Data Privacy Statement NAHSHUTTLE app
- General information
- Definitions
- Legal basis, storage duration, data deletion
- Collection of personal data
- Hosting and technical operation of the NAHSHUTTLE app
- Booking rides
- Data collected when you contact us
- Data collected in connection with the processing of your payments
- Newsletter
- Use of push notifications
- Technical analysis of app behavior using Firebase and Google Analytics
- Use of Google Maps
- Use of Sentry
- Your rights
- Your right to information
- Right to have data corrected
- Right to restrict processing
- Right to deletion
- Right to information
- Right to data portability
- Right to object
- The right to revoke the data protection declaration of consent
- Automated decision in individual cases, including profiling
- The right to lodge a complaint with a supervisory authority
- Data security
- Data Protection Officer
- Changes to this Privacy Policy
1. General information
Nahverkehrsverbund Schleswig-Holstein GmbH (NAH.SH GmbH), Raiffeisenstrasse 1, 24103 Kiel, Germany, is responsible for data processing in this app in accordance with the European General Data Protection Regulation (GDPR). We respect your privacy rights. We understand the importance of any personal information you provide as a user of our app. We respect the protection of your personal data and will collect, store, or process all data obtained exclusively within the scope of our business purpose in accordance with the relevant data protection regulations.
Our app may also contain links to websites from other providers. This Privacy Policy does not apply to such third-party sites. If the use of these third-party websites involves the collection, processing, or use of personal data, please refer to the privacy policies of the respective providers. We are not responsible for how they handle your data.
2. Definitions
Personal data is any information relating to an identified or identifiable natural person. A natural person is identifiable if they can be identified directly or indirectly, in particular by being assigned to such identifiers as names, ID numbers, location data, an online identifier, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that person.
3. Legal basis, storage duration, data deletion
If we obtain your consent for the processing of personal data, Art. 6, para. 1 (a) GDPR applies as the legal basis.
The processing of personal data required to fulfill a contract or to carry out pre-contractual measures with you is based on Art. 6, para. 1 (b) GDPR. This also includes, for example, the provision of our app and your use of it.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, this is done within the framework of Art. 6, para. 1 (c) GDPR.
If the processing is necessary to protect a legitimate interest of ours or a third party, and your interests, fundamental rights, and freedoms do not override the legitimate interest, Art. 6, para. 1 (f) GDPR is the legal basis. As a rule, our company’s legitimate interest lies in the provision of services owed and/or the ongoing optimization of our services and commercial presentation.
Your personal data shall be deleted as soon as the purpose for which it is stored ceases to apply. The data will also be deleted if a prescribed storage period expires, unless further storage of the data is necessary, given our legitimate interests.
4. Collection of personal data
When using the app, we collect the personal data described below to enable convenient use of the features. If you wish to use our app, we collect the following technically necessary data:
- IP address
- Date and time of request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access Status/HTTP status code
- Respective volume of data transferred
- The app from which the request originates
- Device type
- Operating system
The legal basis for data processing is Art. 6, para. 1 (b) GDPR. Data processing, at least on a temporary basis, is necessary for the functionality of our app and for your use of it.
5. Hosting and technical operation of the NAHSHUTTLE app
The app is hosted and technically supported by Ioki GmbH, An der Welle 3, 60322 Frankfurt am Main – a subsidiary of Deutsche Bahn AG (https://www.ioki.com). Ioki receives the above data as a processor based on an agreement that meets the requirements of Art. 28 GDPR.
6. Booking rides
To conclude a contract when booking rides via this app, you must provide the personal data we require to process your order. Mandatory information required for the execution of contracts is marked separately; any further information is voluntary. To use the service, a valid email address and a mobile phone number are required. We use the data you provide to process your ride booking. The legal basis for this is Art. 6, para. 1, sentence 1 (b) GDPR.
When you create an account under “My account”, the data you provide will be stored revocably. All other data, including your user account, can always be deleted in the customer area.
We are obliged by commercial and tax law to store your address, payment, and order data for a period of ten years. However, after 2 years, we will limit the processing of your data. That is, your data will only be used to comply with legal obligations.
To prevent unauthorized access to your personal data by third parties, especially financial data, the order process is encrypted using TLS technology.
For the purpose of processing your ride booking, we also share your address data with the ride service providers we use in the relevant service area. The legal basis for this is Art. 6, para. 1, sentence 1 (b) GDPR, as it is not possible to provide the booked ride service without the involvement of a transportation service provider.
Information on ride history is also used in an anonymized form for capacity utilization analysis. This is done to provide you, as a user of the app and as a rider, with improved ride availability on an ongoing basis. This anonymized use of data is absolutely necessary to maintain our service and to continuously adapt it to the needs of our users. Without this data processing as a basis for planning, it would not be possible to continue offering the service. You can view your ride history in the app yourself.
The legal basis is the ongoing use of the NAHSHUTTLE app, Art. 6, para. 1, sentence 1 (b) GDPR. The ongoing use of the anonymized data collected is necessary to ensure the continued usability of the app.
We may use your data collected during registration to inform you by email about important changes to your account (e.g., suspension or deletion, etc.). This may occur either at your request, if you have decided to close your account with us, or in the event of a violation of our Terms and Conditions that results in the suspension of your account. In this case, we will also use the data provided in your account (name, email address, and telephone number, if applicable) in advance to clarify the case. This is done within the framework of fulfilling the contract and enforcing the Terms and Conditions (Art. 6, para. 1 (b) GDPR).
7. Data collected when you contact us
If you send us inquiries by email to the address provided for contacting us (nahshuttle@nah.sh), we will store your details, including the contact data you have provided, solely for the purpose of processing the respective inquiry and in the event of follow-up questions. We do not share this information with third parties without your permission.
If your email or complaint concerns the services of a third party – for example, if you have questions about bus or train services, the quality of local public transport, or cancellations and delays – we will forward your message to the relevant transport company or the responsible public transport authority, requesting their response.
The corresponding data is used based on Art. 6, para. 1, sentence 1 (b) GDPR to process your request.
8. Data collected in connection with the processing of your payments
Your payments are processed by the payment service provider LOGPAY Financial Services GmbH, Schwalbacher Straße 72, 65760 Eschborn, Germany. This includes payments by credit card, SEPA direct debit, or PayPal. LOGPAY Financial Services GmbH is authorized as a payment institution by the Federal Financial Supervisory Authority (BaFin ID: 10148164).
When you provide your credit card details, they are transmitted directly to the payment service provider we use via an encrypted connection. The payment service provider then performs what is known as authentication of your payment method. This ensures that your payment method is an active payment method. For security reasons, only the last four digits of your credit card number are transmitted to us, and we store these digits for identification and verification purposes for the duration of the statutory retention period.
The legal basis in this context is Art. 6, para. 1, sentence 1 (c) GDPR. Logpay’s privacy policy can be found at the following link: https://docs.logpay.de/_docs/de/Datenschutzinformationen.pdf
9. Newsletter
We require your consent to send you messages via our email distribution list. This consent applies only to the sending of emails; the data will not be shared with third parties. To give your consent, please enable the option to receive the newsletter in your user account under Permissions. The newsletter will only be sent to the email address associated with the account. It is not possible to enter a second email address. Your consent is given voluntarily. The legal basis is Art. 6, para. 1, sentence 1 (a) GDPR. You may revoke your consent at any time with effect for the future. You can do this directly in the app or by sending an email to nahshuttle@nah.sh. Your email address will then be removed from the email distribution list immediately, and you will not receive any further messages.
10. Use of push notifications
If you would like to receive information about timetable changes, news, or offers via push notifications, you must enable this feature in the NAHSHUTTLE app.
For push notifications, we use the Firebase Cloud Messaging services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for Android devices, and the “Apple Push Notification” service provided by Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, for Apple devices.
In this process, Firebase and Apple generate a derived key that is composed of the app ID and the device ID. This key is stored on our push platform with the settings you have selected to provide you with the content. No further data is collected for this purpose. Firebase and Apple act solely as transmitters. The legal basis for processing is Art. 6, para. 1(a) GDPR.
11. Technical analysis of app behavior using Firebase and Google Analytics
We use the Firebase service in our mobile app to analyze user interactions and improve our services. The provider is Google Ireland Limited (“Google”), Gordon House, 4 Barrow Street, Dublin, Ireland.
The legal basis for the use of Firebase is your consent pursuant to Art. 6, para. 1 (a) GDPR. You may revoke your consent with future effect at any time.
The data processed by Firebase includes your IP address, device information, usage data, and, depending on the service used, also app activity and crash reports. Firebase may also use cookies to provide its services.
The purpose of data processing is to provide backend infrastructure, enable user authentication, and analyze app usage to improve performance.
There is no uniform standard retention period for data across Firebase services, as the retention period depends on the specific Firebase product used (e.g., Analytics, Firestore, Realtime Database, Crashlytics, etc.). For example, Firebase Analytics stores user-related data for up to 14 months by default, but this period can be adjusted. For other services, such as Firestore or Realtime Database, data is stored until it is deleted by the developer. The Google Firebase Privacy and Security Documentation does not specify a universal retention period for all data processed by Firebase. For more information, please refer to the Firebase Privacy and Security Documentation: https://firebase.google.com/support/privacy and the Google Cloud Platform Data Deletion Documentation: https://cloud.google.com/terms/data-deletion.
It cannot be ruled out that personal data may be transferred to non-secure third countries (USA), where the level of data protection is lower than in the EU. Google is certified under the EU–US Data Privacy Framework, which governs the secure processing of EU citizens’ data in the USA.
For more information on Firebase’s privacy policy, please visit: https://firebase.google.com/support/privacy.
12. Use of Google Maps
In our app, we use the Google Maps feature provided by Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (hereinafter “Google”) to be able to show you offers for transport services at your location and for the route you have requested.
By using our app, Google receives the information that you have accessed the corresponding feature in our app. Your IP address is also transmitted. The information collected in this way is stored on servers, which may also be located in the USA. This takes place regardless of whether Google provides a user account via which you are logged in, or no user account exists. If you are logged in to Google, your information will be directly associated with your account. If you do not wish to be associated with your Google profile, you must first log out before activating the button. Google stores your data as usage profiles and uses this for advertising purposes, market research, and/or the needs-based design of its own products. Such evaluation also takes place (even for users who are not logged in) for the purposes of providing customized advertising and to inform other social media users about activities on our app. You have the right to object to the creation of these user profiles. You must exercise this right directly with Google.
We use Google Maps within the framework of our app offering, as the use of our app currently only functions with this service (legal basis: Art. 6, para. 1, sentence 1, (b) GDPR). Please do not use our app if you wish to avoid data processing by Google.
Alternatively, you can also book your ride by phone at +49 431-66019-93 and pay for your ticket directly in the vehicle. Our website at https://www.nah.sh/ also allows you to easily search for possible routes for the following service areas (NAHSHUTTLE Eckernförde and NAHSHUTTLE Schleswig-Flensburg).
For more information on processing by Google, please refer to Google’s privacy policy. There, you will also find further information on your rights in this regard and on the settings options available to you to protect your privacy: https://policies.google.com/privacy?hl=de.
13. Use of Sentry
We use the ‘Sentry’ service in our app to monitor and track errors and performance issues. The provider is Functional Software, Inc. (“Sentry”), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.
The legal basis for the use of Sentry is our legitimate interest pursuant to Art. 6, para. 1 (f) GDPR, to monitor and improve the stability, security, and performance of our app by identifying and correcting technical errors.
The data processed by Sentry includes your IP address, error and performance data, device and browser information, and details of your interaction with the app. Sentry may also use cookies to support its functionality.
The purpose of data processing is to monitor, detect, and correct application errors and performance issues. It cannot be ruled out that personal data may be transferred to non-secure third countries (USA), where the level of data protection is lower than in the EU. Sentry is certified under the EU–US Data Privacy Framework, which governs the secure processing of EU citizens’ data in the USA. The basis for data processing is a contract in accordance with Art. 28 GDPR. For more information on Sentry’s privacy policy, please visit: https://sentry.io/privacy/
14. Your rights
Insofar as we process your personal data in our app, you are a “data subject” within the meaning of the GDPR. You have the following rights with respect to us:
14.1 Your right to information
You can request confirmation from us as to whether we are processing your personal data. If such processing is taking place, you can request the following information from us:
- The purposes for which the personal data is being processed;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom your personal data has been or will be disclosed;
- How long we plan to store your personal data, or, if specific information in this respect is not possible, our criteria for determining the retention period;
- Right to lodge a complaint with a supervisory authority;
- Any available information on the origin of the data, if the personal data has not been collected from you;
- The existence of automated decision-making processes, including profiling, as defined in Art. 22, para. 1 and 4 GDPR and – at least in such cases – meaningful information about the logic involved and the scope and intended effects of such processing for you.
You have the right to request information regarding whether your personal information is being transmitted to a third-party country or an international organization. In this respect, you can request the appropriate guarantees in connection with the transmission in accordance with Art. 46 GDPR.
14.2 Right to have data corrected
You have the right to ask us to correct and/or complete your personal data if what we have on file is incorrect or incomplete. If this is the case, we will make the correction immediately.
14.3 Right to restrict processing
You have the right to request the restriction of the processing of your personal data if one of the following conditions applies:
- you dispute the accuracy of the data we have on file about you and set a deadline for us to verify its accuracy;
- the processing is unlawful, but you do not want your personal data to be deleted, but instead want its use restricted;
- we no longer require your personal data for processing purposes, but you need it to be kept on file to assert, exercise, or defend legal claims; or
- you have objected to processing pursuant to Art. 21, para. 1 GDPR, and it has not yet been determined whether our legitimate grounds outweigh yours.
If you have requested a restriction of the processing of your personal data, such data may — apart from its storage — only be processed with your consent, for the establishment, exercise, or defense of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. You will be informed by us before the restriction is lifted.
14.4 Right to deletion
You can ask us to delete your personal data immediately. We are obliged to delete this data immediately if one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You revoke any existing consent on which the processing is based in accordance with Art. 6, para. 1, sentence 1, (a) or Art. 9, para. 2 (a) GDPR and there is no other legal basis for its continued processing;
- You object to the processing for direct marketing purposes pursuant to Art. 21, para. 1 GDPR, and there are no overriding legitimate grounds for the processing;
- You object to the processing for direct marketing purposes pursuant to Art. 21, para. 2 GDPR;
- Your personal data has been processed unlawfully;
- The deletion of your personal data is necessary to fulfill a legal obligation under EU law or the law of the Member States to which we are subject;
- The personal data has been collected in relation to services offered by an information collection company according to Art. 8, para. 1 GDPR.
Your right to deletion does not exist if processing is necessary
- to exercise the right to freedom of expression and information;
- to comply with a legal obligation requiring the processing under the law of the Union or the Member States to which we are subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the field of public health in accordance with Art. 9, para. 2, sentence 1 (h) (i) as well as Art. 9, para. 3 GDPR;
- for archival purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89, para. 1 GDPR, insofar as the exercise of the right specified in para. 1 is likely to make meeting the objectives of such processing impossible or severely compromised; or
- to assert, exercise, or defend legal claims.
If we have made your personal data public and are obliged to delete it pursuant to Art. 17, para. 1 GDPR, we will take appropriate measures — considering available technology and implementation costs — to inform the data controller(s) that you have requested the deletion of all links to, copies, or replications of your personal data.
14.5 Right to information
You have the right to be informed about potential recipients of disclosures as defined above.
14.6 Right to data portability
You have the right to obtain the personal data you have provided to us in a structured, commonly used, machine-readable format. You have the right to transmit this data to another responsible party without any hindrance by us, provided that:
- the processing is based on consent pursuant to Art. 6, para. 1 (a) GDPR or Art. 9, para. 2 (a) GDPR or based on a contract in accordance with Art. 6, para. 1 (b) GDPR and
- the processing is carried out using automated methods.
In addition, you have the right to request the transfer of your personal data directly from us to another data controller, insofar as this is technically feasible. This transfer may not affect the rights and freedoms of other persons.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on us.
We currently do not believe that any data collected through this app would fall under the right to data portability.
14.7 Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, which is conducted based on Art. 6 para. 1 (e) or (f) GDPR; the same applies to profiling based on these provisions.
We will then no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing is intended to assert, exercise, or defend legal claims.
If your personal data is being processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data that concerns you for the purpose of such marketing. This also applies to profiling, insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
In the context of the use of information company services, and Directive 2002/58/EC notwithstanding, you may exercise your right to object using an automated process.
14.8 The right to revoke the data protection declaration of consent
You have the right to revoke your consent to this Privacy Policy or the processing of your data at any time. This revocation will not affect the lawfulness of any processing done beforehand.
14.9 Automated decision in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing — including profiling — that has legal effect against you or significantly impairs you in a similar manner. We do not carry out such processing.
14.10 The right to lodge a complaint with a supervisory authority
You have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work, or where the suspected infringement of GDPR has taken place, without prejudice to any other rights of appeal.
15. Data security
To protect your personal data, we have taken technical and organizational measures to ensure that your data is protected against accidental or intentional loss, destruction, or manipulation, as well as access by unauthorized persons.
Our protective measures are reviewed at regular intervals and adapted to changes in technology as necessary.
16. Data Protection Officer
If you have any further questions regarding the processing of your personal data, please contact:
NAH.SH Customer Service, Tel.: 0431 660 19 449
kundendialog@nah.sh or, alternatively, directly to nahshuttle@nah.sh.
Or contact our Data Protection Officer: compolicy GmbH, Schwedenkai 1, 24103 Kiel, info@compolicy.de.
17. Changes to this Privacy Policy
We reserve the right to change this Privacy Policy at any time as necessary in accordance with the data protection regulations applicable at that time.
Last updated: February 2026