalization of your cell phone ticket for checking by the control staff in the vehicles.

The following applies to payment processing:

Your personal master data and information regarding account details or credit card details will be passed on to LogPay Financial Services GmbH for the purpose of payment processing and the assignment of claims against you that arise in connection with your purchase of a cell phone ticket. Furthermore, our legitimate interest lies in the outsourcing of payment processing and receivables management. LogPay Financial Services GmbH has a legitimate interest in collecting your data for the purpose of processing payments, managing receivables, assessing the admissibility of payment methods and avoiding payment defaults.

The following applies to ensure security:

The log files created in the event of errors help us to understand and rectify the errors that have occurred. Furthermore, the collection and processing of your personal data serves to prevent so-called brute force attacks. These are attempts by unauthorized persons or algorithms to gain access to a user's account by randomly entering email addresses and passwords. If this is the case, the IP address of the suspected external attacker is processed after several failed log-in attempts and temporarily blocked to prevent further attack attempts.

3. Legal basis for data processing

The following applies to registration:

The legal basis for this is a contractual relationship (art. 6 para. 1 lit. b GDPR) or your consent (art. 6 para. 1 lit. a GDPR) when entering optional data. There is no legal or contractual obligation to provide optional data or to create a user account.

The following applies to the purchase of a mobile ticket:

The legal basis for this is the concluded purchase contract between you and the customer contract partner (art. 6 para. 1 lit. b GDPR) by consenting to the General Terms and Conditions (GTC). A further legal basis is our interest in fraud prevention (art. 6 para. 1 lit. f GDPR). You are obliged to provide your personal data truthfully, otherwise you would not be able to purchase the desired cell phone ticket.

The following applies to payment processing:

The transfer of your personal data to the payment service provider is carried out for the purpose of executing the contract on the basis of art. 6 para. 1 sentence 1 lit. b GDPR.

The following applies to ensuring security:

The IP address of your end device contained in the error logs is processed for the purpose of error analysis and troubleshooting. Our legitimate interest lies in the error-free functioning of the mobile ticket system and the provision of all functions without problems with regard to your use (art. 6 para. 1 lit. f GDPR). It is also in our and your interest to prevent misuse and the penetration of security measures (art. 6 para. 1 lit. f GDPR).

4. Recipient of the personal data

The following applies to registration:

The user account is stored by the contracted service provider for the ticket store (eos.uptrade GmbH). This service provider is contractually bound by an order processing agreement in accordance with art. 28 GDPR.

The following applies to the purchase of a cell phone ticket:

The following recipients process your personal data when you purchase a cell phone ticket:

• • the customer contract partner (your business partner in the GTC),
• • the processor and operator of the applications (apps) Hacon Ingenieurgesellschaft mbH,
• • the processor and operator of the ticket store eos.uptrade GmbH,
• • the independent service provider for payment processing LogPay Financial Services GmbH.
• • In the case of the purchase of cell phone tickets from the Deutschlandtarif or the long-distance tariff of Deutschen Bahn, the DB companies (DB Vertrieb GmbH, DB Fernverkehr AG, and DB Regio AG) process personal data as joint controllers. The data protection regulations apply, which are listed under the following link: https://www.bahn.de/datenschutz

The following applies to payment processing:

Your personal information about the selected payment method will be forwarded directly to LogPay Financial Services GmbH. You can view and retrieve the data protection information of LogPay Financial Services GmbH under the link https://documents.logpay.de/de/datenschutzinformationen.pdf LogPay Financial Services GmbH is responsible for the processing of your personal data for the purpose of payment processing from the time the claim is assigned to LogPay Financial Services GmbH.

The following applies to the guarantee of security:

Your personal data will be passed on to our developers of the cell phone ticket system and processors, Hacon Ingenieurgesellschaft mbH and eos.uptrade GmbH.

5. Duration of storage

The following applies to registration:

Your personal master data will be stored for as long as your user account exists. You can delete your user account in your profile settings. Your deletion request will then be automatically forwarded to our processors for enforcement. If statutory retention periods (art. 6 para. 1 lit. c GDPR) exist, these will be taken into account.

The following applies to the purchase of a mobile ticket:

Your data will be stored until the purpose has been fulfilled and beyond that due to possible statutory retention obligations. If your personal data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons. According to legal requirements, data is stored for 6 years in accordance with section 257 (1) CC (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with section 147 (1) FC (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.). If the statutory retention obligations have expired or cease to apply for other reasons, your data will be deleted immediately.

The following applies to payment processing:

LogPay Financial Services GmbH is responsible for the duration of the storage of your personal data.

The following applies to ensuring security:

The IP addresses collected in the event of incorrect login entries are stored to detect attack patterns.

6. Possibility of objection and removal

The following applies to payment processing:

You can disagree to the transfer of your personal data to LogPay Financial Services GmbH at any time. As a result, you will no longer be able to place orders via the mobile ticket system.

The following applies to ensuring security:

Your personal data will be deleted as soon as the retention of error logs is no longer required for the analysis and resolution of error causes and error effects as well as stability problems in the cell phone ticket system.

1. Group of recipients

In principle, we only use your personal data within our organization. If and insofar as we involve third parties in the fulfillment of contracts, they will only receive the personal data to the extent that the transfer is necessary for the corresponding service. In the event that we outsource certain parts of data processing ("order processing"), we contractually commit processors in accordance with art. 28 GDPR to use personal data only in accordance with the requirements of the applicable data protection laws and to ensure the protection of your data protection rights.

We would like to point out that some data processing may also take place in so-called insecure third countries, such as the USA, in particular through the integrated services of your operating system. US providers are legally commided to disclose personal data to security authorities without the consent of the data subject. We would like to point out that it therefore cannot be ruled out that your data located on US servers may be processed, analyzed and permanently stored for monitoring purposes. We have no influence on this data processing.

2. Timetables

We integrate the services of HaCon Ingenieurgesellschaft mbH, Lister Straße 15, 30163 Hannover into our applications.

When you use the functions of the app, a connection is established between your browser (end device) and the HaCon servers. Your data, such as your IP address and the device you are using, as well as your interactions within the applications are processed. This includes the following app areas: Start, Timetable, Departures, Map, Alarms, Settings, Tutorial and About the app.

3. Forwarding to other telemedia providers

Our apps may contain links to offers from other telemedia providers. If you access these links and thereby enable third parties to process your personal data (e.g. your IP address), we have no influence on this processing and therefore cannot accept any responsibility for it.

We indicate the forwarding to other telemedia providers in accordance with §19 para. 3 TDDDG at the appropriate places symbolically or by textual design.

The GDPR grants you certain rights when processing your personal data. If you would like to assert these rights, please send your request by email - clearly identifying yourself - to the data protection officer named under II. or by post to our business address.

1. Right to revoke the declaration of consent (art. 7 para. 3 GDPR)

You have the right to revoke your consent at any time. Revoking your consent will not affect the lawfulness of the processing carried out based on your consent before its revocation.

2. Right to confirmation and information (art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed; If this is the case, you have the right to information about this personal data and to the information listed in detail in art. 15 GDPR.

3. Recht auf Berichtigung (Art. 16 DSGVO)

Sie haben das Recht unverzüglich die Berichtigung Sie betreffender unrichtiger personenbezogener Daten und gegebenenfalls die Vervollständigung unvollständiger personenbezogener Daten zu verlangen.

4. Right to deletion (art. 17 GDPR)

You have the right to request that personal data concerning you be deleted immediately if one of the reasons listed in art. 17 GDPR applies

5. Right to restriction of processing (art. 18 GDPR)

You have the right to request that processing be restricted if one of the conditions listed in art. 18 GDPR is met.

6. Right to information (art. 19 GDPR)

If you have asserted the right to rectification or deletion of your data or to restrict processing to the person responsible, the person responsible is obliged to inform all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients upon request by the person responsible.

7. Right to data portability (art. 20 GDPR)

In certain cases, which are listed in detail in art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request that this data be transmitted to a third party.

8. Right to object (art. 21 GDPR)

If data is collected on the basis of art. 6 para. 1 sentence 1 lit. f of the GDPR (data processing to protect the legitimate interests of the person responsible or a third party), you have the right to object at any time for reasons arising from your particular situation to object to the processing. We will then no longer process the personal data unless there are demonstrably compelling legitimate reasons for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

9. Right to complain to a supervisory authority (art. 77/78 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data is contrary to violates the GDPR.

In the state of Saxony-Anhalt, the responsible supervisory authority is the State Commissioner for Data Protection for Saxony-Anhalt, Leiterstrasse 9, 39104 Magdeburg.

10. Automated decision making

We do not use automatic decision-making or profiling.

Our apps may contain links to third-party data protection websites. If you access these links and thereby enable third parties to process your personal data (e. g. your IP address), we have no influence on this processing and can therefore assume no responsibility for it.

We indicate the transfer to other telemedia providers in the appropriate places using color, symbols or text.

We ensure data security through security standards that correspond to the current state of the art. In order to protect your data as comprehensively as possible from unwanted access, we take technical and organizational measures in accordance with the current state of the art. We use an encryption process in our app. The communication between the app and our server is transmitted over the Internet using SSL/TLS encryption.

The use of contact details published as part of the imprint obligation to send unsolicited advertising and information materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited advertising information being sent, such as spam emails.

Recognizing that transparency is an ongoing commitment, we review this privacy notice periodically.

We reserve the right to adapt this information in the event of changes to the service to changes in the functionality of the app or to changes in legal requirements.

We therefore recommend that you read this data protection information at regular intervals to find out more about its contents.

Stand: September 2025

Magdeburg, 30th September 2025

Nahverkehrsservice Sachsen-Anhalt GmbH